写在前面:又是一个十足的流氓程序,本文分析不是很透彻,好多地方不是很理解,多多指教。
; --- Persistence / service-registration strings ------------------------------
; Autostart key honoured by the Win9x/Me shell before any user logs on; the
; author's note identifies it as the sample's "start before logon" mechanism.
; A known autostart location, so an entry here is a persistence indicator.
.rdata:00414210 s_SoftwareMic_0 db 'Software\Microsoft\Windows\CurrentVersion\RunServices',0
.rdata:00414210 ; DATA XREF: .data:00418184 o
.rdata:00414246 align 4
; Parent key of per-application event-log sources. Presumably used to register
; an event source for the service; the writer at .text:004016DE is not shown
; here - verify.
.rdata:00414248 s_SystemCurrent db 'SYSTEM\CurrentControlSet\Services\EventLog\Application\',0
.rdata:00414248 ; DATA XREF: .data:off_418180 o
; Three-entry pointer table in .data: EventLog key, RunServices key and
; off_414950 (target not in this listing). Read from .text:004016DE.
.data:00418180 off_418180 dd offset s_SystemCurrent ; DATA XREF: .text:004016DE r
.data:00418180 ; "SYSTEM\\CurrentControlSet\\Services\\Event"...
.data:00418184 dd offset s_SoftwareMic_0 ; "Software\\Microsoft\\Windows\\CurrentVersi"...
.data:00418188 dd offset off_414950
.data:0041818C align 10h
; MSVC-decorated class name (".?AV...@@" = class) used for RTTI: a class named
; CNTService, i.e. the binary is built around a C++ NT-service wrapper class.
.data:00418190 s__?avcntservic db '.?AVCNTService@@',0
//通过写注册表启动项实现登录前启动
; --- Names of the files the sample drops (per the author's note) -------------
; Each literal is referenced from its own 0x20-byte-spaced site in .text
; (004123E2, 00412402, ... 00412562), the same spacing as the static
; initializers at .text:004123A0 and .text:004123C0; presumably one global
; string object per file name. The names are usable as host-based indicators
; when hunting for this sample.
.rdata:00414514 s_Bho_dll db 'bho.dll',0 ; DATA XREF: .text:004123E2 o
.rdata:0041451C s_Play_dll db 'play.dll',0 ; DATA XREF: .text:00412402 o
.rdata:00414528 s_Ser_exe db 'ser.exe',0 ; DATA XREF: .text:00412422 o
.rdata:00414530 s_Inject_dll db 'inject.DLL',0 ; DATA XREF: .text:00412442 o
.rdata:0041453C s_Tmp333_tmp db 'tmp333.tmp',0 ; DATA XREF: .text:00412462 o
.rdata:00414548 s_Tmp334_tmp db 'tmp334.tmp',0 ; DATA XREF: .text:00412482 o
.rdata:00414554 s_Tmp335_tmp db 'tmp335.tmp',0 ; DATA XREF: .text:004124A2 o
.rdata:00414560 s_Helpie_dll db 'HelpIE.dll',0 ; DATA XREF: .text:004124C2 o
.rdata:0041456C s_Player_dll db 'player.dll',0 ; DATA XREF: .text:004124E2 o
.rdata:00414578 s_Mshtmlsed_exe db 'mshtmlsed.exe',0 ; DATA XREF: .text:00412502 o
.rdata:00414588 s_Fp30ie_dll db 'FP30IE.dll',0 ; DATA XREF: .text:00412522 o
.rdata:00414594 s_Fp30py_dll db 'FP30PY.dll',0 ; DATA XREF: .text:00412542 o
.rdata:004145A0 s_Fp30svr_exe db 'FP30SVR.exe',0 ; DATA XREF: .text:00412562 o
//释放病毒文件FP30SVR.exe、FP30PY.dll、FP30IE.dll、mshtmlsed.exe、player.dll、HelpIE.dll、tmp335.tmp、tmp334.tmp、tmp333.tmp、inject.DLL、ser.exe、play.dll、bho.dll
.text:00412392 align 10h
; ---------------------------------------------------------------------------
; Static initializer: builds a global object at unk_4181BC from the literal
; "ms_2fax" and registers a cleanup routine with the CRT.
;   sub_4029A0(this = ecx, const char *s, size_t len) - thiscall; the pushed
;   length 7 equals strlen("ms_2fax"). The (ptr, len) shape looks like a
;   std::string-style constructor - not verified in this listing.
;   loc_412FA0 is presumably the matching destructor (registered via _atexit).
; The author's note identifies "ms_2fax" as the service name registered.
; Clobbers: ecx (and whatever sub_4029A0 / _atexit clobber).
; ---------------------------------------------------------------------------
.text:004123A0 push 7                       ; len = strlen("ms_2fax")
.text:004123A2 push offset s_Ms_2fax ; "ms_2fax"
.text:004123A7 mov ecx, offset unk_4181BC   ; this = global object
.text:004123AC call sub_4029A0
.text:004123AC
.text:004123B1 push offset loc_412FA0       ; exit-time handler
.text:004123B6 call _atexit
.text:004123B6
.text:004123BB pop ecx                      ; discard the one cdecl argument
.text:004123BC retn
.text:004123BC
.text:004123BC ; ---------------------------------------------------------------------------
.text:004123BD align 10h
; ---------------------------------------------------------------------------
; Static initializer: builds a global object at unk_4181D8 from the literal
; "Fax 2Client" and registers a cleanup routine with the CRT.
;   sub_4029A0(this = ecx, const char *s, size_t len) - thiscall; the pushed
;   length 0Bh (11) equals strlen("Fax 2Client"). Same constructor shape as
;   the initializer at 004123A0.
;   loc_412FD0 is presumably the matching destructor (registered via _atexit).
; The author's note identifies "Fax 2Client" as the service's display name.
; Clobbers: ecx (and whatever sub_4029A0 / _atexit clobber).
; ---------------------------------------------------------------------------
.text:004123C0 push 0Bh                     ; len = strlen("Fax 2Client")
.text:004123C2 push offset s_Fax2client ; "Fax 2Client"
.text:004123C7 mov ecx, offset unk_4181D8   ; this = global object
.text:004123CC call sub_4029A0
.text:004123CC
.text:004123D1 push offset loc_412FD0       ; exit-time handler
.text:004123D6 call _atexit
.text:004123D6
.text:004123DB pop ecx                      ; discard the one cdecl argument
.text:004123DC retn
.text:004123DC
.text:0041259D align 10h
; ---------------------------------------------------------------------------
; Static initializer: builds a global object at unk_41837C from the registry
; path prefix "SYSTEM\CurrentControlSet\Services\" and registers a cleanup
; routine with the CRT.
;   sub_4029A0(this = ecx, const char *s, size_t len) - thiscall; the pushed
;   length 22h (34) equals strlen of that prefix. Same constructor shape as
;   the initializers at 004123A0 / 004123C0.
;   loc_4132A0 is presumably the matching destructor (registered via _atexit).
; The prefix is presumably appended with the service name to reach the
; service's own key (not visible here).
; Clobbers: ecx (and whatever sub_4029A0 / _atexit clobber).
; ---------------------------------------------------------------------------
.text:004125A0 push 22h                     ; len = 34
.text:004125A2 push offset s_SystemCurre_0 ; "SYSTEM\\CurrentControlSet\\Services\\"
.text:004125A7 mov ecx, offset unk_41837C   ; this = global object
.text:004125AC call sub_4029A0
.text:004125AC
.text:004125B1 push offset loc_4132A0       ; exit-time handler
.text:004125B6 call _atexit
.text:004125B6
.text:004125BB pop ecx                      ; discard the one cdecl argument
.text:004125BC retn
.text:004125BC
; Services key prefix (34 bytes, matching the push 22h at .text:004125A0).
; Presumably completed with a service name at runtime - not visible here.
.rdata:004145FC s_SystemCurre_0 db 'SYSTEM\CurrentControlSet\Services\',0
//注册一个服务名为 ms_2fax、显示名为 Fax 2Client 的服务
; --- OS-family name strings (Win9x / Me line) --------------------------------
; A wide-char "\" separator, then product-name literals. Every 9x-line name is
; referenced from both sub_4034D0 and sub_4057D0; the NT-line names further
; down (.rdata:00414804 onward) are referenced from sub_4057D0 only. Per the
; author's note the sample branches on the OS family and does nothing on
; non-NT systems; the comparison itself is not in this listing.
.rdata:00414680 unicode 0, <\>,0
.rdata:00414684 s_Unknown db 'Unknown',0 ; DATA XREF: sub_4057D0+15C o
.rdata:00414684 ; sub_405940+4E o
.rdata:0041468C ; char s_WindowsMe[]
.rdata:0041468C s_WindowsMe db 'Windows Me',0 ; DATA XREF: sub_4034D0:loc_40362E o
.rdata:0041468C ; sub_4057D0+B2 o
.rdata:00414697 align 4
.rdata:00414698 ; char s_Windows98[]
.rdata:00414698 s_Windows98 db 'Windows 98',0 ; DATA XREF: sub_4034D0:loc_403601 o
.rdata:00414698 ; sub_4057D0:loc_405866 o
.rdata:004146A3 align 4
.rdata:004146A4 ; char s_Windows98Seco[]
.rdata:004146A4 s_Windows98Seco db 'Windows 98 Second Edition',0
.rdata:004146A4 ; DATA XREF: sub_4034D0:loc_4035D4 o
.rdata:004146A4 ; sub_4057D0+87 o
.rdata:004146BE align 10h
.rdata:004146C0 ; char s_Windows95[]
.rdata:004146C0 s_Windows95 db 'Windows 95',0 ; DATA XREF: sub_4034D0:loc_4035A7 o
.rdata:004146C0 ; sub_4057D0:loc_405827 o
.rdata:004146CB align 4
.rdata:004146CC ; char s_Windows95Osr2[]
.rdata:004146CC s_Windows95Osr2 db 'Windows 95 OSR2',0 ; DATA XREF: sub_4034D0:loc_40357A o
.rdata:004146CC ; sub_4057D0+48 o
//判断操作系统版本,如果不是NT内核则不发作
; MSVC STL length_error message (library string, not sample logic).
.rdata:004146DC s_Vector<t>TooL db 'vector<T> too long',0 ; DATA XREF: .text:00402F5A o
.rdata:004146EF align 10h
; --- Dynamic API resolution --------------------------------------------------
; IDA's auto-names (ProcName / LibFileName) indicate these are the arguments
; of GetProcAddress / LoadLibrary in sub_403190: SHGetFolderPathA is resolved
; at runtime from shell32.dll, presumably to locate a known folder. Resolving
; the import this way keeps it out of the static import table.
.rdata:004146F0 ; char ProcName[]
.rdata:004146F0 ProcName db 'SHGetFolderPathA',0 ; DATA XREF: sub_403190+33 o
.rdata:00414701 align 4
.rdata:00414704 ; char LibFileName[]
.rdata:00414704 LibFileName db 'shell32.dll',0 ; DATA XREF: sub_403190+F o
; --- regsvr32 command-line pieces (sub_4034D0) -------------------------------
; Closing quote, " /u /s "" (silent unregister) and " /s "" (silent register),
; plus two candidate paths to regsvr32.exe. sub_4034D0 evidently assembles a
; regsvr32 command line; which DLL it names is not visible in this listing.
.rdata:00414710 asc_414710: ; DATA XREF: sub_4034D0+28A o
.rdata:00414710 unicode 0, <">,0
.rdata:00414714 s_US db ' /u /s "',0 ; DATA XREF: sub_4034D0+267 o
.rdata:0041471D align 10h
.rdata:00414720 s_S db ' /s "',0 ; DATA XREF: sub_4034D0+25E o
.rdata:00414726 align 4
.rdata:00414728 s_SystemRegsvr3 db '\system\regsvr32.exe',0 ; DATA XREF: sub_4034D0+1DB o
.rdata:0041473D align 10h
.rdata:00414740 s_Regsvr32_exe db '\regsvr32.exe',0 ; DATA XREF: sub_4034D0+17E o
.rdata:0041474E align 10h
; --- Split GUID-style string (sub_403940+68 / +78) ---------------------------
; Head "{01DE82F0" and tail "2810BB9D466D}" of a CLSID-looking string,
; referenced back to back; the middle part is not in this listing, so it is
; presumably assembled at runtime. Splitting also defeats naive string
; matching on the full CLSID.
.rdata:00414750 s_2810bb9d466d db '2810BB9D466D}',0 ; DATA XREF: sub_403940+78 o
.rdata:0041475E align 10h
.rdata:00414760 s_01de82f0 db '{01DE82F0',0 ; DATA XREF: sub_403940+68 o
.rdata:0041476A align 4
; --- Files written to removable media (sub_4040A0) ---------------------------
; Wide-char "y" / "s" literals plus five file names (1.rm, 1.txt, 1.bmp,
; 1.exe, 1.dll), all referenced from sub_4040A0 - matching the author's
; "5 junk files on removable storage". How each is used is not shown here.
.rdata:0041476C s_Y: ; DATA XREF: sub_4040A0+CA o
.rdata:0041476C unicode 0, <y>,0
.rdata:00414770 s_S_0: ; DATA XREF: sub_4040A0+60 o
.rdata:00414770 unicode 0, <s>,0
.rdata:00414774 s_1_rm db '1.rm',0 ; DATA XREF: sub_4040A0+730 o
.rdata:00414779 align 4
.rdata:0041477C s_1_txt db '1.txt',0 ; DATA XREF: sub_4040A0+64B o
.rdata:00414782 align 4
.rdata:00414784 s_1_bmp db '1.bmp',0 ; DATA XREF: sub_4040A0+4BB o
.rdata:0041478A align 4
.rdata:0041478C s_1_exe db '1.exe',0 ; DATA XREF: sub_4040A0+326 o
.rdata:0041478C ; sub_4040A0+566 o
.rdata:00414792 align 4
.rdata:00414794 s_1_dll db '1.dll',0 ; DATA XREF: sub_4040A0+1C5 o
.rdata:00414794 ; sub_4040A0+27E o
.rdata:00414794 ; sub_4040A0+3D9 o
.rdata:0041479A align 4
; Two names referenced from .text:00412B40 / 00412B60; the author's note ties
; them to the dropped driver, but their use is not visible here.
.rdata:0041479C s_Usb8028x db 'usb8028x',0 ; DATA XREF: .text:00412B40 o
.rdata:004147A5 align 4
.rdata:004147A8 s_Usb8028 db 'usb8028',0 ; DATA XREF: .text:00412B60 o
; MSVC STL length_error message (library string, not sample logic).
.rdata:004147B0 s_List<t>TooLon db 'list<T> too long',0 ; DATA XREF: sub_404FE0+2E o
.rdata:004147C1 align 4
; --- hosts file (sub_405190) -------------------------------------------------
; Path suffixes for the system hosts file. Edits to this file redirect name
; resolution locally, so a modified hosts file is a useful indicator.
.rdata:004147C4 s_Hosts db '\hosts',0 ; DATA XREF: sub_405190+CD o
.rdata:004147CB align 4
.rdata:004147CC s_System32Drive db '\System32\drivers\etc\hosts',0
.rdata:004147CC ; DATA XREF: sub_405190+9A o
; CRT text-mode open strings ("w+t" = truncate/read-write, "rt" = read) used
; in sub_4053A0 - presumably fopen on the hosts file; confirm in that routine.
.rdata:004147E8 ; char s_WT[]
.rdata:004147E8 s_WT db 'w+t',0 ; DATA XREF: sub_4053A0:loc_4055B0 o
.rdata:004147EC ; char s_Rt[]
.rdata:004147EC s_Rt db 'rt',0 ; DATA XREF: sub_4053A0:loc_405441 o
.rdata:004147EF align 10h
; --- Driver file-name formatting -------------------------------------------
; sub_4056F0 and sub_405760 are parallel: each uses "%s.sys" at +C and "%s"
; at +24 and has its own function pointer (off_4147F4 / off_414800) at +12.
; Presumably they derive a driver file name from a base name; the formatting
; call itself is not in this listing.
.rdata:004147F0 ; char s_S_1[]
.rdata:004147F0 s_S_1 db '%s',0 ; DATA XREF: sub_4056F0+24 o
.rdata:004147F0 ; sub_405760+24 o
.rdata:004147F3 align 4
.rdata:004147F4 off_4147F4 dd offset sub_405740 ; DATA XREF: sub_4056F0+12 o
.rdata:004147F4 ; .text:loc_405730 o
.rdata:004147F4 ; sub_405740+8 o
.rdata:004147F8 ; char s_S_sys[]
.rdata:004147F8 s_S_sys db '%s.sys',0 ; DATA XREF: sub_4056F0+C o
.rdata:004147F8 ; sub_405760+C o
.rdata:004147FF align 10h
.rdata:00414800 off_414800 dd offset sub_4057B0 ; DATA XREF: sub_405760+12 o
.rdata:00414800 ; .text:loc_4057A0 o
.rdata:00414800 ; sub_4057B0+8 o
; --- OS-family name strings (NT line) ----------------------------------------
; Referenced from sub_4057D0 only (the 9x-line names above are also used by
; sub_4034D0). Per the author's note the NT branch is the one that acts.
.rdata:00414804 s_WindowsServer db 'Windows Server 2003 family',0
.rdata:00414804 ; DATA XREF: sub_4057D0+147 o
.rdata:0041481F align 10h
.rdata:00414820 s_WindowsXp db 'Windows XP',0 ; DATA XREF: sub_4057D0+12D o
.rdata:0041482B align 4
.rdata:0041482C s_Windows2000 db 'Windows 2000',0 ; DATA XREF: sub_4057D0+113 o
.rdata:00414839 align 4
.rdata:0041483C s_WindowsNt4_0 db 'Windows NT 4.0',0 ; DATA XREF: sub_4057D0+F1 o
.rdata:0041484B align 4
.rdata:0041484C s_WindowsNt3_51 db 'Windows NT 3.51',0 ; DATA XREF: sub_4057D0+D7 o
//判断操作系统类型,如果是NT内核系统,则写入驱动、修改hosts文件、向移动存储设备写入5个垃圾文件、反注册shell32.dll