样本来自:http://bbs.kafan.cn/viewthread.php?tid=89016&extra=page%3D1
.rdata:121520DC s_Urldownloadto db 'URLDownloadToFileA',0 ; DATA XREF: .text:12151488 o
.rdata:12152118 s_ProgramFilesI db 'program files\Internet Explorer\IEXPLORE.EXE',0
.rdata:12152284 s_File1_5D15_zi db 'file/1.5/d15.zip',0 ; DATA XREF: start+153 o
//调用URLDownloadToFileA函数,在后台启动IE进行"小马下大马"(即由小体积下载器再去下载更大的木马),两个木马的链接为(已证实):
http://3w.39100.net/file/1.5/d15.zip
http://3w.39100.net/file/1.5/m15.zip
.rdata:12152210 s_SoftwareMic_0 db 'Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\msv1_1\',0
.rdata:121521E8 s_Dllname db 'DllName',0 ; DATA XREF: start+3C0 o
//写入Winlogon Notify注册表项,以此挂接winlogon.exe进程
d15.zip浅析:
被下载的木马实则为PE文件,应该是该病毒所用的空间无法上传PE文件,导致病毒幕后使用者更改了扩展名,如图:
![]()
待d15.zip下载完成并运行后,同上:
.rdata:35155114 s_ProgramFilesI db 'program files\Internet Explorer\IEXPLORE.EXE',0
.rdata:35155114 ; DATA XREF: sub_35151DA5+62 o
.rdata:35155114 ; sub_35152D5C+83 o
.rdata:35155141 align 4
.rdata:35155144 ; char s_Urldownloadto[]
.rdata:35155144 s_Urldownloadto db 'URLDownloadToFileA',0 ; DATA XREF: sub_35151E2F+32 o
.rdata:351552D0 s_Login_asp?cpu db 'login.asp?cpuid=',0 ; DATA XREF: sub_35152F0C+10E o
.rdata:351552E1 align 4
.rdata:351552E4 ; char s_Http3w_39100_[]
.rdata:351552E4 s_Http3w_39100_ db 'http://3w.39100.net/',0 ; DATA XREF: sub_35152F0C+FD o
//拼接上述两个字符串后尝试连接http://3w.39100.net/login.asp?cpuid=...(疑似用于回连上报)
.rdata:351553E8 s_File1_5D15_zi db 'file/1.5/d15.zip',0 ; DATA XREF: DllEntryPoint+139 o
.rdata:351553F9 align 4
.rdata:351553FC ; char s_Docprop1_dll[]
.rdata:351553FC s_Docprop1_dll db '\DocProp1.dll',0 ; DATA XREF: DllEntryPoint+115 o
.rdata:3515540A align 4
.rdata:3515540C ; char s_File1_5Fb15_z[]
.rdata:3515540C s_File1_5Fb15_z db 'file/1.5/fb15.zip',0 ; DATA XREF: DllEntryPoint+F7 o
.rdata:3515541E align 10h
.rdata:35155420 ; char s_File1_5Server[]
.rdata:35155420 s_File1_5Server db 'file/1.5/serverhelp.zip',0
.rdata:35155420 ; DATA XREF: DllEntryPoint+9E o
.rdata:35155420 ; DllEntryPoint+A9 o
//继续进行下载,下载的文件如下(已证实):
http://3w.39100.net/file/1.5/serverhelp.zip
http://3w.39100.net/file/1.5/fb15.zip
.rdata:35155244 ; char s_ShellAutoComm[]
.rdata:35155244 s_ShellAutoComm db 'shell\Auto\command',0 ; DATA XREF: sub_351529E9+1CB o
.rdata:35155257 align 4
.rdata:35155258 ; char s_Shellexecute[]
.rdata:35155258 s_Shellexecute db 'shellexecute',0 ; DATA XREF: sub_351529E9+1B5 o
.rdata:35155265 align 4
.rdata:35155268 ; char s_Autorun[]
.rdata:35155268 s_Autorun db 'AutoRun',0 ; DATA XREF: sub_351529E9+19F o
.rdata:35155270 ; char s_Open[]
.rdata:35155270 s_Open db 'OPEN',0 ; DATA XREF: sub_351529E9+19A o
.rdata:35155275 align 4
.rdata:35155278 ; char String[]
.rdata:35155278 String db '1.5',0 ; DATA XREF: sub_351529E9+147 o
.rdata:35155278 ; sub_351529E9+1DA o
.rdata:35155278 ; sub_35152F0C+5A o
.rdata:35155278 ; sub_351535CB+49 o
.rdata:35155278 ; sub_35153A30+4A o
.rdata:3515527C ; char s_Ver[]
.rdata:3515527C s_Ver db 'ver',0 ; DATA XREF: sub_351529E9+12F o
.rdata:3515527C ; sub_351529E9+1DF o
.rdata:3515527C ; sub_351535CB+4E o
.rdata:3515527C ; sub_35153A30+39 o
.rdata:35155280 ; char s_Autorun_inf[]
.rdata:35155280 s_Autorun_inf db 'autorun.inf',0 ; DATA XREF: sub_351529E9+100 o
.rdata:35155280 ; sub_35152C2D+B0 o
.rdata:3515528C ; char s_Recycler_0[]
.rdata:3515528C s_Recycler_0 db 'RECYCLER\',0 ; DATA XREF: sub_351529E9+BC o
.rdata:3515528C ; sub_35152C2D+6C o
.rdata:35155296 align 4
.rdata:35155298 ; char s_Recycler[]
.rdata:35155298 s_Recycler db 'RECYCLER',0 ; DATA XREF: sub_351529E9+33 o
.rdata:351552A1 align 4
//该病毒为autorun类病毒,将自身写入RECYCLER(回收站)目录,并借助autorun.inf(上方的shell\Auto\command、shellexecute、OPEN等项)实现自动运行
serverhelp.zip浅析
serverhelp.zip是一个用VC++写的dll程序,伪装成zip文件,从中只提取到如下脚本:
.rdata:09167538 unicode 0, <my applet>,0
.rdata:0916754C s_Afterbegin: ; DATA XREF: sub_9153920+CF o
.rdata:0916754C unicode 0, <afterBegin>,0
.rdata:09167562 align 8
.rdata:09167568 ; char s_<divIdTmpdiv>[]
.rdata:09167568 s_<divIdTmpdiv> db '<div id=tmpdiv></div> <script language=javascript src=%s defer></script>',0
.rdata:09167568 ; DATA XREF: sub_9153AE0+158 o
(上面是一个HTML片段模板,%s处由程序填入脚本地址;结合前面的afterBegin字符串,疑似用于把远程脚本插入到页面中。)
对脚本不是很了解,只能分析到此
