css.exe逆向分析

int __stdcall sub_100637A(HMODULE a1, int a2, const CHAR *a3, int a4)
{
if ( Init(a1, a3, a4) )
{
v4 = TorjanKernelFuc();
DeleteTmpDirectory(v5); // - -病毒启动部分分析完毕、其实这只是一个外壳而已、做坏事的都是从CAB包里释放出来的垃圾
}
}

004019FC call 004018F0
00401A01 add esp, 4
00401A04 inc esi
00401A05 push esi
00401A06 call <DecodeProc>
00401A0B mov esi, eax
00401A0D add esp, 4
00401A10 test esi, esi
00401A12 jnz short 00401A1E
00401A14 push -2
00401A16 call 004018F0
00401A1B add esp, 4
00401A1E mov eax, dword ptr [404400]
00401A23 push eax
00401A24 push 00404408 ; ASCII "WCCCRXcIKDfnxnQyYmJydDgmd6LzEmGQ=="
00401A29 push esi
00401A2A call <InitString>
00401A2F add esp, 4
00401A32 push eax
00401A33 push edi
00401A34 call <InitString> ; 服务的说明字符串
00401A39 add esp, 4
00401A3C push eax
00401A3D call 00402050 ; 创建服务，启动服务、分析到此结束。

File already submitted: The file sent has already been analysed by VirusTotal in the past. This is same basic info regarding the sample itself and its last analysis:
MD5: e4ae1102c9e22fb3e20644d18fbd8462
Date first seen: 2010-05-17 23:10:20 (UTC)
Date last seen: 2010-05-17 23:10:20 (UTC)
Detection ratio: 30/40

[注意]传递专业知识、拓宽行业人脉——看雪讲师团队等你加入！