
简析auto.exe+8位随机 病毒

[ 作者:阿虎 | 更新日期:2007-10-9 09:48:36 | 阅读次数: ]

auto.exe病毒先看看

newcenturymoonauto.exe及其下载的木马群的处理(更新)

http://www.newjian.net/auto_bingduzhuansha/200709281070.html

孤独更可靠Auto.exe病毒分析

http://www.newjian.net/auto_bingduzhuansha/20070920915.html

本文是阿虎6月的分析!

查杀方法:http://www.newjian.net/auto_bingduzhuansha/200710091239.html

在每个驱动器下都有一个auto.exe(我获得的样本),大小19.6K,加了好多花,不知道什么语言写的;脱壳去花后发现是Microsoft Visual C++ 6.0编写,大小81.5K,由2个文件捆绑而成:一个exe和一个dll。下面先分析那个exe:

_X_V0:00407CB0 ; unsigned __int8 s_Uokwin_dll
_X_V0:00407CB0 s_Uokwin_dll         db 'uokwin.dll',0            ; DATA XREF: sub_401479+6D o //把那个DLL8位随机数命名
_X_V0:00407CB0                                              ; WinMain(x,x,x,x)+A0 o
_X_V0:00407CBB                      align 4
_X_V0:00407CBC                      dd 3Dh dup(0)
_X_V0:00407DB0 ; unsigned __int8 s_Uokwin_exe
_X_V0:00407DB0 s_Uokwin_exe         db 'uokwin.exe',0            ; DATA XREF: sub_401479+A2 o //把那个EXE8位随机数命名

_X_V0:00407DBB                      align 4
_X_V0:00407DBC                      dd 3Dh dup(0)
_X_V0:00407EB0 s_Winlogon_exe       db 'winlogon.exe',0          ; DATA XREF: sub_401479+105 o //DLL插入'winlogon.exe'
_X_V0:004080B0 ; char s_IBA6_0IK[]
_X_V0:004080B0 s_IBA6_0IK           db '卡巴斯基反病毒软件 6.0: 通知',0             //发现咔吧
_X_V0:004080B0                                              ; DATA XREF: sub_401000:loc_4011B7 o
_X_V0:004080CD                      align 10h
_X_V0:004080D0 s_Del0               db 'del %0',0Dh,0Ah,0        ; DATA XREF: sub_401000+174 o //经典过咔吧
_X_V0:004080D0                                              ; sub_4011E2+252 o
_X_V0:004080D9                      align 4
_X_V0:004080DC s_DateGgka           db 'date %ggka%',0Dh,0Ah,0 ; DATA XREF: sub_401000+14A o //保存现在系统日期
_X_V0:004080EA                      align 4
_X_V0:004080EC s_Ping-n43Local db 'ping -n 43 localhost > nul',0Dh,0Ah,0   //ping 43次 127.0.0.1
_X_V0:004080EC                                              ; DATA XREF: sub_401000+120 o
_X_V0:00408109                      align 4
_X_V0:0040810C ; unsigned __int8 s_Date2005-01-1
_X_V0:0040810C s_Date2005-01-1 db 'date 2005-01-18',0Dh,0Ah,0 ; DATA XREF:        sub_401000+F1 o //日期改为2005-01-18
_X_V0:0040811E                      align 10h
_X_V0:00408120 s_SetGgkaDate        db 'set ggka=%date%',0Dh,0Ah,0 ; DATA XREF:        sub_401000+C7 o //将原来备份的时间还原!
_X_V0:00408132                      align 4
_X_V0:00408134 ; unsigned __int8 s_
_X_V0:00408134 s_@echoOff           db '@echo off',0Dh,0Ah,0 ; DATA XREF: sub_401000+92 o  //编辑批处理,准备自杀!和杀咔吧!
_X_V0:00408134                                              ; sub_4011E2+DF o
_X_V0:00408140 s_Ggkb_bat           db '\ggkb.bat',0             ; DATA XREF: sub_401000+55 o
_X_V0:0040814A                      align 4
_X_V0:0040814C ; char sz[]
_X_V0:0040814C sz                   db 'avp.exe',0               ; DATA XREF: sub_401000+A o
_X_V0:00408154 s_GotoSelfkill       db '" goto selfkill',0Dh,0Ah,0 ; DATA XREF: sub_4011E2+228 o
_X_V0:00408166                      align 4
_X_V0:00408168 s_IfExist            db 'if exist "',0            ; DATA XREF: sub_4011E2+1D2 o
_X_V0:00408173                      align 4
_X_V0:00408174 asc_408174           db '"',0Dh,0Ah,0             ; DATA XREF: sub_4011E2+1A8 o
_X_V0:00408178 ; unsigned __int8 byte_408178
_X_V0:00408178 byte_408178          db 64h                       ; DATA XREF: sub_4011E2+148 o
_X_V0:00408184 ; unsigned __int8 byte_408184
_X_V0:00408184 byte_408184          db 3Ah                       ; DATA XREF: sub_4011E2+119 o
_X_V0:0040819D                      align 10h
_X_V0:004081A0 dword_4081A0         dd 6B2D20h                   ; DATA XREF: WinMain(x,x,x,x)+1DD o
_X_V0:004081A4 ; char s_-k[]
_X_V0:004081A4 s_-k                 db '-k',0                    ; DATA XREF: WinMain(x,x,x,x)+19C o
_X_V0:004081A7                      align 4
_X_V0:004081A8 ; char Operation[]
_X_V0:004081A8 Operation            db 'open',0                  ; DATA XREF: WinMain(x,x,x,x)+152 o
_X_V0:004081AD                      align 10h
_X_V0:004081B0 ; char File[]
_X_V0:004081B0 File                 db 'explorer.exe',0          ; DATA XREF: WinMain(x,x,x,x)+14D o  //干掉咔吧开始注入'explorer.exe'
_X_V0:004081BD                      align 10h
_X_V0:004081C0 ; char s_C[]
_X_V0:004081C0 s_C                  db '%c:\',0                  ; DATA XREF: WinMain(x,x,x,x)+12D o  //除C盘外所有驱动器下拷贝自己'auto.exe'
_X_V0:004081C5                      align 4
_X_V0:004081C8 ; char s_Auto_exe[]
_X_V0:004081C8 s_Auto_exe           db 'auto.exe',0              ; DATA XREF: WinMain(x,x,x,x)+FC o
_X_V0:004081D1                      align 4
_X_V0:004081D4 ; unsigned __int8 byte_4081D4
_X_V0:004081D4 byte_4081D4          db 2Eh                       ; DATA XREF: WinMain(x,x,x,x)+AC o
_X_V0:004081D5                      db 44h, 2 dup(4Ch)
_X_V0:004081D8                      dd 0
_X_V0:004081DC ; unsigned __int8 byte_4081DC
_X_V0:004081DC byte_4081DC          db 2Eh                       ; DATA XREF: WinMain(x,x,x,x)+79 o
_X_V0:004081DD                      db 45h, 58h, 45h
_X_V0:004081E0                      dd 0
_X_V0:004081E4 ; char RootPathName[]
_X_V0:004081E4 RootPathName         db 'c:\',0                   ; DATA XREF: sub_401AF7+12 o
_X_V0:004081E8 ; char s_X[]
_X_V0:004081E8 s_X                  db '%x',0                    ; DATA XREF: sub_401B37+59 o
_X_V0:004081EB                      align 4
_X_V0:004081EC ; char s_Type[]
_X_V0:004081EC s_Type               db 'Type',0                  ; DATA XREF: sub_401C16+1A8 o
_X_V0:004081F1                      align 4
_X_V0:004081F4 ; char s_Start[]
_X_V0:004081F4 s_Start              db 'Start',0                 ; DATA XREF: sub_401C16+192 o
_X_V0:004081FA                      align 4
_X_V0:004081FC ; char s_Objectname[]
_X_V0:004081FC s_Objectname         db 'ObjectName',0            ; DATA XREF: sub_401C16+17F o
_X_V0:00408207                      align 4
_X_V0:00408208 ; BYTE Data
_X_V0:00408208 Data                 db 'LocalSystem',0           ; DATA XREF: sub_401C16+174 o
_X_V0:00408214 ; char s_Imagepath[]
_X_V0:00408214 s_Imagepath          db 'ImagePath',0             ; DATA XREF: sub_401C16+169 o
_X_V0:0040821E                      align 10h
_X_V0:00408220 ; char s_Errorcontrol[]
_X_V0:00408220 s_Errorcontrol       db 'ErrorControl',0          ; DATA XREF: sub_401C16+155 o
_X_V0:0040822D                      align 10h
_X_V0:00408230 ; char ValueName[]
_X_V0:00408230 ValueName            db 'DisplayName',0           ; DATA XREF: sub_401C16+132 o
_X_V0:0040823C s_Description        db 'Description',0           ; DATA XREF: sub_401C16+57 o
_X_V0:00408248 s_SystemCurrent db 'SYSTEM\CurrentControlSet\Services\',0
_X_V0:00408248                                              ; DATA XREF: sub_401C16+34 o  //添加服务启动,7位的随机文件

DLL

__V0:10006C3A                      align 4
___V0:10006C3C ; char s_Reportbootok[]
___V0:10006C3C s_Reportbootok       db 'ReportBootOk',0          ; DATA XREF: sub_10001000+12 o
___V0:10006C49                      align 4
___V0:10006C4C ; char SubKey[]
___V0:10006C4C SubKey               db 'SYSTEM\CurrentControlSet\Services\ERSvc',0  //病毒启动的服务!
___V0:10006C4C                                              ; DATA XREF: sub_10001000:loc_10001006 o
___V0:10006C74 s_SoftwareMic_0 db 'SOFTWARE\Microsoft\PCHealth\ErrorReporting',0
___V0:10006C74                                              ; DATA XREF: sub_10001000+1 o
___V0:10006C9F                      align 10h
___V0:10006CA0 asc_10006CA0:                                ; DATA XREF: sub_10001111+5A o

...........................................

___V0:10006D88 s_Update_txt         db '/update.txt',0           ; DATA XREF: sub_1000151D+9C o //病毒自我更新
___V0:10006D94 ; char s_Http211_100_0[]
___V0:10006D94 s_Http211_100_0 db 'http://211.100.21.4/info.cnt?id=506267&referer=&resolve=&navigator=&color=&title=&resource'
___V0:10006D94                                              ; DATA XREF: sub_10001C6D+4A2 o
___V0:10006D94                      db '=&clientsys=&flux_stat_user=&flux_new_user=',0
___V0:10006E1A                      align 4
___V0:10006E1C ; char szUrlName[]
___V0:10006E1C szUrlName            db 'http://211.100.21.4/info.cnt?id=506265&referer=&resolve=&navigator=&color=&title=&resource'
___V0:10006E1C                                              ; DATA XREF: sub_10001C6D+495 o
___V0:10006E1C                      db '=&clientsys=&flux_stat_user=&flux_new_user=',0
___V0:10006EA4 s_SDDS               db '%s%d%d%s',0              ; DATA XREF: sub_10001C6D+400 o
...................................

___V0:10007150 ; char s_CAutorun_inf[]
___V0:10007150 s_CAutorun_inf       db '%c:\autorun.inf',0       ; DATA XREF: sub_10003C33+3E o  //生成autorun.inf
___V0:10007160 ; struct HKEY__ stru_10007160
___V0:10007160 stru_10007160        HKEY__ <74666F53h>           ; DATA XREF: sub_10003C33+2B o
___V0:10007164                      db       77h ; w
___V0:10007165                      db       61h ; a
___V0:10007166                      db       72h ; r
___V0:10007167                      db       65h ; e
___V0:10007168                      db       5Ch ; \
___V0:10007169                      db       4Dh ; M
___V0:1000716A                      db       69h ; i
___V0:1000716B                      db       63h ; c
___V0:1000716C                      db       72h ; r
___V0:1000716D                      db       6Fh ; o
___V0:1000716E                      db       73h ; s
___V0:1000716F                      db       6Fh ; o
___V0:10007170                      db       66h ; f
___V0:10007171                      db       74h ; t
___V0:10007172                      db       5Ch ; \
___V0:10007173                      db       77h ; w
___V0:10007174                      db       69h ; i
___V0:10007175                      db       6Eh ; n
___V0:10007176                      db       64h ; d
___V0:10007177                      db       6Fh ; o
___V0:10007178                      db       77h ; w
___V0:10007179                      db       73h ; s
___V0:1000717A                      db       5Ch ; \
___V0:1000717B                      db       43h ; C
___V0:1000717C                      db       75h ; u
___V0:1000717D                      db       72h ; r
___V0:1000717E                      db       72h ; r
___V0:1000717F                      db       65h ; e
___V0:10007180                      db       6Eh ; n
___V0:10007181                      db       74h ; t
___V0:10007182                      db       56h ; V
___V0:10007183                      db       65h ; e
___V0:10007184                      db       72h ; r
___V0:10007185                      db       73h ; s
___V0:10007186                      db       69h ; i
___V0:10007187                      db       6Fh ; o
___V0:10007188                      db       6Eh ; n
___V0:10007189                      db       5Ch ; \
___V0:1000718A                      db       65h ; e
___V0:1000718B                      db       78h ; x
___V0:1000718C                      db       70h ; p
___V0:1000718D                      db       6Ch ; l
___V0:1000718E                      db       6Fh ; o
___V0:1000718F                      db       72h ; r
___V0:10007190                      db       65h ; e
___V0:10007191                      db       72h ; r
___V0:10007192                      db       5Ch ; \
___V0:10007193                      db       41h ; A
___V0:10007194                      db       64h ; d
___V0:10007195                      db       76h ; v
___V0:10007196                      db       61h ; a
___V0:10007197                      db       6Eh ; n
___V0:10007198                      db       63h ; c
___V0:10007199                      db       65h ; e
___V0:1000719A                      db       64h ; d
___V0:1000719B                      db       5Ch ; \
___V0:1000719C                      db       46h ; F
___V0:1000719D                      db       6Fh ; o
___V0:1000719E                      db       6Ch ; l                                              //强制隐藏!
___V0:1000719F                      db       64h ; d
___V0:100071A0                      db       65h ; e
___V0:100071A1                      db       72h ; r
___V0:100071A2                      db       5Ch ; \
___V0:100071A3                      db       48h ; H
___V0:100071A4                      db       69h ; i
___V0:100071A5                      db       64h ; d
___V0:100071A6                      db       64h ; d
___V0:100071A7                      db       65h ; e
___V0:100071A8                      db       6Eh ; n
___V0:100071A9                      db       5Ch ; \
___V0:100071AA                      db       53h ; S
___V0:100071AB                      db       48h ; H
___V0:100071AC                      db       4Fh ; O
___V0:100071AD                      db       57h ; W
___V0:100071AE                      db       41h ; A
___V0:100071AF                      db       4Ch ; L
___V0:100071B0                      db       4Ch ; L
___V0:100071B1                      db         0
___V0:100071B4 ; char s_Checkedvalue[]
___V0:100071B4 s_Checkedvalue       db 'CheckedValue',0          ; DATA XREF: sub_10003C33+26 o
___V0:100071C4 s_Autorun            db 'AutoRun',0               ; DATA XREF: sub_10003C33+1F o


