1. Drops autorun.inf and the virus file in the root of each drive letter
00405044 MOV ECX,sbl.00405364 ASCII "\1.inf"
00405072 MOV ECX,sbl.00405364 ASCII "\1.inf"
004050B8 MOV EDX,sbl.00405374 ASCII "[autorun]"
004050D2 MOV EDX,sbl.00405388 ASCII "OPEN=sbl.exe"
004050EC MOV EDX,sbl.004053A0 ASCII "shellexecute=sbl.exe"
00405106 MOV EDX,sbl.004053C0 ASCII "shell\Auto\command=sbl.exe"
00405120 MOV EDX,sbl.004053E4 ASCII "shell=open"
004051DD MOV EDX,sbl.004053FC ASCII ":\autorun.inf"
0040520D MOV EDX,sbl.00405414 ASCII ":\sbl.exe"
00405256 MOV EDX,sbl.004053FC (Initial CPU selection)
00405272 MOV ECX,sbl.00405364 ASCII "\1.inf"
004052A8 MOV EDX,sbl.004053FC ASCII ":\autorun.inf"
004052D8 MOV EDX,sbl.00405414 ASCII ":\sbl.exe"
00405364 ASCII "\1.inf",0
2. Shuts down the system firewall, drops DLL and EXE files, creates a service
004055E6 PUSH sbl.00405664 ASCII "Shell32.dll"
004055F5 PUSH sbl.00405670 ASCII "ShellExecuteA"
00405619 PUSH sbl.00405680 ASCII "open"
00405664 ASCII "Shell32.dll",0
00405670 ASCII "ShellExecuteA",0
00405680 ASCII "open",0
004056A6 PUSH sbl.00405730 ASCII "cmd.exe /c net stop sharedaccess"
004056CA MOV ECX,sbl.0040575C ASCII "\lovesbl.dll"
004056E6 MOV ECX,sbl.00405774 ASCII "\urlmon.dll"
00405730 ASCII "cmd.exe /c net stop sharedaccess",0
0040575C ASCII "\lovesbl.dll",0
00405774 ASCII "\urlmon.dll",0
3. Sends WM_CLOSE once every 3 milliseconds (fairly vicious), and kills the avp.exe process (the author has a grudge against Kaspersky)
4. Downloads and then runs a program
Sleeps 200 milliseconds each pass
Engine | Engine version | Signature version | Signature date | Result | Scan time (s)
a-squared | 3.0.0.123 | 2007.09.20 | 2007-09-20 | - | 7.881
AntiVir | 7.6.0.15 | 6.39.1.163 | 2007-09-21 | TR/Hijack.Explor.4380 | 2.665
Arcavir | 1.0.4 | 200709201237 | 2007-09-20 | - | 2.402
AVAST | 1.0.8 | 000775-4 | 2007-09-20 | Win32:Agent-KNZ [Trj] | 3.070
AVG | 7.5.49.442 | 269.13.25/1018 | 2007-09-19 | Generic7.MVV | 1.834
BitDefender | 7.60825.896043 | 7.14874 | 2007-09-21 | BehavesLike:Win32.ExplorerHijack | 3.659
CA (VET) | 8.4.0.24 | 31.2.5152 | 2007-09-21 | - | 1.571
ClamAV | 0.91.1 | 4357 | 2007-09-21 | - | 0.039
Comodo | 2.11 | 2.0.0.291 | 2007-09-21 | - | 2.801
Dr.WEB | 4.33 | 2007.09.21 | 2007-09-21 | Win32.HLLW.Autoruner.572 | 6.029
ewido | 4.0.0.2 | 2007.09.20 | 2007-09-20 | - | 2.136
F-PROT | 4.4.0.50 | 20070921 | 2007-09-21 | - | 1.610
F-SECURE | 5.51.6100 | 2007.09.21.02 | 2007-09-21 | - | 3.985
IKARUS | T3.1.1.12 | 2007.09.21.69539 | 2007-09-21 | Trojan-PWS.Win32.Delf.mc | 2.277
MKS_VIR | 2.01 | 2007.09.20 | 2007-09-20 | - | 4.353
NOD32 | 2.70.10 | 2542 | 2007-09-21 | - | 0.024
NORMAN | 5.91.07 | 5.90 | 2007-09-21 | W32/Malware.ARIA | 5.180
nProtect | 2007-09-21.00 | 57020 | 2007-09-21 | - | 20.375
QuickHeal | 9.00 | 2007.09.20 | 2007-09-20 | - | 5.225
SOPHOS | 2.49.1 | 4.21 | 2007-09-21 | - | 3.926
The Hacker | 6.2.5 | v00064 | 2007-09-20 | - | 1.692
VBA32 | 3.12.2.4 | 20070921.0404 | 2007-09-21 | - | 0.869
ViRobot | 20070920 | 2007.09.20 | 2007-09-20 | Trojan.Win32.PSWIGames.25088.P | 0.745
VirusBuster | 4.3.19:9 | 9.106.3/11.0 | 2007-09-20 | - | 2.176
Kaspersky | 5.5.10 | 2007.09.21 | 2007-09-21 | - | 0.033
Jiangmin | 10.00.650 | 2007.09.20 | 2007-09-20 | - | 2.552
Panda | 9.04.03.0001 | 2007.09.20 | 2007-09-20 | - | 11.355
Rising | 19.0 | 19.41.40.00 | 2007-09-20 | - | 4.020
Symantec | 1.3.0.24 | 20070920.009 | 2007-09-20 | - | 0.237
Trend Micro | 8.500-1001 | 4.733.00 | 2007-09-20 | TROJ_ARIA.A | 0.036
McAfee | 5.2.00 | 5124 | 2007-09-20 | - | 1.241
Kingsoft | 2007.6.20.249 | 2007.9.21 | 2007-09-21 | - | 1.843
Fortinet | 2.81-3.11 | 8.126 | 2007-09-19 | - | 2.126
[ This post was last edited by promised on 2007-9-22 14:39 ]
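The autorun.inf that the dropper writes in step 1 can be reconstructed from the string references at 004050B8 through 00405120. The Python below is an added example, not code from the original post or from the sample: it parses such a file, lists every launch path Windows honours (open=, shellexecute=, shell\Verb\command=, and the default verb selected by shell=), and applies a triage heuristic of my own (several launch paths all converging on one bare executable at the drive root). SAMPLE_AUTORUN is constructed from those strings; BENIGN_AUTORUN, the function names and the heuristic thresholds are assumptions for illustration.

```python
"""Parse autorun.inf launch keys and flag the removable-media worm pattern.

Added example (Python), not code from the original post or from the sample
being analysed. SAMPLE_AUTORUN is reconstructed from the strings the post
shows at 004050B8..00405120 ("[autorun]", "OPEN=sbl.exe",
"shellexecute=sbl.exe", "shell\\Auto\\command=sbl.exe", "shell=open");
the parser, the heuristic in is_worm_like() and BENIGN_AUTORUN are my own.
"""
import re

# [autorun] keys whose value Windows runs directly.
LAUNCH_KEYS = ("open", "shellexecute")
# shell\<verb>\command=... defines a context-menu verb for the drive.
VERB_COMMAND_RE = re.compile(r"^shell\\([^\\=]+)\\command$", re.IGNORECASE)

# Constructed sample: what the sbl.exe dropper writes to X:\autorun.inf.
SAMPLE_AUTORUN = (
    "[autorun]\r\n"
    "OPEN=sbl.exe\r\n"
    "shellexecute=sbl.exe\r\n"
    "shell\\Auto\\command=sbl.exe\r\n"
    "shell=open\r\n"
)

# Constructed sample of a typical install CD, for contrast (assumed content).
BENIGN_AUTORUN = "[autorun]\nopen=setup\\install.exe /autorun\nicon=setup.ico\n"


def parse_autorun(text):
    """Return the key/value pairs of the [autorun] section, in file order.

    Section and key matching is case-insensitive, as in the shell's INI
    handling; other sections (e.g. [DeviceInstall]) are ignored.
    """
    entries = []
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, value = line.split("=", 1)
            entries.append((key.strip(), value.strip()))
    return entries


def launch_targets(text):
    """List every way this autorun.inf can start a program.

    Each item is (how, command) with how one of:
      'open'            AutoRun/AutoPlay launch (open=)
      'shellexecute'    ShellExecute-style launch (shellexecute=)
      'verb:<Name>'     a verb added to the drive's context menu
      'default:<name>'  the verb run on double-click, chosen by shell=
    """
    entries = parse_autorun(text)
    targets, verbs = [], {}
    open_cmd = default_verb = None
    for key, value in entries:
        k = key.lower()
        if k in LAUNCH_KEYS:
            targets.append((k, value))
            if k == "open":
                open_cmd = value
        elif k == "shell":
            default_verb = value.lower()
        else:
            m = VERB_COMMAND_RE.match(key)
            if m:
                verbs[m.group(1).lower()] = value
                targets.append(("verb:" + m.group(1), value))
    if default_verb:
        # shell=open falls back to the open= key when no shell\open\command exists.
        cmd = verbs.get(default_verb, open_cmd if default_verb == "open" else None)
        if cmd is not None:
            targets.append(("default:" + default_verb, cmd))
    return targets


def launched_files(text):
    """Set of distinct executables named by the launch keys (lower-cased)."""
    return {cmd.split()[0].lower() for _, cmd in launch_targets(text) if cmd.split()}


def is_worm_like(text):
    """Heuristic: every launch path is wired to one bare file at the root.

    Install media normally use a single open= pointing into a directory.
    Autorun worms set open=, shellexecute= and shell\\X\\command= all to the
    same file dropped beside autorun.inf so that some path fires on every
    Windows version. Three or more launch paths converging on one
    directory-less executable is the pattern this sample shows.
    """
    files = launched_files(text)
    if len(files) != 1:
        return False
    exe = next(iter(files))
    return len(launch_targets(text)) >= 3 and "\\" not in exe and "/" not in exe


if __name__ == "__main__":
    for how, cmd in launch_targets(SAMPLE_AUTORUN):
        print(f"{how:16} -> {cmd}")
    print("worm-like:", is_worm_like(SAMPLE_AUTORUN))
```

Running it against SAMPLE_AUTORUN reports four launch paths (open, shellexecute, the Auto verb and the default open verb), all resolving to sbl.exe, which is the redundancy worms of this family use to guarantee execution on different Windows versions; the install-CD sample yields a single path into a subdirectory and is not flagged.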