红伞不报，偶中了，清理病毒去，看见是个文件夹就点了，仔细看后缀是exe，就拿OD插件跑出来的字串参考清理……清理时照着下面字串里出现的项查：run\html 这个自启动注册表项和它指向的 c:\windows\profile\susoft.exe，policies\system\disableregistrytools 和 policies\explorer\nofolderoptions 这两个策略键，以及各盘根目录下的 musica.exe 副本。
。。。
地址 反汇编 文本字串
004015D8 PUSH aaa.0040A7C0 (初始 cpu 选择)
0040CF3C MOV EAX,aaa.0040B674 hkey_current_user\software\microsoft\windows\currentversion\run\html
0040CF51 MOV EDX,aaa.0040B704 c:\windows\profile\susoft.exe
0040CF5E PUSH aaa.0040B744 regwrite
0040CF92 MOV DWORD PTR SS:[EBP-4C],aaa.0040B75C \profile
0040CFEB MOV DWORD PTR SS:[EBP-4C],aaa.0040B75C \profile
0040D02E MOV DWORD PTR SS:[EBP-4C],aaa.0040B77C \profile\susoft.exe
0040D14D MOV DWORD PTR SS:[EBP-4C],aaa.0040B77C \profile\susoft.exe
0040D177 PUSH aaa.0040B7A8 \
0040D194 PUSH aaa.0040B7B0 .exe
0040D1F2 MOV DWORD PTR SS:[EBP-4C],aaa.0040B77C \profile\susoft.exe
0040DA60 MOV DWORD PTR SS:[EBP-4C],aaa.0040B7E0 cmd.exe /c start iexplore http://www.metroflog.com/ricardosuazo
0040DA99 MOV DWORD PTR SS:[EBP-4C],aaa.0040B864 cmd.exe /c msg * firma mi metroflog ;)!!
0040DB73 MOV DWORD PTR SS:[EBP-4C],aaa.0040B7E0 cmd.exe /c start iexplore http://www.metroflog.com/ricardosuazo
0040DBAC MOV DWORD PTR SS:[EBP-4C],aaa.0040B864 cmd.exe /c msg * firma mi metroflog ;)!!
0040DBEA MOV DWORD PTR SS:[EBP-4C],aaa.0040B7E0 cmd.exe /c start iexplore http://www.metroflog.com/ricardosuazo
0040DC23 MOV DWORD PTR SS:[EBP-4C],aaa.0040B864 cmd.exe /c msg * firma mi metroflog ;)!!
0040DC5E MOV DWORD PTR SS:[EBP-4C],aaa.0040B7E0 cmd.exe /c start iexplore http://www.metroflog.com/ricardosuazo
0040DC97 MOV DWORD PTR SS:[EBP-4C],aaa.0040B864 cmd.exe /c msg * firma mi metroflog ;)!!
0040DE3B PUSH aaa.0040B8BC wscript.shell
0040DE72 PUSH aaa.0040B8DC scripting.filesystemobject
0040DEA2 MOV EAX,aaa.0040B918 desktop
0040DEA9 PUSH aaa.0040B928 specialfolders
0040DF04 MOV EAX,aaa.0040B94C mydocuments
0040DF1E PUSH aaa.0040B928 specialfolders
0040DF66 MOV EAX,aaa.0040B968 startup
0040DF6D PUSH aaa.0040B928 specialfolders
0040DFD1 PUSH aaa.0040B978 getspecialfolder
0040E0C7 PUSH aaa.0040B9A0 \su.soft
0040E0DC PUSH aaa.0040B9B8 .html
0040E0F3 PUSH aaa.0040B9C8 <html><head><title>ricardosuazo</title></head><body bgcolor =
0040E0F8 PUSH aaa.0040B29C black
0040E107 PUSH aaa.0040BA48 >
0040E116 PUSH aaa.0040BA50 </doby></html>
0040E125 PUSH aaa.0040BA74 \n\n
0040E150 PUSH aaa.0040BA80 <p align =
0040E15F PUSH aaa.0040B2BC center
0040E16E PUSH aaa.0040BA48 >
0040E17D PUSH aaa.0040BA9C <font size = 6 color =
0040E18C PUSH aaa.0040B2AC lime
0040E19B PUSH aaa.0040BA48 >
0040E1AA PUSH aaa.0040BAD0 di no a las drogas</font></p>
0040E1B9 PUSH aaa.0040BA74 \n\n
0040E1EE PUSH aaa.0040BB10 <br><br><p align =
0040E1FD PUSH aaa.0040B2BC center
0040E20C PUSH aaa.0040BA48 >
0040E21B PUSH aaa.0040BB3C <font size 4 color =
0040E22A PUSH aaa.0040B2AC lime
0040E239 PUSH aaa.0040BA48 >
0040E248 PUSH aaa.0040BB6C ------------ tu sistema operativo ha sido infectado por un mortal virus ------------ </font></p>
0040E257 PUSH aaa.0040BA74 \n\n
0040E28C PUSH aaa.0040BC34 <br><font size = 3 color =
0040E29B PUSH aaa.0040B2D0 green
0040E2AA PUSH aaa.0040BA48 >
0040E2B9 PUSH aaa.0040BC70 <a href =
0040E2C8 PUSH aaa.0040BCA8 http://www.metroflog.com/ricardosuazo>
0040E2D7 PUSH aaa.0040BCFC www.metroflog.com/ricardosuazo
0040E2E6 PUSH aaa.0040BD40 </a>
0040E2F5 PUSH aaa.0040BD50 </font></body></html>
0040E304 PUSH aaa.0040BA74 \n\n
0040E33D PUSH aaa.0040BC34 <br><font size = 3 color =
0040E34C PUSH aaa.0040B2D0 green
0040E35B PUSH aaa.0040BA48 >
0040E36A PUSH aaa.0040BD80 http://groups.msn.com/ricardosuazo
0040E379 PUSH aaa.0040BDCC </font>
0040E388 PUSH aaa.0040BA74 \n\n
0040E3B5 PUSH aaa.0040BC34 <br><font size = 3 color =
0040E3C4 PUSH aaa.0040B2D0 green
0040E3D3 PUSH aaa.0040BA48 >
0040E3E2 PUSH aaa.0040BC70 <a href =
0040E3F1 PUSH aaa.0040BDE0 http://www.hotmail.com> www.hotmail.com </a>
0040E400 PUSH aaa.0040BDCC </font>
0040E40F PUSH aaa.0040BA74 \n\n
0040E440 PUSH aaa.0040BC34 <br><font size = 3 color =
0040E44F PUSH aaa.0040B2D0 green
0040E45E PUSH aaa.0040BA48 >
0040E46D PUSH aaa.0040BC70 <a href =
0040E47C PUSH aaa.0040BE84 http://www.sexyono.com> www.sexyono.com </a>
0040E48B PUSH aaa.0040BDCC </font>
0040E49A PUSH aaa.0040BA74 \n\n
0040E4CB PUSH aaa.0040BC34 <br><font size = 3 color =
0040E4DA PUSH aaa.0040B2D0 green
0040E4E9 PUSH aaa.0040BA48 >
0040E4F8 PUSH aaa.0040BC70 <a href =
0040E507 PUSH aaa.0040BEE4 http://www.google.com> www.google.com </a>
0040E516 PUSH aaa.0040BDCC </font>
0040E525 PUSH aaa.0040BA74 \n\n
0040E556 PUSH aaa.0040BC34 <br><font size = 3 color =
0040E565 PUSH aaa.0040B2D0 green
0040E574 PUSH aaa.0040BA48 >
0040E583 PUSH aaa.0040BF40 <a = href=
0040E592 PUSH aaa.0040BF5C http://www.lawebelprogramador.com> www.lawebelprogramador.com </a>
0040E5A1 PUSH aaa.0040BDCC </font>
0040E5B0 PUSH aaa.0040BA74 \n\n
0040E5E1 PUSH aaa.0040BC34 <br><font size = 3 color =
0040E5F0 PUSH aaa.0040B2D0 green
0040E5FF PUSH aaa.0040BA48 >
0040E60E PUSH aaa.0040BF40 <a = href=
0040E61D PUSH aaa.0040BFE8 www.elguille.com> www.elguille.com </a>
0040E62C PUSH aaa.0040BDCC </font>
0040E63B PUSH aaa.0040BA74 \n\n
0040E66C PUSH aaa.0040BC34 <br><font size = 3 color =
0040E67B PUSH aaa.0040B2D0 green
0040E68A PUSH aaa.0040BA48 >
0040E699 PUSH aaa.0040C068 www.recursosbisualbasic.com.ar> www.recursosbisualbasic.com.ar </a>
0040E6A8 PUSH aaa.0040BDCC </font>
0040E6D1 PUSH aaa.0040C0F4 <br><br><br><font size = 3 color =
0040E6E0 PUSH aaa.0040B2AC lime
0040E6EF PUSH aaa.0040BA48 >
0040E6FE PUSH aaa.0040C140 <a href = www.metroflog.com/ricardosuazo> by c.r.s. </a>
0040E70D PUSH aaa.0040BDCC </font>
0040E7D9 PUSH aaa.0040C1C0 open
0040E8F9 PUSH aaa.0040C1D0 \format.bat
0040E922 PUSH aaa.0040C1E8 createtextfile
0040E978 PUSH aaa.0040C20C del /s /q /f
0040E997 PUSH aaa.0040C228 writeline
0040E9C4 PUSH aaa.0040C038 close
0040E9DE PUSH aaa.0040C1D0 \format.bat
0040EC5A PUSH aaa.0040C048 d:\musica.exe
0040EC63 PUSH aaa.0040B7A8 \
0040EC90 PUSH aaa.0040B7B0 .exe
0040EE6E PUSH aaa.0040BE40 e:\musica.exe
0040EE77 PUSH aaa.0040B7A8 \
0040EEA4 PUSH aaa.0040B7B0 .exe
0040F082 PUSH aaa.0040BE60 f:\musica.exe
0040F08B PUSH aaa.0040B7A8 \
0040F0B8 PUSH aaa.0040B7B0 .exe
0040F296 PUSH aaa.0040BC88 g:\musica.exe
0040F29F PUSH aaa.0040B7A8 \
0040F2CC PUSH aaa.0040B7B0 .exe
0040F4AA PUSH aaa.0040C244 h:\musica.exe
0040F4B3 PUSH aaa.0040B7A8 \
0040F4E0 PUSH aaa.0040B7B0 .exe
0040F6BE PUSH aaa.0040C264 i:\musica.exe
0040F6C7 PUSH aaa.0040B7A8 \
0040F6F4 PUSH aaa.0040B7B0 .exe
0040F8D2 PUSH aaa.0040C284 j:\musica.exe
0040F8DB PUSH aaa.0040B7A8 \
0040F908 PUSH aaa.0040B7B0 .exe
0040FAF0 PUSH aaa.0040C2A4 \musica.exe
0040FB0B PUSH aaa.0040B7A8 \
0040FB38 PUSH aaa.0040B7B0 .exe
0040FD21 PUSH aaa.0040C2A4 \musica.exe
0040FD3C PUSH aaa.0040B7A8 \
0040FD69 PUSH aaa.0040B7B0 .exe
0040FDCF PUSH aaa.0040C2A4 \musica.exe
0040FEA6 MOV EAX,aaa.0040B674 hkey_current_user\software\microsoft\windows\currentversion\run\html
0040FEB5 MOV EDX,aaa.0040B704 c:\windows\profile\susoft.exe
0040FED5 PUSH aaa.0040B744 regwrite
0040FEFA MOV EAX,aaa.0040C2C0 hkey_local_machine\software\microsoft\windows\currentversion\run\html
0040FF08 PUSH aaa.0040B744 regwrite
0040FF43 MOV EAX,aaa.0040C350 hkey_current_user\software\microsoft\windows\currentversion\policies\system\
0040FF4A PUSH aaa.0040B744 regwrite
0040FF6E MOV EAX,aaa.0040C410 hkey_current_user\software\microsoft\windows\currentversion\policies\system\disableregistrytools
0040FFAE PUSH aaa.0040B744 regwrite
0040FFBB MOV EAX,aaa.0040C4D8 reg_dword
0040FFDA MOV EAX,aaa.0040C4F0 hkey_current_user\software\microsoft\windows\currentversion\policies\explorer\nofolderoptions
0041001A PUSH aaa.0040B744 regwrite
00410027 MOV EAX,aaa.0040C4D8 reg_dword
0041023C MOV DWORD PTR SS:[EBP-9C],aaa.0040C5B0 homedrive
0041026D MOV DWORD PTR SS:[EBP-AC],aaa.0040C5C8 homepath
004102A4 MOV DWORD PTR SS:[EBP-BC],aaa.0040C3F0 \escritorio\
0041031B MOV DWORD PTR SS:[EBP-9C],aaa.0040C5E0 susoft.exe
0041048D PUSH aaa.0040B7A8 \
004104AA PUSH aaa.0040C5FC .exe
00410554 MOV DWORD PTR SS:[EBP-9C],aaa.0040B75C \profile
004105B6 MOV DWORD PTR SS:[EBP-9C],aaa.0040B75C \profile
00410601 MOV DWORD PTR SS:[EBP-9C],aaa.0040B77C \profile\susoft.exe
00410731 MOV DWORD PTR SS:[EBP-9C],aaa.0040B77C \profile\susoft.exe
00410761 PUSH aaa.0040B7A8 \
00410786 PUSH aaa.0040B7B0 .exe
004107E9 MOV DWORD PTR SS:[EBP-9C],aaa.0040B77C \profile\susoft.exe
00410838 MOV DWORD PTR SS:[EBP-9C],aaa.0040B77C \profile\susoft.exe
00410CB0 PUSH aaa.0040B7A8 \
00410FF3 PUSH aaa.0040B7A8 \
00411026 PUSH aaa.0040C5FC .exe
00411041 PUSH aaa.0040B7A8 \
0041106E PUSH aaa.0040C5FC .exe
00411401 PUSH aaa.0040B8DC scripting.filesystemobject
004116A8 PUSH aaa.0040C628 getdrive
0041170B PUSH aaa.0040C63C drivetype
0041174C MOV DWORD PTR SS:[EBP-70],aaa.0040C654 desconocido
0041177C MOV DWORD PTR SS:[EBP-70],aaa.0040C670 separable
004117AC MOV DWORD PTR SS:[EBP-70],aaa.0040C688 fijo
004117DC MOV DWORD PTR SS:[EBP-70],aaa.0040C698 red
00411809 MOV DWORD PTR SS:[EBP-70],aaa.0040C6A4 cd-rom
00411836 MOV DWORD PTR SS:[EBP-70],aaa.0040C6B8 disco ram
00411855 PUSH aaa.0040C6D0 driveletter
0041185F MOV DWORD PTR SS:[EBP-70],aaa.0040C6EC :
004118A1 PUSH aaa.0040C6F0 isready
004118E2 MOV DWORD PTR SS:[EBP-70],aaa.0040C670 separable
004118EC MOV DWORD PTR SS:[EBP-80],aaa.0040C688 fijo
00411B22 PUSH aaa.0040B8DC scripting.filesystemobject
00411B56 PUSH aaa.0040C700 drives
00411BCE MOV DWORD PTR SS:[EBP-60],aaa.0040C6EC :
00411BDE PUSH aaa.0040C6D0 driveletter
00411C44 PUSH aaa.0040C63C drivetype
00411C89 PUSH aaa.0040C710 sharename
00411CCA PUSH aaa.0040C724 volumename