瑞星免杀，程序调用两个 DLL 文件，在 temp 目录下生成并释放病毒，经 UPX 加密压缩保护；程序含有敲诈者病毒代码，暂时定义为敲诈者病毒。下面是入口：
Disassembly of File: 复件 调戏美女.exe
Code Offset = 00000400, Code Size = 00000000
Data Offset = 00000400, Data Size = 00000000
Number of Objects = 0003 (dec), Imagebase = 00400000h
Object01: RVA: 00001000 Offset: 00000400 Size: 00000000 Flags: E0000080
Object02: RVA: 00009000 Offset: 00000400 Size: 00004800 Flags: E0000040
Object03: .rsrc RVA: 0000E000 Offset: 00004C00 Size: 00000600 Flags: C0000040
+++++++++++++++++++ MENU INFORMATION ++++++++++++++++++
There Are No Menu Resources in This Application
+++++++++++++++++ DIALOG INFORMATION ++++++++++++++++++
There Are No Dialog Resources in This Application
+++++++++++++++++++ IMPORTED FUNCTIONS ++++++++++++++++++
Number of Imported Modules = 0 (decimal)
+++++++++++++++++++ IMPORT MODULE DETAILS +++++++++++++++
+++++++++++++++++++ EXPORTED FUNCTIONS ++++++++++++++++++
Number of Exported Functions = 0000 (decimal)
+++++++++++++++++++ ASSEMBLY CODE LISTING ++++++++++++++++++
//********************** Start of Code in Object **************
Program Entry Point = 0040D4C0 (复件 调戏美女.exe File Offset:000048C0)
; --- Listing of Object02 from its first byte (RVA 00009000, raw size 00004800) -----------
; This is NOT the entry point. "Program Entry Point = 0040D4C0" is RVA D4C0, which lies near
; the END of this same object (RVA 9000..D7FF; file offset 48C0 = 400 + (D4C0 - 9000), consistent
; with the header). Object01 has raw size 0 and flags E0000080 (uninitialized data, RWX);
; together with the UPX note above, this is consistent with the usual packer layout: Object01 is
; the zero-filled unpack target, Object02 holds compressed data followed by the decompression
; stub at the entry point. Apart from the first few instructions, the bytes below therefore
; decode COMPRESSED DATA, not code - see the out-of-image branch/call targets and the
; privileged/odd opcodes flagged inline.
; Consequences for the analysis: the behaviour claimed in the header (two DLLs, drop into the
; temp directory, ransomware/敲诈者 code) cannot be confirmed or refuted from this listing; it
; has to come from the unpacked image or from runtime observation. "Number of Imported
; Modules = 0" above most likely means the tool did not parse the packed import table -
; TODO confirm after unpacking.
:00409000 FFFFFFFF BYTE 4 DUP(0ffh)      ; leading filler bytes, not an instruction
:00409004 55 push ebp                    ; bytes 04..21 happen to decode as a plausible prologue
:00409005 8BEC mov ebp, esp              ;   reading two stack args, [ebp+08] and [ebp+0C]
:00409007 8B4D0C mov ecx, dword ptr [ebp+0C]
:0040900A 56 push esi
:0040900B 57 push edi
:0040900C 8B7D08 mov edi, dword ptr [ebp+08]
:0040900F 8BF7 mov esi, edi
:00409011 81E6FFFF0000 and esi, 0000FFFF ; esi = low 16 bits of arg1
:00409017 C1EF10 shr edi, 10             ; edi = high 16 bits of arg1
:0040901A 85C9 test ecx, ecx
:0040901C 7508 jne 00409026              ; source of the xref annotation at 00409026 below
:0040901E 6A01 push 00000001
:00409020 58 pop eax                     ; eax = 1 (push/pop idiom)
:00409021 E90600F6DB jmp DC36902C        ; target is far outside the image (base 00400000, last
                                         ;   object ends at RVA E600) - first proof this is data
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040901C(C)
|
:00409026 B7FF mov bh, FF
:00409028 0111 add dword ptr [ecx], edx
:0040902A 837D1000 cmp dword ptr [ebp+10], 00000000
:0040902E 0F86E22E0053 jbe 5340BF16     ; out-of-image target again
:00409034 BAB0150A39 mov edx, 390A15B0
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004090B4(C)
|
; The xref above comes from a branch decoded at 004090B4, beyond this excerpt; like the one at
; 00409026 it is computed from decoded data bytes and carries no meaning.
:00409039 55 push ebp
:0040903A 107303 adc byte ptr [ebx+03], dh
:0040903D 8B08 mov ecx, dword ptr [eax]
:0040903F FFFF BYTE 2 DUP(0ffh)          ; disassembler fell back to raw bytes
:00409041 EF out dx, ax                  ; port I/O - would fault in a ring-3 process
:00409042 B729 mov bh, 29
:00409044 0483 add al, 83
:00409046 FA cli                         ; privileged instruction, never valid user-mode code
:00409047 100F adc byte ptr [edi], cl
:00409049 8C97328BC2C1 mov [edi+C1C28B32], ss ; segment-register store - nonsense in 32-bit code
:0040904F E8048BD8F7 call F8191B58       ; out-of-image call target
:00409054 DBC1 fcmovnb st(0), st(1)
:00409056 E304 jcxz 0040905C
:00409058 03D3 add edx, ebx
:0040905A 0FB619 movzx ebx, byte ptr [ecx]
:0040905D 27 daa                         ; runs of 27h (daa) and 2E/DF bytes are typical of
:0040905E 27 daa                         ;   compressed-stream bytes, not instructions
:0040905F DF BYTE 0dfh
:00409060 DB03 fild dword ptr [ebx]
:00409062 F3 repz                        ; orphan prefix
:00409063 085901 or byte ptr [ecx+01], bl
:00409066 03FE add edi, esi
:00409068 0F0203 lar eax, dword ptr [ebx] ; descriptor-table access rights, another system-level opcode
:0040906B 0427 add al, 27
:0040906D 27 daa
:0040906E 27 daa
:0040906F 27 daa
:00409070 0506070827 add eax, 27080706
:00409075 27 daa
:00409076 27 daa
:00409077 27 daa
:00409078 090A or dword ptr [edx], ecx
:0040907A 0B0C29 or ecx, dword ptr [ecx+ebp]
:0040907D 27 daa
:0040907E 27 daa
:0040907F 27 daa
:00409080 0D0E0F16D8 or eax, D8160F0E
:00409085 DBBF0683C110 fstp tbyte ptr [edi+10C18306]
:0040908B 48 dec eax
:0040908C 0F8577FF0085 jne 85419009      ; out-of-image target
:00409092 D2 BYTE 0d0h                   ; listing artefact: hex column shows D2, operand says 0d0h
:00409093 740B je 004090A0
:00409095 2E BYTE 02eh |