恶意程序分析
主程序:cncrk-setup.exe
文件大小:153600KB(疑为 153600 字节、约 150KB,请核实;另外原文未给出样本哈希,建议补记 MD5/SHA-256,否则无法与其他来源的样本进行比对)
加壳类型:Nspack
分析过程:
用 OllyDbg(OD)手工脱壳(步骤略),脱壳后的文件为:UnPACK_脱壳后的程序.exe。下文所有地址均以脱壳后的映像为准,与原始加壳文件中的地址并不对应。
然后用 W32Dasm 无极版 v3.0 对脱壳后的主程序进行反汇编(W32Dasm 是反汇编器而非反编译器)。下面贴出的只是与注册表、快捷方式操作相关的片段,每段都截自函数中间、未包含完整函数。从 eax/edx/ecx 传参方式以及 "TMyReg" 这一类名看,程序疑似用 Delphi 编写,反复出现的 0041C3F0/0041C4CC/0041C7D0 很可能是 TRegistry 的打开键/判断键存在/写入字符串一类封装(推测,未验证)。
* Possible StringData Ref from Data Obj ->"\DefaultIcon"
|
:0041DCEB B940DF4100 mov ecx, 0041DF40
:0041DCF0 8BD6 mov edx, esi
:0041DCF2 E8D96CFEFF call 004049D0
:0041DCF7 8B55F8 mov edx, dword ptr [ebp-08]
:0041DCFA 8BC3 mov eax, ebx
:0041DCFC E8EFE6FFFF call 0041C3F0
:0041DD01 84C0 test al, al
:0041DD03 7432 je 0041DD37
:0041DD05 8D45F4 lea eax, dword ptr [ebp-0C]
* Possible StringData Ref from Data Obj ->"\DefaultIcon"
|
:0041DD08 B940DF4100 mov ecx, 0041DF40
:0041DD0D 8BD6 mov edx, esi
:0041DD0F E8BC6CFEFF call 004049D0
:0041DD14 8B55F4 mov edx, dword ptr [ebp-0C]
:0041DD17 33C9 xor ecx, ecx
:0041DD19 8BC3 mov eax, ebx
:0041DD1B E8ACE7FFFF call 0041C4CC
:0041DD20 84C0 test al, al
:0041DD22 7413 je 0041DD37
:0041DD24 8B4D08 mov ecx, dword ptr [ebp+08]
:0041DD27 33D2 xor edx, edx
:0041DD29 8BC3 mov eax, ebx
:0041DD2B E8A0EAFFFF call 0041C7D0
:0041DD30 8BC3 mov eax, ebx
:0041DD32 E821E6FFFF call 0041C358
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0041DD03(C), :0041DD22(C)
|
:0041DD37 8D45F0 lea eax, dword ptr [ebp-10]
* Possible StringData Ref from Data Obj ->"\Shell\属性(&D)\Command"
|
:0041DD3A B958DF4100 mov ecx, 0041DF58
:0041DD3F 8BD6 mov edx, esi
:0041DD41 E88A6CFEFF call 004049D0
:0041DD46 8B55F0 mov edx, dword ptr [ebp-10]
:0041DD49 8BC3 mov eax, ebx
:0041DD4B E8A0E6FFFF call 0041C3F0
:0041DD50 84C0 test al, al
:0041DD52 7434 je 0041DD88
:0041DD54 8D45EC lea eax, dword ptr [ebp-14]
* Possible StringData Ref from Data Obj ->"\Shell\属性(&D)\Command"
|
:0041DD57 B958DF4100 mov ecx, 0041DF58
:0041DD5C 8BD6 mov edx, esi
:0041DD5E E86D6CFEFF call 004049D0
:0041DD63 8B55EC mov edx, dword ptr [ebp-14]
:0041DD66 33C9 xor ecx, ecx
:0041DD68 8BC3 mov eax, ebx
:0041DD6A E85DE7FFFF call 0041C4CC
:0041DD6F 84C0 test al, al
:0041DD71 7415 je 0041DD88
* Possible StringData Ref from Data Obj ->"Rundll32.exe Shell32.dll,Control_RunDLL "
->"Inetcpl.cpl"
|
:0041DD73 B978DF4100 mov ecx, 0041DF78
:0041DD78 33D2 xor edx, edx
:0041DD7A 8BC3 mov eax, ebx
:0041DD7C E84FEAFFFF call 0041C7D0
:0041DD81 8BC3 mov eax, ebx
:0041DD83 E8D0E5FFFF call 0041C358
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0041DD52(C), :0041DD71(C)
|
:0041DD88 8D45E8 lea eax, dword ptr [ebp-18]
* Possible StringData Ref from Data Obj ->"\Shell\Open(&O)\Command"
|
:0041DD8B B9B4DF4100 mov ecx, 0041DFB4
:0041DD90 8BD6 mov edx, esi
:0041DD92 E8396CFEFF call 004049D0
:0041DD97 8B55E8 mov edx, dword ptr [ebp-18]
:0041DD9A 8BC3 mov eax, ebx
:0041DD9C E84FE6FFFF call 0041C3F0
:0041DDA1 84C0 test al, al
:0041DDA3 0F8488000000 je 0041DE31
* Possible StringData Ref from Data Obj ->"\Shell\Open(&O)\Command"
|
:0041DDA9 B9B4DF4100 mov ecx, 0041DFB4
:0041DDAE 8D45E4 lea eax, dword ptr [ebp-1C]
:0041DDB1 8BD6 mov edx, esi
:0041DDB3 E8186CFEFF call 004049D0
:0041DDB8 8B55E4 mov edx, dword ptr [ebp-1C]
:0041DDBB 33C9 xor ecx, ecx
:0041DDBD 8BC3 mov eax, ebx
:0041DDBF E808E7FFFF call 0041C4CC
:0041DDC4 84C0 test al, al
:0041DDC6 7469 je 0041DE31
:0041DDC8 8D55DC lea edx, dword ptr [ebp-24]
:0041DDCB 8BC3 mov eax, ebx
:0041DDCD E8D2FDFFFF call 0041DBA4
:0041DDD2 FF75DC push [ebp-24]
* Possible StringData Ref from Data Obj ->" "
|
:0041DDD5 68D4DF4100 push 0041DFD4
:0041DDDA FF750C push [ebp+0C]
:0041DDDD 8D45E0 lea eax, dword ptr [ebp-20]
:0041DDE0 BA03000000 mov edx, 00000003
:0041DDE5 E8626CFEFF call 00404A4C
:0041DDEA 8B4DE0 mov ecx, dword ptr [ebp-20]
:0041DDED 33D2 xor edx, edx
:0041DDEF 8BC3 mov eax, ebx
:0041DDF1 E8DAE9FFFF call 0041C7D0
:0041DDF6 8BC3 mov eax, ebx
:0041DDF8 E85BE5FFFF call 0041C358
:0041DDFD 8D45D8 lea eax, dword ptr [ebp-28]
* Possible StringData Ref from Data Obj ->"\Shell\Open(&O)"
|
:0041DE00 B9E0DF4100 mov ecx, 0041DFE0
:0041DE05 8BD6 mov edx, esi
:0041DE07 E8C46BFEFF call 004049D0
:0041DE0C 8B55D8 mov edx, dword ptr [ebp-28]
:0041DE0F 33C9 xor ecx, ecx
:0041DE11 8BC3 mov eax, ebx
:0041DE13 E8B4E6FFFF call 0041C4CC
:0041DE18 84C0 test al, al
:0041DE1A 740E je 0041DE2A
* Possible StringData Ref from Data Obj ->"Open(&O)"
|
:0041DE1C B9F8DF4100 mov ecx, 0041DFF8
:0041DE21 33D2 xor edx, edx
:0041DE23 8BC3 mov eax, ebx
:0041DE25 E8A6E9FFFF call 0041C7D0
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0041DE1A(C)
|
:0041DE2A 8BC3 mov eax, ebx
:0041DE2C E827E5FFFF call 0041C358
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0041DDA3(C), :0041DDC6(C)
|
:0041DE31 8D45D4 lea eax, dword ptr [ebp-2C]
* Possible StringData Ref from Data Obj ->"\ShellFolder"
|
:0041DE34 B90CE04100 mov ecx, 0041E00C
:0041DE39 8BD6 mov edx, esi
:0041DE3B E8906BFEFF call 004049D0
:0041DE40 8B55D4 mov edx, dword ptr [ebp-2C]
:0041DE43 8BC3 mov eax, ebx
:0041DE45 E8A6E5FFFF call 0041C3F0
:0041DE4A 84C0 test al, al
:0041DE4C 7437 je 0041DE85
* Possible StringData Ref from Data Obj ->"\ShellFolder"
|
:0041DE4E B90CE04100 mov ecx, 0041E00C
:0041DE53 8D45D0 lea eax, dword ptr [ebp-30]
:0041DE56 8BD6 mov edx, esi
:0041DE58 E8736BFEFF call 004049D0
:0041DE5D 8B55D0 mov edx, dword ptr [ebp-30]
:0041DE60 33C9 xor ecx, ecx
:0041DE62 8BC3 mov eax, ebx
:0041DE64 E863E6FFFF call 0041C4CC
:0041DE69 84C0 test al, al
:0041DE6B 7418 je 0041DE85
:0041DE6D B90A000000 mov ecx, 0000000A
* Possible StringData Ref from Data Obj ->"Attributes"
|
:0041DE72 BA24E04100 mov edx, 0041E024
:0041DE77 8BC3 mov eax, ebx
:0041DE79 E882E9FFFF call 0041C800
:0041DE7E 8BC3 mov eax, ebx
:0041DE80 E8D3E4FFFF call 0041C358
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0041DE4C(C), :0041DE6B(C)
|
:0041DE85 8D4DFC lea ecx, dword ptr [ebp-04]
:0041DE88 BA26000000 mov edx, 00000026
:0041DE8D 8BC6 mov eax, esi
:0041DE8F E8FCEAFFFF call 0041C990
:0041DE94 8BC3 mov eax, ebx
:0041DE96 E8BDE4FFFF call 0041C358
:0041DE9B BA02000080 mov edx, 80000002
:0041DEA0 8BC3 mov eax, ebx
:0041DEA2 E8E1E4FFFF call 0041C388
:0041DEA7 33C9 xor ecx, ecx
* Possible StringData Ref from Data Obj ->"SOFTWARE\Microsoft\Windows\CurrentVersion\Expl"
->"orer\Desktop\NameSpace\"
|
:0041DEA9 BA38E04100 mov edx, 0041E038
:0041DEAE 8BC3 mov eax, ebx
:0041DEB0 E817E6FFFF call 0041C4CC
:0041DEB5 84C0 test al, al
:0041DEB7 7440 je 0041DEF9
:0041DEB9 8B55FC mov edx, dword ptr [ebp-04]
:0041DEBC 8BC3 mov eax, ebx
:0041DEBE E82DE5FFFF call 0041C3F0
:0041DEC3 84C0 test al, al
:0041DEC5 7432 je 0041DEF9
:0041DEC7 8BC3 mov eax, ebx
:0041DEC9 E88AE4FFFF call 0041C358
* Possible StringData Ref from Data Obj ->"SOFTWARE\Microsoft\Windows\CurrentVersion\Expl"
->"orer\Desktop\NameSpace\"
|
:0041DECE BA38E04100 mov edx, 0041E038
:0041DED3 8D45CC lea eax, dword ptr [ebp-34]
:0041DED6 8B4DFC mov ecx, dword ptr [ebp-04]
:0041DED9 E8F26AFEFF call 004049D0
:0041DEDE 8B55CC mov edx, dword ptr [ebp-34]
:0041DEE1 33C9 xor ecx, ecx
:0041DEE3 8BC3 mov eax, ebx
:0041DEE5 E8E2E5FFFF call 0041C4CC
:0041DEEA 84C0 test al, al
:0041DEEC 740B je 0041DEF9
:0041DEEE 8BCF mov ecx, edi
:0041DEF0 33D2 xor edx, edx
:0041DEF2 8BC3 mov eax, ebx
:0041DEF4 E8D7E8FFFF call 0041C7D0
--------------------------------------------------------------------
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0041E2F2(C)
|
:0041E2FC 8BF1 mov esi, ecx
:0041E2FE 8BDA mov ebx, edx
:0041E300 8BF8 mov edi, eax
:0041E302 33C0 xor eax, eax
:0041E304 55 push ebp
:0041E305 688CE34100 push 0041E38C
:0041E30A 64FF30 push dword ptr fs:[eax]
:0041E30D 648920 mov dword ptr fs:[eax], esp
:0041E310 B201 mov dl, 01
* Possible StringData Ref from Data Obj ->"TMyReg愷貯"
|
:0041E312 A150D94100 mov eax, dword ptr [0041D950]
:0041E317 E8CCDFFFFF call 0041C2E8
:0041E31C 894730 mov dword ptr [edi+30], eax
:0041E31F B201 mov dl, 01
* Possible StringData Ref from Data Obj ->"<XA"
|
:0041E321 A148454100 mov eax, dword ptr [00414548]
:0041E326 E86555FEFF call 00403890
:0041E32B 894744 mov dword ptr [edi+44], eax
:0041E32E 8D4734 lea eax, dword ptr [edi+34]
* Possible StringData Ref from Data Obj ->"CLSID\{00022503-0000-0000-C000-000000000046}"
|
:0041E331 BAB8E34100 mov edx, 0041E3B8
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0041E2CF(C)
|
:0041E336 E8D163FEFF call 0040470C
:0041E33B 8D4738 lea eax, dword ptr [edi+38]
* Possible StringData Ref from Data Obj ->"安全浏览器"
|
:0041E33E BAF0E34100 mov edx, 0041E3F0
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0041E2E0(C)
|
:0041E343 E8C463FEFF call 0040470C
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0041E2D7(C)
|
:0041E348 8D473C lea eax, dword ptr [edi+3C]
* Possible StringData Ref from Data Obj ->"%1 h%t%t%p:%//%g%o%13%10%10.%c%o%m"
|
:0041E34B BA04E44100 mov edx, 0041E404
:0041E350 E8B763FEFF call 0040470C
:0041E355 8D55FC lea edx, dword ptr [ebp-04]
:0041E358 8B4730 mov eax, dword ptr [edi+30]
:0041E35B E844F8FFFF call 0041DBA4
:0041E360 8B55FC mov edx, dword ptr [ebp-04]
:0041E363 8D4740 lea eax, dword ptr [edi+40]
:0041E366 E8A163FEFF call 0040470C
:0041E36B 8BCE mov ecx, esi
:0041E36D 33D2 xor edx, edx
:0041E36F 8BC7 mov eax, edi
:0041E371 E84EC4FFFF call 0041A7C4
:0041E376 33C0 xor eax, eax
:0041E378 5A pop edx
:0041E379 59 pop ecx
:0041E37A 59 pop ecx
:0041E37B 648910 mov dword ptr fs:[eax], edx
:0041E37E 6893E34100 push 0041E393
--------------------------------------------------------------------
* Referenced by a CALL at Address:
|:0042032D
|
:0041F304 55 push ebp
:0041F305 8BEC mov ebp, esp
:0041F307 83C4F8 add esp, FFFFFFF8
:0041F30A 33C0 xor eax, eax
:0041F30C 8945F8 mov dword ptr [ebp-08], eax
:0041F30F 33C0 xor eax, eax
:0041F311 55 push ebp
:0041F312 6819F44100 push 0041F419
:0041F317 64FF30 push dword ptr fs:[eax]
:0041F31A 648920 mov dword ptr fs:[eax], esp
:0041F31D 33C9 xor ecx, ecx
:0041F31F B201 mov dl, 01
* Possible StringData Ref from Data Obj ->"<XA"
|
:0041F321 A1A4D94100 mov eax, dword ptr [0041D9A4]
:0041F326 E8BDEFFFFF call 0041E2E8
:0041F32B 8945FC mov dword ptr [ebp-04], eax
:0041F32E 33C0 xor eax, eax
:0041F330 55 push ebp
:0041F331 68FCF34100 push 0041F3FC
:0041F336 64FF30 push dword ptr fs:[eax]
:0041F339 648920 mov dword ptr fs:[eax], esp
* Possible StringData Ref from Data Obj ->"%1 h%t%t%p:%//%g%o%13%10%10.%c%o%m"
|
:0041F33C B92CF44100 mov ecx, 0041F42C
* Possible StringData Ref from Data Obj ->"CLSID\{D8B9F522-3C24-11D4-97C2-0080C882687E}"
|
:0041F341 BA58F44100 mov edx, 0041F458
:0041F346 8B45FC mov eax, dword ptr [ebp-04]
:0041F349 E84EF1FFFF call 0041E49C
:0041F34E 8D45F8 lea eax, dword ptr [ebp-08]
:0041F351 50 push eax
* Possible StringData Ref from Data Obj ->"Icon_"
|
:0041F352 B988F44100 mov ecx, 0041F488
* Possible StringData Ref from Data Obj ->"regedit.ico"
|
:0041F357 BA98F44100 mov edx, 0041F498
* Possible StringData Ref from Data Obj ->"HIco"
|
:0041F35C B8ACF44100 mov eax, 0041F4AC
:0041F361 E8BAFEFFFF call 0041F220
:0041F366 8B55F8 mov edx, dword ptr [ebp-08]
:0041F369 8B45FC mov eax, dword ptr [ebp-04]
:0041F36C 83C040 add eax, 00000040
:0041F36F E89853FEFF call 0040470C
:0041F374 8B45FC mov eax, dword ptr [ebp-04]
:0041F377 E808F1FFFF call 0041E484
:0041F37C 8B45FC mov eax, dword ptr [ebp-04]
:0041F37F 83C03C add eax, 0000003C
* Possible StringData Ref from Data Obj ->"http://go300.com"
|
:0041F382 BABCF44100 mov edx, 0041F4BC
:0041F387 E88053FEFF call 0040470C
:0041F38C 8B45FC mov eax, dword ptr [ebp-04]
:0041F38F E8FCF6FFFF call 0041EA90
* Possible StringData Ref from Data Obj ->"\go300网址导航,安全,绿色,快速.url"
|
:0041F394 B9D8F44100 mov ecx, 0041F4D8
* Possible StringData Ref from Data Obj ->"http://go300.com"
|
:0041F399 BABCF44100 mov edx, 0041F4BC
:0041F39E 8B45FC mov eax, dword ptr [ebp-04]
:0041F3A1 E83EF3FFFF call 0041E6E4
:0041F3A6 8B45FC mov eax, dword ptr [ebp-04]
:0041F3A9 83C03C add eax, 0000003C
* Possible StringData Ref from Data Obj ->"http://go300.com"
|
:0041F3AC BABCF44100 mov edx, 0041F4BC
:0041F3B1 E85653FEFF call 0040470C
:0041F3B6 8B45FC mov eax, dword ptr [ebp-04]
:0041F3B9 8B4044 mov eax, dword ptr [eax+44]
* Possible StringData Ref from Data Obj ->"Mozilla Firefox"
|
:0041F3BC BA04F54100 mov edx, 0041F504
:0041F3C1 8B08 mov ecx, dword ptr [eax]
:0041F3C3 FF5138 call [ecx+38]
:0041F3C6 8B45FC mov eax, dword ptr [ebp-04]
:0041F3C9 8B4044 mov eax, dword ptr [eax+44]
* Possible StringData Ref from Data Obj ->"IEXPLORE"
|
:0041F3CC BA1CF54100 mov edx, 0041F51C
:0041F3D1 8B08 mov ecx, dword ptr [eax]
:0041F3D3 FF5138 call [ecx+38]
:0041F3D6 8B45FC mov eax, dword ptr [ebp-04]
:0041F3D9 E852FAFFFF call 0041EE30
:0041F3DE 8B45FC mov eax, dword ptr [ebp-04]
:0041F3E1 E822FCFFFF call 0041F008
:0041F3E6 33C0 xor eax, eax
:0041F3E8 5A pop edx
:0041F3E9 59 pop ecx
:0041F3EA 59 pop ecx
:0041F3EB 648910 mov dword ptr fs:[eax], edx
:0041F3EE 6803F44100 push 0041F403
--------------------------------------------------------------------
(注:下面这段从 0041E2FC 起的反汇编与上文 0041E2FC 处的一段完全相同,系重复粘贴,可对照上文阅读。)
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0041E2F2(C)
|
:0041E2FC 8BF1 mov esi, ecx
:0041E2FE 8BDA mov ebx, edx
:0041E300 8BF8 mov edi, eax
:0041E302 33C0 xor eax, eax
:0041E304 55 push ebp
:0041E305 688CE34100 push 0041E38C
:0041E30A 64FF30 push dword ptr fs:[eax]
:0041E30D 648920 mov dword ptr fs:[eax], esp
:0041E310 B201 mov dl, 01
* Possible StringData Ref from Data Obj ->"TMyReg愷貯"
|
:0041E312 A150D94100 mov eax, dword ptr [0041D950]
:0041E317 E8CCDFFFFF call 0041C2E8
:0041E31C 894730 mov dword ptr [edi+30], eax
:0041E31F B201 mov dl, 01
* Possible StringData Ref from Data Obj ->"<XA"
|
:0041E321 A148454100 mov eax, dword ptr [00414548]
:0041E326 E86555FEFF call 00403890
:0041E32B 894744 mov dword ptr [edi+44], eax
:0041E32E 8D4734 lea eax, dword ptr [edi+34]
* Possible StringData Ref from Data Obj ->"CLSID\{00022503-0000-0000-C000-000000000046}"
|
:0041E331 BAB8E34100 mov edx, 0041E3B8
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0041E2CF(C)
|
:0041E336 E8D163FEFF call 0040470C
:0041E33B 8D4738 lea eax, dword ptr [edi+38]
* Possible StringData Ref from Data Obj ->"安全浏览器"
|
:0041E33E BAF0E34100 mov edx, 0041E3F0
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0041E2E0(C)
|
:0041E343 E8C463FEFF call 0040470C
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0041E2D7(C)
|
:0041E348 8D473C lea eax, dword ptr [edi+3C]
* Possible StringData Ref from Data Obj ->"%1 h%t%t%p:%//%g%o%13%10%10.%c%o%m"
|
:0041E34B BA04E44100 mov edx, 0041E404
:0041E350 E8B763FEFF call 0040470C
:0041E355 8D55FC lea edx, dword ptr [ebp-04]
:0041E358 8B4730 mov eax, dword ptr [edi+30]
:0041E35B E844F8FFFF call 0041DBA4
:0041E360 8B55FC mov edx, dword ptr [ebp-04]
:0041E363 8D4740 lea eax, dword ptr [edi+40]
:0041E366 E8A163FEFF call 0040470C
:0041E36B 8BCE mov ecx, esi
:0041E36D 33D2 xor edx, edx
:0041E36F 8BC7 mov eax, edi
:0041E371 E84EC4FFFF call 0041A7C4
:0041E376 33C0 xor eax, eax
:0041E378 5A pop edx
:0041E379 59 pop ecx
:0041E37A 59 pop ecx
:0041E37B 648910 mov dword ptr fs:[eax], edx
:0041E37E 6893E34100 push 0041E393
综合以上片段,恶意程序创建两个伪装的 CLSID,并为其写入 DefaultIcon、显示名"安全浏览器"、ShellFolder\Attributes 等子键,使其伪装成一个浏览器图标,分别是:
1、HKEY_CLASSES_ROOT\CLSID\{00022503-0000-0000-C000-000000000046}(注意其后缀 -0000-0000-C000-000000000046 属于微软保留的 OLE GUID 段,容易被误认为系统自带项)
   Shell\Open(&O)\Command 指向经过混淆的字符串 "%1 h%t%t%p:%//%g%o%13%10%10.%c%o%m"(原文误写为 "sell\command";该字符串去掉填充的 % 后推测为指向 go300.com 的 URL,程序中 0041F4BC 处也出现明文 "http://go300.com");右键"属性(&D)"则执行 "Rundll32.exe Shell32.dll,Control_RunDLL Inetcpl.cpl" 打开 Internet 选项,以模仿真正的 IE 图标。
2、HKEY_CLASSES_ROOT\CLSID\{D8B9F522-3C24-11D4-97C2-0080C882687E}
   Shell\Open(&O)\Command 同样指向 "%1 h%t%t%p:%//%g%o%13%10%10.%c%o%m"(见 0041F33C~0041F349)。
在 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ 下为这两个 CLSID 建立项。注意:上面贴出的反汇编(0041DE9B 处 edx=80000002 即 HKEY_LOCAL_MACHINE,0041DEA9/0041DECE 处的字符串)实际写入的是 ...\Explorer\Desktop\NameSpace\{CLSID},这正是让伪造的 CLSID 以桌面图标形式出现的位置;原文所说的 HideDesktopIcons 项在本文片段中并未出现,清理时两处都应检查。
在 %USERPROFILE%\Application Data\Microsoft\Internet Explorer\Quick Launch 下,
把"启动 Internet Explorer 浏览器.lnk"快捷方式(原文误作"快捷键")指向 "http://go300.com"。此外 0041F394 处还可见写入一个名为 "go300网址导航,安全,绿色,快速.url" 的网址快捷方式,其具体落盘目录在本片段中不可见;0041F3BC/0041F3CC 处还传入了 "Mozilla Firefox" 与 "IEXPLORE" 两个字符串,用途在片段中看不出来,建议动态调试确认是否同时篡改 Firefox 相关项。
解决办法比较简单,原文未展开;按上面发现的痕迹,至少需要:删除上述两个 CLSID 项(含其 DefaultIcon/Shell/ShellFolder 子键)及 Explorer\Desktop\NameSpace(以及 HideDesktopIcons,如存在)下对应的项;删除或还原被改写的"启动 Internet Explorer 浏览器.lnk"与 go300 的 .url 文件;清理后注销重新登录或重启 explorer.exe 让桌面刷新。