Virus Trojan scan: Reverse Analysis of Panda Burning Incense (Part 2)

Source: Internet
Author: User

I. Preface

This time we continue analyzing the virus from the previous article. The analysis may run into some different situations: so far it was enough to step through the code to work out the virus behavior, but in the code that follows, if we simply keep stepping, the important code in some branches is never executed. We therefore need strategies to force each branch to execute so that the virus behavior can be analyzed thoroughly.

II. Virus analysis

Now the program is executed at the loc_408171 position:

Figure 1 code at the beginning of loc_408171

The program first performs a comparison. Because both operands are 0, ZF = 1 after the comparison and the following jump is not taken. The next CALL obtains the path of the virus program (including the file name) and saves the start address of the full path string in eax; note that [ebp + var_3D8] holds an address that points to the file path string. edx is assigned the address four bytes into the full path of the virus program, skipping two uppercase letters and two symbols. Next, follow sub_40532C to see what it does. You can find that:

Figure 2 view sub_40532C internal code

The CharUpperBuff function converts the specified number of characters in a buffer to uppercase, so sub_40532C can be renamed ToUpper. Next:

Figure 3 analyze the sub_4054BC Function

Here the sub_4054BC function appears. Following it, you find:

 

Figure 4 View sub_4054BC internal code

The GetSystemDirectory function retrieves the system directory path, so sub_4054BC can be renamed GetSystemDir. The analysis of these functions has been fairly smooth so far, because the virus calls the API functions directly, which makes the purpose of each routine clear. Next:

Figure 5 sub_403F8C Function Analysis

The program first pushes the start address of the system path string obtained above onto the stack, then pushes the strings "drivers\" and "spoclsv.exe", and then calls sub_403F8C. Tracing it in OD, after the call returns you can see:

Figure 6 tracking changes after sub_403F8C execution

sub_403F8C concatenates the two strings with the other string to form one long path, so it can be renamed TwoStringsCat. Next:

Figure 7 sub_4060D4 Function Analysis

The path is then used to copy the virus into the "drivers" directory. The comparison here checks whether the virus has already been copied to that directory; if not, the comparison result is non-zero and the copy operation that follows is executed. dword_408658 stores the string "spoclsv.exe". Next we can enter sub_4060D4 for analysis.

sub_4060D4 is a fairly long function with many internal calls, which can be examined one by one. It calls a large number of API functions; judging from what those API functions do, sub_4060D4 searches the current memory for a specified process and terminates it if it exists. Because the function is long, we will not analyze it here. Rename sub_4060D4 to SearchAndTerminateProcess. Next:

 

Figure 8

This code already has enough comments and will not be repeated. Next we see:

Figure 9

From the last CopyFile call you can see that the operation on the local file is to copy the virus file into the "drivers" directory under the new name "spoclsv.exe". Next comes Figure 10. This code calls the WinExec function. Looking at the string held in eax above, you find that after the virus body has copied itself into drivers under the new name, this is where the renamed virus program is run, after which the main program exits. This position is 0x004081E8 in Figure 7. We first set a breakpoint there and reload the program in OD so that it stops at the breakpoint. Normally the jump here is not taken. To make it taken you could change jz to jnz, but that modifies the virus program; the better way is to change the ZF flag from its original 0 to 1. The execution flow inside then differs. To obtain the virus data, I load the dropped spoclsv.exe in OD for dynamic analysis, so the jump at 0x004081E8 is taken and the following code is reached:

Figure 11 run loc_4082F0

This code calls the sub_40416C function, which is also abstract and not easy to analyze; it requires patience and care, and I will omit the process here. In fact, this function deletes characters from a string: eax holds the address of the string to operate on, and ecx holds the number of characters to delete. Rename sub_40416C to DeleteStringBuff. The program then jumps to loc_4085D3:

 

Figure 12 run loc_4085D3

Before the CALL, eax holds a tag value, 0x01. The following CALL searches the file for this mark; if the mark is found the jump is taken, otherwise it is not. We can therefore assume that the 0x01 mark is what the virus adds to a normal program when it infects it, so that it can later tell whether the program is already infected. If that is the case, to analyze the redirection code you would either modify the flag in OD or analyze an infected program; I will not go into this here, and interested readers can take an infected program and analyze it on their own. Here we rename sub_4041B4 to SearchSignPos.

Because the program I am currently analyzing is the virus itself and does not carry the 0x01 flag, the redirection is not taken and execution continues:
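To make the two branches discussed above concrete (the path comparison and copy-then-WinExec step at 0x004081E8, and the 0x01 mark check at loc_4085D3), here is an added Python model of that control flow. It is not the virus's code and not a decompilation, only a sketch written for this article from the renamed routines (ToUpper, GetSystemDir, TwoStringsCat, SearchSignPos). The system directory, the file buffers and the process listing are constructed test data; the page does not say where in a file the 0x01 mark is stored, so the model simply searches the whole (short, constructed) buffer. The last function turns the same comparison around for defenders: it flags running images whose path matches the drop location.

```python
"""Constructed model of the dropper decision flow described in the article.

Not the virus's code: a Python sketch of the branch logic only.
"""

# Assumption: GetSystemDirectory returns the usual Windows system folder.
FAKE_SYSTEM_DIR = r"C:\WINDOWS\system32"
DROP_SUBDIR = "drivers\\"      # string pushed before the concatenation
DROP_NAME = "spoclsv.exe"      # string held at dword_408658
INFECTION_MARK = b"\x01"       # tag value in eax at loc_4085D3


def to_upper(s: str) -> str:
    """Model of sub_40532C (ToUpper): CharUpperBuff over the whole buffer."""
    return s.upper()


def two_strings_cat(system_dir: str, subdir: str, name: str) -> str:
    """Model of sub_403F8C (TwoStringsCat): join the pieces into one path."""
    return system_dir.rstrip("\\") + "\\" + subdir + name


def expected_drop_path(system_dir: str = FAKE_SYSTEM_DIR) -> str:
    """Path the virus builds for its copy: <systemdir>\\drivers\\spoclsv.exe."""
    return two_strings_cat(system_dir, DROP_SUBDIR, DROP_NAME)


def search_sign_pos(data: bytes, sign: bytes = INFECTION_MARK) -> int:
    """Model of sub_4041B4 (SearchSignPos): offset of the mark, -1 if absent.

    Assumption: the article does not give the mark's location, so this
    searches the entire buffer; only meaningful on the short constructed
    buffers used here."""
    return data.find(sign)


def dropper_step(self_path: str, host_file: bytes,
                 system_dir: str = FAKE_SYSTEM_DIR) -> tuple:
    """One pass from loc_408171 to loc_4085D3.

    Returns (action, detail):
      ("copy_and_exec", target)  running from the original location: copy
                                 to drivers\\spoclsv.exe, WinExec it, exit
      ("redirect", offset)       running as the copy with the mark present:
                                 an infected host, jump to the redirection code
      ("init", None)             running as the copy, no mark: fall into
                                 sub_408024 (virus initialisation)
    """
    target = expected_drop_path(system_dir)
    # The virus compares the uppercased paths; equal (ZF=1) means it is
    # already running as the dropped copy.
    if to_upper(self_path) != to_upper(target):
        return ("copy_and_exec", target)
    pos = search_sign_pos(host_file)
    if pos != -1:
        return ("redirect", pos)
    return ("init", None)


def flag_dropped_copies(process_paths, system_dir: str = FAKE_SYSTEM_DIR) -> list:
    """Defender-side use of the same comparison: report running images
    whose path equals the drop location, case-insensitively."""
    target = to_upper(expected_drop_path(system_dir))
    return [p for p in process_paths if to_upper(p) == target]


if __name__ == "__main__":
    # Constructed buffers: a clean sample and a "host" carrying the mark.
    clean = b"MZ-clean-sample"
    infected_host = b"MZ-host-sample" + INFECTION_MARK

    # First run, from the original location: copy and execute the copy.
    print(dropper_step(r"C:\Users\lab\sample.exe", clean))
    # Second run, as the copy, no mark: proceed to initialisation.
    print(dropper_step(expected_drop_path(), clean))
    # Copy carrying the mark: redirection branch.
    print(dropper_step(expected_drop_path(), infected_host))

    # Constructed process listing for the triage helper.
    listing = [r"C:\WINDOWS\explorer.exe",
               r"C:\Windows\System32\Drivers\SPOCLSV.EXE"]
    print(flag_dropped_copies(listing))
```

The model keeps the ZF-based view of the branch: flipping the comparison result (as the article does in OD) is exactly choosing between the first and second return values of dropper_step, without patching the instruction.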

Figure 13

This part of the code is mainly cleanup. The last CALL frees the addresses saved on the stack, which point to information written by the virus. After this code returns, sub_408024 is executed. You may not remember what sub_408024 is: it is the first of the three main virus functions I analyzed in the previous part of this series. From the analysis we can see that this first function is mainly for virus initialization. I will not analyze the remaining two functions here; if you are interested, you can study them on your own.

 

III. Summary

This concludes the Panda Burning Incense reverse-analysis series. Over three articles I have walked you through the analysis step by step. Although I only analyzed one major function of the virus, I believe you have learned something about the basic method of reverse-analyzing a virus. In my opinion there is not much advanced technology involved; what matters is the accumulation of experience and the cultivation of patience. I hope you will analyze the virus yourself, and I believe this will bring great gains.

 
