Nothing to do in the middle of the night, so I chatted with Xiaoxin for a while. After a bit he said his machine had been caught as a "chicken" (turned into a bot). I tried it myself and the Trojan came down, but the operation was intercepted by Kingsoft, which caught the remote-control Trojan.
I am depressed.
Okay, now let's take a look at the sample.
Compiled with VC++ 6.0.
This is the interesting part: 10 KB, not packed. A quick look in OllyDbg suggests this thing only has a download function, used to herd bots, update the downloader, and so on.
00401A9F BE BC314000 mov esi, Kola.004031BC; 222.eg129.com:10001 // callback domain name
Here we can see the callback (reverse-connection) domain is 222.eg129.com and the port is 10001.
00401E4B |. 68 F8344000 | push Kola.004034F8; Software\Microsoft\Windows\CurrentVersion\Run
Here it writes to the registry, adding itself to the system's startup (Run) items.
00401EA1 |. 68 64344000 | push Kola.00403464; C:\Documents and Settings\All Users\Start Menu\Programs\Startup\expor.exe
The file it writes is expor.exe, placed in the All Users Startup folder.
This Trojan is only 10 KB and not packed. It's really something ~~~
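The three annotated OllyDbg lines above are enough to pull out the indicators a defender cares about (C2 host and port, Run-key persistence, dropped file in the Startup folder). The following script is an added example, not code from the original post: it parses listing lines of that shape and classifies the string operand after the `;`. The sample listing is constructed from the post's three lines; the address/port and paths are the post's, the regexes and function names are my own.

```python
import re
from dataclasses import dataclass

# Constructed sample: the three annotated OllyDbg lines quoted in the post.
LISTING = r"""
00401A9F BE BC314000 mov esi, Kola.004031BC; 222.eg129.com:10001
00401E4B |. 68 F8344000 | push Kola.004034F8; Software\Microsoft\Windows\CurrentVersion\Run
00401EA1 |. 68 64344000 | push Kola.00403464; C:\Documents and Settings\All Users\Start Menu\Programs\Startup\expor.exe
"""

# An OllyDbg line: 8-hex-digit address, anything, then ';' and the string operand comment.
LINE_RE = re.compile(r"^(?P<addr>[0-9A-Fa-f]{8})\s+.*?;\s*(?P<ref>.+?)\s*$")
# "host:port" where host looks like a domain name.
HOSTPORT_RE = re.compile(r"^(?P<host>[A-Za-z0-9.-]+\.[A-Za-z]{2,})\s*:\s*(?P<port>\d{1,5})$")
# Autostart registry keys (Run / RunOnce).
RUN_KEY_RE = re.compile(r"CurrentVersion\\Run(Once)?$", re.IGNORECASE)
# An executable dropped into a Startup folder.
STARTUP_RE = re.compile(r"\\Startup\\[^\\]+\.(exe|dll|scr)$", re.IGNORECASE)


@dataclass
class Indicator:
    address: str   # code address where the string is referenced
    kind: str      # "c2", "persistence_runkey", "dropped_file" or "string"
    value: str


def classify(ref: str) -> tuple[str, str]:
    """Map a string operand to an indicator category."""
    m = HOSTPORT_RE.match(ref)
    if m:
        return "c2", f"{m['host']}:{int(m['port'])}"
    if RUN_KEY_RE.search(ref):
        return "persistence_runkey", ref
    if STARTUP_RE.search(ref):
        return "dropped_file", ref
    return "string", ref


def extract_indicators(listing: str) -> list[Indicator]:
    """Parse every annotated listing line and classify its string operand."""
    found = []
    for line in listing.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            kind, value = classify(m["ref"])
            found.append(Indicator(m["addr"].upper(), kind, value))
    return found


def summarize(listing: str) -> dict[str, list[str]]:
    """Group indicator values by category, e.g. for a triage report."""
    report: dict[str, list[str]] = {}
    for ind in extract_indicators(listing):
        report.setdefault(ind.kind, []).append(ind.value)
    return report
```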
So I looked up the whois for the domain ~~
It turned out to have been bought from Xinnet ~~ This guy... At first Xiaoxin thought it was a foreign hacker, because the IP address was in Germany.
Registrant: He Shusheng (a real "scholar" indeed)
Address: Nakhon Cheon district Zhongjie (I just guessed the pinyin)
I have no idea what "ShiShaShi" is.
This is the email:
You can start guessing from the pinyin.
Then I checked whether the domain had an ICP filing ......
This guy actually has a filing on record ~~~ Good grief.
So that's the end of it ~~~