New pandatv Analysis notes-by cyto

Source: Internet
Author: User

A new version of pandatv has been developed from somewhere.
Based on the string and loveboom articles, this article provides an in-depth study.

Not exclusive, share as follows.

GameSetup.exe

1. Shelling:
FSG 2.0-> bart/xt
Borland Delphi 6.0-7.0

Ep:
00400154G> 8725 F4D24100 xchg dword ptr ds: [41D2F4], esp
0040015A 61 popad
0040015B 94 xchg eax, esp
0040015C 55 push ebp
0040015D A4 movs byte ptr es: [edi], byte ptr ds: [e>
0040015E B6 80 mov dh, 80
00400160 FF13 call dword ptr ds: [ebx]
00400162 ^ 73 F9 jnb short GameSetu.0040015D
...
004001CC 40 inc eax
004001CD ^ 78 F3 js short GameSetu.004001C2
004001CF 75 03 jnz short GameSetu.004001D4
004001D1-FF63 0C jmp dword ptr ds: [ebx + C]; GameSetu.0040D278, OEP
004001D4 50 push eax
004001D5 55 push ebp
004001D6 FF53 14 call dword ptr ds: [ebx + 14]
004001D9 AB stos dword ptr es: [edi]
004001DA ^ eb ee jmp short GameSetu.004001CA

OEP:
0040D278 55 push ebp; URLMON.702B0000
0040D279 8BEC mov ebp, esp
0040D27B 83C4 E8 add esp,-18
0040D27E 53 push ebx
0040D27F 56 push esi
0040D280 33C0 xor eax, eax
0040D282 8945 E8 mov dword ptr ss: [ebp-18], eax
0040D285 8945 EC mov dword ptr ss: [ebp-14], eax
0040D288 B8 C8D14000 mov eax, GameSetu.0040D1C8
0040D28D E8 5677 FFFF call GameSetu.004049E8

For the text string, see GameSetu:
Address disassembly text string
0040626A mov eax, GameSetu.004069D8 ASCII "VirusScan"
00406296 mov eax, GameSetu.004069EC ASCII "NOD32"
004064B0 mov eax, GameSetu.00406AB4 ASCII "Symantec AntiVirus"
004064E2 mov eax, GameSetu.00406AD0 ASCII "Duba"
00406514 mov eax, GameSetu.00406AE0 ASCII "esteem procs"
0040660E mov eax, GameSetu.00406B44 ASCII "System Safety Monitor"
00406640 mov eax, GameSetu.00406B64 ASCII "Wrapped gift Killer"
00406672 mov eax, GameSetu.00406B80 ASCII "Winsock Expert"
0040670E push GameSetu.00406BC0 ASCII "msctls_statusbar32"
00406748 mov eax, GameSetu.00406BDC ASCII "pjf (ustc )"
004067E4 push GameSetu.00406BE8 ASCII "IceSword"
00406826 mov eax, GameSetu.00406BFC ASCII "Mcshield.exe"
00406830 mov eax, GameSetu.00406C14 ASCII "VsTskMgr.exe"
0040683A mov eax, GameSetu.00406C2C ASCII "naPrdMgr.exe"
00406844 mov eax, GameSetu.00406C44 ASCII "UpdaterUI.exe"
0040684E mov eax, GameSetu.00406C5C ASCII "TBMon.exe"
00406858 mov eax, GameSetu.00406C70 ASCII "scan32.exe"
00406862 mov eax, GameSetu.00406C84 ASCII "Ravmond.exe"
0040686C mov eax, GameSetu.00406C98 ASCII "CCenter.exe"
00406876 mov eax, GameSetu.00406CAC ASCII "RavTask.exe"
00406880 mov eax, GameSetu.00406CC0 ASCII "Rav.exe"
0040688A mov eax, GameSetu.00406CD0 ASCII "Ravmon.exe"
00406894 mov eax, GameSetu.00406CE4 ASCII "RavmonD.exe"
0040689E mov eax, GameSetu.00406CF8 ASCII "RavStub.exe"
004068A8 mov eax, GameSetu.00406D0C ASCII "KVXP. kxp"
004068B2 mov eax, GameSetu.00406D20 ASCII "KvMonXP. kxp"
004068BC mov eax, GameSetu.00406D34 ASCII "KVCenter. kxp"
004068C6 mov eax, GameSetu.00406D4C ASCII "KVSrvXP.exe"
004068D0 mov eax, GameSetu.00406D60 ASCII "KRegEx.exe"
004068DA mov eax, GameSetu.00406D74 ASCII "UIHost.exe"
004068E4 mov eax, GameSetu.00406D88 ASCII "TrojDie. kxp"
004068EE mov eax, GameSetu.00406D9C ASCII "FrogAgent.exe"
004068F8 mov eax, GameSetu.00406D0C ASCII "KVXP. kxp"
00406902 mov eax, GameSetu.00406D20 ASCII "KvMonXP. kxp"
0040690C mov eax, GameSetu.00406D34 ASCII "KVCenter. kxp"
00406916 mov eax, GameSetu.00406D4C ASCII "KVSrvXP.exe"
00406920 mov eax, GameSetu.00406D60 ASCII "KRegEx.exe"
0040692A mov eax, GameSetu.00406D74 ASCII "UIHost.exe"
00406934 mov eax, GameSetu.00406D88 ASCII "TrojDie. kxp"
0040693E mov eax, GameSetu.00406D9C ASCII "FrogAgent.exe"
00406948 mov eax, GameSetu.00406DB4 ASCII "logo=.exe"
00406952 mov eax, GameSetu.00406DC8 ASCII "Logo_1.exe"
0040695C mov eax, GameSetu.00406DDC ASCII "Rundl132.exe"
00406966 mov eax, GameSetu.00406DF4 ASCII "regedit.exe"
00406970 mov eax, GameSetu.00406E08 ASCII "msconfig.exe"
0040697A mov eax, GameSetu.00406E20 ASCII "taskmgr.exe"
00406E44 mov eax, GameSetu.00407014 ASCII "Schedule"
00406E4E mov eax, GameSetu.00407028 ASCII "sharedaccess"
00406E58 mov eax, GameSetu.00407040 ASCII "RsCCenter"
00406E62 mov eax, GameSetu.00407054 ASCII "RsRavMon"
00406E6C mov eax, GameSetu.00407060 ASCII "RsCCenter"
00406E76 mov eax, GameSetu.0040706C ASCII "RsRavMon"
00406E80 mov edx, GameSetu.00407080 ASCII "SOFTWAREMicrosoftWindowsCurrentVersionRunRavTask"
00406E8F mov eax, GameSetu.004070C0 ASCII "KVWSC"
00406E99 mov eax, GameSetu.004070D0 ASCII "KVSrvXP"
00406EA3 mov eax, GameSetu.004070D8 ASCII "KVWSC"
00406EAD mov eax, GameSetu.004070E0 ASCII "KVSrvXP"
00406EB7 mov edx, GameSetu.004070F0 ASCII "SOFTWAREMicrosoftWindowsCurrentVersionRunKvMonXP"
00406EC6 mov eax, GameSetu.00407130 ASCII "kavsvc"
00406ED0 mov eax, GameSetu.00407140 ASCII "AVP"
00406EDA mov eax, GameSetu.00407144 ASCII "AVP"
00406EE4 mov eax, GameSetu.00407148 ASCII "kavsvc"
00406EEE mov edx, GameSetu.00407158 ASCII "SOFTWAREMicrosoftWindowsCurrentVersionRunkav"
00406EFD mov edx, GameSetu.00407194 ASCII "SOFTWAREMicrosoftWindowsCurrentVersionRunKAVPersonal50"
00406F0C mov eax, GameSetu.004071D8 ASCII "McAfeeFramework"
00406F16 mov eax, GameSetu.004071F0 ASCII "McShield"
00406F20 mov eax, GameSetu.00407204 ASCII "McTaskManager"
00406F2A mov eax, GameSetu.00407214 ASCII "McAfeeFramework"
00406F34 mov eax, GameSetu.00407224 ASCII "McShield"
00406F3E mov eax, GameSetu.00407230 ASCII "McTaskManager"
00406F48 mov edx, GameSetu.00407248 ASCII "SOFTWAREMicrosoftWindowsCurrentVersionRunMcAfeeUpdaterUI"
00406F57 mov edx, GameSetu.00407290 ASCII "SOFTWAREMicrosoftWindowsCurrentVersionRunNetwork Associates Error Reporting Service"
00406F66 mov edx, GameSetu.004072F4 ASCII "SOFTWAREMicrosoftWindowsCurrentVersionRunShStatEXE"
00406F75 mov eax, GameSetu.0040732C ASCII "navapsvc"
00406F7F mov eax, GameSetu.00407338 ASCII "wscsvc"
00406F89 mov eax, GameSetu.00407340 ASCII "KPfwSvc"
00406F93 mov eax, GameSetu.00407348 ASCII "SNDSrvc"
00406F9D mov eax, GameSetu.00407350 ASCII "ccProxy"
00406FA7 mov eax, GameSetu.00407358 ASCII "ccEvtMgr"
00406FB1 mov eax, GameSetu.00407364 ASCII "ccSetMgr"
00406FBB mov eax, GameSetu.00407370 ASCII "SPBBCSvc"
00406FC5 mov eax, GameSetu.0040737C ASCII "Symantec Core LC"
00406FCF mov eax, GameSetu.00407390 ASCII "NPFMntor"
00406FD9 mov eax, GameSetu.0040739C ASCII "MskService"
00406FE3 mov eax, GameSetu.004073A8 ASCII "FireSvc"
00406FED mov edx, GameSetu.004073B8 ASCII "SOFTWAREMicrosoftWindowsCurrentVersionRunYLive.exe"
00406FFC mov edx, GameSetu.004073F8 ASCII "softwaremicrosoftwindowscurrentversionrunysponse"
004075D5 mov ecx, GameSetu.0040764C ASCII ":"
004079FF mov edx, GameSetu.00407AF4 ASCII "Search"
00407A04 mov eax, GameSetu.00407B04 ASCII "= nb {endw {g> ispy>,. ps ~ * Bb? 2gm. 12 & mmeb | lwls ''wi: & 9 & # ibmnlw <% 4 + :?. Nb {end9"
00407BB6 push GameSetu.00407E44 ASCII "$. bat"
00407BEE mov edx, GameSetu.00407E54 ASCII ": try1"
00407C08 push GameSetu.00407E64 ASCII "del ""
00407C50 push GameSetu.00407E80 ASCII "if exist ""
00407C6D push GameSetu.00407E94 ASCII "goto try1"
00407C9D push GameSetu.00407EA8 ASCII "ren ""
00407CB5 push GameSetu.00407EB8 ASCII ". exe"
00407D1D push GameSetu.00407E80 ASCII "if exist ""
00407D35 push GameSetu.00407EB8 ASCII ". exe"
00407D3F push GameSetu.00407ED4 ASCII "goto try2"
00407DB7 mov edx, GameSetu.00407EE8 ASCII ": try2"
00407DD1 mov edx, GameSetu.00407EF8 ASCII "del % 0"
00407FDE mov eax, GameSetu.0040815C ASCII "WhBoy"
00408060 push GameSetu.0040817C ASCII ". exe"
004081E1 mov edx, GameSetu.00408798 ASCII "Desktop _. ini"
00408227 mov edx, GameSetu.00408798 ASCII "Desktop _. ini"
0040826D mov edx, GameSetu.00408798 ASCII "Desktop _. ini"
00408329 push GameSetu.004087B0 ASCII "drivers"
0040832E push GameSetu.004087C4 ASCII "spo0lsv.exe"
00

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.