Silic Group Forum Archive - Silic Security

Views: 7204 | Replies: 41

[Original] A simple analysis of an account-stealing trojan: VB can write trojans too

Posted 2014-1-8 08:31:32
Author: 小Dの马甲
From: Silic 习科 Forum
//Blackap.Org
It seems someone has had their eye on me lately: two of my QQ accounts received the same account-stealing trojan, namely:
an email from [email protected] with the subject "Party聚会留影" (Party gathering photos), and
an email from [email protected] with the subject "您的签证信息,请尽快查收" (Your visa information, please check it promptly).
The trojan was only zip-compressed, with no password, and it passes cloud scanning. The attachments of the two emails have identical hashes but different send times; one sender IP is 125.73.11.62 and the other is 125.73.15.191, both in Liuzhou.
Although it gets past cloud scanning, you can tell at a glance that it is a trojan, hence this simple analysis.
First, check for packing using PEiD:

peid.png

It shows: Microsoft Visual Basic 5.0 / 6.0
So it should be written in VB6, and by eye it really is not packed. A program written in VB6, seriously badass.
The contents of a VB program are actually very easy to extract; here I used VBExplorer, which can be downloaded from the Silic armory (兵器库).
First open the program and extract the images from it:

vbexplorer.png

So this is.... This is obviously for stealing QQ accounts.
Next, export the project with VBExplorer and take a closer look.

The project name is very random: sfgsfd. The vbp file reads:
  Type=exe
  Form=Form1.frm
  Object="{EAB22AC0-30C1-11cf-A7EB-0000C05BAE0B}#1.1#0"; "ieframe.dll"
  HelpFile=
  Title=dhgh
  Name=sfgsfd
  Description=
There is only one form, Form1, and from the controls on the form one can see these handlers:
[Image2.Click]
[Image1.Click]
[Timer1.Timer]
[Form.Load]
[Form.MouseDown]
[Form.MouseMove]
[Form.MouseUp]
[Text1.KeyPress]

The Interval property of the timer control is 800, so 8 seconds after startup? Next comes the interesting Text5, whose Text property is:
  start / Max; "C:\Program Files\Internet Explorer\Iexplore.exe"
Two SHDocVwCtl.WebBrowser controls were also found, so what address does this control visit?

WebBrowser.png

The address is: yjt120.com/plus/book.asp?pjID=  Obviously a trojan drop site (马场).
And the KeyPress handler on Text1, isn't that the control that records the password? Clearly it is.
I also found a bat file targeting 360tray.exe; I won't say more about it. In short, this thing is really dumb; a quick look is enough.

bat.png

Primary-schoolers object!
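The post does three things by hand: PEiD to identify the binary as VB5/6, VBExplorer to pull out the strings and controls, and a look at the bat. The script below is an added example that automates those three checks as a first-pass triage; it is not code from the post, from PEiD or from VBExplorer. It relies on two facts about compiled VB binaries: they import MSVBVM50.DLL or MSVBVM60.DLL, and the VB project header they carry starts with the four-byte magic "VB5!". It also extracts UTF-16LE strings, because VB stores its string literals that way and an ASCII-only `strings` run walks straight past the drop URL. The sample bytes are constructed here (not the real attachment), and the taskkill line stands in for the bat, which the post only says targets 360tray.exe.

```python
"""
Static triage of a VB5/6-compiled PE, automating the checks the post does
by hand with PEiD and VBExplorer. Added example, not code from the post,
from PEiD or from VBExplorer.

  1. VB5/6 detection: compiled VB EXEs import MSVBVM50/60.DLL and carry a
     VB header whose first four bytes are the magic "VB5!".
  2. Drop / C2 URLs: VB string literals live in the binary as UTF-16LE, so a
     plain ASCII `strings` run misses them.
  3. Shell and AV-killing markers such as 360tray.exe or "start /".
"""
import re

VB_MAGIC = b"VB5!"
VB_RUNTIMES = (b"MSVBVM60.DLL", b"MSVBVM50.DLL")
# Lower-case markers; "start /" matches the Text5 payload quoted in the post.
SUSPICIOUS = ("360tray.exe", "taskkill", "iexplore.exe", "start /")
# Host (dotted labels ending in letters) plus optional path. File names such
# as Iexplore.exe also match the host part, so they are filtered out below.
URL_RE = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})(/[^\s\"']*)?", re.I)
FILE_EXT = {"exe", "dll", "bat", "cmd", "ocx", "vbp", "frm", "png", "txt", "sys"}


def is_vb_binary(data: bytes) -> bool:
    """MZ header, the VB5! magic and a VB runtime import name."""
    return (data[:2] == b"MZ" and VB_MAGIC in data
            and any(rt in data.upper() for rt in VB_RUNTIMES))


def extract_strings(data: bytes, minlen: int = 6) -> list:
    """ASCII and UTF-16LE printable runs of at least minlen characters."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % minlen)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % minlen)
    found = [m.group().decode("ascii") for m in ascii_re.finditer(data)]
    found += [m.group().decode("utf-16le") for m in wide_re.finditer(data)]
    return found


def find_urls(strings) -> list:
    """Host/path strings, minus anything that is just a file name."""
    urls = set()
    for s in strings:
        for m in URL_RE.finditer(s):
            host, path = m.group(1), m.group(2) or ""
            if host.rsplit(".", 1)[-1].lower() in FILE_EXT:
                continue
            urls.add(host + path)
    return sorted(urls)


def find_suspicious(strings) -> list:
    """(marker, string) pairs for every marker that occurs in a string."""
    return [(mk, s) for s in strings for mk in SUSPICIOUS if mk in s.lower()]


def triage(data: bytes) -> dict:
    strings = extract_strings(data)
    return {
        "vb_binary": is_vb_binary(data),
        "string_count": len(strings),
        "urls": find_urls(strings),
        "suspicious": find_suspicious(strings),
    }


def build_sample() -> bytes:
    """Constructed stand-in for the attachment (NOT the real file's bytes):
    a fake MZ/PE shell, the runtime import, the VB5! magic, the two string
    literals quoted in the post stored the way VB stores them (UTF-16LE),
    and an assumed bat payload. The post only says the bat targets
    360tray.exe; the taskkill line is hypothetical."""
    drop_url = "yjt120.com/plus/book.asp?pjID="
    text5 = 'start / Max; "C:\\Program Files\\Internet Explorer\\Iexplore.exe"'
    return b"".join([
        b"MZ" + b"\x00" * 62,
        b"PE\x00\x00" + b"\x00" * 20,
        b"MSVBVM60.DLL\x00",
        VB_MAGIC + b"\x00" * 12,
        drop_url.encode("utf-16le") + b"\x00\x00",
        text5.encode("utf-16le") + b"\x00\x00",
        b"taskkill /f /im 360tray.exe\r\n",
        b"\x00" * 16,
    ])


if __name__ == "__main__":
    import json
    print(json.dumps(triage(build_sample()), indent=2))
```

On the constructed sample the report flags the file as VB, lists yjt120.com/plus/book.asp?pjID= as the only URL, and matches all four markers; run against a real VB6 sample, the UTF-16LE pass is what surfaces the strings VBExplorer shows in its form properties.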
Dolphin
Posted 2014-1-8 09:27:31
First!
青春不朽
Posted 2014-1-8 09:27:32
My first, is it? oo
跑得灰叉叉的
Posted 2014-1-8 09:28:50
First! A newbie learned something.
jacksak
Posted 2014-1-8 09:32:12
It deletes itself when it runs into 360?
Ryuuka
Posted 2014-1-8 09:32:53
Typos everywhere; could the account thief go back to primary school and brush up on his Chinese first?
darkcat715
Posted 2014-1-8 09:35:58
This author didn't do well in primary school.
996652220
Posted 2014-1-8 09:46:00
Looking at this is painful...
0x6dhanli
Posted 2014-1-8 09:47:57
This post was last edited by 0x6dhanli on 2014-1-8 09:49

Will there be a follow-up?
xiaocaicai
Posted 2014-1-8 09:49:18
DedeCMS 5.7, with a dog (SafeDog) on it.
思绪
Posted 2014-1-8 09:55:19
His Chinese teacher died young, laughing my ass off.
overlords
Posted 2014-1-8 10:17:49
Bad pinyin, huh.
Everdup
Posted 2014-1-8 10:42:05
Thanks for sharing, learned something new.
静默
Posted 2014-1-8 12:14:58
Brother D, please live-stream it and wreck this guy....
love
Posted 2014-1-8 12:28:45
The bar keeps getting lower...
草泥马
Posted 2014-1-8 12:40:15
OP, your Chinese is so good it must have been taught by the PE teacher, right?
4ever
Posted 2014-1-8 13:03:24
His Chinese teacher died young.
kevin
Posted 2014-1-8 14:34:33
Middle-schoolers object!
qq382802681
Posted 2014-1-8 15:17:03
This really is a bit... heh heh.
Eye
Posted 2014-1-8 15:21:39
Speechless.
© 2001-2014 Silic Corp.