Please help me figure out how to remove this trojan (attachment)
Disassembling it, I saw an e-mail address inside, so I guess it's a trojan. Experts, please take a look! Thanks in advance!
Partial code:
L00401C15:
mov edx,[L0040B078]
mov ecx,[esp+24h]
push 00000000h
push SSZ00408AD0_iyanchuan_gmail_com
mov eax,[L00408030+edx*4]
push eax
push ecx
call [USER32.dll!MessageBoxA]
mov edx,[L0040B078]
mov ecx,00000019h
pop edi
pop esi
lea eax,[edx+01h]
xor edx,edx
div ecx
pop ebp
xor eax,eax
pop ebx
mov [L0040B078],edx
add esp,00000010h
retn 0010h
----------------------------------
SSZ00408A10_FMS077:
db 'FMS077',0
Align 4
SSZ00408A18_Cannot_create_remote_thread_in_M:
db 'Cannot create remote thread in MS process!',0
Align 4
SSZ00408A44_Kernel32_dll:
db 'Kernel32.dll',0
Align 4
SSZ00408A54_LoadLibraryA:
db 'LoadLibraryA',0
Align 4
SSZ00408A64_Cannot_write_process_memory_:
db 'Cannot write process memory!',0
Align 4
SSZ00408A84_Cannot_allocate_memory_in_MS_pro:
db 'Cannot allocate memory in MS process!',0
Align 4
SSZ00408AAC__fms_dll:
db '\fms.dll',0
Align 4
SSZ00408AB8_Open_MS_process_failed_:
db 'Open MS process failed!',0
SSZ00408AD0_iyanchuan_gmail_com:
db 'iyanchuan@gmail.com',0
L00408AE4:
Attachment: FMS笨挂.rar (2009-11-25 14:47:46, 34.81 K)
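The error strings in the listing (open process failed, cannot allocate memory in MS process, cannot write process memory, cannot create remote thread, LoadLibraryA, \fms.dll) are the failure messages you would expect from a program that injects a DLL into another process via a remote thread. As an added example that is not part of the original post, here is a Python triage script that extracts the ASCII strings from a binary and flags that pattern; the sample bytes are constructed to mirror the string table above (not the real attachment), and the mapping from each error message to the Win32 call it implies is my inference.

```python
import re
from typing import Dict, List

# Constructed sample: a string table laid out like the listing above
# (null-terminated, padded to 4 bytes). Not the attachment's real bytes.
SAMPLE_BLOB = (
    b"\x55\x8b\xec" + b"FMS077\x00\x00"
    + b"Cannot create remote thread in MS process!\x00\x00"
    + b"Kernel32.dll\x00\x00\x00\x00"
    + b"LoadLibraryA\x00\x00\x00\x00"
    + b"Cannot write process memory!\x00\x00\x00\x00"
    + b"Cannot allocate memory in MS process!\x00\x00\x00"
    + b"\\fms.dll\x00\x00\x00\x00"
    + b"Open MS process failed!\x00"
    + b"iyanchuan@gmail.com\x00"
)

# Error message -> the injection step it most likely reports on.
# This mapping is my inference from the wording, not a fact from the post.
INJECTION_STEPS = {
    "Open MS process failed!": "OpenProcess",
    "Cannot allocate memory in MS process!": "VirtualAllocEx",
    "Cannot write process memory!": "WriteProcessMemory",
    "Cannot create remote thread in MS process!": "CreateRemoteThread",
    "LoadLibraryA": "LoadLibraryA used as the remote thread start",
}


def extract_strings(blob: bytes, min_len: int = 4) -> List[str]:
    """Return every run of at least min_len printable ASCII bytes."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, blob)]


def triage(blob: bytes) -> Dict[str, object]:
    """Summarise injection-related indicators found in the sample."""
    strings = extract_strings(blob)
    steps = [step for msg, step in INJECTION_STEPS.items() if msg in strings]
    # A path-like .dll string (leading backslash) is the likely payload.
    dlls = [s for s in strings if s.lower().endswith(".dll") and s.startswith("\\")]
    emails = [s for s in strings if re.fullmatch(r"[\w.+-]+@[\w-]+\.[\w.]+", s)]
    return {
        "injection_steps": steps,
        "remote_thread_injector": len(steps) >= 4,  # most of the chain present
        "payload_dlls": dlls,
        "contact_strings": emails,
    }
```

Run `triage(open(path, "rb").read())` on a suspect file to get the same summary; the `\fms.dll` path plus the four-step error chain is what marks this sample as a DLL injector rather than a benign program.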