Reversing : The Hacker's Guide to Reverse Engineering


this file the program might be exposing itself, but then again the typical victims of these kinds of programs are usually nontechnical users who aren't sure exactly what to expect from the computer at any given moment. They'd probably think that the reason the image didn't appear was their own fault.
The first actual change that takes place after the program is launched is that the original executable disappears from the directory it was launched from! The task list in Task Manager (or any other process list viewer) now contains a new and unidentified process called ZoneLockup.exe. (The machine I was running this on was a freshly installed, clean Windows 2000 system with almost no additional programs installed, so it was easy to spot the newly created process.) The file's name is clearly designed to fool naive users into thinking that this process is some kind of security component.
If we launch a more powerful process viewer such as the Sysinternals Process Explorer (available from http://www.sysinternals.com), we can examine the full path of the ZoneLockup.exe process. It turns out that the program has placed a copy of itself in the SYSTEM32 directory of the currently running OS (in my case this was C:\WINNT\SYSTEM32).


The Initial Installation


Let's take a quick look at the code that executes when we initially run this program, because it is the closest thing this program has to an installation routine. This code is presented in Listing 8.3. Notice how it starts: it retrieves its own full path with GetModuleFileNameA (hModule = NULL means "the calling executable"), retrieves the system directory with GetSystemDirectoryA, and appends a backslash to it, which is the beginning of the destination path in SYSTEM32 where the copy ends up.


00402621 PUSH EBP
00402622 MOV EBP,ESP
00402624 SUB ESP,42C
0040262A PUSH EBX
0040262B PUSH ESI
0040262C PUSH EDI
0040262D XOR ESI,ESI
0040262F PUSH 104 ; BufSize = 104 (260.)
00402634 PUSH ZoneLock.00404540 ; PathBuffer = ZoneLock.00404540
00402639 PUSH 0 ; hModule = NULL
0040263B CALL <JMP.&KERNEL32.GetModuleFileNameA>
00402640 PUSH 104 ; BufSize = 104 (260.)
00402645 PUSH ZoneLock.00404010 ; Buffer = ZoneLock.00404010
0040264A CALL <JMP.&KERNEL32.GetSystemDirectoryA>
0040264F PUSH ZoneLock.00405544 ; src = "\"
00402654 PUSH ZoneLock.00404010 ; dest = "C:\WINNT\system32"
00402659 CALL <JMP.&CRTDLL.strcat>
0040265E ADD ESP,8
00402661 LEA ECX,DWORD PTR DS:[404540]
00402667 OR EAX,FFFFFFFF

Listing 8.3 The backdoor program’s installation function. (continued)
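Reading a listing like this by hand means walking backward from every CALL to find its PUSHes. The following Python script is an added example (it is neither the book's code nor code from the backdoor) that automates that step for the OllyDbg-style format of Listing 8.3: it parses each line into address, mnemonic, operands and comment, and for every call to an imported function recovers the arguments in C parameter order, using the fact that x86 callers push arguments right-to-left. For cdecl calls such as strcat it reads the argument count from the ADD ESP,n that follows the CALL; for stdcall Win32 imports, where the callee pops its own arguments, the count is taken from a small table of prototypes (GetModuleFileNameA takes three parameters, GetSystemDirectoryA two). The listing text embedded in the script is a constructed copy of the first part of the listing above. Pushes that no call consumes are reported separately; here they are the saved registers from the function prologue.

```python
"""Recover the API call sequence from an OllyDbg-style disassembly listing.

Added example, not code from the book or from the backdoor itself: it
parses listing lines in the form used by Listing 8.3 and, for each CALL
to an imported function, pairs it with the PUSHes that supply its
arguments.  x86 callers push arguments right-to-left, so the last PUSH
before the CALL is the first C parameter.
"""
import re

# Constructed sample input: the first part of Listing 8.3, as OllyDbg prints it.
LISTING = """\
00402621 PUSH EBP
00402622 MOV EBP,ESP
00402624 SUB ESP,42C
0040262A PUSH EBX
0040262B PUSH ESI
0040262C PUSH EDI
0040262D XOR ESI,ESI
0040262F PUSH 104 ; BufSize = 104 (260.)
00402634 PUSH ZoneLock.00404540 ; PathBuffer = ZoneLock.00404540
00402639 PUSH 0 ; hModule = NULL
0040263B CALL <JMP.&KERNEL32.GetModuleFileNameA>
00402640 PUSH 104 ; BufSize = 104 (260.)
00402645 PUSH ZoneLock.00404010 ; Buffer = ZoneLock.00404010
0040264A CALL <JMP.&KERNEL32.GetSystemDirectoryA>
0040264F PUSH ZoneLock.00405544 ; src = "\\"
00402654 PUSH ZoneLock.00404010 ; dest = "C:\\WINNT\\system32"
00402659 CALL <JMP.&CRTDLL.strcat>
0040265E ADD ESP,8
"""

INSN_RE = re.compile(
    r"^(?P<addr>[0-9A-Fa-f]{8})\s+(?P<mnem>[A-Za-z]+)"
    r"(?:\s+(?P<ops>[^;]*?))?\s*(?:;\s*(?P<comment>.*))?$")
IMPORT_RE = re.compile(r"<JMP\.&(?P<module>\w+)\.(?P<func>\w+)>")

# Parameter counts for the stdcall imports seen here (Win32 prototypes).  A
# stdcall callee pops its own arguments, so nothing after the CALL reveals
# the count; it has to come from the prototype.
STDCALL_ARGC = {
    "GetModuleFileNameA": 3,   # (hModule, lpFilename, nSize)
    "GetSystemDirectoryA": 2,  # (lpBuffer, uSize)
}


def parse_listing(text):
    """Split listing lines into dicts of address, mnemonic, operands, comment."""
    insns = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = INSN_RE.match(line)
        if not m:
            raise ValueError("unparsable listing line: %r" % line)
        insns.append({"addr": int(m["addr"], 16), "mnem": m["mnem"].upper(),
                      "ops": (m["ops"] or "").strip(),
                      "comment": (m["comment"] or "").strip()})
    return insns


def recover_calls(insns):
    """Return (calls, leftover): each call with its arguments in C order.

    leftover holds PUSH operands no CALL consumed; in a function prologue
    these are the saved registers (EBP, EBX, ESI, EDI), not arguments.
    """
    calls, pending = [], []
    for i, ins in enumerate(insns):
        if ins["mnem"] == "PUSH":
            pending.append(ins)
            continue
        if ins["mnem"] != "CALL":
            continue
        imp = IMPORT_RE.search(ins["ops"])
        func = imp["func"] if imp else ins["ops"]
        module = imp["module"] if imp else None
        nxt = insns[i + 1] if i + 1 < len(insns) else None
        if nxt and nxt["mnem"] == "ADD" and nxt["ops"].upper().startswith("ESP,"):
            # cdecl: the caller pops the arguments, so ADD ESP,n means n/4 of them.
            argc, conv = int(nxt["ops"].split(",", 1)[1], 16) // 4, "cdecl"
        elif func in STDCALL_ARGC:
            argc, conv = STDCALL_ARGC[func], "stdcall"
        else:
            argc, conv = 0, "unknown"   # cannot tell; leave the pushes pending
        take = min(argc, len(pending))
        args = pending[len(pending) - take:]
        del pending[len(pending) - take:]
        calls.append({"addr": ins["addr"], "module": module, "func": func,
                      "conv": conv,
                      # Reverse the push order to get C parameter order.
                      "args": [(a["ops"], a["comment"]) for a in reversed(args)]})
    return calls, [p["ops"] for p in pending]


def call_summary(text):
    """One 'addr module.func(args) [convention]' string per recovered call."""
    calls, _ = recover_calls(parse_listing(text))
    return ["%08X %s.%s(%s) [%s]" % (c["addr"], c["module"], c["func"],
                                     ", ".join(a for a, _ in c["args"]), c["conv"])
            for c in calls]


if __name__ == "__main__":
    for line in call_summary(LISTING):
        print(line)
    print("unconsumed pushes:", recover_calls(parse_listing(LISTING))[1])
```

Run on the listing above, the summary shows GetModuleFileNameA(0, ZoneLock.00404540, 104), GetSystemDirectoryA(ZoneLock.00404010, 104) and strcat(ZoneLock.00404010, ZoneLock.00405544), which is exactly the path-building sequence described in the text, and reports EBP, EBX, ESI and EDI as the pushes that belong to the prologue rather than to any call.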


Reversing Malware 291