Home > Cloud Computing > Cloud Security

Analysis and detection of the malicious udisc virus oso.exe

Source: Internet
Author: User
Developer on Alibaba Coud: Build your first app with APIs, SDKs, and tutorials on the Alibaba Cloud. Read more >

Virus name: Worm. Pabug. ck
Size: 38,132 bytes
MD5: 2391109c40ccb0f982b86af86cfbc900
Shelling method: FSG2.0
Programming Language: Delphi
Transmission Mode: Spread through mobile media or malicious web scripts


The behavior is as follows:

File Creation:
% Systemroot % \ system32 \ gfosdg.exe
% Systemroot % \ system32 \ gfosdg. dll
% Systemroot % \ system32 \ severe.exe
% Systemroot % \ system32 \ drivers \ mpnxyl.exe
% Systemroot % \ system32 \ drivers \ conime.exe
% Systemroot % \ system32 \ hx1.bat
% Systemroot % \ system32 \ noruns. reg
X: \ OSO.exe
X: \ autorun. inf
X indicates a non-system drive letter.
% Systemroot % is the environment variable. For Windows XP system installed on drive C, the default path is C: \ WINDOWS Folder. The following assumptions are used for analysis.

Creation process:
% Systemroot % \ system32 \ gfosdg.exe
% Systemroot % \ system32 \ severe.exe
% Systemroot % \ system32 \ drivers \ conime.exe

Use the net stop command to end possible anti-virus software services

Call SC .exe,
Config [corresponding service] start = disabled
Disable these services

Ended and Disabled services include:
Srservice
Sharedaccess (this is the built-in firewall-note)
KVWSC
KVSrvXP
Kavsvc
RsRavMon
RsCCenter

When the rising service is completed, the virus is handled as a prompt is displayed:
Use the FindWindowA function to capture the window titled "rising prompt"
Use the FindWindowExA function to find the "Yes (& Y)" button.
Use the SendMessageA function to send information to the system, which is equivalent to pressing this button

  • 1
  • 2
  • 3
  • 4
  • 5
  • Next Page
[Content navigation]
Page 1: Analysis and Removal of the virus oso.exe Page 1: Analysis and Removal of the virus oso.exe
Page 1: Analysis and Removal of the virus oso.exe Page 1: Analysis and Removal of the virus oso.exe
Page 1: Analysis and Removal of the virus oso.exe

This article is an English version of an article which is originally in the Chinese language on aliyun.com and is provided for information purposes only. This website makes no representation or warranty of any kind, either expressed or implied, as to the accuracy, completeness ownership or reliability of the article or any translations thereof. If you have any concerns or complaints relating to the article, please send an email, providing a detailed description of the concern or complaint, to info-contact@alibabacloud.com. A staff member will contact you within 5 working days. Once verified, infringing content will be removed immediately.

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

Get Started for Free

  • Sales Support

    1 on 1 presale consultation

    Chat Contact Sales

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

    Open a Ticket

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.

    Learn More