Analysis and Handling of the crazy free girl Virus

 
Analysis of Lhsurdj.exe Virus
[Background information]
Virus name: Worm. Win32.AutoRun. elc
Virus alias: Crazy free girl Virus
Virus File Information

File: lhsurdj.exe MD5: 4F7D28EB58510D05149FE566972BDD51 SHA1: javascrc32: 4D7CD431 shell: FSG2.0 → bart/xt [Overlay]

Affected Systems: WIN9X/ME/NT/2000/XP/2003
Virus Type: Worm
Virus size: 39125 Bytes
Transmission Mode: manually download its server
[Features]

• The virus file itself is automatically deleted after execution.
• If the window title contains "virus", the window will be closed automatically. For example, if you create a folder named "virus xxx", double-click the folder and close the window; the Word file with "virus" is also closed.
• "Tools" → "Folder Options" → "show all files" on the "View" Page cannot be set, that is, the single option "show all files and folders" is missing (as a result, hidden files cannot be seen ).

 

• Hijack Registry Editor and Most antivirus software images.
• Virus processes cannot be ended, which is a rogue software.
• The icon of the file is in JPG format.
• Since the emergence of the AutoRun variant in the worm family, it has always brought us a lot of trouble. The new family variant "Crazy free girl" virus has brought great help to the family. To further expand its power, the computer will generate a large number of virus files in the system directory after being infected by crazy free girls, and will generate autorun like family variants. the inf file causes repeated infections.
• Virus Behavior
• Released files
  

  C:\windows\system32\lhsurdj.exeC:\windows\system32\eohuylj.exeC:\windows\system32\eohuylj.infC:\windows\system32\musz1s.dllC:\windows\system32\musz2s.dllC:\windows\system32\uuygec.dllC:\windows\system32\uuygec.nls

  
  The root directory of each disk contains lhsurdj.exe and autorun. inf
  Uuygec. dll and uuygec. nls also modify the creation time to hide themselves. Clear all virus files. As long as one file is not deleted, it will still generate and load the previous virus files after restart.
   
  Registry:
  Added the items generated for the above files and the startup items; destroyed the "show hidden files" function:
  HKEY_CURRENT_USER \ Software \ Microsoft \ Windows \ CurrentVersion \ Explorer \ Advanced
  Change ShowSuperHidden to 0x00000000.
  
  Image hijacking is performed on software that views processes or files, such as most anti-virus software and ice blades.
  In the process, lhsurdj.exeand eohuylj.exe are mutually exclusive and play the role of process daemon.
  When the network is connected, other Trojan viruses will be downloaded from the specified website.
   
  
  [Analysis]


• Process Analysis, enable "Windows Task Manager" (two processes in red circle)

 
When procexp.exetool is enabled, you can also see eohuylj.exe and lhsurdj.exe (red shading)
We can see that their "Description" and "company name" are blank.

Attempts to disable the process, but the process is invalid and will be automatically generated (neither can be used with the "Task Manager)
Features of rogue software

• Start the Registration Table handler program named autoruns.exe"
• Normal processes can use the "option" to "verify the code signature"
  Note that on the "image hijacking" page, you can see that the virus has loaded a large string of program names and enabled shielding.
  "All" Page (if anti-virus software is available, it can be defended)
  
   
  [Clearing method]
  1. Use the "Wsyscheck" tool (if the image is hijacked, you can start it by renaming it first)
  On the "Process Management" page, you can view the two virus processes and record the image path, which is the storage path of the virus files and can track their storage locations on the disk.
  
  Select "End selected process" or "suspend selected process" (key step)
   
  2. Click the "File Management" page to view the disk root directory and these paths.
  You can sort by creation time to further discover and analyze related suspicious files, such as autorun. inf in the root directory of each drive letter and related suspicious files (such as the lhsurdj.exe file)
  
   
  The file C: \ autorun. inf and C: \ WINDOWS \ system32 \ enhuylj. inf are
  

  [AutoRun] shell \ open = open (& O) shell \ open \ commandcmdlhsurdj.exe shell \ open \ Default = 1shell \ cmde = Resource Manager (& X) shell \ cmde \ commandcmdlhsurdj.exe

   

  
  
   
  
  Musz1s. dll and musz2s. dll are also released files.
  The most difficult to find is uuygec. dll and uuygec. nls. The file creation time is modified. Delete these files one by one,
  Follow the "security check" page to get relevant documents within a limited time
   
  Use autoruns.exe to remove two virus items in the Registry HKEY_Local_MACHINE \ SOFTWARE \ Microsoft \ Windows \ CurrentVersion \ Policies \ Explorer \ Run (the preceding check box is removed)
  Press F5 (refresh) and it will not be automatically checked.
   
  3. Use regedit in the Registry Editor to check all key-value options of lhsurdj.exeand eohuylj.exe. Delete
   
  4. Use the Registry Editor regedit to search for all items that use uuygec. dll as the key value:
  HKEY_Local_MACHINE \ SYSTEM \ ControlSet001 \ Session Manager has
  PendingFileRenameOperarions, content:
  

  \?? \ C: \ WINDOWS \ System32 \ uuygec. dll \?? \ C: \ Documents and Settings \ student \ Start Menu \ Program \ Start \ eohuylj.exe \?? \ C: \ WINDOWS \ System32 \ uuygec. nls \?? \ C: \ Documents ents and Settings \ All Users \ Start Menu \ Program \ Start \ lhsurdj.exe \?? \ C: \ WINDOWS \ System32 \ RavExt. dll \?? \ C: \ WINDOWS \ System32 \ bsmain.exe

   

  Delete this item.
   
  5. Restore the "Resource Manager" implicit File Viewing function:
  HKEY_Local_MACHINE \ SOFTWARE \ Microsoft \ Windows \ CurrentVersion \
  Explorer \ Advanced \ Folder \ Hidden \ SHOWALL
  Create a Dword-type key value CheckedValue 1 to export it to the showall. reg file.
   
  [Others]
  1.360 this file can be detected, object: C: \ WINDOWS \ system32 \ enhuylj.exe
  Threat: Generic. Malware. SP! Pk! G. A679068E: the file has been deleted.
   
  2. Search for fuzzy search using regedit
  

  HKEY_CURRENT_USER \ Software \ Microsoft \ Search Assistant \ ACMru \ 5603 000 eoh *. exe001 lhsur *. exe