A few days ago Rising reported that, according to data gathered by its "Cloud Security" system, infections by the widespread "Storm 1" worm (Worm.Script.VBS.Autorun.be) are still climbing: 50,000 computers were infected between January 1 and 3, and the growth rate is accelerating. Once a computer is infected it becomes abnormally slow, all ordinary folders are hidden, the optical drive tray ejects on a timer, and the screen is locked with a picture of a skeleton.
Virus description:
A malicious worm written in VBScript. It is encrypted, rewrites its own encrypted body on every run, and spreads through USB flash drives.
Virus behavior analysis:
1. Self-mutation
The virus first calls StrReverse() on a stored string to recover its decryption routine.
The decryption code is as follows:
This code reads the comment lines of the script file itself and decrypts them; the encrypted body is carried inside what looks like ordinary comments.
Once the decrypted body is running, the virus generates a fresh key, re-encrypts its code with that key, and writes the result out as its new copy.
As a result the file content after every run is completely different from the content before it ran, so a fixed byte signature or a file hash cannot identify the sample.
2. Self-replication
The virus walks every drive and writes an Autorun.inf and a .vbs file to its root directory; double-clicking the drive in My Computer then triggers the script.
The virus copies the system's wscript.exe to C:\Windows\System\svchost.exe (the genuine svchost.exe lives in C:\Windows\System32; the copy in the legacy System directory is simply the script host under a decoy name).
On a FAT volume the virus copies itself to C:\Windows\System32 under a random numeric file name.
On an NTFS volume the virus instead appends itself as an alternate data stream (ADS) to the following files, so the host file's name and visible size do not change:
C:\Windows\explorer.exe
C:\Windows\System32\smss.exe
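The following PowerShell triage script is an added example and is not part of the original Rising report. It checks a machine, read-only, for the file-system indicators described in sections 1 and 2: a .vbs whose comment lines carry an encoded payload alongside StrReverse/Execute, an autorun.inf plus .vbs pair at each drive root, the wscript.exe copy dropped as C:\Windows\System\svchost.exe, and extra data streams on explorer.exe and smss.exe. The 200-character comment threshold and the function names are assumptions based on the description above, not on the sample itself.

```powershell
# Added example, not from the original report. Read-only triage for the
# file-system indicators in sections 1 and 2. Threshold (200 chars) and
# host-file paths are assumptions taken from the description, not the sample.

# Section 1: the worm keeps its encrypted body in comment lines, recovers its
# decryptor with StrReverse() and runs it with Execute. A script showing
# StrReverse + Execute plus long, opaque comment lines is suspect.
function Test-SuspiciousVbs {
    param([Parameter(Mandatory)][string]$Path)
    $lines = Get-Content -LiteralPath $Path -ErrorAction Stop
    $text  = $lines -join "`n"
    $opaque = 0
    foreach ($l in $lines) {
        if ($l -match "^\s*('|rem\s)(.*)") {
            $body = $Matches[2].Trim()
            # A long comment with no whitespace is encoded data, not prose.
            if ($body.Length -gt 200 -and $body -notmatch '\s') { $opaque++ }
        }
    }
    $hasStrReverse = $text -match 'strreverse\s*\('
    $hasExecute    = $text -match '\bexecute(global)?\b'
    [pscustomobject]@{
        Path           = $Path
        StrReverse     = $hasStrReverse
        Execute        = $hasExecute
        OpaqueComments = $opaque
        Suspicious     = ($hasStrReverse -and $hasExecute -and $opaque -ge 1)
    }
}

# Section 2: autorun.inf plus a .vbs in a drive root is the propagation pair.
function Get-AutorunIndicators {
    foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
        $root = $drive.Root
        $inf  = Join-Path $root 'autorun.inf'
        if (-not (Test-Path -LiteralPath $inf)) { continue }
        $infText = (Get-Content -LiteralPath $inf -ErrorAction SilentlyContinue) -join "`n"
        # -Force lists hidden/system files, which the worm's drops usually are.
        $vbs = Get-ChildItem -LiteralPath $root -Filter *.vbs -Force -File -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Drive         = $root
            AutorunInf    = $inf
            ReferencesVbs = [bool]($infText -match '\.vbs')
            VbsFiles      = @($vbs | ForEach-Object { $_.FullName })
        }
    }
}

# Dropped wscript.exe copy masquerading as svchost.exe in the legacy System
# directory (the genuine svchost.exe runs from System32).
function Get-RogueSvchost {
    $p = Join-Path $env:SystemRoot 'System\svchost.exe'
    if (Test-Path -LiteralPath $p) { Get-Item -LiteralPath $p -Force }
}

# On NTFS the worm lives in alternate data streams of explorer.exe and
# smss.exe; anything besides the default ::$DATA stream is suspicious.
function Get-HostAds {
    foreach ($f in "$env:SystemRoot\explorer.exe", "$env:SystemRoot\System32\smss.exe") {
        Get-Item -LiteralPath $f -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' } |
            Select-Object FileName, Stream, Length
    }
}

# Usage: run the four checks and review anything that comes back.
Get-AutorunIndicators | Format-List
Get-AutorunIndicators | ForEach-Object { $_.VbsFiles } | ForEach-Object { Test-SuspiciousVbs $_ }
Get-RogueSvchost
Get-HostAds
```

Because the worm re-encrypts itself on every run, the hash of the .vbs is useless for matching; the structural heuristic in Test-SuspiciousVbs (decryptor plus opaque comment lines) survives the mutation, which is why it is used here instead of a signature.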
3. Registry modifications
The virus changes the following keys so that they point to the virus file. The script is then triggered whenever the user runs an .inf, .bat, .cmd, .reg, .chm or .hlp file, opens Internet Explorer, or double-clicks the My Computer icon:
HKLM\SOFTWARE\Classes\inffile\shell\open\command
HKLM\SOFTWARE\Classes\batfile\shell\open\command
HKLM\SOFTWARE\Classes\cmdfile\shell\open\command
HKLM\SOFTWARE\Classes\regfile\shell\open\command
HKLM\SOFTWARE\Classes\chm.file\shell\open\command
HKLM\SOFTWARE\Classes\hlpfile\shell\open\command
HKLM\SOFTWARE\Classes\Applications\iexplore.exe\shell\open\command
HKCR\CLSID\{871C5316-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage\Command
HKCR\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\shell\open\command
The virus also modifies the following values so that the "Show hidden files and folders" option in Folder Options no longer has any effect:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\NOHIDDEN\CheckedValue
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue
It deletes the following value so that the small arrow overlay disappears from shortcut icons:
HKCR\lnkfile\IsShortcut
It modifies the following value to enable AutoRun on every drive type:
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutorun
And it sets the following value so that the script starts automatically at logon:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\load
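The following PowerShell audit is an added example and not part of the original Rising report. It reads every registry location listed in section 3 and reports anything that deviates from a clean configuration. The "clean" values it assumes (SHOWALL\CheckedValue = 1, NOHIDDEN\CheckedValue = 2, an existing but empty IsShortcut, an empty load value) are the Windows XP/7 defaults, and the 0x04 bit test on NoDriveTypeAutorun is a hardening check rather than anything the article states; the function names are mine.

```powershell
# Added example, not from the original report. Read-only audit of the
# registry values listed in section 3. The "expected" values are the
# Windows XP/7 defaults and are assumptions; compare with a known-clean box.
function Get-RegValue {
    param([string]$Key, [string]$Name)
    $item = Get-ItemProperty -LiteralPath $Key -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    $prop = $item.PSObject.Properties[$Name]
    if ($null -eq $prop) { return $null }
    return $prop.Value
}

function Test-StormRegistry {
    $findings = New-Object System.Collections.Generic.List[object]
    function Add-Finding($Check, $Key, $Value) {
        $findings.Add([pscustomobject]@{ Check = $Check; Key = $Key; Value = $Value })
    }

    # File-type and shell handlers: a clean open\command never references a
    # .vbs, wscript.exe, or a svchost.exe outside System32.
    $classes = 'HKLM:\SOFTWARE\Classes'
    $handlerKeys = @(
        "$classes\inffile\shell\open\command",
        "$classes\batfile\shell\open\command",
        "$classes\cmdfile\shell\open\command",
        "$classes\regfile\shell\open\command",
        "$classes\chm.file\shell\open\command",
        "$classes\hlpfile\shell\open\command",
        "$classes\Applications\iexplore.exe\shell\open\command",
        "$classes\CLSID\{871C5316-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage\Command",
        "$classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\shell\open\command"
    )
    foreach ($k in $handlerKeys) {
        $cmd = Get-RegValue $k '(default)'
        if ($cmd -and $cmd -match '\.vbs|wscript\.exe|\\System\\svchost\.exe') {
            Add-Finding 'Hijacked handler' $k $cmd
        }
    }

    # Folder Options: SHOWALL\CheckedValue is 1 and NOHIDDEN\CheckedValue is 2
    # on a clean system; other values make "Show hidden files" a no-op.
    $hidden = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden'
    $showall  = Get-RegValue "$hidden\SHOWALL"  'CheckedValue'
    $nohidden = Get-RegValue "$hidden\NOHIDDEN" 'CheckedValue'
    if ($showall  -ne 1) { Add-Finding 'Show-hidden option broken' "$hidden\SHOWALL\CheckedValue"  $showall }
    if ($nohidden -ne 2) { Add-Finding 'Show-hidden option broken' "$hidden\NOHIDDEN\CheckedValue" $nohidden }

    # Shortcut arrow overlay: lnkfile\IsShortcut must exist (its data is empty).
    $lnk = Get-ItemProperty -LiteralPath "$classes\lnkfile" -ErrorAction SilentlyContinue
    if ($null -eq $lnk -or $null -eq $lnk.PSObject.Properties['IsShortcut']) {
        Add-Finding 'Shortcut arrow removed' "$classes\lnkfile\IsShortcut" '<missing>'
    }

    # AutoRun policy: bit 0x04 covers removable drives. If it is clear (or the
    # value is absent, leaving the OS default), a USB stick's autorun.inf runs.
    # 0xFF disables AutoRun for every drive type and is the usual hardening.
    $policy = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $ndta = Get-RegValue $policy 'NoDriveTypeAutorun'
    if ($null -eq $ndta -or ($ndta -band 0x04) -eq 0) {
        Add-Finding 'AutoRun enabled for removable drives' "$policy\NoDriveTypeAutorun" $ndta
    }

    # Logon autostart: the "load" value is empty on a clean machine.
    $winKey = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows'
    $load = Get-RegValue $winKey 'load'
    if ($load) { Add-Finding 'Autostart via load value' "$winKey\load" $load }

    return $findings
}

Test-StormRegistry | Format-Table -AutoSize
```

The handler check matches on what the worm would have to put into the command (a .vbs, wscript.exe, or its System\svchost.exe copy) rather than on exact default strings, since those differ between Windows versions; the Folder Options and AutoRun checks compare against concrete values because those are stable across versions.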
4. Folder traversal
The virus recursively traverses the folders on every drive. Each folder it visits is set to Hidden + System + Read-only, and next to it the virus creates a shortcut whose target is the .vbs script and whose argument is the path of the folder just hidden.
Because the registry changes above disable the display of hidden files and remove the shortcut arrow, the shortcut looks exactly like the original folder: the user believes the folder is being opened, while in fact the script runs with the hidden folder's path as its argument.
5. Ejecting the optical drive
Whenever the month and day of the system date are equal (January 1, February 2, and so on), each activation of the virus opens and closes the optical drive tray at 10-second intervals. The number of open/close cycles equals the month number: on January 1 each activation ejects the tray once, on February 2 twice, and so on.
6. Screen lock
The virus uses mshta.exe to display an image and lock the desktop so that the user cannot operate the computer.
7. Killing system tools
If it finds processes such as regedit.exe or taskmgr.exe, the virus calls the ntsd debugger to terminate them, so the Registry Editor, Task Manager and other basic system tools cannot be opened.
Removal method:
Use a process tool to terminate every wscript.exe process and any process whose image path is C:\Windows\System\svchost.exe (the genuine svchost.exe runs from C:\Windows\System32).
Run regedit, open HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\load and note the path the value points to; delete that script file from the command line with del (add /a if the file is hidden) and then clear the load value.
Use an NTFS stream tool (for example Sysinternals streams.exe with the -d option) to delete the streams attached to explorer.exe and smss.exe.
Use a file-association repair tool to restore the file associations the virus changed.
Delete the autorun.inf and .vbs files in the root directory of every drive, and restore the attributes of the folders the virus hid.
We recommend using anti-virus software to scan for and remove the virus automatically.
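The following clean-up script is an added example and not part of the original Rising report. It carries out the manual steps above from an elevated PowerShell session: it kills the script hosts, follows the load value to the script, strips the alternate data streams, restores the Folder Options, shortcut-arrow and AutoRun values, deletes the root-directory drops, and then uses the lure shortcuts themselves to find and un-hide the folders the worm hid (each lure carries the hidden folder's path as its argument, so no guessing is needed). It assumes the file and registry locations exactly as the article lists them, assumes the restored registry values 1, 2 and 0xFF are appropriate, and leaves the hijacked file-type handlers to a repair tool as the article recommends.

```powershell
# Added example, not from the original report. Manual clean-up following the
# steps above. Run from an elevated PowerShell. Paths, registry locations and
# the restored values (1, 2, 0xFF) are assumptions taken from the article and
# the Windows defaults; the hijacked file handlers are left to a repair tool.
$sys = $env:SystemRoot

# Stop every wscript.exe and the copy of it masquerading as
# C:\Windows\System\svchost.exe (matched on image path), then delete the copy.
Get-Process -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -eq 'wscript' -or $_.Path -eq "$sys\System\svchost.exe" } |
    Stop-Process -Force -ErrorAction SilentlyContinue
Remove-Item -LiteralPath "$sys\System\svchost.exe" -Force -ErrorAction SilentlyContinue

# Follow the "load" autostart value to the script, delete it, clear the value.
$winKey = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows'
$load = (Get-ItemProperty -LiteralPath $winKey -ErrorAction SilentlyContinue).load
if ($load -and $load -match '([A-Za-z]:\\[^"]*?\.vbs)') {
    Remove-Item -LiteralPath $Matches[1] -Force -ErrorAction SilentlyContinue
    Set-ItemProperty -LiteralPath $winKey -Name load -Value ''
}

# Strip the worm's alternate data streams from the two host files
# (equivalent to streams.exe -d on each file).
foreach ($f in "$sys\explorer.exe", "$sys\System32\smss.exe") {
    Get-Item -LiteralPath $f -Stream * -ErrorAction SilentlyContinue |
        Where-Object { $_.Stream -ne ':$DATA' } |
        ForEach-Object { Remove-Item -LiteralPath $f -Stream $_.Stream -Force }
}

# Undo the Folder Options, shortcut-arrow and AutoRun changes.
$hidden = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden'
Set-ItemProperty -LiteralPath "$hidden\SHOWALL"  -Name CheckedValue -Value 1 -Type DWord
Set-ItemProperty -LiteralPath "$hidden\NOHIDDEN" -Name CheckedValue -Value 2 -Type DWord
Set-ItemProperty -LiteralPath 'HKLM:\SOFTWARE\Classes\lnkfile' -Name IsShortcut -Value '' -Type String
# 0xFF = AutoRun off for every drive type, so a USB stick's autorun.inf is inert.
Set-ItemProperty -LiteralPath 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' `
    -Name NoDriveTypeAutorun -Value 0xFF -Type DWord

# Every drive root: delete autorun.inf and the dropped .vbs, then walk the
# drive for lure shortcuts. A lure targets the script (or the script host)
# and carries the hidden folder's path as its argument; un-hide that folder
# and delete the lure.
$shell = New-Object -ComObject WScript.Shell
foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
    $root = $drive.Root
    Get-ChildItem -LiteralPath $root -Force -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -eq 'autorun.inf' -or $_.Extension -eq '.vbs' } |
        Remove-Item -Force -ErrorAction SilentlyContinue
    Get-ChildItem -LiteralPath $root -Filter *.lnk -Recurse -Force -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $lnk = $shell.CreateShortcut($_.FullName)
            if ($lnk.TargetPath -match '\.vbs$|wscript\.exe$|\\System\\svchost\.exe$' -or
                $lnk.Arguments -match '\.vbs') {
                # Last quoted/unquoted token of the arguments is the folder path.
                $folder = ($lnk.Arguments -split '"' | Where-Object { $_.Trim() } | Select-Object -Last 1)
                if ($folder) { $folder = $folder.Trim() }
                if ($folder -and (Test-Path -LiteralPath $folder -PathType Container)) {
                    # Same effect as: attrib -s -h -r "<folder>"
                    (Get-Item -LiteralPath $folder -Force).Attributes = 'Directory'
                }
                Remove-Item -LiteralPath $_.FullName -Force
            }
        }
}
```

Order matters: the processes are stopped before anything is deleted, because a running copy of the script would otherwise re-create the files and registry values while the clean-up runs. Folder attributes are restored only for folders named in a lure's argument, not for every Hidden+System directory, since legitimate system folders carry those attributes too.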