Analysis and Handling of the crazy free girl Virus

Source: Internet
Author: User

 
Analysis of the Lhsurdj.exe Virus
[Background information]
Virus name: Worm.Win32.AutoRun.elc
Virus alias: Crazy Free Girl virus
Virus file information:

File: lhsurdj.exe
MD5: 4F7D28EB58510D05149FE566972BDD51
SHA1: javas
CRC32: 4D7CD431
Packer: FSG 2.0 → bart/xt [Overlay]

Affected Systems: WIN9X/ME/NT/2000/XP/2003
Virus Type: Worm
Virus size: 39125 Bytes
Transmission Mode: manual download from its server
[Features]
  • The virus file deletes itself after execution.
  • Any window whose title contains "virus" is closed automatically. For example, create a folder named "virus xxx" and double-click it: the Explorer window closes at once; a Word document whose title contains "virus" is closed in the same way.
  • In "Tools" → "Folder Options" → "View", the option "Show hidden files and folders" is missing, so it cannot be set and hidden files cannot be seen.

 
  • Image hijacking (Image File Execution Options) of the Registry Editor and most antivirus programs.
  • The virus processes cannot be terminated, a typical rogue-software trait.
  • The file uses a JPG-style icon.
  • Since the AutoRun variants of this worm family first appeared, they have caused a great deal of trouble. The new variant "Crazy Free Girl" extends the family further: after infection, the computer generates a large number of virus files in the system directory and, like the other family variants, drops an autorun.inf file that causes repeated infection.
[Virus Behavior]
  • Released files:
    C:\windows\system32\lhsurdj.exe
    C:\windows\system32\eohuylj.exe
    C:\windows\system32\eohuylj.inf
    C:\windows\system32\musz1s.dll
    C:\windows\system32\musz2s.dll
    C:\windows\system32\uuygec.dll
    C:\windows\system32\uuygec.nls

    The root directory of every drive contains lhsurdj.exe and autorun.inf.
    uuygec.dll and uuygec.nls also have their creation time altered to hide themselves. Remove every virus file: as long as a single one remains, it will regenerate and load the other virus files after the next restart.
     
    Registry:
    Adds the entries generated for the files above and the startup items, and breaks the "show hidden files" function:
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
    ShowSuperHidden is changed to 0x00000000.

    Image hijacking is applied to software that views processes or files, such as most antivirus products and IceSword.
    At runtime, lhsurdj.exe and eohuylj.exe guard each other and act as process daemons: if one is terminated, the other restarts it.
    Once the network is connected, further Trojans are downloaded from a specified website.
     

    [Analysis]

  • Process analysis: open "Windows Task Manager" (the two processes in the red circle)

 
When procexp.exe is run, eohuylj.exe and lhsurdj.exe are also visible (red shading).
Note that their "Description" and "Company Name" columns are blank.

Attempting to end the process fails: it is regenerated automatically (neither process can be ended from Task Manager).
This is a feature of rogue software.
  • Start the registry startup-item tool autoruns.exe
  • Normal processes can be checked with "Options" → "Verify Code Signatures"
    Note that on the "Image Hijacks" page the virus has registered a long list of program names and blocks them.
    "Everything" page (if antivirus software is installed it can defend against this)

     
    [Clearing method]
    1. Use the "Wsyscheck" tool (if it is image-hijacked, rename it first so it can start).
    On the "Process Management" page, view the two virus processes and record their image paths; these are the locations of the virus files on disk.

    Select "End selected process" or "Suspend selected process" (key step).
     
    2. Open the "File Management" page to view the disk root directory and the recorded paths.
    Sort by creation time to discover and analyse further suspicious files, such as autorun.inf in the root directory of every drive letter and the files related to it (for example lhsurdj.exe).

     
    The files C:\autorun.inf and C:\WINDOWS\system32\enhuylj.inf contain:
    [AutoRun]
    shell\open=Open(&O)
    shell\open\command=lhsurdj.exe
    shell\open\Default=1
    shell\cmde=Explorer(&X)
    shell\cmde\command=lhsurdj.exe

     



     

    musz1s.dll and musz2s.dll are also dropped files.
    The hardest to find are uuygec.dll and uuygec.nls, whose creation times have been altered. Delete these files one by one;
    the "Security Check" page lists files created within a chosen time range, which helps to locate the related files.

    Use autoruns.exe to remove the two virus entries under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run (clear the check box in front of each entry).
    Press F5 (refresh) and confirm that they are not re-checked automatically.
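The autorun.inf recovered in step 2 above, parsed and checked for the shell-verb hijack this worm relies on (double-clicking the drive runs lhsurdj.exe via the default "Open" verb). This is an added example, not code from the original writeup; the sample file content is constructed from the entries listed above and the function names are my own.

```python
from typing import Dict, List

# Constructed sample, modelled on the autorun.inf entries recovered in step 2 above.
SAMPLE_AUTORUN = """[AutoRun]
shell\\open=Open(&O)
shell\\open\\command=lhsurdj.exe
shell\\open\\Default=1
shell\\cmde=Explorer(&X)
shell\\cmde\\command=lhsurdj.exe
"""

# Keys that launch a program directly on media insertion (not used by this sample).
EXEC_KEYS = ("open", "shellexecute")


def parse_autorun(text: str) -> Dict[str, str]:
    """Return key -> value for the [AutoRun] section, with keys lower-cased."""
    entries: Dict[str, str] = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries


def hijacked_verbs(entries: Dict[str, str]) -> List[str]:
    """Report every shell verb whose command launches a program, flagging the default verb.

    A clean autorun.inf normally carries only icon/label keys; a shell\\<verb>\\command
    pointing at an .exe in the drive root, with Default=1, is the pattern this worm uses.
    """
    findings: List[str] = []
    for key, value in entries.items():
        parts = key.split("\\")
        if len(parts) == 3 and parts[0] == "shell" and parts[2] == "command":
            verb = parts[1]
            label = entries.get(f"shell\\{verb}", verb)          # menu text, if defined
            is_default = entries.get(f"shell\\{verb}\\default") == "1"
            findings.append(f"verb '{label}' runs {value}" + (" [default verb]" if is_default else ""))
    for key in EXEC_KEYS:
        if key in entries:
            findings.append(f"{key}= launches {entries[key]} on insertion")
    return sorted(findings)
```

Run `hijacked_verbs(parse_autorun(open(r"X:\autorun.inf").read()))` against a suspect drive root to list which verbs have been redirected to an executable.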
     
    3. In the Registry Editor (regedit), search for every key and value that references lhsurdj.exe or eohuylj.exe and delete it.
     
    4. In the Registry Editor (regedit), search for every item that uses uuygec.dll as a value:
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Session Manager contains
    PendingFileRenameOperations with the content:
    \??\C:\WINDOWS\System32\uuygec.dll
    \??\C:\Documents and Settings\student\Start Menu\Programs\Startup\eohuylj.exe
    \??\C:\WINDOWS\System32\uuygec.nls
    \??\C:\Documents and Settings\All Users\Start Menu\Programs\Startup\lhsurdj.exe
    \??\C:\WINDOWS\System32\RavExt.dll
    \??\C:\WINDOWS\System32\bsmain.exe

     

    Delete this item.
     
    5. Restore Explorer's hidden-file viewing function:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
    Explorer\Advanced\Folder\Hidden\SHOWALL
    Create a DWORD value named CheckedValue with data 1 (this can be exported to a showall.reg file for reuse).
     
    [Others]
    1. 360 can detect this file. Object: C:\WINDOWS\system32\enhuylj.exe
    Threat: Generic.Malware.SP!Pk!G.A679068E; the file has been deleted.

    2. The Search Assistant history in regedit also records the wildcard searches made for the virus files:
    HKEY_CURRENT_USER\Software\Microsoft\Search Assistant\ACMru\5603
    000 = eoh*.exe
    001 = lhsur*.exe

     
