Analysis and Removal of the Malicious U-Disk Worm Worm.Pabug.ck (oso.exe)

Source: Internet
Author: User

Virus name: Worm.Pabug.ck

Size: 38,132 bytes
MD5: 2391109c40ccb0f982b86af86cfbc900
Packer: FSG 2.0
Programming language: Delphi
Transmission mode: spreads through removable media or malicious web scripts

Its behaviour is as follows:

Files created:
%SystemRoot%\system32\gfosdg.exe
%SystemRoot%\system32\gfosdg.dll
%SystemRoot%\system32\severe.exe
%SystemRoot%\system32\drivers\mpnxyl.exe
%SystemRoot%\system32\drivers\conime.exe
%SystemRoot%\system32\hx1.bat
%SystemRoot%\system32\noruns.reg
X:\OSO.exe
X:\autorun.inf
X stands for a non-system drive letter.
%SystemRoot% is an environment variable; for a Windows XP system installed on drive C it is by default the C:\WINDOWS folder. The analysis below assumes this.

Processes created:
%SystemRoot%\system32\gfosdg.exe
%SystemRoot%\system32\severe.exe
%SystemRoot%\system32\drivers\conime.exe

Uses the net stop command to stop any anti-virus software services that may be present.

Then calls sc.exe with
config [service name] start= disabled
to disable those services.

Services stopped and disabled include:
srservice (System Restore)
SharedAccess (note: this is the built-in Windows Firewall / Internet Connection Sharing service)
KVWSC
KVSrvXP
Kavsvc
RsRavMon
RsCCenter

When Rising's service is stopped, Rising shows a prompt, and the virus handles it like this:
It uses FindWindowA to find the window titled "Rising prompt",
FindWindowExA to find the "Yes(&Y)" button,
and SendMessageA to send the system a message equivalent to pressing that button.

Terminates or blocks the following processes (including but not limited to):
PFW.exe
Kav.exe
KVOL.exe
KVFW.exe
Adam.exe
Qqav.exe
Qqkav.exe
TBMon.exe
Kav32.exe
Kvwsc.exe
CCAPP.exe
EGHOST.exe
KRegEx.exe
Kavsvc.exe
VPTray.exe
RAVMON.exe
KavPFW.exe
SHSTAT.exe
RavTask.exe
TrojDie.kxp
Iparmor.exe
MAILMON.exe
MCAGENT.exe
KAVPLUS.exe
RavMonD.exe
Rtvscan.exe
Nvsvc32.exe
KVMonXP.exe
Kvsrvxp.exe
CCenter.exe
KpopMon.exe
RfwMain.exe
KWATCHUI.exe
MCVSESCN.exe
MSKAGENT.exe
Kvolself.exe
KVCenter.kxp
Kavstart.exe
RAVTIMER.exe
RRfwMain.exe
FireTray.exe
UpdaterUI.exe
KVSrvXp_1.exe
RavService.exe

Creates noruns.reg, imports it into the registry, and then deletes the file. Imported content:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:000000b5
This changes the autorun behaviour of the drives (it did not take effect in my VM).

Modifies the registry to create startup items (these are what later show up in the SREng log):
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<Mpnxyl> <C:\WINDOWS\system32\gfosdg.exe> [N/A]
<Gfosdg> <C:\WINDOWS\system32\severe.exe> [N/A]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
<Shell> <Explorer.exe C:\WINDOWS\system32\drivers\conime.exe> [N/A]

To get past Rising's registry monitoring prompt, the virus:
finds the window titled "Rising registry monitoring prompt" with FindWindowA, and
uses mouse_event to control the mouse and automatically choose "allow modification".

Accesses the registry key
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
and its CheckedValue value
to break the "show hidden files" function (this did not take effect in my virtual machine; it may have been blocked by TINY or SSM by default).

However, after doing so much work to take out the anti-virus software, the author apparently still did not feel safe, and finally added a "killer":
Under the registry key
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
it creates a subkey named after each security software program

and in that subkey sets
"Debugger"="C:\WINDOWS\system32\drivers\mpnxyl.exe"
so that launching any of these programs instead runs the virus file mpnxyl.exe.
For example:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe]
"Debugger"="C:\WINDOWS\system32\drivers\mpnxyl.exe"

The autoruns log clearly shows these entries and the programs "broken" by this technique:
+ 360Safe.exe c:\windows\system32\drivers\mpnxyl.exe
+ Adam.exe c:\windows\system32\drivers\mpnxyl.exe
+ Avp.com c:\windows\system32\drivers\mpnxyl.exe
+ Avp.exe c:\windows\system32\drivers\mpnxyl.exe
+ IceSword.exe c:\windows\system32\drivers\mpnxyl.exe
+ Iparmo.exe c:\windows\system32\drivers\mpnxyl.exe
+ Kabaload.exe c:\windows\system32\drivers\mpnxyl.exe
+ KRegEx.exe c:\windows\system32\drivers\mpnxyl.exe
+ KvDetect.exe c:\windows\system32\drivers\mpnxyl.exe
+ KVMonXP.kxp c:\windows\system32\drivers\mpnxyl.exe
+ KvXP.kxp c:\windows\system32\drivers\mpnxyl.exe
+ MagicSet.exe c:\windows\system32\drivers\mpnxyl.exe
+ Mmsk.exe c:\windows\system32\drivers\mpnxyl.exe
+ Msconfig.com c:\windows\system32\drivers\mpnxyl.exe
+ Msconfig.exe c:\windows\system32\drivers\mpnxyl.exe
+ PFW.exe c:\windows\system32\drivers\mpnxyl.exe
+ PFWLiveUpdate.exe c:\windows\system32\drivers\mpnxyl.exe
+ QQDoctor.exe c:\windows\system32\drivers\mpnxyl.exe
+ Ras.exe c:\windows\system32\drivers\mpnxyl.exe
+ Rav.exe c:\windows\system32\drivers\mpnxyl.exe
+ RavMon.exe c:\windows\system32\drivers\mpnxyl.exe
+ Regedit.com c:\windows\system32\drivers\mpnxyl.exe
+ Regedit.exe c:\windows\system32\drivers\mpnxyl.exe
+ Runiep.exe c:\windows\system32\drivers\mpnxyl.exe
+ SREng.EXE c:\windows\system32\drivers\mpnxyl.exe
+ TrojDie.kxp c:\windows\system32\drivers\mpnxyl.exe
+ WoptiClean.exe c:\windows\system32\drivers\mpnxyl.exe

Deletes kakatool.dll, the DLL of the Kaka Assistant (verified both by the run in the virtual machine and by the content of the program code).

To cut off the victim's way out, another dirty trick is used:
the hosts file is modified to block anti-virus vendors' websites. The Kaka community was "lucky" enough to be among those blocked.
This is what we later saw with SREng, and the corresponding content is also present in the program code:

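As an added example (not code from the original article), the Python below audits the two tricks just described from offline copies of the data: it parses an exported .reg text of the Image File Execution Options key and reports every program whose "Debugger" value redirects it, and it lists hosts-file names pinned to a loopback address. Both inputs are constructed samples in the formats shown on this page; the vendor host names are placeholders.

```python
# Added example (not the article's code): audit IFEO hijacks and hosts sinkholing
# from offline copies of the data; both inputs are constructed samples.
IFEO_KEY = "\\Image File Execution Options\\"

# Constructed .reg export: two hijacked tools plus one harmless IFEO entry.
SAMPLE_IFEO_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe]
"Debugger"="C:\\WINDOWS\\system32\\drivers\\mpnxyl.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe]
"Debugger"="C:\\WINDOWS\\system32\\drivers\\mpnxyl.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"GlobalFlag"=dword:00000002
'''

# Constructed hosts file: the vendor names are placeholders, not real hosts.
SAMPLE_HOSTS = """127.0.0.1       localhost
127.0.0.1       update.av-vendor.example
127.0.0.1       download.av-vendor.example   # added by the worm
::1             localhost
"""

LOOPBACK = {"127.0.0.1", "::1", "0.0.0.0"}

def audit_ifeo(reg_text):
    """Map image name -> Debugger path for every IFEO subkey that sets one.
    Windows launches the Debugger path instead of the image, which is how
    the worm redirects security tools (and regedit) to mpnxyl.exe."""
    hijacks = {}
    image = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            pos = key.find(IFEO_KEY)
            # Only direct IFEO subkeys name an image; other keys are ignored.
            image = key[pos + len(IFEO_KEY):].lower() if pos != -1 else None
        elif image and line.lower().startswith('"debugger"='):
            value = line.split("=", 1)[1].strip().strip('"')
            hijacks[image] = value.replace("\\\\", "\\")  # undo .reg escaping
    return hijacks

def audit_hosts(hosts_text):
    """Return host names mapped to a loopback/null address, except localhost."""
    sinkholed = []
    for raw in hosts_text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 2 and fields[0] in LOOPBACK:
            sinkholed += [n for n in fields[1:] if n.lower() != "localhost"]
    return sinkholed
```

On a live machine the inputs would come from `reg export` of the Image File Execution Options key (the file is UTF-16, so open it with that encoding) and from %SystemRoot%\system32\drivers\etc\hosts; every image name the first function returns is a program whose launch has been redirected.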

In addition:

hx1.bat content:
@echo off
rem set a variable named date, then call DATE with it to change the system date
set date=2004-1-22
rem ping is used only as a short delay (the ping arguments are garbled in the source)
ping localhost>nul
date %date%
rem the batch file deletes itself
del %0

So the system date gets changed? Not in my virtual machine, though.

Autorun.inf content:
[AutoRun]
open=oso.exe
shellexecute=oso.exe
shell\Auto\command=oso.exe

If you hope to spot it from the right-click menu: unfortunately the right-click menu shows nothing unusual, and whether you double-click or right-click the drive, the virus is activated either way!

TINY also recorded the virus disabling the System Restore service, which may cause loss of restore points.

This concludes the behaviour analysis of this very nasty virus. Next comes the cleanup method (members who got dizzy reading the above can just look at the cleanup method).

The cleanup method comes down to one sentence: "survive in the cracks".
IceSword.exe and SREng.exe are blocked, but you only need to rename the file to run it.
Autoruns.exe is not blocked.
The other blocked programs are unblocked step by step.

Specific procedure:

End the processes:
%SystemRoot%\system32\gfosdg.exe
%SystemRoot%\system32\severe.exe
%SystemRoot%\system32\drivers\conime.exe
This virus does not disable Task Manager; you can also use other tools such as procexp.

Use autoruns to delete the following items (autoruns is recommended: it is not blocked, and everything is clear at a glance; first select Options - Hide Microsoft Entries):
+ 360Safe.exe c:\windows\system32\drivers\mpnxyl.exe
+ Adam.exe c:\windows\system32\drivers\mpnxyl.exe
+ Avp.com c:\windows\system32\drivers\mpnxyl.exe
+ Avp.exe c:\windows\system32\drivers\mpnxyl.exe
+ IceSword.exe c:\windows\system32\drivers\mpnxyl.exe
+ Iparmo.exe c:\windows\system32\drivers\mpnxyl.exe
+ Kabaload.exe c:\windows\system32\drivers\mpnxyl.exe
+ KRegEx.exe c:\windows\system32\drivers\mpnxyl.exe
+ KvDetect.exe c:\windows\system32\drivers\mpnxyl.exe
+ KVMonXP.kxp c:\windows\system32\drivers\mpnxyl.exe
+ KvXP.kxp c:\windows\system32\drivers\mpnxyl.exe
+ MagicSet.exe c:\windows\system32\drivers\mpnxyl.exe
+ Mmsk.exe c:\windows\system32\drivers\mpnxyl.exe
+ Msconfig.com c:\windows\system32\drivers\mpnxyl.exe
+ Msconfig.exe c:\windows\system32\drivers\mpnxyl.exe
+ PFW.exe c:\windows\system32\drivers\mpnxyl.exe
+ PFWLiveUpdate.exe c:\windows\system32\drivers\mpnxyl.exe
+ QQDoctor.exe c:\windows\system32\drivers\mpnxyl.exe
+ Ras.exe c:\windows\system32\drivers\mpnxyl.exe
+ Rav.exe c:\windows\system32\drivers\mpnxyl.exe
+ RavMon.exe c:\windows\system32\drivers\mpnxyl.exe
+ Regedit.com c:\windows\system32\drivers\mpnxyl.exe
+ Regedit.exe c:\windows\system32\drivers\mpnxyl.exe
+ Runiep.exe c:\windows\system32\drivers\mpnxyl.exe
+ SREng.EXE c:\windows\system32\drivers\mpnxyl.exe
+ TrojDie.kxp c:\windows\system32\drivers\mpnxyl.exe
+ WoptiClean.exe c:\windows\system32\drivers\mpnxyl.exe

After this, programs such as IceSword, SREng, Registry Editor and the System Configuration Utility are no longer blocked.

Delete or modify the startup items:
Using SREng as the example,
in "Startup Items" - "Registry", delete:
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<Mpnxyl> <C:\WINDOWS\system32\gfosdg.exe> [N/A]
<Gfosdg> <C:\WINDOWS\system32\severe.exe> [N/A]

Double-click the following item and delete everything after "Explorer.exe" in the "Value" field:
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
<Shell> <Explorer.exe C:\WINDOWS\system32\drivers\conime.exe> [N/A]

Delete the files:
Because on a non-system drive even right-clicking may be dangerous, use another method: we recommend deleting with IceSword or WinRAR.
Delete:
%SystemRoot%\system32\gfosdg.exe
%SystemRoot%\system32\gfosdg.dll
%SystemRoot%\system32\severe.exe
%SystemRoot%\system32\drivers\mpnxyl.exe
%SystemRoot%\system32\drivers\conime.exe
%SystemRoot%\system32\hx1.bat
%SystemRoot%\system32\noruns.reg
X:\OSO.exe
X:\autorun.inf

System repair and cleanup:

In the registry, expand
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
We recommend deleting the original CheckedValue value and creating a new, normal one:
"CheckedValue"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
As for the value of NoDriveTypeAutoRun: whether to change it, and to what, depends on each user's needs; the default is usually 91 (hexadecimal).
For the meaning of this value, please search online; it is not detailed here.

HOSTS file cleanup
You can open %SystemRoot%\system32\drivers\etc\hosts in Notepad and clear the content added by the virus.
You can also use SREng: under "System Repair" - "HOSTS file", click "Reset" and then "Save".

Finally, repair the anti-virus software whose services were damaged.

Summary:
It took five hours from getting the sample to writing up the method. The reason is that this virus is quite typical, especially in its several ways of dealing with security software. The unchanged right-click menu is another "hidden" feature that makes cleanup troublesome. To deal with this virus you must also use methods and tools flexibly, on the basis of "know yourself and know your enemy".
