Analysis of a Trojan Virus (2)
I. Basic Information
Sample name: hra33.dll or lpk.dll
Sample size: 66560 bytes
File type: Win32 DLL file
Virus name: Dropped:Generic.ServStart.A3D47B3E
Sample MD5: 5B845C6FDB4903ED457B1447F4549CF0
Sample SHA1: 42e93156dbeb527f6cc213372449dc44bf477a03
This sample is the virus file C:\WINDOWS\system32\hra33.dll, which the Trojan dropper released into the user's C:\WINDOWS\system32 directory. In the previous Trojan analysis, the behavior of the parent virus process Rub.EXE loading the dynamic library hra33.dll was not analyzed; this part covers it.
II. Sample Behavior Analysis
1. Look up the string resource named 0x65 in the resources of the current virus file hra33.dll; its value is ".Net CLR".
2. Determine whether the current virus process file is named "hrl%.TMP" (% stands for other characters).
3. Determine whether the mutex ".Net CLR" already exists, to prevent the virus behavior from being executed a second time.
4. Look up the resource named 0x66 in the resources of the current virus file hra33.dll; it is actually a PE file.
5. If the mutex ".Net CLR" already exists and no file "hrl%.TMP" (% stands for other characters) exists in the user's temporary directory, use the resource named 0x66 to drop the virus file "hrl%.TMP" into the user's temporary directory, for example hrl65.tmp.
6. Once the virus file hrl65.tmp has been dropped successfully into the user's temporary directory, run it, creating the virus process hrl65.tmp.
7. Call the {lstrcmpiA} function to check whether the currently running virus module is the file lpk.dll.
8. If the currently running module is the virus file lpk.dll, carry out DLL hijacking against {".EXE"} files and against the {".EXE"} files of {".RAR"} or {".ZIP"} archives. The DLL hijacking performed by the virus module is analyzed as follows.
8.1 Create separate threads that traverse the files on the user's removable drives, network drives and CD-ROM drives (read-only and read-write CD-ROM drives are not distinguished), in order to prepare DLL hijacking for the {".EXE"} programs found.
8.2 If a file found during this traversal is an {".EXE"} file, copy the virus module file lpk.dll into that {".EXE"} file's directory, achieving DLL hijacking.
8.3 If a file found during this traversal is an archive in {".RAR"} or {".ZIP"} format, copy the virus module file lpk.dll into the directory of the {".EXE"} files of that archive, achieving DLL hijacking.
9. If the currently running virus module is not the virus file lpk.dll, dynamically load the library file {C:\WINDOWS\system32\lpk.dll}, perform the lpk.dll initialization, and forward calls directly to the system library file lpk.dll, in preparation for hijacking it.
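As an added defender-side example (this is not code from the blog post or from the sample), the following Python script hunts a host file tree for the on-disk artifacts the analysis above describes: a dropped "hrl%.TMP" file in a temporary directory (steps 5 and 6), a copy of lpk.dll placed beside an .EXE (step 8.2), and any file whose MD5 or SHA1 matches the hashes given in section I. The directory layout and file contents are constructed placeholders built in a temporary directory, so the script runs offline; only the two hashes come from the post.

```python
"""Hunting script for the hra33.dll / lpk.dll artifacts described in the post.

Added example, not the blog's code. Everything except the two hashes from
section I (KNOWN_MD5 / KNOWN_SHA1) is a constructed assumption.
"""
import hashlib
import os
import re
import tempfile

# Hashes of hra33.dll as stated in section I of the post.
KNOWN_MD5 = {"5b845c6fdb4903ed457b1447f4549cf0"}
KNOWN_SHA1 = {"42e93156dbeb527f6cc213372449dc44bf477a03"}

# "hrl%.TMP": 'hrl', then other characters, then '.tmp' (case-insensitive).
DROPPED_TMP_RE = re.compile(r"^hrl.+\.tmp$", re.IGNORECASE)


def file_hashes(path):
    """Return (md5, sha1) hex digests of a file, read in chunks."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return md5.hexdigest(), sha1.hexdigest()


def scan_tree(root, md5s=KNOWN_MD5, sha1s=KNOWN_SHA1):
    """Walk `root` and collect absolute paths of files matching each indicator."""
    findings = {"dropped_tmp": [], "lpk_beside_exe": [], "hash_match": []}
    for dirpath, _dirs, files in os.walk(root):
        lower = {f.lower(): f for f in files}
        # Step 8.2: lpk.dll sitting in a directory that also holds an .EXE.
        if "lpk.dll" in lower and any(f.endswith(".exe") for f in lower):
            findings["lpk_beside_exe"].append(os.path.join(dirpath, lower["lpk.dll"]))
        for name in files:
            full = os.path.join(dirpath, name)
            # Steps 5/6: the hrl%.TMP payload dropped into a temp directory.
            if DROPPED_TMP_RE.match(name):
                findings["dropped_tmp"].append(full)
            # Section I: hash match against the published sample hashes.
            md5, sha1 = file_hashes(full)
            if md5 in md5s or sha1 in sha1s:
                findings["hash_match"].append(full)
    return findings


def build_demo_tree():
    """Create a constructed directory layout imitating an infected host.

    File contents are plain placeholder bytes, not real malware.
    """
    root = tempfile.mkdtemp(prefix="lpk_hunt_")
    layout = {
        "Temp/hrl65.tmp": b"placeholder payload",
        "usb/app/game.exe": b"MZ placeholder",
        "usb/app/lpk.dll": b"placeholder dll",
        "usb/docs/notes.txt": b"text",
        "clean/tool.exe": b"MZ placeholder",  # .EXE with no lpk.dll beside it
    }
    for rel, data in layout.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)
    return root


def relative_findings(root, findings):
    """Normalise findings to sorted, forward-slash paths relative to `root`."""
    return {kind: sorted(os.path.relpath(p, root).replace(os.sep, "/") for p in paths)
            for kind, paths in findings.items()}


def demo():
    """Build the constructed tree, scan it and return normalised findings."""
    root = build_demo_tree()
    return relative_findings(root, scan_tree(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

On a real host the script would be pointed at the user's temp directory, the system32 directory and any removable or network drive roots rather than at the constructed tree; the hash check is the only indicator tied to this exact sample, while the lpk.dll-beside-.EXE placement and the hrl%.TMP naming are the behavioral artifacts worth alerting on even if the dropper is recompiled.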
III. Summary of Virus Behavior
1. Read the string resource ".Net CLR" (resource name 0x65) and the embedded PE file (resource name 0x66) from the resources of the virus file hra33.dll.
2. Check whether the current process file is named "hrl%.TMP" (% stands for other characters) and whether the mutex ".Net CLR" already exists, to prevent the virus behavior from being executed a second time.
3. If the mutex ".Net CLR" already exists and no "hrl%.TMP" file exists in the user's temporary directory, drop resource 0x66 there as "hrl%.TMP" (for example hrl65.tmp), run it and create the virus process hrl65.tmp.
4. Use {lstrcmpiA} to check whether the currently running virus module is lpk.dll. If it is, create separate threads that traverse the removable drives, network drives and CD-ROM drives (read-only and read-write CD-ROM drives are not distinguished) and copy lpk.dll into the directory of every {".EXE"} file found, and into the directory of the {".EXE"} files of {".RAR"} or {".ZIP"} archives, achieving DLL hijacking.
5. If the currently running virus module is not lpk.dll, dynamically load {C:\WINDOWS\system32\lpk.dll}, perform its initialization and forward calls directly to the system lpk.dll, in preparation for hijacking it.
Reference URLs:
http://blog.sina.com.cn/s/blog_8cb9886a01018hzz.html
http://www.xuebuyuan.com/1929372.html
Copyright Disclaimer: This article is an original article by the blogger and cannot be reproduced without the permission of the blogger.