Analysis of an infected Trojan Horse (1)

Source: Internet
Author: User


I, Sample Information

Sample name: resvr.exe (parent sample)

Sample size: 70144 bytes

Virus name: Trojan.Win32.Crypmodadv

Sample MD5: 5E63F3294520B7C07EB4DA38A2BEA301

Sample SHA1: B45BCE0FCE6A0C3BA88A1778FA66A576B7D50895

Derived samples: .doc, .xls, .jpg and .rar files that the parent sample resvr.exe has infected.

II, Behavior overview of the parent sample resvr.exe

1. Copies itself to C:\Program Files\Common Files\Microsoft Shared\resvr.exe, sets the copy's file attributes to System and Hidden, and runs it, so that a process C:\Program Files\Common Files\Microsoft Shared\resvr.exe is created.

2. Adds a shortcut named "watermark tag system.lnk" to the Start menu Startup folder (Start Menu\Programs\Startup) that points to C:\Program Files\Common Files\Microsoft Shared\resvr.exe, so the dropped copy is started at every logon.

3. Traverses the documents on the system and infects or encrypts the files with the extensions .doc, .xls, .jpg and .rar.

4. Binds a listening socket to port 40118 on address 0.0.0.0, which stands for every IP address of the local machine.

5. Creates an x.bat file in the folder of the original resvr.exe, runs it through cmd.exe, and uses it to delete the original virus file (self-deletion).

III, Detailed analysis of the parent sample resvr.exe and the samples derived from it

1. Obtains the system directory "C:\Program Files\Common Files" and appends to it to build the file path "C:\Program Files\Common Files\Microsoft Shared\resvr.exe".

2. Opens the file "C:\Program Files\Common Files\Microsoft Shared\Index.dat" through a memory mapping. If Index.dat opens successfully, the value of its first two bytes decides what happens next: if it is 0x450, the process raises its own privileges and shuts the computer down; if it is 0x451, the process creates a thread that shows a dialog box sized to the "DISPLAY" device (the whole desktop) and keeps it as the topmost window.

When the first two bytes of Index.dat are 0x450, the process raises its privileges and shuts the computer down.

When the first two bytes of Index.dat are 0x451, a topmost dialog box is created.
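
The host indicators listed in section II (the dropped copy, the Startup shortcut, the port 40118 listener, the x.bat self-deletion) and the Index.dat control values described in step 2 can be checked mechanically during triage. The following script is an added example written for this page; it is not code from the original analysis or from the sample. It works only on data handed to it (a list of paths known to exist, lines copied from `netstat -ano`, a list of mutex names, the raw bytes of Index.dat), so it runs offline; the sample values are constructed. Two assumptions are not stated in the analysis: that the listener is TCP, and that the Index.dat control word is stored little-endian.

```python
"""Triage helpers for the resvr.exe indicators (added example, not the page's code)."""
import re
import struct

# Indicators taken from the analysis.
DROP_PATH = r"C:\Program Files\Common Files\Microsoft Shared\resvr.exe"
STARTUP_LNK = (r"C:\Documents and Settings\Administrator\Start Menu\Programs"
               r"\Startup\watermark tag system.lnk")
LISTEN_PORT = 40118
MUTEX_NAME = "40S118T2013"

# Meaning of the first WORD of Index.dat (section III, step 2).
INDEX_ACTIONS = {0x450: "shutdown", 0x451: "topmost_dialog"}


def index_dat_action(data: bytes) -> str:
    """Return the action the parent would take for this Index.dat content.

    The analysis says the first two bytes are compared against 0x450/0x451;
    a little-endian 16-bit read is assumed here.  Anything else is 'none'.
    """
    if len(data) < 2:
        return "none"
    (word,) = struct.unpack("<H", data[:2])
    return INDEX_ACTIONS.get(word, "none")


# One `netstat -ano` line: proto, local addr:port, remote, state, pid.
_NETSTAT_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$")


def listening_pids(netstat_lines, port=LISTEN_PORT):
    """PIDs from `netstat -ano` output that hold a TCP listener on `port`."""
    pids = []
    for line in netstat_lines:
        m = _NETSTAT_RE.match(line)
        if m and int(m.group(2)) == port:
            pids.append(int(m.group(3)))
    return pids


def triage(existing_paths, netstat_lines, mutex_names, index_dat=None):
    """Combine the indicators into a list of findings (empty = nothing seen)."""
    findings = []
    present = {p.lower() for p in existing_paths}
    if DROP_PATH.lower() in present:
        findings.append(f"dropped copy present: {DROP_PATH}")
    if STARTUP_LNK.lower() in present:
        findings.append(f"startup persistence: {STARTUP_LNK}")
    for pid in listening_pids(netstat_lines):
        findings.append(f"listener on 0.0.0.0:{LISTEN_PORT} (pid {pid})")
    if MUTEX_NAME in mutex_names:
        findings.append(f"mutex {MUTEX_NAME} present (parent already running)")
    if index_dat is not None:
        action = index_dat_action(index_dat)
        if action != "none":
            findings.append(f"Index.dat control value triggers: {action}")
    return findings


# Constructed sample input, not data from a real host.
SAMPLE_PATHS = [DROP_PATH, STARTUP_LNK, r"C:\Windows\explorer.exe"]
SAMPLE_NETSTAT = [
    "  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912",
    "  TCP    0.0.0.0:40118          0.0.0.0:0              LISTENING       2044",
    "  TCP    127.0.0.1:40118        127.0.0.1:1055         ESTABLISHED     2044",
]
SAMPLE_MUTEXES = ["ShimCacheMutex", MUTEX_NAME]
SAMPLE_INDEX_DAT = struct.pack("<H", 0x451) + b"\x00" * 14

if __name__ == "__main__":
    for finding in triage(SAMPLE_PATHS, SAMPLE_NETSTAT, SAMPLE_MUTEXES, SAMPLE_INDEX_DAT):
        print("[!]", finding)
```

On a live Windows host the three inputs would come from `os.path.exists` over the two paths, `netstat -ano` output, and a handle enumeration tool for the mutex; the script deliberately takes them as arguments so the logic can be exercised against captured data.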

3. In the Startup folder "C:\Documents and Settings\Administrator\Start Menu\Programs\Startup", creates the shortcut "C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\watermark tag system.lnk" through COM.

4. Uses its own file path to decide what is currently running: the parent "C:\Program Files\Common Files\Microsoft Shared\resvr.exe", a copy of resvr.exe running from some other path, or a derived sample, i.e. a document the parent has infected (for example a .xls that has become .xls.exe). The infection and hiding logic that follows is different for each type.

5. Corresponding to step 4, the file path and a flag inside the file select one of three execution paths:

Case 1: the running process is "C:\Program Files\Common Files\Microsoft Shared\resvr.exe".

Case 2: the running process is resvr.exe, but not at "C:\Program Files\Common Files\Microsoft Shared\resvr.exe".

Case 3: the running process is a derived sample, produced when the parent resvr.exe infected a .doc, .xls, .jpg or .rar file. Its behavior differs from the parent's, and so do its methods for hiding and encrypting files. It is recognized by the flag at address 0x402004 in the image, which for a derived sample is not -1.

Note: the flag at address 0x402004 is stored inside the virus file; whether it equals -1 is what distinguishes the parent from a derived sample.

6. Case 1: checks whether the mutex "40S118T2013" exists, so that two copies of the virus do not infect the machine at the same time. If the mutex does not exist, the virus traverses the files on every logical disk of the user's computer and infects or encrypts them, then creates a listening socket so that the user's computer acts as the server side while the virus author controls it remotely from the client side.

Every logical disk of the system (C:, D:, and so on) is traversed and its files infected.

The drive letters "ABCDEFGHIJKLMNOPQRSTUVWXYZ" are tried in turn to find the disks whose files can be infected.

The virus infects the files on the user's disks in one of two ways; infected files carry the infection marker 0xAABBCCDD.

The two infection methods for user files.
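
A scanner that looks for derived samples can mirror the parent's own drive walk. The script below is an added example, not code from the original analysis: it tries the drive letters A: to Z: as the parent does, then flags files whose names end in .doc, .xls, .jpg or .rar (or in a doubled extension such as .xls.exe, as in step 4) but whose content is a PE image, and marks those that also contain the 0xAABBCCDD marker as infected. The analysis does not say where the marker sits in an infected file, so searching for it anywhere in the file, in either byte order, is an assumption; the test files the script builds are constructed.

```python
"""Scan for document-named files that are really PE images (added example)."""
import os
import string
import struct
from pathlib import Path

DOC_EXTS = (".doc", ".xls", ".jpg", ".rar")   # extensions the parent infects
MARKER = 0xAABBCCDD                           # infection marker from the analysis
# Byte order of the marker on disk is not given; accept both.
MARKER_BYTES = (struct.pack("<I", MARKER), struct.pack(">I", MARKER))


def candidate_roots():
    """Drive roots that exist, tried A: to Z: the way the parent does."""
    return [f"{c}:\\" for c in string.ascii_uppercase if os.path.isdir(f"{c}:\\")]


def looks_like_document_name(name: str) -> bool:
    """True for 'report.doc' and for doubled names such as 'report.xls.exe'."""
    lower = name.lower()
    if lower.endswith(DOC_EXTS):
        return True
    stem, ext = os.path.splitext(lower)
    return ext == ".exe" and stem.endswith(DOC_EXTS)


def classify(data: bytes) -> str:
    """'infected' = PE plus marker, 'pe' = PE without marker, 'clean' = not PE."""
    if not data.startswith(b"MZ"):
        return "clean"
    if any(m in data for m in MARKER_BYTES):
        return "infected"
    return "pe"


def scan_tree(root):
    """Return (path, verdict) for each document-named file that is a PE image."""
    hits = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file() or not looks_like_document_name(path.name):
            continue
        verdict = classify(path.read_bytes())
        if verdict != "clean":
            hits.append((str(path), verdict))
    return hits


def build_sample_tree(root):
    """Write constructed test files: two real-looking documents, two fakes."""
    root = Path(root)
    (root / "sub").mkdir(parents=True, exist_ok=True)
    # OLE2 compound-document header: an ordinary Word file.
    (root / "memo.doc").write_bytes(b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 64)
    # PE stub carrying the marker but named like a document.
    (root / "report.doc").write_bytes(
        b"MZ" + b"\x90" * 30 + struct.pack("<I", MARKER) + b"\x00" * 16)
    # Doubled extension, PE without the marker: reported, but not as infected.
    (root / "sub" / "budget.xls.exe").write_bytes(b"MZ" + b"\x00" * 48)
    # Plain JPEG, untouched.
    (root / "sub" / "photo.jpg").write_bytes(b"\xff\xd8\xff\xe0" + b"\x00" * 32)


def demo():
    """Build the constructed tree in a temp dir; return (relative name, verdict)."""
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return [(os.path.relpath(p, tmp).replace(os.sep, "/"), v)
                for p, v in scan_tree(tmp)]


if __name__ == "__main__":
    for root in candidate_roots():             # real drives, if any
        for path, verdict in scan_tree(root):
            print(f"{verdict:9s} {path}")
    for name, verdict in demo():               # constructed sample tree
        print(f"{verdict:9s} {name}")
```

Files reported as "pe" without the marker still deserve a look: a .xls.exe that is an executable is suspicious on its own, and the marker search is only a heuristic for this one family.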

7. Case 2: copies the running resvr.exe to "C:\Program Files\Common Files\Microsoft Shared\resvr.exe", sets the copy's attributes to System and Hidden, runs the copy "C:\Program Files\Common Files\Microsoft Shared\resvr.exe", and then deletes its own file.

8. Case 3: the behavior of an infected derived sample.

Opens "C:\Program Files\Common Files\Microsoft Shared\resvr.exe" and checks whether the parent is present under C:\Program Files\Common Files\Microsoft Shared, then releases the parent file to that path. It also writes out the original .doc, .xls, .jpg or .rar document and opens it with ShellExecuteA, so the user sees the file they expected.

Connects to the local listening socket at 127.0.0.1 and sends a command in the "7 + data" format; the user's computer is the server side here (see Case 1).

Runs the released "C:\Program Files\Common Files\Microsoft Shared\resvr.exe", deletes the file of the current virus process, and terminates the current process.
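
During dynamic analysis it is useful to see what a derived sample sends to the parent's listener without letting the real resvr.exe run. The stub below is an added example, not part of the original write-up: it binds loopback only, records whatever connects to it, and splits each message according to the "7 + data" convention mentioned above. The analysis gives neither the exact framing (a leading ASCII "7" followed by the payload, one message per connection, is assumed here) nor the payload contents (the constructed sample payload is a document name); port 40118 is from the analysis, but demo() uses an ephemeral port so it can run beside a real listener.

```python
"""Loopback stub for the parent's control socket (added example)."""
import socket
import threading
import time

LISTEN_PORT = 40118              # from the analysis
SAMPLE_PAYLOAD = b"report.doc"   # constructed; the real payload is not documented


def parse_command(raw: bytes):
    """Split a captured message into (opcode, payload).

    Assumed framing: a leading ASCII '7' followed by the payload.  Anything
    else returns None so the caller can log it as unexpected.
    """
    if not raw or raw[:1] != b"7":
        return None
    return ("7", raw[1:])


class StubListener:
    """Loopback-only stand-in for the parent's control socket.

    Accepts connections on a background thread, reads until the peer closes
    its sending side, records (peer, bytes), and never replies.
    """

    def __init__(self, host="127.0.0.1", port=LISTEN_PORT):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((host, port))     # never 0.0.0.0 for a stub
        self.sock.listen(5)
        self.sock.settimeout(0.2)        # lets the accept loop notice close()
        self.port = self.sock.getsockname()[1]
        self.captured = []
        self._running = True
        self._thread = threading.Thread(target=self._serve, daemon=True)
        self._thread.start()

    def _serve(self):
        while self._running:
            try:
                conn, peer = self.sock.accept()
            except socket.timeout:
                continue
            except OSError:
                return
            with conn:
                conn.settimeout(2)
                chunks = []
                try:
                    while True:
                        chunk = conn.recv(4096)
                        if not chunk:
                            break
                        chunks.append(chunk)
                except socket.timeout:
                    pass                 # keep whatever arrived so far
                self.captured.append((peer, b"".join(chunks)))

    def close(self):
        self._running = False
        self._thread.join(timeout=3)
        self.sock.close()


def send_as_derivative(port, payload, host="127.0.0.1"):
    """The derived sample's side of the exchange: connect, send, half-close."""
    with socket.create_connection((host, port), timeout=2) as s:
        s.sendall(b"7" + payload)
        s.shutdown(socket.SHUT_WR)


def demo(port=0):
    """Run one constructed exchange and return the parsed captured commands."""
    stub = StubListener(port=port)
    try:
        send_as_derivative(stub.port, SAMPLE_PAYLOAD)
        for _ in range(100):             # give the server thread time to record
            if stub.captured:
                break
            time.sleep(0.05)
    finally:
        stub.close()
    return [parse_command(raw) for _, raw in stub.captured]


if __name__ == "__main__":
    for cmd in demo():
        print("captured:", cmd)
```

To capture a real derived sample, start `StubListener()` on port 40118 in the sandbox before executing the sample and inspect `captured` afterwards; because the stub never answers, any follow-up the sample expects from the parent will not happen, which is exactly what keeps the parent from being run.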

In general, this is not a qualified virus analysis report, because a virus analysis report does not need to be so detailed; the more careful the analysis is, the more confused the people who read the report become. It's just a personal hobby. I don't want to thoroughly analyze the virus for others; for my own interest, I hereby thoroughly analyze the virus and take notes, purely to entertain myself.
