Analysis of a file-infecting Trojan virus (II)

Source: Internet
Author: User

Dragon Snow


0x1 Preface

Part (I) of this series analysed the concrete behaviour of the file-infecting Trojan Resvr.exe, but it felt incomplete: the most interesting parts of this sample's behaviour were left out, which I regret. This part therefore looks at three things in detail: how the Trojan infects files, its remote-control (Trojan) functionality, and how infected files can be recovered, to give a direct feel for both the virus-infection and the Trojan nature of the sample.


0x2 Analysis of the Trojan part of the virus: remote control of the user's computer

As established in part (I), Resvr.exe creates a socket on the user's computer and acts as the server side, waiting for the virus author's client to connect. Once connected, the author controls the machine ("control" here meaning driving its operations): the client sends control commands (cmdmsg) over the socket, and Resvr.exe carries out the corresponding malicious action on the user's computer.


Resvr.exe creates a listening socket bound to ip=127.0.0.1, port 40118, so the user's computer becomes a server the virus author can control. Note that a socket bound to 127.0.0.1 accepts connections only from the same host: as captured here, the channel is reachable directly by local processes (such as the derived viruses produced from infected files, see command 7 below) rather than from the network.




Once the local listening socket has been created successfully, Resvr.exe waits for the control commands (cmdmsg) sent by the virus author's client and performs the requested malicious action on the user's computer.




The remote-control protocol has 9 command groups, and with them the author can perform more than nine distinct operations on the user's computer; each command is analysed in detail below. The buffer received from the client (recvcmdmsgbuffer) has the format "dwcmdmsg + data content": the first 8 bytes of the received data carry the command type the author wants executed on the user's computer, and the command types are the nine groups that follow.





Control operation for group 1, dwcmdmsg=0x3eb:


Simply sends feedback on the result of the control operation back to the virus author's client, for example the 4 bytes 21 43 65 87.


Control operation for group 2, dwcmdmsg=0x450:


Creates the file C:\Program Files\Common Files\Microsoft Shared\Index.bat from the data sent by the virus author's client, then shuts the user's computer down after a short delay, which conceals the operation.






Control operation for group 3, dwcmdmsg=0x451:


Creates the file C:\Program Files\Common Files\Microsoft Shared\index.bat from the data sent by the virus author's client, then creates a thread that pops up a dialog box in the lower-right corner of the user's desktop.






Control operation for group 4, dwcmdmsg=0x455:


Sets the infection-mode tag 0xAABBCCDD in the current virus process, then traverses every logical drive on the user's computer and infects the user's files in the "encrypt" mode. A thread is created to iterate the drive letters "ABCDEFGHIJKLMNOPQRSTUVWXYZ" and infect the .doc, .xls, .jpg and .rar files found on each drive.




Infection mode 1: the first 0x400 bytes of the user's file are XOR-"encrypted".




Infection mode 2: only the user's .doc, .xls, .jpg and .rar files are infected.
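The two infection modes above, modelled together with the matching recovery routine, as an added example that is not part of the original analysis and not the sample's code. The analysis gives the XOR of the first 0x400 bytes, the extension filter and the 0xAABBCCDD tag, but not the XOR key or how an infected file is recognised; both are assumptions here: the model appends an 8-byte trailer holding the tag and the key to each infected file, which is what lets recovery find the key and lets the infector avoid touching a file twice. Recovery works because XOR is its own inverse, so a directory walk (standing in for "all logical drives") can repair every tagged target file in place.

```python
"""Model of the 0x455 infection modes and the matching recovery routine.

Added example, not the sample's code. From the analysis: XOR of the first
0x400 bytes, the .doc/.xls/.jpg/.rar filter, the 0xAABBCCDD tag. Assumed here
because the analysis does not give them: the XOR key, and how an infected file
is recognised (this model appends an 8-byte trailer: tag + key).
"""
import os
import struct

INFECT_TAG = 0xAABBCCDD                  # tag value from the analysis
XOR_LEN = 0x400                          # bytes XOR-encrypted at the file start
TARGET_EXTS = {".doc", ".xls", ".jpg", ".rar"}
TRAILER = struct.Struct("<II")           # assumed trailer: tag, key (little-endian)


def _xor_head(data, key):
    """XOR the first XOR_LEN bytes with the 4-byte key, leave the rest untouched.
    Files shorter than 0x400 bytes are XORed in full."""
    kb = struct.pack("<I", key)
    head = bytes(b ^ kb[i & 3] for i, b in enumerate(data[:XOR_LEN]))
    return head + data[XOR_LEN:]


def is_infected(data):
    """Look for the assumed trailer. A clean file that happens to end in the
    tag bytes would be misread as infected; a real tool needs a stronger check."""
    if len(data) < TRAILER.size:
        return False
    tag, _ = TRAILER.unpack_from(data, len(data) - TRAILER.size)
    return tag == INFECT_TAG


def infect(data, key):
    """Infection as modelled: refuse to re-infect (a second key would make
    recovery order-dependent), XOR the head, append the trailer."""
    if is_infected(data):
        return data
    return _xor_head(data, key) + TRAILER.pack(INFECT_TAG, key)


def recover(data):
    """Undo the infection: read the key from the trailer, strip it, XOR again."""
    if not is_infected(data):
        raise ValueError("no infection trailer: file is clean or damaged")
    _, key = TRAILER.unpack_from(data, len(data) - TRAILER.size)
    return _xor_head(data[:-TRAILER.size], key)   # XOR is its own inverse


def should_scan(name):
    """Mode 2 filter: only the four document/archive/image types are targeted."""
    return os.path.splitext(name)[1].lower() in TARGET_EXTS


def recover_tree(root):
    """Walk a directory (stand-in for 'all logical drives') and repair each
    infected target file in place. The clean copy is written to a temp file
    and renamed over the original, so a crash mid-write cannot leave a
    half-recovered document behind."""
    fixed = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            if not should_scan(name):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as f:
                data = f.read()
            if not is_infected(data):
                continue
            tmp = path + ".recovering"
            with open(tmp, "wb") as f:
                f.write(recover(data))
            os.replace(tmp, path)
            fixed.append(path)
    return fixed
```

Run `recover_tree(r"D:\")` (or any mounted copy of the user's drives) against files infected by the modelled routine; the returned list is the set of files that carried the trailer and were repaired. With the real sample the trailer layout and key source must be replaced by whatever the reversed infection code actually writes.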




Control operation for group 5, dwcmdmsg=0x453:


Creates a thread that writes C:\Program Files\Common Files\Microsoft Shared\x.bat from the command data sent by the client and runs it. The DOS commands it contains set up the guest account on the user's computer as a system logon account with elevated permissions.




Control operation for group 6, dwcmdmsg=0x458:


Creates a thread that reads resource data from the current virus process (resource type RT_RCDATA, resource name/ID 0x69 = 105), writes it out as the file Message.exe and then runs it, creating a new virus process. Message.exe is analysed in detail below.







Control operation for group 7, dwcmdmsg=0x7:


Control command "7" should look familiar: part (I) noted that the derived viruses (the infected files generated by the mother virus Resvr.exe) send the command data "7". Concretely, either the virus author's client or a derived virus created from a file infected by Resvr.exe sends "7 + file path", and Resvr.exe infects the .doc, .xls, .jpg or .rar file at that path.






Control operation for group 8, dwcmdmsg=0x452:


Posts a WM_CLOSE message to the pop-up dialog created in the lower-right corner of the user's desktop by 0x451, closing it.

Control operation for group 9, dwcmdmsg=0x454:


Creates a thread that writes "C:\Program Files\Common Files\Microsoft Shared\x.bat" and runs it, disabling the guest system logon account again (the counterpart of 0x453).
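A lab-side decoder and probe for the control channel summarised in the nine groups above, as an added example; it is not the sample's code and not part of the original analysis. Assumptions the analysis does not state: the 8-byte dwcmdmsg field is read as a little-endian integer, the path in command 7 is a NUL-terminated ANSI (cp936) string, and the 0x3eb reply is exactly the four bytes 21 43 65 87. The probe talks to live malware and belongs only in an isolated analysis VM.

```python
"""Decoder and loopback probe for the Resvr.exe control channel.

Added example, not code from the sample or from the original analysis.
Assumptions (the analysis does not state them): the 8-byte dwcmdmsg field is a
little-endian integer; the path in command 7 is NUL-terminated cp936 text; the
reply to 0x3EB is exactly the bytes 21 43 65 87.
"""
import socket
import struct

HDR = struct.Struct("<Q")             # assumed: 8-byte little-endian dwcmdmsg
LISTEN_ADDR = ("127.0.0.1", 40118)    # listener address from the analysis
ACK_3EB = bytes.fromhex("21436587")   # 4-byte reply to 0x3EB from the analysis

# The nine command groups from the analysis.
COMMANDS = {
    0x3EB: "reply with result bytes 21 43 65 87",
    0x450: "write Index.bat from payload, then shut the host down",
    0x451: "write index.bat from payload, show bottom-right pop-up",
    0x452: "post WM_CLOSE to the bottom-right pop-up",
    0x453: "write and run x.bat: set up privileged guest logon",
    0x454: "write and run x.bat: tear the guest logon down",
    0x455: "infect .doc/.xls/.jpg/.rar on all drives (XOR first 0x400 bytes)",
    0x458: "drop RCDATA resource 105 as Message.exe and run it",
    0x7:   "infect the single file whose path is in the payload",
}


def build(cmd, payload=b""):
    """Frame a command the way the client is assumed to: 8-byte id + data."""
    return HDR.pack(cmd) + payload


def parse(buf):
    """Split a received buffer into (dwcmdmsg, payload); short buffers are rejected."""
    if len(buf) < HDR.size:
        raise ValueError("buffer shorter than the 8-byte command field")
    (cmd,) = HDR.unpack_from(buf)
    return cmd, buf[HDR.size:]


def describe(buf):
    """Human-readable line for one captured client message."""
    cmd, payload = parse(buf)
    text = COMMANDS.get(cmd, "unknown command")
    if cmd == 0x7:
        # "7 + file path": take bytes up to the first NUL (cp936 is an assumption)
        path = payload.split(b"\0", 1)[0].decode("cp936", "replace")
        text += " [" + path + "]"
    return "0x%x: %s" % (cmd, text)


def is_ack(reply):
    """True if a reply starts with the 0x3EB feedback bytes."""
    return reply[:4] == ACK_3EB


def probe(addr=LISTEN_ADDR, timeout=3.0):
    """Fingerprint a suspected listener by sending 0x3EB and checking the ack.
    Connection refused, timeout or any socket error counts as 'not the implant'."""
    try:
        with socket.create_connection(addr, timeout=timeout) as s:
            s.sendall(build(0x3EB))
            reply = s.recv(16)
    except OSError:
        return False
    return is_ack(reply)


if __name__ == "__main__":
    # constructed sample capture: three client messages, one of them unknown
    capture = [
        build(0x3EB),
        build(0x7, b"C:\\Users\\a\\report.doc\0"),
        build(0x999),
    ]
    for msg in capture:
        print(describe(msg))
    print("listener answers 0x3EB:", probe(timeout=1.0))
```

`describe` is meant for messages captured one per recv() as the sample would see them; the protocol as described carries no length field, so a stream of concatenated messages cannot be split without knowing each command's payload size. `probe` is the cheapest confirmation that whatever is listening on 40118 is this implant rather than an unrelated service.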




0x3 Analysis of the dropped virus file Message.exe

Message.exe displays a MessageBox dialog, then creates an x.bat file that deletes the virus file Message.exe itself, and exits the virus process.









That is a lot, and the layout looks messy; these are personal notes only.


To be honest, writing too much detail in a virus analysis report is not a good thing. The more detail you write, the more confusing it is for the newcomers who read it. A virus analysis report is not for showing off; something like 360's analysis reports, which give a simple, clear account of the virus behaviour, is enough. For reversing the virus, IDA's pseudo-code is of good enough quality to read as it is; there is no need to paste assembly to show how capable you are, because that proves nothing. Tools exist to improve efficiency, not to show off.





Copyright notice: this article is the blogger's original work and may not be reproduced without the blogger's permission.
