Analysis of the New avterminator variant (random 7-bit letter virus)

Source: Internet
Author: User

Author: Fresh sunshine (http://hi.baidu.com/newcenturysun)
Date: 2007/07/21 (reprinted please keep this statement)

Avterminator has been rampant for a while. With the joint efforts of anti-virus software vendors, its momentum has been weakened. However, it has recently suddenly found that a small scale of outbreaks have occurred, and users have reported that they have been killed. Today

I got this new variant and analyzed it immediately. It is particularly worth noting that this variant began to download various rogue software (previously, it was generally used to download some Trojans)

Analysis Report:
File: pmovrao.exe
Size: 26816 bytes
MD5: 8A43F7A2EB37728D5D808C4E72B65242
SHA1: A61CB036BC9A851A61E79F815A688DC04603C509
CRC32: 2B59AD2F

Run the command in C: Program FilesCommon FilesMicrosoft Shared
And C: Program FilesCommon FilesSystem generate two random, seven-character combinations of exe
My tests are C: Program FilesCommon FilesSystemgamkqme.exe and
C: Program FilesCommon FilesMicrosoft Sharedvdiwghf.exe

C: Program Filesmeex.exe
C: Program Filessyuhxcx. inf (random 7-character combination)

Delete C: WINDOWSsystem32verclsid.exe
Traverse D ~ Z partition is generated under the root directory
Autorun.infand random 7-Bit Memory combination exe( I am here pmovrao.exe)
No change in the Context Menu

Check whether the following files exist:
If you change the name to a random 7-character letter
Autorun. inf under each partition
MSInfowniapsvr.exe
MSInfoShell.exe
MSInfoShell. pci
System32progmon.exe
System32internt.exe
Webcss.css
Comlsass.exe
IMEsvchost.exe
IMEsmss.exe
Debugdebug.exe
Common Filessvchost. cnc
Common FilesRelive. dll
Internet assumermsvcrt. dll
Internet assumerpluginssyswin64.jmp
Internet assumerpluginssyswin64.sys
Internet assumerpluginssyswin64.tao

Set HKLMSYSTEMCurrentControlSetServicesSharedAccess
HKLMSYSTEMCurrentControlSetServiceshelpsvc
HKLMSYSTEMCurrentControlSetServiceswscsvc
HKLMSYSTEMCurrentControlSetServiceswuauserv
To Disabled

Delete
HKLMSYSTEMControlSet001ControlSafeBootMinimal {4D36E967-E325-11CE-BFC1-08002BE10318}
HKLMSYSTEMControlSet001ControlSafeBootNetwork {4D36E967-E325-11CE-BFC1-08002BE10318}
HKLMSYSTEMCurrentControlSetControlSafeBootMinimal {4D36E967-E325-11CE-BFC1-08002BE10318}
HKLMSYSTEMCurrentControlSetControlSafeBootNetwork {4D36E967-E325-11CE-BFC1-08002BE10318}
Sabotage Security Mode

Modify hklmsoftwaremicrosoftwindowscurrentversionpoliceradvancedfolderhiddenshowallcheckedvalue
0x00000000 damage the hidden file

Change C: Program FilesCommon FilesMicrosoft Shared
C: The properties of Program FilesCommon FilesSystem are hidden.

Add the following IFEO Value
HKLMSOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution Options360rpt.exe
HKLMSOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution Options360Safe.exe
HKLMSOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution Options360tray.exe
HKLMSOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution Optionsadam.exe
HKLMSOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution OptionsAgentSvr.exe
HKLMSOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution OptionsAppSvc32.exe
HKLMSOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution OptionsArSwp.exe
HKLMSOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution OptionsAST.exe
HKLMSOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution Optionsautoruns.exe
HKLMSOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution Optionsavconsol.exe
HKLMSOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution Optionsavgrssvc.exe
HKLMSOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution OptionsAvMonitor.exe
HKLMSOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution Optionsavp.com
HKLMSOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution Optionsavp.exe
HKLMSOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution OptionsCCenter.exe
HKLMSOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution OptionsccSvcHst.exe
HKLMSOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution OptionsEGHOST.exe
HKLMSOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution OptionsFileDsty.exe
HKLMSOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution OptionsFTCleanerShell.exe
HKLMSOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution OptionsFYFireWall.exe
HKLMSOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution OptionsHijackThis.exe
HKLMSOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution OptionsIceSword.exe
HKLMSOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution Optionsiparmo.exe
HKLMSOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution OptionsIparmor.exe
HKLMSOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution OptionsisPwdSvc.exe
HKLMSOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution Optionskabaload.exe
HKLMSOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution OptionsKaScrScn. SCR
HKLMSOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution OptionsKASMain.exe
HKLMSOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution OptionsKASTask.exe
HKLMSOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution OptionsKAV32.exe
HKLMSOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution OptionsKAVDX.exe
HKLMSOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution OptionsKAVPF.exe
HKLMSOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution OptionsKAVPFW.exe
HKLMSOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution OptionsKAVSetup.exe
HKLMSOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution OptionsKAVStart.exe
HKLMSOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution OptionsKISLnchr.exe
HKLMSOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution OptionsKMailMon.exe
HKLMSOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution OptionsKMFilter.exe
HKLMSOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution OptionsKPFW32.exe
HKLMSOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution OptionsKPFW32X.exe
HKLMSOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution OptionsKPfwSvc.exe
HKLMSOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution OptionsKRegEx.exe
HKLMSOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution OptionsKRepair.com
HKLMSOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution OptionsKsLoader.exe
HKLMSOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution OptionsKVCenter. kxp
HKLMSOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution OptionsKvDetect.exe
HKLMSOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution OptionsKvfwMcl.exe
HKLMSOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution OptionsKVMonXP. kxp
HKLMSOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution OptionsKVMonXP_1.kxp
HKLMSOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution Optionskvol.exe
HKLMSOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution Optionskvolself.exe
HKLMSOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution OptionsKvReport. kxp
HKLMSOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution OptionsKVScan. kxp
HKLMSOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution OptionsKVSrvXP.exe
HKLMSOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution OptionsKVStub. kxp
HKLMSOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution Optionskvupload.exe
HKLMSOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution Optionskvwsc.exe
HKLMSOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution OptionsKvXP. kxp
HKLMSOFTWAREMicrosoftWindows NTC

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.