Since the beginning of August this year, rumors have circulated in the industry that viruses were being manufactured and spread through the Thunder client. Anonymous sources reported to the media via email that a built-in malicious program had been spreading for nearly two months through the "Thunder client", which has hundreds of millions of installations, and that more than 28 million users were affected.
It was originally a "temporary worker".
Last night, Thunder held a press conference in Shenzhen to officially respond to the rumors. Huang Yu, senior vice president of Xunlei, said that after receiving user feedback the company organized an investigation and found that a department manager at Xunlei Kankan, a group subsidiary, had bypassed the company's normal processes and privately instructed technicians to use the subsidiary's resources without authorization and to fraudulently use the Thunder digital signature to produce a plug-in containing malicious programs, originally "temporary.
Thunder Virus
According to the analysis, the "Thunder virus" is the file InpEnhSvc.exe in the C:\Windows\system32 directory, and it carries a Thunder digital signature. The file behaves like rogue software: without the user's knowledge it downloads APKs and silently installs them on any mobile phone connected to the computer. The APKs are "9 game chess and card Hall", "91 mobile assistant", "360 mobile assistant", "UU network phone", and "fan Feng app market".
InpEnhSvc.exe backdoor analysis
InpEnhSvc.exe has typical backdoor characteristics. Compared with other backdoor programs, it focuses on promoting applications in the background, both PC applications and mobile Android applications. The file carries a valid digital signature:
InpEnhSvc.exe file information
InpEnhSvc has three major functions:
Function 1: Malicious promotion of mobile apps in the background
Function 2: conventional remote control operations
Function 3: automatic update and upgrade
Function points: main execution process
While running, the virus creates a hidden window of size 0 and registers for device-change notifications so that it is told when hardware such as USB devices, disks and COM ports is attached. It then receives remote function numbers and executes the corresponding function.
InpEnhSvc pre-run detection
Function 1: Malicious promotion of mobile apps in the background
Debugging InpEnhSvc
InpEnhSvc checks whether the configuration file tools.ini exists in the temp directory. If it does not exist, it downloads it from conf.kkklm.n0808.com, then starts the promotion and update operations according to the information in the configuration file.
InpEnhSvc downloads tools.ini
InpEnhSvc detects the adb tool
InpEnhSvc checks whether adb and the other mobile app promotion tools exist in the temp directory, and downloads them if they do not.
InpEnhSvc registers itself as a Word plug-in
At this point you should have a clear picture of the Thunder "virus": it is a very clever and cautious "virus" that first checks whether monitoring processes are running and, if they are, does not attack. If it does not start its operations, what does the virus do instead? Let's take a look.
Disguising as an Office process
Disguised as a Word plug-in
We found that InpEnhSvc.exe has an even better "means": it registers itself as a Word plug-in so that it is loaded automatically whenever Word starts. In this way InpEnhSvc.exe "whitewashes" itself.
Routine remote control operations and updates
InpEnhSvc.exe conventional remote control operations
This module implements eight common remote control functions and executes the corresponding one based on the remote command ID. The functions are briefly:
Function 1: download and install a PC application
Function 2: download and install an Android app
Function 3: add desktop shortcuts
Function 4: add a URL to favorites
Function 5: set the IE browser homepage
Function 6: query and scan the registry
Function 7: scan the desktop to check whether a specified file exists
Function 8: scan favorites to check whether a specified file exists
The function assignment table is as follows:
Function assignment
Automatic update and upgrade
The adb software package is updated from http://conf.kkklm.n0808.com/adb.zip.
Automatic update
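As an added example (not code from the original article), the following Python script applies the indicators described above to constructed log lines for hunting purposes: the dropped file C:\Windows\system32\InpEnhSvc.exe, tools.ini and the adb tools staged in the temp directory, and downloads from conf.kkklm.n0808.com. The log line format, the user name and the file name adb.exe are assumptions.

```python
import re
from typing import List, Optional, Tuple

# Indicators taken from the analysis above (matched case-insensitively).
DROPPED_FILE = r"c:\windows\system32\inpenhsvc.exe"
# tools.ini and adb.zip are named in the article; "adb.exe" is an assumed
# file name for the adb tool that the article says is staged in %TEMP%.
TEMP_ARTIFACTS = {"tools.ini", "adb.zip", "adb.exe"}
CONFIG_HOST = "conf.kkklm.n0808.com"

# Constructed log format for this example: "<EVENT> <argument>".
LINE_RE = re.compile(r"^(?P<event>FILE_CREATE|DNS_QUERY|HTTP_GET)\s+(?P<arg>\S+)$")

def _in_temp(path: str) -> bool:
    """True if a lower-cased Windows path sits under a Temp directory."""
    return "\\temp\\" in path or "\\tmp\\" in path

def check_line(line: str) -> Optional[Tuple[str, str]]:
    """Return (rule_name, matched_argument), or None for a benign line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event, arg = m.group("event"), m.group("arg")
    low = arg.lower()
    if event == "FILE_CREATE":
        if low == DROPPED_FILE:
            return ("inpenhsvc_dropped_in_system32", arg)
        if _in_temp(low) and low.rsplit("\\", 1)[-1] in TEMP_ARTIFACTS:
            return ("promotion_tool_staged_in_temp", arg)
    elif event == "DNS_QUERY" and low == CONFIG_HOST:
        return ("config_server_dns_lookup", arg)
    elif event == "HTTP_GET":
        host = low.split("//", 1)[-1].split("/", 1)[0]
        if host == CONFIG_HOST:
            return ("config_or_adb_update_download", arg)
    return None

def hunt(lines: List[str]) -> List[Tuple[str, str]]:
    """Apply check_line to every log line and collect the hits in order."""
    return [hit for hit in map(check_line, lines) if hit is not None]

# Constructed sample log: the article's indicators mixed with benign noise.
SAMPLE_LOG = [
    r"FILE_CREATE C:\Windows\system32\InpEnhSvc.exe",
    r"FILE_CREATE C:\Windows\system32\drivers\etc\hosts",
    r"DNS_QUERY conf.kkklm.n0808.com",
    r"HTTP_GET http://conf.kkklm.n0808.com/adb.zip",
    r"FILE_CREATE C:\Users\alice\AppData\Local\Temp\tools.ini",
    r"FILE_CREATE C:\Users\alice\AppData\Local\Temp\adb.exe",
    r"DNS_QUERY www.example.com",
]

if __name__ == "__main__":
    for rule, what in hunt(SAMPLE_LOG):
        print(f"{rule}: {what}")
```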
Editor's comment:
"On Youku Tudou's mature, long-distance race track we had a hard time. Without volume exchange it would have been difficult to accomplish the task goals; at the same time, all of Thunder's wireless products together were not enough to achieve an equivalent exchange, so we had no choice but to make an exception and use plug-in pushes for the volume exchange operations." This is the defense offered by the manager behind the Thunder "virus", but it seems unlikely that this was the manager's idea alone.
Although Thunder told the public that "management was lax", I believe everyone will reach their own fair judgment after reading the analysis of this "virus". Competition on the internet is fierce and cruel, but those in charge should keep to a minimum bottom line. Otherwise, even if users do not expose your ugly behavior, your competitors will not let go of the "opportunity" you hand them.