Another way to crack the virus

I helped my friends kill the virus a few days ago, and I caught the virus by the way. Today, we will conduct a reverse analysis on it to see how it works.

Environment Description: a virtual machine with Windows XP is installed.
Object: a USB flash drive Virus
Tools:
PEID (shell Check Tool)
Ollydbg (Dynamic Disassembly tool)

I. Seduce the enemy and discover the virus

1. This is a USB flash drive virus. First, run it on the virtual machine to make itself poisoned. After being poisoned, you can use the "safely delete Hardware" icon on the taskbar to delete the USB flash drive. A message is displayed, "You cannot stop the general-purpose volume device. Please stop the device later ". This is inevitable because the virus is running and the USB flash drive device is called by the virus.

2. Next, let's take a look at the files created by viruses on the hard disk. Because most of the virus files are hidden attributes, you must first show the hidden files to the system. Open "my computer" and select "Folder Options" in the "Tools" menu ", under "Advanced Settings" on the "View" tab, select "Show System Folder content" and "show all files and folders ", deselect the "Hide extensions of known file types" check box. After this check box is set, the general hidden files are displayed.

3. Open "my computer" and go to the root directory. Experience tells us that this is not to be opened directly by double-clicking. Right-click the drive letter and you will see that the first item is "Auto" (normally "open "), select "Resource Manager" to enter the disk root directory.

Obviously, a file is added to the root directory. The file is autorun. inf and the directory is RECYCLER. Its icons are the recycle bin icon and they are hidden attributes. The recyclerdirectory contains two files, info.exe and desktop. ini, which are hidden attributes.

Double-click the autorun. inf file and you will see the following:
[Autorun]
Auto =
Open =
Shellautocommand#rew.erinfo.exe
Shellopencommand#rew.erinfo.exe
ShellopenDefault = 1
Shellexplorecommand#rew.erinfo.exe
Evaluation: This USB flash drive virus is tricky. First, it hides itself under an icon similar to "recycle bin". In addition, it automatically runs by double-clicking the drive letter through autorun. inf.
Double-click the desktop. ini file and you will see the following:
[. ShellClassInfo]
CLSID = {645ff040-5081-101b-9f08-00aa002f954e}
Comment: Change Your icon to the "recycle bin" icon, which is more concealed.

2. Open the left and right bows and dissect the virus

1. Shell check

Through the above check, it is clear that info.exe should be a virus file. If you want to know the working mechanism of the virus and find a way to clean the virus, disassembly is a good note. Use PEID to check whether the virus is shelled. The virus is not shelled.

2. Disassembly

Even if there is no shell, you can directly use the ollydbg‑info.exe Virus File for disassembly. Of course, you can also use other static disassembly tools. After being fully loaded, you can view the api functions called by the program and view the string to understand the features of the virus. The string viewing method is the most basic and relatively simple and commonly used. Method to view the string using the plug-in. In the pop-up window, you can see the character information in the program. Generally, some File Names and registry information are found.

Protocol 1 "may be the name of the file disguised by the virus or the key and key value to be written to the Registry address above. The following ": ecyclerinfo.exe?,“ecycleru.exe" should be the files released to the USB flash drive. Then, where are the remaining "_ sv_cmd _ \ _ u_.exe”and cmd_sv_cmd_u.exe" released? Let's ignore this and continue to look down and see what other strings can tell us what information.
Html ### zoom ">

The "recyclerdesktop. ini" file is familiar to everyone. It is a way to disguise folders as recycle bin icons. "Contents" should be the content in desktop. ini. Next, we recommend that you use autorun‑auto‑open‑shellautocommand‑re‑erinfo.exe
Shellopencommand=recyclerinfo.exeshellopendefa=1nshellexplorecommand=recyclerinfo.exe "is the content of the autorun. inf file in the USB flash drive. The info.exe program in the recycleris automatically run when the snapshot of autorun.infis is opened. Svchost.exe, which is the name of the system file, is displayed as a virus to confuse people.

In the command line, enter svchost.exe:
Cd
Dir/a/s svchost.exe
Note: The lifecycle command is used to search for all files under the System Disk named svchost.exe.

The normal svchost.exe file should be 14 kb in size, so svchost.exe under the C: windowssystemfolder should be a virus, and all the files in C: windows are virus files, the _ sv_cmd _ in the preceding string is used to back up virus files.

The rest should be the key value in the registry. According to the information in the disassembly string, go to the Registry address "HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows kernel, C: windowssystemsvchost.exe", then C: windowssystemsvchost.exe is not a virus address. It was originally run on its own after it was started.

3. Clear viruses

1. End the process

There are 6 svchost.exe processes in the worker task manager, one of which must be a virus process. Which one is? If the system's svchost.exe process is completed, the system will shut down.

Method 1: Enter the following command in the command line:
Tasklist/svc