BACKDOOR.WIN32.IRCBOT.AFM (Video.exe) analysis and removal method

Source: Internet
Author: User
Tags: win32
File name: Video.exe

File Size: 40960 bytes

AV name: BACKDOOR.WIN32.IRCBOT.AFM (Kaspersky)

Packer: Unknown

Written in: Microsoft Visual C++

Virus type: IRC backdoor

File MD5: c06d070c232bc6ac6346cbd282ef73ae

Behavioral Analysis:

1. Drops a copy of itself:

%systemroot%\system32\firewall.exe, 40960 bytes.

(The file name is probably random; it is not necessarily this one.)

It also compresses the dropped copy into an archive with a random name, which may be one of:

IMG0007. Pictureupload.com
IMG0007
Game
Video
PhotoAlbum

2. Modifies the registry so that it runs at startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Value name: windows Network Firewall, type: REG_SZ

Data: %systemroot%\system32\firewall.exe

3. Adds itself to the Windows Firewall exception list:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List

Value name: %systemroot%\system32\firewall.exe, so that its traffic passes through the firewall.

4. Connects to an IRC server at 72.10.167.** and accepts remote control; the operator can terminate any process on the controlled host and use it as a relay (springboard) or for DDoS attacks.

The following commands may be accepted:

QUIT
Part
JOIN
TOPIC
NOTICE
Privmsg
Ddos
Servu
Serv u
Serv-u
Clone
Flood

5. Downloads other trojans with similar behaviour, randomly named.

6. Enumerates local network resources and tries to spread through IPC$, print$, admin$ and other shares, guessing user names and passwords from the following dictionary:

db1234
DatabasePassWord
Databasepass
Dbpassword
Dbpass
Domainpassword
Domainpass
Hello
Hell
Love
Money
Slut
**
**
Exchange
Loginpass
Login
Win2000
Winnt
WinXP
Win2K
Win98
Windows
Oeminstall
Accounting
Accounts
Letmein
Outlook
Mail
Qwerty
Temp123
Temp
Null
Default
Changeme
Demo
Test
2005
2004
2001
Secret
Payday
Deadline
Work
1234567890
123456789
12345678
1234567
123456
12345
1234
Pass
pass1234
passwd
Password
Password1

If a login succeeds, it copies the virus to the remote host, into one of the following directories:

C:\Documents and Settings\All Users\documents
C:\windows\system32
C:\Winnt\System32
C:\Windows
C:\Winnt

7. Spreads by exploiting system vulnerabilities (LSASS, RPC and others), attacking an IP range:

124.72.143.173 (starting address), then random addresses.

Compromised computers are infected with the virus in turn.

8. Tries to connect to other servers as an administrator, possibly using one of the following user names:

Staff
Teacher
Owner
Student
Intranet
Main
Office
Control
Siemens
Compaq
Dell
Cisco
Oracle
Data
Access
Database
Domain
Backup
Technical
Mary
Katie
Kate
George
Eric
None
Guest
Chris
Neil
Brian
Susan
Luke
Peter
John
Mike
Bill
Fred
Wwwadmin
Oemuser
User
Homeuser
Home
Internet
Root
Server
Linux
Unix
Computer
Admin
Admins
Administrat
Administrateur
Administrador
Administrator

If successful, it reads FlashFXP's sites.dat and attempts to crack the stored credentials.

The virus file may then be copied to those servers.

9. Tries to steal CD keys, possibly for Unreal3, World of Warcraft and other games.


Removal:

1. Download Sreng2.zip.

2. Restart and press F8 to enter Safe Mode.

3. Open SREng and delete the registry entry:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

<windows network firewall><c:\winnt\system32\firewall.exe> []

PS: The value name and the file name may differ from the ones shown above. Pay attention to the difference; if you are not sure, post the log in the anti-virus section.

4. Be sure to patch the system vulnerabilities.
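As an added example (not from the original post), a small Python check that parses a `reg export` dump offline and flags Run entries whose executable also appears in the Windows Firewall AuthorizedApplications list, the combination described in steps 2 and 3 of the behaviour analysis. The registry text below is a constructed sample, not data from an infected host, and the value names in it are assumed for illustration.

```python
import re

# Constructed sample of a `reg export` dump (not from a real infected host).
# Firewall exception values use the XP SP2 "path:*:Enabled:display name" format.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"windows Network Firewall"="C:\\WINDOWS\\system32\\firewall.exe"
"SoundMAX"="C:\\Program Files\\Analog Devices\\SoundMAX\\SMTray.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\firewall.exe"="C:\\WINDOWS\\system32\\firewall.exe:*:Enabled:windows Network Firewall"
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:Enabled:@xpsp2res.dll,-22019"
'''

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
FW_LIST_KEY = (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess"
               r"\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')

def unescape(s):
    """Undo the doubled backslashes that .reg exports use inside quoted strings."""
    return s.replace("\\\\", "\\")

def parse_reg(text):
    """Return {key_path: {value_name: data}} for the string values in a .reg export."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = VALUE_RE.match(line)
        if current is not None and m:
            keys[current][unescape(m["name"])] = unescape(m["data"])
    return keys

def run_entries_with_firewall_exception(reg_text):
    """Map each Run value name to its executable when that executable also has a
    firewall exception: an autostart that opens its own hole in the firewall is
    the pattern the analysis above describes."""
    keys = parse_reg(reg_text)
    run = keys.get(RUN_KEY, {})
    allowed = {path.lower() for path in keys.get(FW_LIST_KEY, {})}
    return {name: exe for name, exe in run.items()
            if exe.strip('"').lower() in allowed}

if __name__ == "__main__":
    for name, exe in run_entries_with_firewall_exception(SAMPLE_REG).items():
        print(f"suspicious autostart {name!r} -> {exe} (also in firewall exception list)")
```

On a live host, replace SAMPLE_REG with the text of `reg export` for the two keys and compare the flagged path against the value name, since, as the note above says, the two may differ.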
