Analysis and removal of the USB-disk worm Worm.Pabug.ck (OSO.exe)
Source: Internet
Author: User
Virus name: Worm.Pabug.ck
Size: 38,132 bytes
MD5: 2391109c40ccb0f982b86af86cfbc900
Packer: FSG 2.0
Written in: Delphi
Spreads via: removable media (USB disks) or malicious web-page scripts
Run in a virtual machine and, after unpacking, analyzed in OllyDbg (OD); its behaviour is as follows:
Files created:
%systemroot%\system32\gfosdg.exe
%systemroot%\system32\gfosdg.dll
%systemroot%\system32\severe.exe
%systemroot%\system32\drivers\mpnxyl.exe
%systemroot%\system32\drivers\conime.exe
%systemroot%\system32\hx1.bat
%systemroot%\system32\noruns.reg
X:\OSO.exe
X:\autorun.inf
X is a non-system drive letter.
%systemroot% is an environment variable; on a Windows XP system installed on drive C it defaults to C:\WINDOWS, which is what this analysis assumes.
Processes created:
%systemroot%\system32\gfosdg.exe
%systemroot%\system32\severe.exe
%systemroot%\system32\drivers\conime.exe
Uses the net stop command to stop the services of any anti-virus software present, then calls sc.exe with
config [service name] start= disabled
to disable them (sc requires the space after "start=").
The services stopped and disabled include:
Srservice
SharedAccess (this is the system's built-in firewall service -- author's note)
Kvwsc
Kvsrvxp
Kavsvc
Rsravmon
Rsccenter
When stopping the Rising services, Rising pops up a prompt, so the virus handles that as well:
it uses FindWindowA to find the window titled "Rising Hint",
FindWindowExA to find its "Yes (&y)" button,
and SendMessageA to send that button a message, which is equivalent to clicking it.
Terminates or disables the following processes, including but not limited to:
PFW.exe
Kav.exe
KVOL.exe
KVFW.exe
Adam.exe
Qqav.exe
Qqkav.exe
TBMon.exe
Kav32.exe
Kvwsc.exe
CCAPP.exe
EGHOST.exe
KRegEx.exe
Kavsvc.exe
VPTray.exe
RAVMON.exe
KavPFW.exe
SHSTAT.exe
RavTask.exe
Trojdie.kxp
Iparmor.exe
MAILMON.exe
MCAGENT.exe
KAVPLUS.exe
RavMonD.exe
Rtvscan.exe
Nvsvc32.exe
KVMonXP.exe
Kvsrvxp.exe
CCenter.exe
KpopMon.exe
RfwMain.exe
KWATCHUI.exe
MCVSESCN.exe
MSKAGENT.exe
Kvolself.exe
Kvcenter.kxp
Kavstart.exe
RAVTIMER.exe
RRfwMain.exe
FireTray.exe
UpdaterUI.exe
Kvsrvxp_1.exe
RavService.exe
Creates noruns.reg, imports it into the registry and then deletes the file. The imported content:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:b5
This changes the drives' autorun behaviour (not observed in my virtual machine).
Modifies the registry to create startup items (visible later in the SREng log):
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
<mpnxyl><C:\WINDOWS\system32\gfosdg.exe> [n/A]
<gfosdg><C:\WINDOWS\system32\severe.exe> [n/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
<shell><explorer.exe c:\windows\system32\drivers\conime.exe> [n/A]
To get past Rising's registry-monitor prompt, the author applies the same trick:
FindWindowA finds the window titled "Rising Registry Monitor Prompt",
then mouse_event drives the mouse to select "Allow modification" automatically.
Modifies the CheckedValue value under
[Hkey_local_machine\software\microsoft\windows\currentversion\explorer\advanced\folder\hidden\showall]
which breaks the ability to show hidden files (not observed in my virtual machine; it may be blocked by Tiny or SSM by default).
After doing so much work to remove the anti-virus software the author apparently still did not feel safe, so finally the "killer" is brought out:
under the registry key
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
it creates a subkey named after each security program and, inside that subkey, the value
"Debugger"="C:\\windows\\system32\\drivers\\mpnxyl.exe"
Whenever one of these programs is double-clicked, Windows starts the registered "debugger" instead, which is the virus file mpnxyl.exe.
These items are clearly visible in the Autoruns log, together with the programs hijacked by this technique:
+ 360Safe.exe C:\windows\system32\drivers\mpnxyl.exe
+ Adam.exe C:\windows\system32\drivers\mpnxyl.exe
+ avp.com C:\windows\system32\drivers\mpnxyl.exe
+ Avp.exe C:\windows\system32\drivers\mpnxyl.exe
+ IceSword.exe C:\windows\system32\drivers\mpnxyl.exe
+ Iparmo.exe C:\windows\system32\drivers\mpnxyl.exe
+ Kabaload.exe C:\windows\system32\drivers\mpnxyl.exe
+ KRegEx.exe C:\windows\system32\drivers\mpnxyl.exe
+ KvDetect.exe C:\windows\system32\drivers\mpnxyl.exe
+ Kvmonxp.kxp C:\windows\system32\drivers\mpnxyl.exe
+ Kvxp.kxp C:\windows\system32\drivers\mpnxyl.exe
+ MagicSet.exe C:\windows\system32\drivers\mpnxyl.exe
+ Mmsk.exe C:\windows\system32\drivers\mpnxyl.exe
+ msconfig.com C:\windows\system32\drivers\mpnxyl.exe
+ Msconfig.exe C:\windows\system32\drivers\mpnxyl.exe
+ PFW.exe C:\windows\system32\drivers\mpnxyl.exe
+ PFWLiveUpdate.exe C:\windows\system32\drivers\mpnxyl.exe
+ QQDoctor.exe C:\windows\system32\drivers\mpnxyl.exe
+ Ras.exe C:\windows\system32\drivers\mpnxyl.exe
+ Rav.exe C:\windows\system32\drivers\mpnxyl.exe
+ RavMon.exe C:\windows\system32\drivers\mpnxyl.exe
+ regedit.com C:\windows\system32\drivers\mpnxyl.exe
+ Regedit.exe C:\windows\system32\drivers\mpnxyl.exe
+ Runiep.exe C:\windows\system32\drivers\mpnxyl.exe
+ SREng.EXE C:\windows\system32\drivers\mpnxyl.exe
+ Trojdie.kxp C:\windows\system32\drivers\mpnxyl.exe
+ WoptiClean.exe C:\windows\system32\drivers\mpnxyl.exe
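As an added defensive example (not part of the original analysis), the following Python script covers the two registry persistence tricks described above: it parses a regedit export, lists every Image File Execution Options subkey that carries a Debugger value, flags the pattern this worm leaves (one debugger path shared by many image names and stored under system32\drivers), reports anything appended after explorer.exe in the Winlogon Shell value, and emits a .reg fragment that deletes the hijacked subkeys and restores the Shell value. The sample export, the myapp.exe/windbg entry used as a legitimate counterexample, and the threshold of three shared images are constructed assumptions.

```python
import re
from collections import Counter

IFEO_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT"
            r"\CurrentVersion\Image File Execution Options")
WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

# Constructed sample: a regedit export modelled on the entries shown above, plus a
# hypothetical legitimate IFEO entry (myapp.exe -> windbg) that must not be flagged.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe c:\\windows\\system32\\drivers\\conime.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe]
"Debugger"="C:\\windows\\system32\\drivers\\mpnxyl.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe]
"Debugger"="C:\\windows\\system32\\drivers\\mpnxyl.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SREng.EXE]
"Debugger"="C:\\windows\\system32\\drivers\\mpnxyl.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\myapp.exe]
"Debugger"="C:\\Program Files\\Debugging Tools for Windows\\windbg.exe"
"GlobalFlag"=dword:00000002
"""


def parse_reg(reg_text):
    """Parse a regedit export into {key_path: {value_name: data}}; strings are unescaped, dwords become int."""
    keys, current = {}, None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
            continue
        m = re.match(r'"(.+?)"\s*=\s*(.*)$', line)
        if current is None or not m:
            continue
        name, data = m.groups()
        if data.startswith('"') and data.endswith('"'):
            current[name] = data[1:-1].replace("\\\\", "\\").replace('\\"', '"')
        elif data.lower().startswith("dword:"):
            current[name] = int(data[6:], 16)
        else:
            current[name] = data  # other value types are kept raw
    return keys


def ifeo_debuggers(keys):
    """{image_name: debugger_path} for each direct IFEO subkey carrying a Debugger value."""
    prefix = (IFEO_KEY + "\\").lower()
    out = {}
    for key, values in keys.items():
        tail = key[len(prefix):]
        if key.lower().startswith(prefix) and "\\" not in tail:
            for name, data in values.items():
                if name.lower() == "debugger":
                    out[tail] = data
    return out


def find_hijacks(ifeo, shared_threshold=3):
    """Flag a debugger path shared by many images, or one stored under system32\\drivers."""
    uses = Counter(p.lower() for p in ifeo.values())
    flagged = {}
    for image, path in ifeo.items():
        reasons = []
        if uses[path.lower()] >= shared_threshold:
            reasons.append("same debugger registered for %d images" % uses[path.lower()])
        if "\\drivers\\" in path.lower():
            reasons.append("debugger stored under system32\\drivers")
        if reasons:
            flagged[image] = reasons
    return flagged


def winlogon_shell_extras(keys):
    """Programs appended to the Winlogon Shell value besides explorer.exe (the worm appends conime.exe)."""
    shell = keys.get(WINLOGON_KEY, {}).get("Shell", "explorer.exe")
    return [p for p in shell.replace(",", " ").split() if p.lower() != "explorer.exe"]


def removal_reg(images):
    """A .reg fragment that deletes the hijacked IFEO subkeys and restores the Shell value."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for image in sorted(images, key=str.lower):
        lines.append("[-%s\\%s]" % (IFEO_KEY, image))  # a leading '-' deletes the key
    lines += ["", "[%s]" % WINLOGON_KEY, '"Shell"="explorer.exe"']
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    keys = parse_reg(SAMPLE_REG)
    debuggers = ifeo_debuggers(keys)
    for image, reasons in find_hijacks(debuggers).items():
        print(image, "->", debuggers[image], ";", "; ".join(reasons))
    print("extra Shell programs:", winlogon_shell_extras(keys))
    print(removal_reg(find_hijacks(debuggers)))
```

The generated fragment only removes subkeys that were flagged, so a legitimately registered debugger survives; review the flagged list before importing it, since a subkey may also hold unrelated values such as GlobalFlag.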
Deletes Kakatool.dll, the DLL of the Kaka security assistant (this did happen: the virtual-machine result matches the program code).
To cut off the victims' "way back", another despicable method is used:
it modifies the hosts file to block anti-virus vendors' websites; the Kafan forum "has the honour" of being among the blocked sites.
This is what SREng showed afterwards, and the program code contains the matching content:
hx1.bat content:
@echo off
set Date=2004-1-22
ping * * * localhost > nul
date %date%
del %0
Change the date? That did not happen in the virtual machine either.
Content of Autorun.inf:
[AutoRun]
Open=oso.exe
Shellexecute=oso.exe
Shell\auto\command=oso.exe
If you hoped to tell from the right-click menu: unfortunately the context menu shows nothing unusual, and whether you double-click the drive or use the right-click menu, the virus is activated just the same!
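As an added example (not from the original analysis), the following Python parser shows why the context menu gives no warning: it reads an autorun.inf, collects every way the file can launch a program (open and shellexecute on insertion, and every shell\<verb>\command entry that the context menu or a double-click can invoke) and reports which of them point at an executable. The two sample files are constructed; the first reproduces the content listed above, the second is a harmless one that only sets an icon and label.

```python
# Constructed sample reproducing the autorun.inf content listed above.
SAMPLE_AUTORUN = """[AutoRun]
Open=oso.exe
Shellexecute=oso.exe
Shell\\auto\\command=oso.exe
"""

# Constructed benign sample: sets only an icon and a label, launches nothing.
BENIGN_AUTORUN = """[autorun]
icon=setup.exe,0
label=Backup Drive
"""

EXEC_EXTS = (".exe", ".com", ".bat", ".cmd", ".pif", ".scr", ".vbs", ".js")


def parse_autorun(text):
    """Return {key_lowercase: value} from the [AutoRun] section; other sections and ';' comments are ignored."""
    values = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, value = line.split("=", 1)
            values[key.strip().lower()] = value.strip()
    return values


def launch_targets(values):
    """Commands the file can run: open/shellexecute on insertion, every shell\\<verb>\\command via the menu."""
    targets = {k: values[k] for k in ("open", "shellexecute") if k in values}
    for key, value in values.items():
        if key.startswith("shell\\") and key.endswith("\\command"):
            targets[key] = value
    return targets


def executable_targets(values):
    """Subset of launch targets whose program name carries an executable extension."""
    out = {}
    for key, cmd in launch_targets(values).items():
        parts = cmd.split()
        program = parts[0].strip('"').lower() if parts else ""
        if program.endswith(EXEC_EXTS):
            out[key] = cmd
    return out


if __name__ == "__main__":
    for label, text in (("worm sample", SAMPLE_AUTORUN), ("benign sample", BENIGN_AUTORUN)):
        print(label, "->", executable_targets(parse_autorun(text)) or "nothing launched")
```

Because a shell\<verb>\command entry is run for that verb whether it is chosen from the menu or becomes the default double-click action, the check treats every such entry as a launch path rather than only the open and shellexecute keys.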
Tiny also logged that the virus stops the System Restore service and then restarts it, which may cause restore points to be lost.
That concludes the behaviour analysis of this very nasty virus; the removal method follows (members dizzy from the above can skip straight to it).
The removal method boils down to one sentence: "survive in the gaps".
IceSword.exe and SREng.exe are blocked, but simply renaming the files lets them run.
Autoruns.exe is not on the blocked list.
The other blocked programs are unblocked step by step.
Specific procedure:
End the processes:
%systemroot%\system32\gfosdg.exe
%systemroot%\system32\severe.exe
%systemroot%\system32\drivers\conime.exe
The virus was not found to disable Task Manager; other tools such as Process Explorer (procexp) can also be used.
Use Autoruns to delete the following items (Autoruns is recommended because it is not blocked and shows everything at a glance; first tick Options -> Hide Microsoft Entries):
+ 360Safe.exe C:\windows\system32\drivers\mpnxyl.exe
+ Adam.exe C:\windows\system32\drivers\mpnxyl.exe
+ avp.com C:\windows\system32\drivers\mpnxyl.exe
+ Avp.exe C:\windows\system32\drivers\mpnxyl.exe
+ IceSword.exe C:\windows\system32\drivers\mpnxyl.exe
+ Iparmo.exe C:\windows\system32\drivers\mpnxyl.exe
+ Kabaload.exe C:\windows\system32\drivers\mpnxyl.exe
+ KRegEx.exe C:\windows\system32\drivers\mpnxyl.exe
+ KvDetect.exe C:\windows\system32\drivers\mpnxyl.exe
+ Kvmonxp.kxp C:\windows\system32\drivers\mpnxyl.exe
+ Kvxp.kxp C:\windows\system32\drivers\mpnxyl.exe
+ MagicSet.exe C:\windows\system32\drivers\mpnxyl.exe
+ Mmsk.exe C:\windows\system32\drivers\mpnxyl.exe
+ msconfig.com C:\windows\system32\drivers\mpnxyl.exe
+ Msconfig.exe C:\windows\system32\drivers\mpnxyl.exe
+ PFW.exe C:\windows\system32\drivers\mpnxyl.exe
+ PFWLiveUpdate.exe C:\windows\system32\drivers\mpnxyl.exe
+ QQDoctor.exe C:\windows\system32\drivers\mpnxyl.exe
+ Ras.exe C:\windows\system32\drivers\mpnxyl.exe
+ Rav.exe C:\windows\system32\drivers\mpnxyl.exe
+ RavMon.exe C:\windows\system32\drivers\mpnxyl.exe
+ regedit.com C:\windows\system32\drivers\mpnxyl.exe
+ Regedit.exe C:\windows\system32\drivers\mpnxyl.exe
+ Runiep.exe C:\windows\system32\drivers\mpnxyl.exe
+ SREng.EXE C:\windows\system32\drivers\mpnxyl.exe
+ Trojdie.kxp C:\windows\system32\drivers\mpnxyl.exe
+ WoptiClean.exe C:\windows\system32\drivers\mpnxyl.exe
This unblocks IceSword, SREng, Registry Editor, the System Configuration Utility and the other listed programs.
Delete or fix the startup items, taking SREng as an example.
Under Startup Items -> Registry, delete:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
<mpnxyl><C:\WINDOWS\system32\gfosdg.exe> [n/A]
<gfosdg><C:\WINDOWS\system32\severe.exe> [n/A]
Double-click the following item and delete everything after explorer.exe in its value:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
<shell><explorer.exe c:\windows\system32\drivers\conime.exe> [n/A]
Delete the files:
Because opening a non-system drive, even from the right-click menu, is dangerous, use another method; IceSword or WinRAR is recommended.
Delete:
%systemroot%\system32\gfosdg.exe
%systemroot%\system32\gfosdg.dll
%systemroot%\system32\severe.exe
%systemroot%\system32\drivers\mpnxyl.exe
%systemroot%\system32\drivers\conime.exe
%systemroot%\system32\hx1.bat
%systemroot%\system32\noruns.reg
X:\OSO.exe
X:\autorun.inf
System repair and cleanup:
In the registry expand
[Hkey_local_machine\software\microsoft\windows\currentversion\explorer\advanced\folder\hidden\showall]
It is recommended to delete the existing CheckedValue value and create a new, normal one:
"CheckedValue"=dword:00000001
Under
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
whether and how to change the NoDriveTypeAutoRun value depends on each person's needs; the usual default is 91 (hexadecimal).
The meaning of this value can be found online and is not repeated here.
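As an added worked example (not part of the original article), the Python below decodes NoDriveTypeAutoRun as the bit mask it is: each bit corresponds to one drive type as returned by GetDriveType(), and a set bit disables autorun for that type. It decodes the value the worm imports (b5) and the default the author cites (91), lets you build a value from the drive types you want locked down, and writes it out in the same .reg form as the worm's noruns.reg so the fix can be imported with regedit. The bit table is the documented meaning of the value; the label "RESERVED" for 0x80 and the choice of HKEY_CURRENT_USER as the default hive are this example's own assumptions.

```python
# Bit meanings of NoDriveTypeAutoRun: one bit per GetDriveType() result; a set bit
# disables autorun for drives of that type. 0x80 is reserved and set in the default.
DRIVE_TYPE_BITS = (
    (0x01, "DRIVE_UNKNOWN"),
    (0x02, "DRIVE_NO_ROOT_DIR"),
    (0x04, "DRIVE_REMOVABLE"),
    (0x08, "DRIVE_FIXED"),
    (0x10, "DRIVE_REMOTE"),
    (0x20, "DRIVE_CDROM"),
    (0x40, "DRIVE_RAMDISK"),
    (0x80, "RESERVED"),
)
_BIT_BY_NAME = {name: bit for bit, name in DRIVE_TYPE_BITS}


def decode(value):
    """Drive types for which autorun is disabled by this value, in bit order."""
    return [name for bit, name in DRIVE_TYPE_BITS if value & bit]


def autorun_disabled_for(value, type_name):
    """True if the value disables autorun for the named drive type."""
    return bool(value & _BIT_BY_NAME[type_name])


def encode(type_names):
    """Build a value from the drive types whose autorun should be disabled."""
    value = 0
    for name in type_names:
        value |= _BIT_BY_NAME[name]
    return value


def reg_fragment(value, hive="HKEY_CURRENT_USER"):
    """A .reg snippet in the same form as the worm's noruns.reg, with the value you choose."""
    return ("Windows Registry Editor Version 5.00\n\n"
            "[%s\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer]\n"
            '"NoDriveTypeAutoRun"=dword:%08x\n' % (hive, value))


if __name__ == "__main__":
    for label, value in (("worm imports", 0xb5), ("author's default", 0x91), ("all disabled", 0xff)):
        print("%s 0x%02x: %s" % (label, value, ", ".join(decode(value))))
    print(reg_fragment(encode(["DRIVE_REMOVABLE", "DRIVE_CDROM", "DRIVE_REMOTE", "DRIVE_UNKNOWN", "RESERVED"])))
```

The same value can also live under HKEY_LOCAL_MACHINE, where it applies to every user; pass that hive to reg_fragment if that is the policy you want.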
Cleaning the hosts file:
Open %systemroot%\system32\drivers\etc\hosts with Notepad and remove the entries the virus added.
Alternatively, in SREng go to System Repair -> Hosts File, click Reset and then Save.
Finally, repair the anti-virus software's services that were disabled.
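As an added example (not from the original article), the Python below does the hosts-file check described above programmatically: it parses the file, reports every name other than localhost that is either sinkholed (mapped to 127.0.0.1, 0.0.0.0 or ::1, which is how the worm blocks vendor sites) or redirected to some other address, and produces a cleaned copy that keeps comments and the localhost lines. The sample file and its domain names are constructed placeholders, not the sites the worm actually blocked.

```python
import ipaddress

SINKHOLE_IPS = {"127.0.0.1", "0.0.0.0", "::1"}
DEFAULT_ENTRIES = {("127.0.0.1", "localhost"), ("::1", "localhost")}

# Constructed sample hosts file; the vendor and forum names are placeholders.
SAMPLE_HOSTS = """# Hosts file (constructed sample)
127.0.0.1       localhost
127.0.0.1       av-vendor-one.example
127.0.0.1       av-vendor-two.example   # added by the worm
127.0.0.1       security-forum.example
10.0.0.5        update.av-vendor-one.example
"""


def parse_hosts(text):
    """(line_no, ip, [names]) for every mapping line; comments and malformed lines are skipped."""
    entries = []
    for n, raw in enumerate(text.splitlines(), 1):
        parts = raw.split("#", 1)[0].split()
        if len(parts) < 2:
            continue
        try:
            ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # not an address in the first column
        entries.append((n, parts[0], parts[1:]))
    return entries


def suspicious_entries(text):
    """Names other than localhost that are sinkholed (loopback/0.0.0.0) or redirected elsewhere."""
    found = []
    for n, ip, names in parse_hosts(text):
        for name in names:
            if (ip, name.lower()) in DEFAULT_ENTRIES:
                continue
            kind = "blocked" if ip in SINKHOLE_IPS else "redirected"
            found.append((n, name, ip, kind))
    return found


def cleaned_hosts(text):
    """The file with every suspicious mapping line removed; comments and localhost lines stay.
    A line that mixes localhost with another name is dropped whole, so keep localhost on its own line."""
    drop = {n for n, _, _, _ in suspicious_entries(text)}
    kept = [raw for n, raw in enumerate(text.splitlines(), 1) if n not in drop]
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    for n, name, ip, kind in suspicious_entries(SAMPLE_HOSTS):
        print("line %d: %s -> %s (%s)" % (n, name, ip, kind))
    print(cleaned_hosts(SAMPLE_HOSTS))
```

On a real machine, run it against a copy of %systemroot%\system32\drivers\etc\hosts and compare the flagged names with what you intentionally put there (ad blockers and development entries also live in this file) before writing the cleaned copy back.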
Summary:
From receiving the sample to finishing the removal method took a full five hours. The reason for going into this much detail is that the virus is quite typical, especially in how it deals with security software. The unchanged right-click menu is another feature that makes it more "hidden" and harder to remove. To deal with this virus you must first know the enemy and then apply the methods and tools flexibly.