"Cover Letter" virus/worm behavior in-depth analysis

Source: Internet
Author: User


Description:
Program name: Worm.wantjob.57345 ("Cover Letter")
Program type: Virus/Worm
Exploited vulnerability: MIME vulnerability
(http://www.microsoft.com/technet/security/bulletin/ms01-020.asp)
Virus behavior: self-replication, email transmission, spreading over Internet shares, infection of executable files (including screen savers),
destruction of local files
Affected systems: all 32-bit Windows versions.

Detailed description (based on the Win2K platform):

This program has a rare dual structure: a worm part (network propagation) and a virus part (file infection and file destruction).
The code of the two parts is independent and was probably written separately; the way they are combined is interesting. The author first writes the worm,
then appends the binary code of the virus part at a specific location in the worm to obtain the final virus/worm program.

When the complete wantjob is run for the first time, it executes only the worm part of the code, as follows:

1. Copies itself to \WINNT\System32\krn132.exe and sets the system, hidden, and read-only attributes.
(In Windows 2000, files with both the system and hidden attributes set are invisible in Explorer even if you select
"Show all files and folders"; you must also deselect "Hide protected operating system files (Recommended)".)

2. Registers \WINNT\System32\krn132.exe as the service "Krn132" and sets it to start automatically at boot.

3. Reads all "htm" and "html" files in the Temporary Internet Files folder and extracts email addresses from them. Similarly,
the worm uses the MIME vulnerability to attach itself to an email, which it sends to every address obtained.
The subject is set to one of the following:
"Hi" "Hello" "How are you ?" "Can you help me ?" "We want peace"
"Where will you go ?" "Congratulations !!!" "Don't Cry" "Look at the pretty"
"Some advice on your portable coming" "Free XXX Pictures" "A free hot porn site"
"Why don't you reply to me ?" "How about have dinner with me together ?"
"Never kiss a stranger"
The message body is empty, but there is a comment in the code:

4. Searches the Network Neighborhood; when it finds a writable shared directory, it generates a random file name and copies an encrypted
copy of the virus there. File name generation rules:
The first part is a random string of letters or digits, followed by ".";
the second part is one of Htm, Doc, Jpg, Bmp, Xls, Cpp, Html, Mpg, or Mpeg;
the third part is the "exe" extension, so the result is a double-extension name of the form "abc123.Doc.exe".

5. Each time krn132.exe starts, it creates a copy of itself in the "%Temp%" and "\WINNT\Temp\" directories.
The file name starts with "k", for example "k871.exe", "k2.exe" or "ka.exe".

When the complete wantjob runs for the first time, it also sets up the virus part to execute at the next boot, as follows:
6. Re-encodes the virus part, copies it to \WINNT\System32\Wqk.dll, and sets the system, hidden, and read-only attributes.

7. Writes the following value to the registry:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs" = "Wqk.dll"
This registers Wqk.dll as a module that must be loaded when the system starts. At the next boot the virus is loaded as a dynamic link library
and is present in all system processes. Because it has no PID of its own, it can be neither seen nor terminated in Task Manager.
This is a common method hackers use to hide backdoors; Microsoft Knowledge Base articles Q134655 and Q125680 discuss it in detail.

At the next boot, Wqk.dll is loaded and wantjob runs as a virus:

1. Traverses the hard disk, finds PE files, and infects them.

2. Checks the local time. If the date is January 1 or January 13, 26 destructive threads are started immediately, overwriting
all files on the hard disk with data from memory.

3. Each time it starts, Wqk.dll creates a copy of itself in the \WINNT\System32\ directory,
named "Wqk.dll" followed by a number, such as "Wqk.dll6" and "Wqk.dll23".

Regardless of which part is running, wantjob takes some self-protection measures:

1. Checks running processes and terminates certain anti-virus software (AVP, NAV, NOD, macloud, etc.) if it is running.

2. Constantly rewrites the registry value
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs" = "Wqk.dll"
If this value is removed manually, it is written again immediately.

All of the above describes wantjob on Win2K; the situation on WinNT is similar. On Win9X there are the following
differences:
1. Because Win9X has no "services", wantjob does not register the "Krn132" service. Instead, in the registry key
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
it writes "krn132" = "C:\WINDOWS\SYSTEM\krn132.exe"
2. Wqk.dll is replaced by Wqk.exe, and in
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
it writes "Wqk.exe" = "C:\WINDOWS\SYSTEM\Wqk.exe"
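An added example, not part of the original analysis: a small Python parser for a .reg export that reports the AppInit_DLLs entry (NT/2000) and the Run-key entries (Win9X) described above. The registry export below is constructed for illustration and deliberately shows both variants side by side.

```python
WORM_NAMES = ("krn132", "wqk")   # file names the analysis attributes to wantjob


def parse_reg(text):
    """Parse a .reg export into {key_path.lower(): {value_name.lower(): data}}.
    Data is kept as the raw text after '=', with .reg backslash doubling undone."""
    entries, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
            entries.setdefault(key, {})
        elif key and "=" in line and not line.startswith(";"):
            name, _, data = line.partition("=")
            name = "(default)" if name == "@" else name.strip('"').lower()
            entries[key][name] = data.strip('"').replace("\\\\", "\\")
    return entries


def find_persistence(entries):
    """Report the AppInit_DLLs (NT/2000) and Run-key (Win9X) entries wantjob uses."""
    findings = []
    for key, values in entries.items():
        if key.endswith(r"\windows nt\currentversion\windows"):
            dlls = values.get("appinit_dlls", "")
            if dlls:  # any non-empty AppInit_DLLs deserves a look; wantjob puts Wqk.dll here
                findings.append(("AppInit_DLLs", dlls))
        elif key.endswith(r"\currentversion\run"):
            for name, data in values.items():
                if any(w in (name + data).lower() for w in WORM_NAMES):
                    findings.append(("Run:" + name, data))
    return findings


# Constructed export for illustration: an NT-style AppInit_DLLs entry and a
# Win9X-style Run entry together (a real host would show one or the other).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="Wqk.dll"
"DeviceNotSelectedTimeout"="15"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"krn132"="C:\\WINDOWS\\SYSTEM\\krn132.exe"
"Synchronization Manager"="mobsync.exe /logon"
'''

if __name__ == "__main__":
    for what, data in find_persistence(parse_reg(SAMPLE_REG)):
        print(f"{what}: {data}")
```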

Solution:

On Win9X, it is best to boot the system into DOS mode, disable the virus from DOS, and then clear the related registry values.

Because of wantjob's special nature, no current anti-virus software can remove it completely on Win2K: Wqk.dll is always loaded into
memory before any program runs, and the registry values cannot be deleted. Therefore, follow these steps:
1. Terminate all krn132.exe processes.
2. Delete \WINNT\System32\krn132.exe and all the copies in the Temp folders mentioned above.
3. Delete or disable the "Krn132" service.
4. In the registry key [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
add the following value:
@ = "Cmd /c "attrib -s -h -r \WINNT\System32\Wqk.dll" & "del \WINNT\System32\Wqk.dll""
(When the system starts, this value takes precedence over the "AppInit_DLLs" value mentioned above.) Then restart the system and run anti-virus
software to scan and clean the entire hard disk.
Or:
Boot the system from a clean floppy disk that supports NTFS, or boot from the Windows 2000 installation CD, choose the option to repair the Windows 2000
installation, and start the Recovery Console. Delete Wqk.dll, then use anti-virus software that can be started from the console to scan and clean
the entire hard disk. (Contact your anti-virus vendor for the latest virus signature database.)
5. Boot the system normally and delete the related registry values.

If possible, it is strongly recommended to format the hard disk and reinstall the system, or to restore the system from a backup.

Preventive measures:
1. Against the MIME vulnerability, in IE choose Tools > Internet Options > Security > Custom Level > File Download and select "Disable".
You can also install IE Service Pack 2 or upgrade to IE6.
2. Set permissions and passwords for shared directories properly.
3. Do not open suspicious emails, especially HTML emails.

FAQs:

1. What language is wantjob written in?

Because the program re-encodes itself, the original program has no obvious signatures, but the virus code part is intact; after separating it,
one can see that it was compiled with MS Visual C++ v6.0, and judging from the program size, a mixed C++/ASM programming approach may have been used.

2. How do I know whether I have been infected with wantjob?

Check whether the suspicious files described in the preceding sections are present.

3. Is Wqk.dll loaded in memory imperceptible?

After Wqk.dll is loaded into memory, the system becomes noticeably slower and the hard disk spins for no apparent reason.
Use listdlls.exe, a tool from sysinternals.com, to view the modules loaded on the system. Run the following command:
"listdlls -d Wqk.dll"
to check whether Wqk.dll is loaded.

4. I used some disassembly tools to analyze wantjob. Why did they fail?
Wantjob is not produced directly by the compiler and linker but is manually encoded, so some tools may fail. You can try
W32Dasm.

5. I used W32Dasm to disassemble wantjob, but why do many strings look strange?
Wantjob applies a simple single-table substitution encoding to some strings, such as F->C, L->T, K->S. For example, "rwky64"
is "base64".
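As an added example (not the worm's own code or the original author's), the following Python code builds the partial substitution table from the known pairs quoted above and applies it to other encoded strings, marking letters not covered by any known pair and refusing a set of pairs that cannot come from a single table. The extra strings it decodes are constructed, not taken from the worm.

```python
# Known (encoded, plain) pairs quoted in the analysis above; the direction is
# encoded -> plain, as in "rwky64" -> "base64".
KNOWN_PAIRS = [("rwky64", "base64"), ("F", "C"), ("L", "T"), ("K", "S")]


def learn_table(pairs):
    """Build an encoded->plain character map from known pairs (case-insensitive).
    Raises ValueError if two pairs disagree, which would mean the strings were
    not produced by one substitution table."""
    table = {}
    for enc, plain in pairs:
        if len(enc) != len(plain):
            raise ValueError(f"length mismatch: {enc!r} vs {plain!r}")
        for e, p in zip(enc.lower(), plain.lower()):
            if table.setdefault(e, p) != p:
                raise ValueError(f"conflict for {e!r}: {table[e]!r} vs {p!r}")
    return table


def decode(text, table, unknown="?"):
    """Apply the partial table, preserving case. Letters with no known mapping
    become `unknown`; other characters are passed through (an assumption made
    here for punctuation and digits not seen in any pair)."""
    out = []
    for ch in text:
        low = ch.lower()
        if low in table:
            mapped = table[low]
            out.append(mapped.upper() if ch.isupper() else mapped)
        elif ch.isalpha():
            out.append(unknown)
        else:
            out.append(ch)
    return "".join(out)


if __name__ == "__main__":
    table = learn_table(KNOWN_PAIRS)
    # Constructed encoded strings that use only letters covered by the known pairs.
    for sample in ("rwky64", "rykl", "LWKLY", "xyz"):
        print(f"{sample} -> {decode(sample, table)}")
```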

6. What makes wantjob more dangerous than Nimda and Sircam?
Obviously, wantjob does not spread faster than Nimda, but it is certainly faster than Sircam. Because it can infect and corrupt files,
its harm should not be much smaller than Nimda's, and it may cause greater economic losses than Nimda.
