Detailed analysis report on drive viruses

Source: Internet
Author: User
The drive virus is a file-infecting virus written with MFC. When it runs, it drops the driver netapi000.sys in the root directory of the C drive; this driver restores the SSDT and removes every hook installed by anti-virus software. It then drops the virus files smss.exe, netcfg.dll, netcfg.000 and lsass.exe into the com folder under system32, exits, and runs the just-dropped lsass.exe. lsass.exe copies itself and dnsq.dll and then performs the following operations:
1. Downloads a script from the following URL: http://www.*****.*****/*.htm, ...
2. Creates a window named "MCI program com application".
3. Deletes all values under the registry key Software\Microsoft\Windows\CurrentVersion\Run.
4. Searches for windows whose titles contain the following keywords and sends each one found a message telling it to exit: rsravmon, mcshield, pavsrv, ...
5. Starts a regsvr32.exe process and injects the dynamic library netcfg.dll into it.
6. Traverses the disks and writes autorun.inf and pagefile.pif to every disk so that the virus runs when the user opens the disk.
7. Runs the cacls command to grant the virus process full-control permissions so that other processes cannot access it.
8. Infects executable files: when it finds one, it stores the original file in its own last section and encrypts it with the virus's seed value.
smss.exe implements process protection. After it runs, it performs the following operations:
1. Creates a mutex named xgahrez to prevent multiple instances from running.
2. Creates a window named "msictfime SMSs" that responds to three messages:
(1) WM_QUERYENDSESSION: deletes all values under the registry key Software\Microsoft\Windows\CurrentVersion\Run.
(2) WM_TIMER: a timer searches for the "MCI program com application" window every 0.2 seconds; if it cannot be found, the virus program is run.
(3) WM_CAP_START: on receiving this message, sends an exit message to it.
3. Copies lsass.exe to the root directory of the C drive under the name 037589.log, and copies it to the Startup folder so that it starts automatically.

dnsq.dll installs a global message hook and thereby injects itself into all processes. It is mainly used to hook APIs and rewrite the registry. After the dynamic library is loaded, it performs the following operations:
(1) Checks whether the host process is lsass.exe, smss.exe or alg.exe; if so, it exits.
(2) Hooks the APIs EnumProcessModules in psapi.dll and OpenProcess and CloseHandle in kernel32.dll so that anti-virus software cannot scan and kill the virus processes.
(3) If the host process path is lsass.exe, smss.exe or alg.exe, it exits directly; in any other process it creates a thread that performs the following operations every 2 seconds:
A. Modifies the following value so that hidden protected system files are not displayed:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced, ShowSuperHidden = 0
B. Deletes the following registry keys so that the system cannot enter safe mode:
HKEY_LOCAL_MACHINE\System\ControlSet001\Control\SafeBoot\Minimal\{delimiter}
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot\Minimal\{delimiter}
HKEY_LOCAL_MACHINE\System\ControlSet001\Control\SafeBoot\Network\{4d36e967-e325-11ce-bfc1-08002be10318}
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot\Network\{detail}
C. Deletes the following registry key to disable it:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
D. Reads the following value to determine whether the system allows removable devices to autorun, and if not, changes it to allow:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, NoDriveTypeAutoRun
E. Modifies the following value to disable it:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden, Type = radio
F. Adds the following value so that the system loads the dynamic library into most processes:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows, AppInit_DLLs = %System%\dnsq.dll
G. Runs the cacls command to grant the virus process full-control permissions so that other processes cannot access it.
H. Searches for windows with the following keywords and, if found, sends them a message to exit: Sreng introduction, 360 safe, wood, AntiVir, ...

netcfg.dll is mainly used to download files. After the dynamic library is loaded, it downloads the virus program from hxxp://js.k0102.com/data.gif, then checks for the "MCI program com application" window; if the window does not exist, it runs the downloaded program.
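As an added example that is not part of the report, the following Python check flags the registry changes that steps A to F attribute to dnsq.dll, which is how a responder would confirm the infection state of a host. The snapshot format (a dict of key path to value name to data) and the two sample snapshots are assumptions constructed for offline use; on a live host the same dict would be filled from the registry with winreg.

```python
# Added example, not from the report: flags the registry changes the report attributes
# to dnsq.dll (steps A to F). Snapshot = {key path: {value name: data}} is an assumption
# so it runs offline; on a live host fill it from the registry with winreg.
HKLM, HKCU = "HKEY_LOCAL_MACHINE", "HKEY_CURRENT_USER"
APPINIT = HKLM + r"\Software\Microsoft\Windows NT\CurrentVersion\Windows"
IFEO = HKLM + r"\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
POLICIES = HKLM + r"\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
SUPERHIDDEN = HKLM + r"\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden"
ADVANCED = HKCU + r"\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
SAFEBOOT = [HKLM + r"\System\CurrentControlSet\Control\SafeBoot\%s" % s for s in ("Minimal", "Network")]
REMOVABLE_BIT = 0x04  # NoDriveTypeAutoRun bit that disables AutoRun on removable drives

def check_snapshot(snap):
    """Return a list of finding strings; an empty list means nothing matched."""
    findings = []
    appinit = str(snap.get(APPINIT, {}).get("AppInit_DLLs", ""))
    if "dnsq.dll" in appinit.lower():  # F: hook DLL loaded into most processes
        findings.append("AppInit_DLLs references dnsq.dll: " + appinit)
    if IFEO not in snap:  # C: IFEO exists on every Windows install; absence is abnormal
        findings.append("Image File Execution Options key is missing")
    for key in SAFEBOOT:  # B: emptied SafeBoot sets make safe mode unbootable
        if not snap.get(key):
            findings.append("SafeBoot key missing or empty: " + key.rsplit("\\", 1)[1])
    policy = snap.get(POLICIES, {}).get("NoDriveTypeAutoRun")  # D: removable-media AutoRun
    if policy is None or not (int(policy) & REMOVABLE_BIT):
        findings.append("NoDriveTypeAutoRun permits AutoRun on removable drives: %r" % policy)
    if str(snap.get(SUPERHIDDEN, {}).get("Type", "checkbox")).lower() == "radio":  # E
        findings.append("Folder\\SuperHidden Type is radio (show-hidden-files option disabled)")
    # A: ShowSuperHidden = 0 is also the Windows default, so report it only as supporting evidence
    if snap.get(ADVANCED, {}).get("ShowSuperHidden") == 0 and findings:
        findings.append("ShowSuperHidden forced to 0 (protected OS files hidden)")
    return findings

# Constructed sample snapshots (not real registry dumps) for a hardened and an infected host
CLEAN = {APPINIT: {"AppInit_DLLs": ""}, IFEO: {}, POLICIES: {"NoDriveTypeAutoRun": 0xFF},
         SUPERHIDDEN: {"Type": "checkbox"}, ADVANCED: {"ShowSuperHidden": 1},
         SAFEBOOT[0]: {"{4d36e967-e325-11ce-bfc1-08002be10318}": "present"},
         SAFEBOOT[1]: {"{4d36e967-e325-11ce-bfc1-08002be10318}": "present"}}
INFECTED = {APPINIT: {"AppInit_DLLs": r"C:\WINDOWS\system32\dnsq.dll"}, SAFEBOOT[0]: {},
            SAFEBOOT[1]: {}, POLICIES: {"NoDriveTypeAutoRun": 0x91},
            SUPERHIDDEN: {"Type": "radio"}, ADVANCED: {"ShowSuperHidden": 0}}

if __name__ == "__main__":
    for name, snap in (("clean", CLEAN), ("infected", INFECTED)):
        print(name, *check_snapshot(snap), sep="\n  ")
```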
 
