Drive virus analysis

Source: Internet
Author: User

Virus introduction:

This is a downloader virus. It terminates security tools and anti-virus software and prevents them from running; it continuously looks for the windows of anti-virus software and security utilities and closes them, breaks Safe Mode, deletes anti-virus and real-time monitoring services, injects itself into other processes so that any terminated component is restarted, and repeatedly writes the registry to keep Safe Mode broken. The virus drops an autorun.inf in the root of every partition so that it runs automatically.

Virus features:

1. The virus injects itself by modifying the list of DLLs the system loads by default, and installs a global hook after injection. It also uses remote process injection and checks whether security software or management tools are running. By enumerating process names it searches for the following keywords and disables any process that matches:

        rav  avp  twister  kv  watch  kissvc  scan  guard

When a window whose title contains one of the keywords is found, the virus floods the target window with messages until it stops responding (the "fake dead" state); when the target window then receives the WM_QUIT, WM_DESTROY and WM_ENDSESSION messages it exits abnormally. The GetWindowText and GetWindowThreadProcessId functions can be used to watch for a window with a given title, after which a message is sent to close the window or the process is ended with the TerminateProcess function. There is nothing new in the way the virus disables anti-virus software, but the keywords are short, so processes and windows with merely similar names are also closed.
After the virus runs, the following files are generated:
C:\windows\system32\com\lsass.exe
C:\windows\system32\com\netcfg.000
C:\windows\system32\com\netcfg.dll
C:\windows\system32\com\smss.exe
C:\windows\system32\894729.log
C:\windows\system32\dnsq.dll
C:\windows\system32\ntfsus.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\~.exe
or under C:\Documents and Settings\<user name>\Start Menu\Programs\Startup

netcfg.dll injects into Internet Explorer and connects to the network to download Trojans.
It also registers itself as a browser add-on:
[Ifobj control]
{D9901239-34A2-448D-A000-3705544ECE9D} <c:\windows\system32\com\netcfg.dll, 506>

dnsq.dll injects into several processes and monitors c:\windows\system32\com\lsass.exe; if that process is terminated it is restored immediately.
It also monitors ~.exe and rewrites it immediately if the file is deleted.

894729.log is the pagefile.pif file.
A driver is also dropped on drive C:, presumably used for privilege escalation.
pagefile.pif and autorun.inf in the root directory of every disk, c:\boot.ini and c:\windows\system32\drivers\hosts are held open in exclusive mode so that they cannot be read.

c:\boot.ini cannot be written, so xdelbox and similar tools that depend on it stop working.

2. Modifies the registry to break the "hidden files" folder option so that hidden files cannot be displayed:
sets HKU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden to 0x00000000

3. Deletes the Safe Mode settings in the registry to break Safe Mode.
The following keys are deleted:
HKLM\System\ControlSet001\Control\SafeBoot\Minimal\{4d36e967-e325-11ce-bfc1-08002be10318}
HKLM\System\ControlSet001\Control\SafeBoot\Network\{4d36e967-e325-11ce-bfc1-08002be10318}
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4d36e967-e325-11ce-bfc1-08002be10318}
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4d36e967-e325-11ce-bfc1-08002be10318}
The virus rewrites the registry repeatedly, so repairing Safe Mode with Cleaning Expert, AV Terminator remover and similar tools is futile until the virus has been completely removed.

4. Drops a driver file netapi00.sys in the root directory of drive C: to hide and protect itself.

5. Disables the Software Restriction Policy

Deletes the HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer key and its subkeys from the registry, which disables the Software Restriction Policy configured through Group Policy. The virus was evidently improved in response to the cleanup advice of some technically minded users, since several of them had recommended configuring a Software Restriction Policy to prevent the drive virus from running.

6. Continuously deletes the registry values of Safe Mode, anti-virus software and active-defence services, so that many active-defence and real-time monitoring products can no longer be re-enabled.
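The registry damage described in items 2, 3 and 5 can be checked and, where safe, put back from an elevated PowerShell session. The script below is an added example for this page, not a tool from the original article; it assumes the key paths listed above, that the stock default data of the disk-class SafeBoot key is "DiskDrive", and that the ShowSuperHidden check is made against the current user's profile (HKCU) rather than an arbitrary HKU hive.

```powershell
# Added example (not from the original article): audit, and with -Repair restore, the
# registry tampering points from items 2, 3 and 5. Run elevated on the suspect machine.
[CmdletBinding()]
param([switch]$Repair)

$diskClassGuid = '{4d36e967-e325-11ce-bfc1-08002be10318}'
$findings = New-Object System.Collections.Generic.List[string]

# Item 3: SafeBoot keys. Without the disk-class entry Safe Mode cannot start.
foreach ($set in 'ControlSet001', 'CurrentControlSet') {
    foreach ($mode in 'Minimal', 'Network') {
        $key = "HKLM:\SYSTEM\$set\Control\SafeBoot\$mode\$diskClassGuid"
        if (Test-Path -LiteralPath $key) { continue }
        $findings.Add("missing SafeBoot key: $key")
        if ($Repair) {
            # Recreate the key with the stock default value "DiskDrive".
            New-Item -Path $key -Value 'DiskDrive' -Force | Out-Null
        }
    }
}

# Item 2: ShowSuperHidden is stored per user; check the current profile.
$advanced = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$shown = (Get-ItemProperty -LiteralPath $advanced -Name ShowSuperHidden -ErrorAction SilentlyContinue).ShowSuperHidden
if ($shown -ne 1) {
    $findings.Add("ShowSuperHidden is '$shown' (protected system files stay hidden)")
    if ($Repair) {
        Set-ItemProperty -LiteralPath $advanced -Name ShowSuperHidden -Value 1 -Type DWord
    }
}

# Item 5: Software Restriction Policy key. Reported only; if it is gone, the policy
# must be reapplied through Group Policy (gpupdate /force), not recreated by hand.
$safer = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer'
if (-not (Test-Path -LiteralPath $safer)) {
    $findings.Add("Software Restriction Policy key missing: $safer")
}

if ($findings.Count -eq 0) {
    'No tampering found.'
} else {
    $findings
    if ($Repair) {
        'Repaired what can be repaired. Re-run after the virus processes are gone: item 6 says it rewrites these keys continuously.'
    }
}
```

Because the virus keeps rewriting these keys, a "clean" result from one run means little until the processes dropped in %SystemRoot%\system32\com have been stopped; run the audit again after the cleanup steps at the end of the article.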

7. The virus files autorun.inf and pagefile.pif are dropped in the root directory of every hard disk partition and removable disk to achieve automatic execution. Both files are opened in exclusive mode, so they cannot be directly deleted, accessed or copied.

8. To stop some security tools from starting automatically, the virus deletes the entire Run key and its subkeys from the registry, and deletes all Image File Execution Options ("image hijacking") entries (the intention is unclear; probably to defeat the "immunization" trick that uses image hijacking against the virus).

9. Drops the following files:

        %SystemRoot%\system32\Com\smss.exe
        %SystemRoot%\system32\Com\netcfg.000
        %SystemRoot%\system32\Com\netcfg.dll
        %SystemRoot%\system32\Com\lsass.exe

It then runs smss.exe and lsass.exe. Several smss.exe and lsass.exe processes appear in the process list alongside the system's legitimate ones, to confuse an administrator who is inspecting processes.

10. The virus is loaded through the restart-rename mechanism, using the pending rename operations string in the registry at HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\BackupRestore\KeysNotToRestore.

By modifying the registry, the virus has the file 0357589.log under c:\ (0357589 is not a fixed number) renamed at restart to ~.exe or 664406.exe under the Startup folder (664406 is not fixed either).

A restart rename is executed earlier than a traditional autostart entry (HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run). Once the restart has completed, the file is deleted or renamed again. This makes the autostart extremely well concealed, and existing security tools cannot detect it; this is why the AV Terminator special-purpose remover cannot completely clear this drive variant!
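The restart-rename mechanism leaves a record that can be inspected before the reboot: PendingFileRenameOperations is a REG_MULTI_SZ of source/destination pairs, where an empty destination means "delete" and a leading "!" on the destination means "overwrite". The function below is an added example written for this page, not code from the original article; it decodes that value, flags entries of the kind described above (a .log file renamed into a Startup folder or to an .exe), and runs on a constructed sample so the output can be seen without an infected machine. It reads the live value from CurrentControlSet rather than the ControlSet001 path quoted in the article, and the KeysNotToRestore dump is only listed for review.

```powershell
# Added example (not from the original article): decode PendingFileRenameOperations.
function ConvertFrom-PendingRename {
    param(
        [string[]]$Entries   # raw REG_MULTI_SZ; read from the registry when not supplied
    )
    if (-not $Entries) {
        $sm = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
        $Entries = (Get-ItemProperty -LiteralPath $sm -Name PendingFileRenameOperations -ErrorAction SilentlyContinue).PendingFileRenameOperations
    }
    for ($i = 0; $i -lt $Entries.Count; $i += 2) {
        # Strip the NT object-manager prefix "\??\" (and the "!" overwrite flag on destinations).
        $src    = $Entries[$i] -replace '^\\\?\?\\', ''
        $dstRaw = if ($i + 1 -lt $Entries.Count) { $Entries[$i + 1] } else { '' }
        $dst    = $dstRaw -replace '^!?\\\?\?\\', ''
        # Heuristic from the article: a .log dropper becoming an .exe or landing in Startup.
        $suspicious = ($src -match '\.log$') -and ($dst -match '\\Start Menu\\Programs\\Startup\\|\.exe$')
        [pscustomobject]@{
            Source      = $src
            Destination = $dst
            Action      = if ($dst -eq '') { 'delete' } else { 'rename' }
            Suspicious  = $suspicious
        }
    }
}

# Constructed sample (not captured from a real machine): one legitimate delete and one
# rename of the kind item 10 describes.
$sample = @(
    '\??\C:\Windows\Temp\setup.tmp', '',
    '\??\C:\0357589.log', '!\??\C:\Documents and Settings\All Users\Start Menu\Programs\Startup\~.exe'
)
ConvertFrom-PendingRename -Entries $sample | Format-Table -AutoSize

# Live check of the running system, followed by the BackupRestore key named in the article.
ConvertFrom-PendingRename | Where-Object { $_.Suspicious }
Get-ItemProperty -LiteralPath 'HKLM:\SYSTEM\CurrentControlSet\Control\BackupRestore\KeysNotToRestore' -ErrorAction SilentlyContinue
```

On the sample the second pair is reported as a rename of C:\0357589.log to ~.exe in the All Users Startup folder with Suspicious set to True; the temp-file delete is not flagged. Because the virus is said to re-add the value, a single empty result does not prove the machine is clean.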

11. The virus automatically downloads its latest version and other viruses and Trojans and runs them locally.

12. The virus infects all executable files in directories other than System32.

It also infects files inside compressed archives: if WinRAR is installed on the machine, it calls winrar.exe to extract rar.exe to a temporary folder, infects the files in the archive and packs them again.

This is very inventive, yet many people overlook it: an originally clean WinRAR archive is decompressed by the virus, infected and then repacked.

Infection routes:

1. Autorun from removable disks

2. Downloaded files that carry the virus or have been infected

3. Downloads from malicious websites

4. ARP attacks on the intranet

Manual removal:

First, delete the PendingFileRenameOperations value under HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager to disable the restart rename! (It is suspected that the virus will soon restore it, so, as before, delete this value repeatedly at intervals.)

Then cut the power or reboot abnormally (in short, do not shut down normally!).

Why pull the power cord? Because the new variant writes the virus to the startup item during shutdown and has that copy delete itself after it runs at start-up, so ordinary anti-virus software cannot find it; an abrupt shutdown prevents it from generating the virus file during shutdown.

After the restart, do not open the drive letters (use Explorer carefully; do not double-click a drive letter). Delete the autorun.inf and pagefile.pif files in each partition from the CMD command line. Then run a full scan with anti-virus software: because the virus infects other EXE programs outside System32, it is difficult to remove manually, so we recommend updating your anti-virus software to finish the clean-up.
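The command-line part of the removal steps above, as an added example written for this page rather than a script from the original article. It assumes an elevated PowerShell session (the article says CMD; PowerShell is used here so the drive enumeration and error handling are explicit) run after the abnormal reboot: it removes the restart-rename value, then looks for autorun.inf and pagefile.pif in the root of every fixed and removable drive and tries to delete them, reporting any that are still held open in exclusive mode.

```powershell
# Added example (not from the original article): remove the restart-rename value and
# sweep partition roots for the two dropper files. Run elevated, after the abnormal reboot.
$sessionManager = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
Remove-ItemProperty -LiteralPath $sessionManager -Name PendingFileRenameOperations -ErrorAction SilentlyContinue

$droppers = 'autorun.inf', 'pagefile.pif'
# Fixed and removable drives only; network drives are not where item 7 says the files land.
$roots = [System.IO.DriveInfo]::GetDrives() |
    Where-Object { $_.IsReady -and ($_.DriveType -eq 'Fixed' -or $_.DriveType -eq 'Removable') } |
    ForEach-Object { $_.RootDirectory.FullName }

foreach ($root in $roots) {
    foreach ($name in $droppers) {
        $path = Join-Path $root $name
        # -Force is required because the files carry the hidden/system attributes.
        $file = Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue
        if (-not $file) { continue }
        Write-Output ("{0}  attrs={1}  size={2}" -f $path, $file.Attributes, $file.Length)
        try {
            # Clear read-only/hidden/system first, then delete.
            $file.Attributes = 'Normal'
            Remove-Item -LiteralPath $path -Force -ErrorAction Stop
            Write-Output '  deleted'
        } catch {
            # A file opened in exclusive mode fails here: the process holding it is still alive,
            # so the reboot did not get rid of the resident component.
            Write-Output ("  NOT deleted ({0}); a virus process still holds it open" -f $_.Exception.Message)
        }
    }
}
```

A "NOT deleted" line is itself a finding: the article explains that these files are only undeletable while a virus process holds them, so a failure here means the abnormal-shutdown step did not prevent the resident component from starting and the anti-virus full scan should be run before retrying.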
