I came back to the lab today and found several strange things on my USB flash drive, as shown in Figure 1:
Because my computer has never hidden file extensions, I could see that the "folder" had a .exe suffix.
I found that strange, so I tried removing the .exe suffix after the folder name, as shown in Figure 2:
Oh, now I see: my computer does not show hidden files and folders.
I selected "show all files and folders" and could see my original folder, as shown in Figure 3:
At that point I thought I understood how the virus works.
Guess what happens when this so-called "folder" with the .exe suffix is run? You see the contents of your original folder.
Before I knew that my original folder was hidden, I assumed the .exe "folder" had moved all my original content into itself.
In fact, the .exe "folder" opens normally because it points to the hidden original folder rather than containing the content itself, and the .exe runs at the same time the "folder" is opened.
(PS: as for what tricks this EXE plays, don't ask me what they are.)
At first I thought the virus was just a "folder". Later I guessed it was probably a PE file, checked the packer with PEiD and saw Figure 4:
Sure enough, it is not a folder but a PE file: an executable whose icon is disguised as a folder.
The author of this virus put real thought into how to spread it. I admire this expert.
Still, the author is "kind": it only hides your folder and does not delete or destroy the content inside.
(Don't come looking for me; the virus got onto my USB flash drive, I was helpless, and so this rookie turned evil...)
The virus sample is as follows:
Download 1: http://www.rayfile.com/files/113a5bcc-95b1-11dd-80fd-0014221b798a/
Download 2: http://www.91files.com/?Q1HT1SA67EXW78QADUK3
The content of autorun.inf is attached as follows:
[AutoRun]
open=desk\notepad.exe
shell\1=open(&O)
shell\1\command=notepad.exe
shell\2=browse(&B)
shell\2\command=notepad.exe
shellexecute=apps\notepad.exe
By the way, the working principle of the virus is as follows:
Like the common autorun virus, it infects the USB flash drive through autorun.inf. The difference is that when you open the USB flash drive, the contents of autorun.inf are executed as well. What notepad.exe does is this: after you open any folder on the USB flash drive, it hides your folder and generates an EXE file with the same name as the hidden folder.
In other words, the generated file has the same structure as notepad.exe.
To summarize the characteristics of the virus:
This is also a USB flash drive autorun virus, but its mechanism is not the same as the original one; it is a variant autorun virus.
The PE file disguised as a folder is 1.44 MB (1,514,606 bytes) in size.
The disguised PE file is packed with yoda's Protector v1.02 (PEiD result, for reference only).
After the virus runs, a 612ECE.EXE process appears in the process list (the name may be random).
File location: C:\WINDOWS\system32\2F486D (or random).
The generated PE file has the same function and structure as the virus. After the virus runs, the autorun.inf file in the same directory is executed.
Basic ways to guard against this USB flash drive virus:
1) do not hide file extensions on the computer;
2) set the computer to display hidden files;
3) do not double-click the USB flash drive; right-click it instead (this is common sense).
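The two traces this variant leaves, a FOO.exe lying beside a (hidden) folder FOO and an autorun.inf that hands an executable to Explorer, are both easy to check for with a script before opening anything on the drive. The following is an added example, not code from the original post: it walks a drive root looking for the exe-beside-folder pair, and parses an autorun.inf to list which keys would launch a program. The drive layout in build_demo_drive() and the SAMPLE_AUTORUN text are constructed for the demo (the latter modelled on the listing above, with plain notepad.exe paths); the hidden attribute can only be read on Windows, so elsewhere the scanner reports it as unknown rather than guessing.

```python
"""Added example (not code from the original post): a scanner that looks on a
removable drive for the pattern described above, a FOO.exe sitting beside a
folder FOO, and a small parser that lists which executables an autorun.inf
would launch. The sample drive layout and the sample autorun.inf below are
constructed for the demo."""
import os
import tempfile
from pathlib import Path

FILE_ATTRIBUTE_HIDDEN = 0x2  # Win32 attribute bit reported by os.stat on Windows

# Constructed after the listing in the post; the real sample may differ.
SAMPLE_AUTORUN = """[AutoRun]
open=notepad.exe
shell\\1=open(&O)
shell\\1\\command=notepad.exe
shell\\2=browse(&B)
shell\\2\\command=notepad.exe
shellexecute=notepad.exe
"""


def is_hidden(path: Path):
    """True/False from the Windows hidden attribute; None on other systems,
    where os.stat has no st_file_attributes and we must not guess."""
    attrs = getattr(path.stat(), "st_file_attributes", None)
    if attrs is None:
        return None
    return bool(attrs & FILE_ATTRIBUTE_HIDDEN)


def find_folder_decoys(root):
    """Report every FOO.exe that has a directory FOO beside it (case-insensitive,
    as FAT/NTFS name matching is). The post's virus leaves exactly this pair:
    the original folder set hidden, plus a same-named PE with a folder icon."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dir_by_lower = {d.lower(): d for d in dirnames}
        for name in filenames:
            stem, ext = os.path.splitext(name)
            if ext.lower() != ".exe":
                continue
            twin = dir_by_lower.get(stem.lower())
            if twin is None:
                continue
            decoy = Path(dirpath) / name
            folder = Path(dirpath) / twin
            findings.append({
                "decoy": str(decoy),
                "folder": str(folder),
                "folder_hidden": is_hidden(folder),
                "decoy_bytes": decoy.stat().st_size,
            })
    return findings


def autorun_commands(text):
    """Return (key, value) pairs from the [AutoRun] section whose value is a
    program Explorer would run: open, shellexecute, and shell\\<verb>\\command.
    Other keys (icon, label, verb captions such as 'open(&O)') are skipped."""
    commands = []
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if not in_autorun or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        key = key.lower()
        launches = key in ("open", "shellexecute") or (
            key.startswith("shell\\") and key.endswith("\\command"))
        if launches:
            commands.append((key, value))
    return commands


def build_demo_drive(base):
    """Lay out a constructed 'infected' drive: Photos\\ with a real file in it,
    a Photos.exe decoy beside it, an unrelated Tools.exe, and an autorun.inf."""
    base = Path(base)
    (base / "Photos").mkdir()
    (base / "Photos" / "holiday.jpg").write_bytes(b"\xff\xd8 not a real jpeg")
    (base / "Photos.exe").write_bytes(b"MZ" + b"\0" * 62)  # fake DOS header only
    (base / "Tools.exe").write_bytes(b"MZ" + b"\0" * 62)   # no twin folder: benign
    (base / "autorun.inf").write_text(SAMPLE_AUTORUN)
    return base


def run_demo():
    """Build the demo drive, scan it, and return (decoy findings, autorun launches)."""
    with tempfile.TemporaryDirectory() as tmp:
        drive = build_demo_drive(tmp)
        findings = find_folder_decoys(drive)
        launches = autorun_commands((drive / "autorun.inf").read_text())
    return findings, launches


if __name__ == "__main__":
    found, launched = run_demo()
    for f in found:
        print(f"decoy {f['decoy']} beside folder {f['folder']} "
              f"(hidden={f['folder_hidden']}, {f['decoy_bytes']} bytes)")
    for key, value in launched:
        print(f"autorun.inf would run {value!r} via {key}")
```

To check a real drive, call find_folder_decoys() on its root (for example `find_folder_decoys("E:\\")`) and autorun_commands() on the text of its autorun.inf; a same-named exe beside a hidden folder, together with an autorun.inf that launches an exe from the drive, is the combination the post describes, and the file sizes reported can be compared against the 1,514,606 bytes noted above.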