The AUTO virus family is back with a new Trojan downloader (dedicated removal tool updated on April 15 to version 1.4)

Source: Internet
Author: User

The following is an analysis report on the latest variant of the AUTO virus, which has been extremely rampant over the past two days:

I. Behavior Overview
This EXE is a virus downloader that will:
1) Derive the service name and the EXE and DLL file names from the volume serial number of the system drive C:.
2) Drop the AUTO virus files autorun.inf and auto.exe on every drive and set the system and hidden attributes on them.
3) Drop "<random name>.exe" and the released "<random name>.dll" in the system32 directory, disguised as hidden system files.
4) Modify the registry to remove the "show hidden files" option, so the hidden virus files cannot be viewed.
5) Modify the registry to register itself as a service so that it starts with the system.
6) Search the Run key for values containing the string "360", delete them, and terminate the program with ntsd. Search window titles for "Kingsoft Duba" and disable it with simulated user input. Check whether the Kaspersky process avp.exe is running; if so, change the system time so that Kaspersky becomes invalid.
7) Download other viruses from a file list on a website.
8) Delete the registry entries left by previous versions of the virus.
9) Remotely inject "<random name>.dll" into every process on the system.

II. Execution Process
1. Derive the random 8-character service name and EXE/DLL file names from the volume serial number of drive C:. (Remember AV Terminator? It also started with a random 8-character EXE file name.)
2. Check whether the current file name is auto.exe; if so, call ShellExecuteA to open the drive in explorer.exe.
3. Anti-antivirus measures:
Search the Run key in the registry for a value containing the string "360". If one exists, delete it so that 360 no longer starts automatically, then terminate the running 360 program.
Check whether the Kaspersky process avp.exe is among the running processes. If so, change the system time to invalidate Kaspersky, which relies on the system time for activation and updates.
The virus also tries to close the Kingsoft Duba monitoring prompt window "KAVStart": it finds the window and sends it a close message through PostMessageA, then uses FindWindowExA to locate Kingsoft Duba and sends a close message through SendMessageA, and finally simulates user mouse clicks to dismiss the prompt. None of these methods, however, manage to disable Kingsoft Duba.

4. Check whether the path of the currently running file is the random-named file under system32. If not, copy itself there.

5. Inject the DLL into system processes, then release det.bat after running to delete itself.

6. Inject the virus into explorer.exe or winlogon.exe and wait in a loop, running inside those processes' address space to stay concealed.

7. Check whether any startup item contains the string "360"; if so, delete it, enable SeDebugPrivilege to escalate privileges, and terminate the program with ntsd. Check whether any window title contains Kingsoft Duba and disable it with simulated user input.

8. Modify the registry data that controls the folder display settings and remove the "show hidden files" option.

9. Search for the registry entries left by older versions of the virus and delete them to facilitate the upgrade.

10. Download the virus list from the address http://33.xi *** id ** 8.cn/soft/update.txt specified by the virus author, then download the other viruses listed there one at a time: each file is downloaded, run, deleted, and then the next one is fetched.

The downloaded files include Trojans and the network voice communication software of a well-known international brand, as well as 17 Trojans targeting different well-known online games; some of these Trojans themselves have download functions. Once they reach the computer, they cause unpredictable damage.

11. Besides compromising the local machine, the virus also drops the existing AUTO virus files auto.exe and autorun.inf onto every disk partition; autorun.inf points to auto.exe. Double-clicking an infected disk runs the virus immediately, which then searches all disks, including removable storage such as USB flash drives, and immediately infects any disk that is not yet infected, widening the scope of infection.
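As an added defensive example (not part of the original report), a small Python check for the autorun.inf pattern described in step 11: it parses the [autorun] section, reports the program-launching entries, and flags the file when it also carries the hidden and system attributes. The sample autorun.inf is constructed; on Windows the attribute value would come from os.stat(path).st_file_attributes.

```python
import re

# Windows file attribute bits (documented constant values)
FILE_ATTRIBUTE_HIDDEN = 0x2
FILE_ATTRIBUTE_SYSTEM = 0x4

# Constructed sample mimicking the report: autorun.inf on the drive root
# pointing at a dropped auto.exe (not a captured file)
SAMPLE_AUTORUN = """[AutoRun]
; constructed sample
open=auto.exe
shellexecute=auto.exe
shell\\Auto\\command=auto.exe
shell=Auto
"""

def parse_autorun(text):
    """Return the key=value entries of the [autorun] section, keys lowercased."""
    entries, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "autorun" and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries

def launch_targets(entries):
    """Entries that can start a program: open, shellexecute, shell\\<verb>\\command."""
    hits = []
    for key, value in entries.items():
        if key in ("open", "shellexecute") or key.endswith("\\command"):
            target = value.strip('"').split()[0] if value else ""
            if re.search(r"\.(exe|com|bat|cmd|scr|pif)$", target, re.I):
                hits.append((key, target))
    return hits

def is_hidden_system(attrs):
    """True when both the HIDDEN and SYSTEM attribute bits are set."""
    mask = FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM
    return attrs & mask == mask

def assess(text, attrs):
    """Flag an autorun.inf that launches an executable and is hidden+system."""
    targets = launch_targets(parse_autorun(text))
    return {"launch_targets": targets,
            "hidden_system": is_hidden_system(attrs),
            "flag": bool(targets) and is_hidden_system(attrs)}
```

A benign autorun.inf that only sets icon= or label= produces no launch targets and is not flagged.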

III. Removal Method
Because the virus DLL is injected into every process, including system processes, deleting it directly does not fully clean the system. You must delete the DLL, delete the service, reboot, and delete the remaining files at the end of the scan. Because the virus takes a long time to complete its setup, the DLL injection is not yet in place immediately after the system starts; that is also the best moment to remove the virus.

We recommend using Kingsoft Cleanup Expert: add the DLL and EXE with the random 8-character names to the file shredder's delete list and delete them permanently in one pass. After rebooting, repair the residual registry entries.

IV. Dedicated AUTO Virus Removal Tool

Download: http://bbs.duba.net/attachment.php?aid=16127097
Features of the Auto Trojan family dedicated removal tool 1.4:

1. Image hijacking
2. Handling of the msosXXX viruses that grey out Kingsoft Duba monitoring
3. Handling of the Auto Trojan package downloader
4. AppInit_DLLs handling
5. Handling of execute hooks

The Auto Trojan removal tool does not replace the Drive, Bot or AV Terminator removal tools; if its scan is blocked, use the Drive, Bot or AV Terminator tool instead.

This dedicated tool can also clear the BOT/AV Terminator/8749 viruses, repair "image hijacking", repair autorun.inf and repair Safe Mode. After scanning with the removal tool, use Kingsoft Duba to complete the virus removal.
http://www.duba.net/zhuansha/259.shtml
