Virus and Trojan Removal in Practice No. 014: Manually Removing a USB-Stick Virus

Source: Internet
Author: User

This series of tutorials is copyrighted by ichunqiu (i春秋); please credit the source when reproducing it.

For the video tutorials, please visit ichunqiu (www.ichunqiu.com).

Virus found on the USB stick

Some time ago I needed to copy some data into a virtual machine. As usual, I plugged in my USB flash drive and, in the virtual machine settings, chose to connect the USB drive. Oddly, this time the connection took longer than usual, and an AutoPlay window appeared:

Figure 1 Auto Play window

After the scan, the window for choosing how to open the USB drive appeared:

Figure 2

I had used USB flash drives in my virtual machine before and had never seen "AutoPlay" come up. I did not pay attention this time, though, and selected "Open folder to view files". But strange files were found on the USB stick:

Figure 3

The files in the red box are very strange: they use the folder icon, so they look like folders, but their names carry a little ".exe" tail. Admittedly, I did have these four folders on my USB stick, but I do not remember adding an ".exe" tail to them, and no real folder without the tail could be found. This made me very suspicious, so I looked at the properties of each of these files:

Figure 4

This shows that these four are not folders but applications, and their sizes are identical. At this point it is basically certain that my USB stick is infected.

Trying to remove the virus manually

Preliminary analysis: the virus disguises itself as the original folders on my USB stick to tempt me into clicking. So were the original folders deleted, or only hidden? Adjust the folder view settings:

Figure 5

The hidden files and folders then become visible:

Figure 6

The red box marks the virus programs, the blue box my original folders. They were only set to hidden, not deleted; the virus is rather humane. Besides revealing my original folders, the setting also exposes a file named Autorun.inf (third row, fourth column) and, in the fourth row, fourth column, a file with a folder icon called Recycle.exe, which is probably the parent of the four files below it. Open Autorun.inf and see what it contains:

[AutoRun]
open=recycle.exe
shell\1=Open(&O)
shell\1\command=recycle.exe
shell\2=Browse(&B)
shell\2\command=recycle.exe
shellexecute=recycle.exe

Clearly, every time the USB stick AutoPlays it runs Recycle.exe: the open and shellexecute keys start it on AutoPlay, and both context-menu verbs (shell\1 "Open" and shell\2 "Browse") are redirected to it, so even a right-click "Open" launches the virus. Now try deleting Autorun.inf, Recycle.exe and the four other virus files, unplug the USB flash drive, then reconnect it to the virtual machine. I thought the virus would not reappear, but the "AutoPlay" dialog came up again and, on opening the drive, the deleted virus was tenaciously back. This can only mean that the virus has also affected the operating system, so its changes to the system need to be analysed.
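As an added example (not code from the original article), the following Python script triages an Autorun.inf the way the analysis above was done by hand: it parses the [AutoRun] section, collects every key that makes Explorer start a program (open, shellexecute and shell\<verb>\command) and reports executables that are launched and verbs that have all been redirected to one payload. The two INF files embedded in it are constructed samples: one reproduces the infected drive's Autorun.inf, the other is a harmless icon/label-only file that must produce no findings.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample: the Autorun.inf recovered from the infected USB stick above.
INFECTED_AUTORUN_INF = r"""[AutoRun]
open=recycle.exe
shell\1=Open(&O)
shell\1\command=recycle.exe
shell\2=Browse(&B)
shell\2\command=recycle.exe
shellexecute=recycle.exe
"""

# Constructed sample of a harmless Autorun.inf (icon and label only, no launch keys).
BENIGN_AUTORUN_INF = r"""[autorun]
icon=setup.ico
label=Product Disc
"""

# Keys that make Explorer start a program: 'open' / 'shellexecute' on AutoPlay,
# and 'shell\<verb>\command' when the user picks a verb from the drive's context menu.
LAUNCH_KEYS = {"open", "shellexecute"}
VERB_COMMAND = re.compile(r"shell\\[^\\]+\\command")
EXEC_EXTENSIONS = {".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs", ".js"}


def parse_autorun(text):
    """Return the key/value pairs of the [AutoRun] section with lower-cased keys.

    Autorun.inf is a plain INI file; a small hand parser is used so that keys
    containing backslashes and duplicate keys cause no surprises."""
    entries, in_autorun = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries


def launch_targets(entries):
    """Map each program the INF would start to the list of keys that start it."""
    targets = {}
    for key, value in entries.items():
        if key in LAUNCH_KEYS or VERB_COMMAND.fullmatch(key):
            program = value.split()[0].strip('"') if value else ""  # drop any arguments
            if program:
                targets.setdefault(program, []).append(key)
    return targets


def triage(text):
    """Human-readable findings for one Autorun.inf; an empty list means nothing suspicious."""
    entries = parse_autorun(text)
    targets = launch_targets(entries)
    findings = []
    for program, keys in targets.items():
        if PureWindowsPath(program).suffix.lower() in EXEC_EXTENSIONS:
            findings.append(f"{program} launched via {', '.join(keys)}")
    # Verb hijack: several context-menu verbs that all point at the same program.
    verb_count = sum(1 for k in entries if VERB_COMMAND.fullmatch(k))
    verb_programs = {p for p, keys in targets.items()
                     if any(VERB_COMMAND.fullmatch(k) for k in keys)}
    if verb_count > 1 and len(verb_programs) == 1:
        findings.append(f"all {verb_count} context-menu verbs redirected to {verb_programs.pop()}")
    return findings


if __name__ == "__main__":
    for name, inf in (("infected", INFECTED_AUTORUN_INF), ("benign", BENIGN_AUTORUN_INF)):
        print(name, "->", triage(inf) or "no findings")
```

To use it on a real drive, read the file with `open(r"E:\Autorun.inf", encoding="latin-1")` (Autorun.inf is normally ASCII) and pass the text to `triage()`; any finding is reason to look for the referenced program and for hidden folders on the drive.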

For simplicity, this time "Burner" is used to help with the analysis. Let us see how the virus modifies the registry and where it hides itself:

Figure 7 Registry Monitoring

The virus created a startup entry under the Run key. However, the name of the entry in my virtual machine differs from the name reported by "Burner", so the virus apparently names itself randomly; this entry needs to be removed. Then look at the file monitoring:

Figure 8 File Monitoring

Likewise, the name of the virus file in my virtual machine differs from the one shown, but that is fine, because its location is fixed. First end the virus process in Task Manager, then delete the virus body.

In this way the virus was removed by purely manual means.

Two supplementary notes

Finally, two more points need adding. The first concerns "AutoPlay". The propagation technique of USB-stick viruses is this: the virus first makes sure the AutoPlay function is turned on, then writes the virus program and an Autorun.inf file onto the USB stick; Autorun.inf records which program is used to open the drive. If Autorun.inf points at the virus program, Windows runs that program when the drive is opened, and the infection takes place. (Note that since Microsoft's February 2011 update KB971029, Windows XP and Vista ignore Autorun.inf on removable media other than CDs and DVDs, so this technique needs an unpatched system.) The AutoPlay setting for USB sticks is the "NoDriveTypeAutoRun" value under the registry path HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer. On XP this value defaults to 0x91:

Figure 10

This 0x91 is the sum of the bit values of every drive type for which AutoRun is disabled. In binary, 0x91 is 10010001, and each bit stands for one drive type; Windows numbers the drive types as follows (the table is reproduced from Microsoft's documentation of NoDriveTypeAutoRun, as the original table is missing here):

  Bit    Drive type
  0x01   DRIVE_UNKNOWN (type cannot be determined)
  0x02   DRIVE_NO_ROOT_DIR (no root directory)
  0x04   DRIVE_REMOVABLE (USB sticks, floppy disks)
  0x08   DRIVE_FIXED (hard disks)
  0x10   DRIVE_REMOTE (network drives)
  0x20   DRIVE_CDROM
  0x40   DRIVE_RAMDISK
  0x80   Unspecified/reserved drive types

In the table, a bit value of 0 means AutoRun is allowed for that drive type and 1 means it is disabled. By default, then, Windows disables AutoRun for the 0x80, 0x10 and 0x01 drive types, and these add up to exactly 0x91. Since a USB stick is a removable drive with value 0x04, setting "NoDriveTypeAutoRun" to 0x91 | 0x04 = 0x95 disables AutoPlay for USB sticks; 0xFF disables it for every drive type, which is what Microsoft recommends. Two caveats: if the same value exists under HKEY_LOCAL_MACHINE, it takes precedence over the HKEY_CURRENT_USER value, and the change only takes effect after Explorer is restarted or the user logs on again.

The second point: I was able to find the virus files mainly because their names carried an ".exe" tail. In fact, the display of file extensions can be suppressed permanently. Find the item UncheckedValue under HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt in the registry and set it to 1; file extensions then cannot be displayed no matter how Folder Options is changed, because unticking "Hide extensions for known file types" simply writes that UncheckedValue into the user's HideFileExt setting. I believe that if the virus author had known this and applied it to the virus, I would have been fooled right away.
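The two notes above (the NoDriveTypeAutoRun bit mask and the HideFileExt\UncheckedValue trick) can be checked with one script. The following Python is an added example, not code from the article: it decodes a NoDriveTypeAutoRun value into drive types, computes the hardened value, and audits a snapshot of registry values for AutoRun still being allowed on removable drives and for a tampered UncheckedValue. It goes one step beyond the text by also checking Hidden\SHOWALL\CheckedValue, the companion trick that makes "Show hidden files and folders" ineffective. The snapshot dictionaries are constructed inputs standing in for what `reg query` or `winreg` would return; the drive-type bit values are Microsoft's documented ones, not from the page.

```python
# Bit meanings of NoDriveTypeAutoRun: a set bit disables AutoRun for the drive type
# with that number as returned by GetDriveType(). Documented Windows values.
DRIVE_TYPE_BITS = {
    0x01: "DRIVE_UNKNOWN",
    0x02: "DRIVE_NO_ROOT_DIR",
    0x04: "DRIVE_REMOVABLE",   # USB sticks, floppies
    0x08: "DRIVE_FIXED",
    0x10: "DRIVE_REMOTE",      # network drives
    0x20: "DRIVE_CDROM",
    0x40: "DRIVE_RAMDISK",
    0x80: "RESERVED",          # unspecified drive types
}
XP_DEFAULT = 0x91          # value Windows XP uses when the policy value is absent
REMOVABLE = 0x04

POLICIES = r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
HIDEFILEEXT = r"Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt"
SHOWALL = r"Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL"

# Constructed snapshot of the infected XP machine: XP default AutoRun policy, and both
# Folder Options trick values tampered with as described above. Keys are (hive, path, name).
INFECTED_SNAPSHOT = {
    ("HKCU", POLICIES, "NoDriveTypeAutoRun"): 0x91,
    ("HKLM", HIDEFILEEXT, "CheckedValue"): 1,
    ("HKLM", HIDEFILEEXT, "UncheckedValue"): 1,   # should be 0
    ("HKLM", SHOWALL, "CheckedValue"): 0,         # should be 1
}

# Constructed snapshot of a hardened machine.
CLEAN_SNAPSHOT = {
    ("HKLM", POLICIES, "NoDriveTypeAutoRun"): 0xFF,
    ("HKLM", HIDEFILEEXT, "CheckedValue"): 1,
    ("HKLM", HIDEFILEEXT, "UncheckedValue"): 0,
    ("HKLM", SHOWALL, "CheckedValue"): 1,
}


def disabled_drive_types(value):
    """Names of the drive types whose AutoRun is disabled by a NoDriveTypeAutoRun value."""
    return [name for bit, name in DRIVE_TYPE_BITS.items() if value & bit]


def hardened_value(value):
    """The same policy with AutoRun for removable drives switched off (OR, not addition)."""
    return value | REMOVABLE


def effective_no_drive_type_autorun(snapshot):
    """HKLM overrides HKCU when both are present; absent means the XP default."""
    for hive in ("HKLM", "HKCU"):
        value = snapshot.get((hive, POLICIES, "NoDriveTypeAutoRun"))
        if value is not None:
            return value
    return XP_DEFAULT


def audit(snapshot):
    """Findings for one registry snapshot; an empty list means the three settings are sound."""
    findings = []
    value = effective_no_drive_type_autorun(snapshot)
    if not value & REMOVABLE:
        findings.append(
            f"AutoRun still allowed on removable drives (NoDriveTypeAutoRun=0x{value:02X}); "
            f"set it to 0x{hardened_value(value):02X}, or 0xFF for every drive type")
    if snapshot.get(("HKLM", HIDEFILEEXT, "UncheckedValue"), 0) != 0:
        findings.append("HideFileExt\\UncheckedValue is not 0: unticking "
                        "'Hide extensions for known file types' has no effect")
    if snapshot.get(("HKLM", SHOWALL, "CheckedValue"), 1) != 1:
        findings.append("Hidden\\SHOWALL\\CheckedValue is not 1: choosing "
                        "'Show hidden files and folders' has no effect")
    return findings


if __name__ == "__main__":
    print("0x91 disables:", disabled_drive_types(0x91))
    for name, snap in (("infected", INFECTED_SNAPSHOT), ("clean", CLEAN_SNAPSHOT)):
        print(name, "->", audit(snap) or "no findings")
```

On a live Windows machine the snapshot can be filled from `winreg.QueryValueEx` or from `reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoDriveTypeAutoRun`; the fix for the first finding is `reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoDriveTypeAutoRun /t REG_DWORD /d 255 /f`, followed by a log-off.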

Summary

Personally, I feel that as long as we develop a sense of vigilance in everyday use, a virus will have a hard time even on a computer without any antivirus software. Of course, I still suggest installing antivirus software and updating the virus database promptly, so as not to give malicious programs any opportunity.
