Virus Trojan scan: Analysis of the hexadecimal code of a QQ-stealing Trojan horse

Source: Internet
Author: User

I. Preface. By personal habit, before reverse-analysing a virus with tools such as IDA Pro and OllyDBG, I first run some automated tools and use static or dynamic analysis (see Virus Trojan scan and removal article 008: summary of scanning and removing the pandatv virus) to gain a basic understanding of the virus's behaviour. In this way I go into the subsequent reverse analysis with a picture already in mind and can read the disassembly more smoothly. This article describes how to understand the target virus through static analysis, and what information can be obtained simply by looking at its hexadecimal code; this is another way of handling virus files.
II. Checking the additional data. To analyze the virus, start as usual with a packer (shell) check; PEiD is used again here:

Figure 1 view viruses with PEiD
It can be seen that the virus was compiled with Delphi and that it has additional data (an overlay). I once mentioned the problem of additional data in Technical Interview Summary article 003: Cheetah Mobile anti-virus engineer, part 3, but it is worth repeating here with this virus.
Some PE files have data after the formal data of each section that belongs to no section. Because a PE file is mapped into memory section by section, this data is never mapped into memory; it is called additional data, or an overlay. Its start can be taken as the end of the last section, and its end is the end of the file. The section information of the virus can be viewed with PEiD:

Figure 2 view the block information of a virus
As shown in Figure 2, the file offset of the end of the last section is DE00h + 9C00h = 17A00h. Open the target file in a hex editor (Hex Editor Neo is used here) and jump to 17A00h: there is still data after that point, and that data is the overlay, as shown in Figure 3:


Figure 3 view additional data
Simply observing the overlay like this cannot tell us what this data does; that usually has to be determined by reverse analysis. In fact, an overlay needs special attention when unpacking: when a file with an overlay is unpacked, the overlay must be appended back to the dumped file, and if the file accesses the overlay through a file pointer, that pointer must be corrected as well. What we can already be sure of is that this virus must use file-pointer functions in order to make use of its overlay.
III. Viewing the ASCII information contained in the virus. Because the virus program is not large, reading the ASCII values represented by its hexadecimal bytes directly does not take much time, and it gives a preliminary analysis of the virus. Of course, we will see a lot of garbled characters that are hard to interpret, so only complete English words whose function can be judged are analysed here. Going step by step from top to bottom, the first recognisable position is:

Figure 4
Here is the registry key of the Delphi runtime library, which confirms that the program was compiled with Delphi. Continue searching:

Figure 5
Many API functions appear here; the exact behaviour of each can be looked up in MSDN or similar references. By creating a snapshot (CreateToolhelp32Snapshot), the virus enumerates the processes, threads, modules and heaps in the current system (Heap32ListFirst and Heap32ListNext). The purpose here may be to check whether a running process belongs to anti-virus software and, if so, to stop it. Of course, no definite judgement can be made at this point; that requires reverse analysis. Next:

Figure 6
Obviously, this is a batch file named hx1.bat, whose content is (with comments added):

@echo off
set date=2004-1-22
rem set the current date to "2004-1-22"
ping ** localhost > nul
rem test the local network and discard the command's output
date %date%
del %0
rem delete the batch file itself

Next:

Figure 7

The virus calls the RegisterServiceProcess API to register (or unregister) a process as a service; a service process keeps running after the user logs off. However, this function only exists in Windows 9x and has no effect on later operating systems. Continue the analysis:

Figure 8

Here the program uses autorun to start automatically, and uses exe and pif files to lure users into clicking and so getting infected. A pif file is a shortcut format; files of this type never display their .pif extension, even when "Hide extensions for known file types" is turned off. When such a file is double-clicked, the system executes the file that the shortcut points to, and pif viruses use this property to trick users into running the real virus file. Continue the analysis:

Figure 9

Chinese characters appear here. From experience, the virus may use the corresponding API functions to check whether the title bar of any running program contains these characters, in order to determine whether anti-virus software is present and, if it is, to disable it. Of course, a more precise answer can only be obtained through reverse analysis. Next, the program stops the anti-virus software's service, that is, it sets the service's start type to disabled. Then we can see the names of many security products:


Figure 10

The virus tries to prevent these security products from running. As seen in the previous article, the virus at least uses image hijacking to block anti-virus software; it may also use other methods, which again requires reverse analysis to answer precisely. Next:

Figure 11

Many security websites appear here, so there is reason to believe that the virus also blocks these sites. The most common way to do this is to modify the Hosts file. Hosts is a system file without an extension that can be opened with Notepad or similar tools. It associates common domain names with their IP addresses in a kind of "database": when a user enters a URL in the browser, the system first looks for the corresponding IP address in the Hosts file. If one is found, the system opens that address immediately; if not, it submits the domain name to a DNS server for resolution. On Windows NT/2000/XP/Vista/7/8 (the Microsoft NT family) its default location is %SystemRoot%\system32\drivers\etc\, although this can be changed; it is also the first path parsed in Figure 11. If we write the following into Hosts (the domains are placeholders):

127.0.0.1    <domain of website A>    # website A to be blocked
0.0.0.0      <domain of website B>    # website B to be blocked

then when the computer resolves domain names A and B, it gets the local machine's address or an invalid address, which blocks websites A and B. This virus most likely uses the first method. Below:
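As an added example (not code from the original article), here is a Python check written from the defender's side: it parses a Hosts file in the format just described and reports every non-local name mapped to 127.0.0.1, 0.0.0.0 or ::1. The sample Hosts content and vendor domains are constructed placeholders, and the default-path helper assumes the %SystemRoot% location mentioned above.

```python
import ipaddress
import os

# Names a clean Hosts file legitimately maps to loopback (assumed baseline; extend for your environment).
BENIGN_NAMES = {"localhost", "localhost.localdomain", "ip6-localhost", "ip6-loopback", "broadcasthost"}
# The two addresses the article shows being used for blocking, plus the IPv6 loopback.
SINKHOLE_ADDRS = {"127.0.0.1", "0.0.0.0", "::1"}

def default_hosts_path():
    """Path named in the article for the Windows NT family; /etc/hosts on other systems."""
    root = os.environ.get("SystemRoot")
    return os.path.join(root, "system32", "drivers", "etc", "hosts") if root else "/etc/hosts"

def parse_hosts(text):
    """Yield (ip, hostname, line_no) for each mapping; blank lines and '#' comments are skipped."""
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()        # a '#' starts a comment even mid-line
        fields = line.split()
        if not fields:
            continue
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue                               # first field is not an address: not a mapping
        for name in fields[1:]:                    # one address may be followed by several names
            yield ip, name.lower().rstrip("."), n

def suspicious_entries(text, benign=BENIGN_NAMES):
    """Mappings that send a non-local hostname to loopback or a black-hole address."""
    return [(ip, name, n) for ip, name, n in parse_hosts(text)
            if ip in SINKHOLE_ADDRS and name not in benign]

# Constructed Hosts content in the style the article describes; the vendor domains are placeholders.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1  av-vendor-a.example  update.av-vendor-a.example   # website A to be blocked
0.0.0.0    av-vendor-b.example                               # website B to be blocked
10.0.0.5   intranet.example   # a legitimate internal override, not a block
"""

if __name__ == "__main__":
    for ip, name, n in suspicious_entries(SAMPLE_HOSTS):
        print(f"line {n}: {name} -> {ip}")
```

To check a live machine, read default_hosts_path() and pass its contents to suspicious_entries().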

Figure 12

The file noruns.reg is created and imported into the registry; its function is to modify the autorun attribute of the drives to enable the "automatic run" feature. Continue the analysis:

Figure 13

Obviously, the virus adds itself to the registry startup items, hides icons, and sets up image hijacking. These are not described here because they are simple. Next:

Figure 14

The program copies itself to every drive letter other than C:, and then:

Figure 15

These appear to be all the API functions used by the virus. Because there are many of them, they are not analysed here; personally I do not think this is very important, because the previous analysis already gives us a good understanding of the virus. An experienced anti-virus engineer could gain a deeper understanding from them, but they are omitted here to save space. Next:

Figure 16

The virus program hides another PE file. Looking at the position in the red box in Figure 16, the value 0xA18E (note that the figure shows it in little-endian byte order) is 1010000110001110 in binary; its 13th bit (counting from 0) is 1, indicating that the file is a DLL. So the virus program seems to generate a dynamic link library. The following analysis is of this DLL:
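As an added example, not code from the original article, the following Python script automates the header checks made above: it computes the overlay start as the end of the last section (the DE00h + 9C00h step of Figure 2), extracts the printable ASCII runs from the overlay as in section III, and tests bit 13 of the Characteristics field of any PE header found inside the overlay, as done for Figure 16. The PE file it analyses is constructed inline by a small builder, so it runs without the real sample.

```python
import re
import struct
IMAGE_FILE_DLL = 0x2000  # bit 13 of the COFF Characteristics field (set in 0xA18E)

def parse_pe(data, base=0):
    """Return (Characteristics, file offset where the last section ends) for the PE at data[base:]."""
    pe = base + struct.unpack_from("<I", data, base + 0x3C)[0]          # e_lfanew
    if data[base:base + 2] != b"MZ" or data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsec, opt_size, chars = (struct.unpack_from("<H", data, pe + o)[0] for o in (6, 20, 22))
    table = pe + 24 + opt_size                                           # section table follows the optional header
    ends = (sum(struct.unpack_from("<II", data, table + i * 40 + 16)) for i in range(nsec))
    return chars, max(ends, default=0)                                   # PointerToRawData + SizeOfRawData, as in Figure 2

def ascii_strings(blob, min_len=6):  # printable-ASCII runs: what the article reads off the hex dump by eye
    return [m.decode() for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, blob)]

def find_embedded_pe(blob):
    """(offset, Characteristics) for every MZ header in blob whose e_lfanew leads to a PE signature."""
    hits = []
    for m in re.finditer(rb"MZ", blob):
        try:
            hits.append((m.start(), parse_pe(blob, m.start())[0]))
        except (ValueError, struct.error):
            pass                                                         # a stray "MZ" byte pair, not a header
    return hits

def analyze(data):
    chars, overlay_off = parse_pe(data)
    overlay = data[overlay_off:]                                         # everything past the last section
    return {"is_dll": bool(chars & IMAGE_FILE_DLL), "overlay_offset": overlay_off,
            "overlay_size": len(overlay), "overlay_strings": ascii_strings(overlay),
            "embedded": [(overlay_off + o, bool(c & IMAGE_FILE_DLL))
                         for o, c in find_embedded_pe(overlay)]}

def build_pe(characteristics, sections, overlay=b""):
    """Constructed minimal PE (DOS stub, COFF header, section table, raw data); not a real sample."""
    ptr, table, body = 0x40 + 24 + 40 * len(sections), b"", b""
    for name, raw in sections:
        table += struct.pack("<8sIIII16x", name, len(raw), 0, len(raw), ptr)
        body, ptr = body + raw, ptr + len(raw)
    return (b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40) + b"PE\0\0"
            + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, characteristics)
            + table + body + overlay)

# Constructed stand-in for the dropper: an EXE whose overlay carries two script names and a DLL.
INNER_DLL = build_pe(0xA18E, [(b".text", b"\x90" * 16)])
SAMPLE = build_pe(0x010F, [(b".text", b"A" * 32), (b".data", b"B" * 16)],
                  overlay=b"\0\0hx1.bat\0noruns.reg\0" + INNER_DLL)
```

Running analyze() on the bytes of a real file reports the overlay offset to jump to in the hex editor, the strings to read, and whether any embedded PE carries the DLL flag.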

Figure 17

The action here is POST, so the form data is placed in the HTTP body and sent to the server; without a type=file control, the default encoding application/x-www-form-urlencoded is used. In other words, some text (the user's information) is transmitted to a server where the virus writer can collect it. Next:


Figure 18

Obviously, this virus is related to QQ, because many QQ program names appear here, so it can be suspected of being a QQ Trojan. Continue the analysis:

Figure 19

Here it seems to send an email, and then:

Figure 20

It queries IP addresses. Continue the analysis:

Figure 21

It can be concluded that the program defrauds the user of their QQ number and password and sends them to the attacker. Nothing else stands out for analysis, so the hexadecimal analysis of the Trojan ends here.

IV. Summary

It can be seen that a lot of information can be obtained just by analysing the ASCII strings contained in a virus sample. The main things are to be patient and diligent, to communicate with others, and to accumulate experience. I hope that you will no longer be afraid of computer viruses, and that you will find the detection and removal methods that suit you.
