Virus and Trojan removal: Behavior analysis of the Panda Burning Incense virus (panda.exe)
I. Preface
To analyze the behavior of the Panda Burning Incense virus, we use Process Monitor v3.10.
The aim of behavior analysis is to support writing a dedicated removal program. Of course, because of various restrictions of the real environment, we may not be able to discover all behaviors of the virus; I will explain this in the article.
II. Monitoring and analysis of the process tree of "panda.exe"
Here I copy the virus and Process Monitor v3.10 into the previously configured virtual machine and back them up. Then I start Process Monitor, add "panda.exe" under "Process Name" in the filter conditions, and run the virus. First, look at the process tree:
Figure 1: process tree
In the process tree we can see that panda.exe creates "spoclsv.exe" and launches cmd.exe twice. The first command is "cmd.exe /c net share C$ /del /y", which removes the network share of drive C from the command line; after the command completes, cmd.exe is closed. Because my system only has drive C, I believe this virus removes the network shares of all drives in the system. The second command is "cmd.exe /c net share admin$ /del /y", which removes the share of the system root directory. From this we can summarize two virus behaviors:
Virus behavior 1: The virus creates a process named "spoclsv.exe"; the path of the process file is "C:\WINDOWS\system32\drivers\spoclsv.exe".
Virus behavior 2: The virus uses the "net share" command from the command line to remove the shares in the system.
III. Monitoring and analysis of the registry operations of "panda.exe"
In the registry monitoring we found only one thing worth noting:
Figure 2: "panda.exe" writes data to the registry
This registry write has no substantial impact.
IV. Monitoring and analysis of the file operations of "panda.exe"
In the file monitoring there is also only one item worth noting:
Figure 3: creating a file
That is, the virus creates its file under "C:\WINDOWS\system32\drivers" (the spoclsv.exe described above). The next task is to monitor that process.
V. Monitoring and analysis of the registry operations of "spoclsv.exe"
Here the process named "spoclsv.exe" is added to the filter for analysis. In general a virus produces a great many operations, so for convenience of discussion I will show only a few operations at a time and exclude the others in the filter. First, look at the "RegDeleteValue" operations:
Figure 4: monitoring "RegDeleteValue" operations in the registry
It can be seen that the virus program deletes the auto-start entries of almost all security tools of that time, which gives:
Virus behavior 3: Delete the startup entries of security software from the registry.
Then only "RegCreateKey" and "RegSetValue" are retained for analysis:
Figure 5: creating an auto-start entry
It can be seen that the virus program creates an auto-start entry for itself so that it is executed every time the computer starts, which gives:
Virus behavior 4: Create the value "svcshare" under "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" in the registry, pointing to the virus program "C:\WINDOWS\system32\drivers\spoclsv.exe".
Next we see:
Figure 6: hiding files
This registry location controls the display of hidden files. After it is set, even if you select "Show all files and folders" in "Folder Options", hidden files are still not displayed:
Virus behavior 5: Modify the registry so that hidden files cannot be displayed through the normal setting. The location is HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL; the virus sets CheckedValue to 0.
With that, the registry analysis is basically complete.
VI. Monitoring and analysis of the file operations of "spoclsv.exe"
File monitoring mainly looks at whether the virus copies itself to other directories, and at which files it creates and deletes. The monitoring result is as follows:
Figure 7: monitoring file operations
As shown in the figure, the virus creates spoclsv.exe in "C:\WINDOWS\system32\drivers", creates "setup.exe" and "autorun.inf", and creates "Desktop_.ini" files. Since the SHOWALL item in the registry is set after these files are created, the hidden files cannot be displayed; we therefore have reason to believe that the attributes of these files are "hidden", which gives:
Virus behavior 6: Copy itself to the root directory of the drive under the name "setup.exe", and at the same time create "autorun.inf" to start the virus. The attributes of both files are "hidden".
Virus behavior 7: Create a hidden file named "Desktop_.ini" in some directories.
VII. Monitoring and analysis of the network operations of "spoclsv.exe"
Here network monitoring is used only to check whether the virus connects to the Internet:
Figure 8: monitoring network operations
From the monitoring results we can see that the virus sends data to and receives data from "124.16.31.148", and constantly tries to connect to "10.0.2.X", that is, to other computers in the LAN, which gives:
Virus behavior 8: Send packets to other machines in the LAN.
VIII. Summary
So far we have summarized eight behaviors of the virus. During the analysis I basically covered each one in a sentence, mainly because the virus is relatively simple and has nowhere to hide under Process Monitor. However, please note that these eight points do not represent all behaviors of the virus; more detailed conclusions can be obtained through reverse analysis. Based on the above results we can write a dedicated removal tool, which will be detailed in the next article.
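As an added example (not code from the original post), the eight behaviors above can be turned into detection rules that scan a Process Monitor CSV export and flag the matching events. The sample export below is constructed, and any value or file names other than the ones the post gives (spoclsv.exe, svcshare, SHOWALL, setup.exe, autorun.inf, Desktop_.ini) are placeholders.

```python
import csv
import io
import re

# Constructed Process Monitor CSV export (not from the original post); the column
# layout follows Procmon's "Save as CSV" output. "PlaceholderAV"/"BenignApp" are made up.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1","panda.exe","1234","Process Create","C:\WINDOWS\system32\drivers\spoclsv.exe","SUCCESS","PID: 1300, Command line: C:\WINDOWS\system32\drivers\spoclsv.exe"
"10:01:02.2","panda.exe","1234","Process Create","C:\WINDOWS\system32\cmd.exe","SUCCESS","PID: 1301, Command line: cmd.exe /c net share C$ /del /y"
"10:01:03.0","spoclsv.exe","1300","RegDeleteValue","HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PlaceholderAV","SUCCESS",""
"10:01:03.1","spoclsv.exe","1300","RegSetValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svcshare","SUCCESS","Type: REG_SZ, Length: 84, Data: C:\WINDOWS\system32\drivers\spoclsv.exe"
"10:01:03.5","spoclsv.exe","1300","RegSetValue","HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue","SUCCESS","Type: REG_DWORD, Length: 4, Data: 0"
"10:01:04.0","spoclsv.exe","1300","CreateFile","C:\autorun.inf","SUCCESS","Desired Access: Generic Write"
"10:01:04.1","spoclsv.exe","1300","CreateFile","C:\setup.exe","SUCCESS","Desired Access: Generic Write"
"10:01:05.0","explorer.exe","800","RegSetValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\BenignApp","SUCCESS","Type: REG_SZ, Length: 40, Data: C:\Program Files\BenignApp\app.exe"
'''

RUN_KEY = "\\microsoft\\windows\\currentversion\\run\\"   # matched case-insensitively in HKCU and HKLM
SHOWALL = ("hklm\\software\\microsoft\\windows\\currentversion\\explorer"
           "\\advanced\\folder\\hidden\\showall\\checkedvalue")
DROPPED = {"autorun.inf", "setup.exe", "desktop_.ini"}   # files from behaviors 6 and 7

RULES = [
    # (behavior number from the post, predicate over one Procmon CSV row)
    (1, lambda r: r["Operation"] == "Process Create"
        and r["Path"].lower().endswith("\\drivers\\spoclsv.exe")),
    (2, lambda r: r["Operation"] == "Process Create"
        and re.search(r"net\s+share\s+\S+\s+/del", r["Detail"], re.I) is not None),
    (3, lambda r: r["Operation"] == "RegDeleteValue" and RUN_KEY in r["Path"].lower()),
    (4, lambda r: r["Operation"] == "RegSetValue" and RUN_KEY in r["Path"].lower()
        and "spoclsv.exe" in r["Detail"].lower()),
    (5, lambda r: r["Operation"] == "RegSetValue" and r["Path"].lower() == SHOWALL
        and r["Detail"].rstrip().endswith("Data: 0")),
    (6, lambda r: r["Operation"] == "CreateFile" and "Generic Write" in r["Detail"]
        and r["Path"].lower().rsplit("\\", 1)[-1] in DROPPED),
]

def scan_procmon_csv(text):
    """Return (behavior_no, process, path) for every exported row that matches a rule."""
    hits = []
    for row in csv.DictReader(io.StringIO(text)):
        for number, matches in RULES:
            if matches(row):
                hits.append((number, row["Process Name"], row["Path"]))
    return hits

if __name__ == "__main__":
    for number, process, path in scan_procmon_csv(SAMPLE_CSV):
        print(f"behavior {number}: {process} -> {path}")
```

Behavior 8 (LAN scanning) is left out because it needs the TCP Connect events correlated over time rather than a single-row match.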