I. Ghost Shadow virus overview
Ghost Shadow is a Trojan downloader that restores kernel hooks from ring 3, infects the disk boot sector (MBR), and uses several methods to terminate anti-virus software. Once the infection is complete it is a stubborn virus: no suspicious files are visible, there is no startup item, and a normal reinstallation of the operating system does not remove it.
II. Ghost Shadow virus analysis
1. Startup method
Infect the MBR to gain control before the operating system --> hook the disk file-read interrupt and watch for the NTLDR file being loaded (main targets: XP and 2003 systems), then hook NTLDR --> hook the kernel function that loads drivers so that the virus driver is loaded and executed first --> other later operations (such as downloading Trojans and counting the number of infections)
Figure 1 The MBR before and after Ghost Shadow infection
Figure 2 Disk sector changes after infection
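To make the MBR change in Figure 1 concrete, the following C program is an added example (not code from the original analysis or from the virus). It checks a 512-byte sector 0 the way an incident responder would: verify the 0x55AA boot signature, compare the 446-byte boot code against a known-good copy, and check that the 64-byte partition table is unchanged, which is the pattern a bootkit of this kind leaves (boot code replaced, partition table kept so the system still boots). All sector contents here are constructed; on a live Windows system the 512 bytes would be read from \\.\PhysicalDrive0 and the baseline would be a copy saved before infection or taken from a clean installation.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MBR_SIZE        512
#define BOOT_CODE_SIZE  446   /* bytes 0..445: boot code */
#define PART_TABLE_OFF  446   /* bytes 446..509: four 16-byte partition entries */
#define PART_TABLE_SIZE 64
#define SIG_OFF         510   /* bytes 510..511: 0x55 0xAA */

/* Bit flags returned by check_mbr(). */
enum {
    MBR_OK            = 0,
    MBR_BAD_SIGNATURE = 1 << 0,  /* boot signature missing: sector is not a valid MBR */
    MBR_CODE_CHANGED  = 1 << 1,  /* boot code differs from the baseline */
    MBR_TABLE_CHANGED = 1 << 2   /* partition table differs from the baseline */
};

/* Index of the first differing byte in [0, n), or -1 if the ranges are equal. */
long first_diff(const uint8_t *a, const uint8_t *b, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (a[i] != b[i])
            return (long)i;
    return -1;
}

/* Compare a freshly read sector 0 against a known-good copy of it. */
int check_mbr(const uint8_t *baseline, const uint8_t *current)
{
    int flags = MBR_OK;
    if (current[SIG_OFF] != 0x55 || current[SIG_OFF + 1] != 0xAA)
        flags |= MBR_BAD_SIGNATURE;
    if (first_diff(baseline, current, BOOT_CODE_SIZE) >= 0)
        flags |= MBR_CODE_CHANGED;
    if (first_diff(baseline + PART_TABLE_OFF, current + PART_TABLE_OFF, PART_TABLE_SIZE) >= 0)
        flags |= MBR_TABLE_CHANGED;
    return flags;
}

/* Constructed clean MBR: NOP-filled boot code, one partition entry, signature. */
void make_clean_mbr(uint8_t *mbr)
{
    static const uint8_t entry[16] = {   /* constructed: active NTFS partition at LBA 63 */
        0x80, 0x01, 0x01, 0x00, 0x07, 0xFE, 0xFF, 0xFF,
        0x3F, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00
    };
    memset(mbr, 0, MBR_SIZE);
    memset(mbr, 0x90, BOOT_CODE_SIZE);
    memcpy(mbr + PART_TABLE_OFF, entry, sizeof entry);
    mbr[SIG_OFF] = 0x55;
    mbr[SIG_OFF + 1] = 0xAA;
}

/* Simulate a bootkit-style infection: overwrite the start of the boot code with
   a constructed jump stub, leaving the partition table and signature intact. */
void simulate_infection(uint8_t *mbr)
{
    static const uint8_t stub[] = { 0xEB, 0x10, 0x00, 0x00 };  /* constructed, not the virus's code */
    memcpy(mbr, stub, sizeof stub);
}

/* Run the check for one scenario; returns the check_mbr() flags. */
int demo_check(int infect, int clobber_signature)
{
    uint8_t baseline[MBR_SIZE], current[MBR_SIZE];
    make_clean_mbr(baseline);
    memcpy(current, baseline, MBR_SIZE);
    if (infect)
        simulate_infection(current);
    if (clobber_signature)
        current[SIG_OFF] = 0x00;
    return check_mbr(baseline, current);
}

int main(void)
{
    int flags = demo_check(1, 0);
    printf("clean:    flags=%d\n", demo_check(0, 0));
    printf("infected: flags=%d (code changed=%d, table changed=%d, bad signature=%d)\n",
           flags, !!(flags & MBR_CODE_CHANGED), !!(flags & MBR_TABLE_CHANGED),
           !!(flags & MBR_BAD_SIGNATURE));
    return 0;
}
```

The split into three checks matters in practice: a result of "code changed, table intact, signature present" is exactly what a bootkit looks like, whereas a changed partition table or a missing signature points at disk damage or a different tool. Because the virus re-infects from its hidden sectors (Figure 2), the check should be repeated after cleaning rather than run once.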
2. Files dropped
%ProgramFiles%\MSDN\atixx.sys (working driver)
%ProgramFiles%\MSDN\atixi.sys (responsible for writing the other files into the boot area)
%ProgramFiles%\MSDN\00000000 (Trojan downloader)
%ProgramFiles%\MSDN\atixx.inf (driver installation script)
%ProgramFiles%\MSDN\atixi.inf (driver installation script)
The files above are deleted after they have been used.
3. Restoring hooks from ring 3
The virus reads the original KiServiceTable, restores the SSDT from it, and restores several other specific hooks.
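The restore step can be shown with a small C simulation. This is an added example, not the virus's code and not a kernel driver: it models a 32-bit SSDT (the XP/2003 kernels the virus targets) as an array of addresses, recomputes the expected entries from the unrelocated table as it appears in ntoskrnl.exe on disk by applying the difference between the kernel's preferred ImageBase and the base it was actually loaded at, and rewrites every entry that disagrees. The table contents, the two bases, the image size and the hook address are all constructed; in a real check the on-disk table would be read from the kernel image at the KiServiceTable symbol, and reading or writing the live table needs ring-0 access.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

typedef uint32_t addr_t;   /* 32-bit kernel addresses (XP / 2003 targets) */

/* Constructed layout: the kernel's preferred ImageBase from its PE header and the
   base it was actually loaded at. The on-disk KiServiceTable holds absolute
   addresses relative to the preferred base, so each entry must be shifted by
   (loaded_base - preferred_base) before it can be compared with memory. */
#define PREFERRED_BASE 0x00400000u
#define LOADED_BASE    0x804D7000u
#define KERNEL_SIZE    0x001F0000u   /* constructed SizeOfImage */
#define NSERVICES      6

/* Constructed on-disk table values (what KiServiceTable looks like in the file). */
static const addr_t disk_table[NSERVICES] = {
    0x00405A10, 0x00412C30, 0x0041F884, 0x0042A0F0, 0x00431C2C, 0x00440B18
};

addr_t relocate(addr_t disk_value, addr_t preferred_base, addr_t loaded_base)
{
    return disk_value - preferred_base + loaded_base;
}

/* True if addr lies inside the loaded kernel image. An SSDT entry outside it
   points at some other module (usually a driver) and is hooked by definition. */
int in_kernel_image(addr_t addr, addr_t loaded_base, addr_t image_size)
{
    return addr >= loaded_base && addr < loaded_base + image_size;
}

/* Compare the live table with the relocated on-disk table and rewrite every entry
   that disagrees. Returns the number of entries restored; hooked[] (size count)
   receives 1 for each index that had been modified. */
size_t restore_ssdt(addr_t *ssdt, size_t count, const addr_t *disk,
                    addr_t preferred_base, addr_t loaded_base, int *hooked)
{
    size_t restored = 0;
    for (size_t i = 0; i < count; i++) {
        addr_t expected = relocate(disk[i], preferred_base, loaded_base);
        hooked[i] = (ssdt[i] != expected);
        if (hooked[i]) {
            ssdt[i] = expected;
            restored++;
        }
    }
    return restored;
}

/* Build a live table, hook one entry as a rootkit driver would, then restore it.
   Returns the number of entries the restore step had to rewrite. */
size_t demo_restore(void)
{
    addr_t ssdt[NSERVICES];
    int hooked[NSERVICES];
    for (size_t i = 0; i < NSERVICES; i++)
        ssdt[i] = relocate(disk_table[i], PREFERRED_BASE, LOADED_BASE);

    const addr_t hook = 0xF8A12340u;   /* constructed address inside a hypothetical driver */
    ssdt[2] = hook;
    int hook_outside = !in_kernel_image(hook, LOADED_BASE, KERNEL_SIZE);

    size_t restored = restore_ssdt(ssdt, NSERVICES, disk_table,
                                   PREFERRED_BASE, LOADED_BASE, hooked);
    printf("hook pointed outside ntoskrnl: %d\n", hook_outside);
    for (size_t i = 0; i < NSERVICES; i++)
        printf("index %zu: %s  now 0x%08X\n", i, hooked[i] ? "restored" : "intact", ssdt[i]);
    return restored;
}

int main(void)
{
    demo_restore();
    return 0;
}
```

The comparison against the relocated on-disk table is the reliable test; the in_kernel_image() range check is only a quick heuristic, because a hook that jumps to a trampoline placed inside the kernel image would pass it. Note that this is the same operation whether it is done by a security product or, as here, by malware that wants anti-virus hooks out of its way.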
4. Terminating Kaspersky (R3)
The Kaspersky process is made to exit abnormally by closing the Kaspersky event handle \BaseNamedObjects\f953EA60-8D5F-4529-8710-42F8ED3E8CDC.
5. Terminating other anti-virus software (R3)
The virus obtains the company name of each anti-virus process, computes a hash of it, and compares the result with a built-in list of anti-virus vendor hashes. If they match, the process is terminated.
6. Create a shortcut named "adult player" on the desktop that points to a pornographic site, and change the IE home page to http://www.ttjlb.com/
7. Erase the thread start address to hinder manual detection
8. Find the explorer.exe process and queue a user-mode APC into it to download the Trojan
9. Enumerate process objects and compare the company name of the file behind each process. When an anti-virus process is found, obtain the thread objects belonging to that process and terminate the threads; the anti-virus process then exits abnormally.
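Items 5 and 9 both rely on matching the company name from a process image's version resource against a list of hashes embedded in the virus, so that the targeted vendors are not visible as plain strings in the binary. The C program below is an added example, not the virus's code: the real hash algorithm and hash list are not given in the analysis, so it uses djb2 as a stand-in and constructs its hash list at runtime from two made-up vendor names. It shows the analyst-side use of the same comparison: hash a list of candidate vendor names and report which ones appear in the embedded list. On Windows the company name would come from the image's VS_VERSIONINFO block (GetFileVersionInfo and VerQueryValue with \StringFileInfo\<lang>\CompanyName); here the names are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for the virus's unknown string hash: djb2 (assumption for this example). */
uint32_t djb2(const char *s)
{
    uint32_t h = 5381;
    for (; *s; s++)
        h = h * 33 + (uint8_t)*s;
    return h;
}

/* Constructed company names as they would appear in CompanyName version-info
   fields; these are candidates to test, not a real vendor list. */
static const char *candidates[] = {
    "Example AV Labs",        /* constructed: in the hash list */
    "Sample Security Ltd.",   /* constructed: in the hash list */
    "Unrelated Software Inc." /* constructed: not targeted */
};
#define NCANDIDATES (sizeof candidates / sizeof candidates[0])

/* Constructed "embedded" hash list. In a real case these constants are extracted
   from the binary; here they are derived from the first two candidates. */
#define NHASHES 2
static uint32_t target_hashes[NHASHES];
void build_constructed_hash_list(void)
{
    target_hashes[0] = djb2("Example AV Labs");
    target_hashes[1] = djb2("Sample Security Ltd.");
}

/* The matching step a process enumerator would run per process: hash the
   company name and look it up. Returns 1 if the process would be targeted. */
int company_is_targeted(const char *company, const uint32_t *hashes, size_t nhashes)
{
    uint32_t h = djb2(company);
    for (size_t i = 0; i < nhashes; i++)
        if (hashes[i] == h)
            return 1;
    return 0;
}

/* Analyst-side use of the same logic: try every candidate name against the
   embedded hash list and collect the ones that match. Returns the match count. */
size_t identify_targets(const uint32_t *hashes, size_t nhashes,
                        const char **names, size_t nnames,
                        const char **matched, size_t max_matched)
{
    size_t n = 0;
    for (size_t i = 0; i < nnames && n < max_matched; i++)
        if (company_is_targeted(names[i], hashes, nhashes))
            matched[n++] = names[i];
    return n;
}

size_t demo_identify(void)
{
    const char *matched[NCANDIDATES];
    build_constructed_hash_list();
    size_t n = identify_targets(target_hashes, NHASHES, candidates, NCANDIDATES,
                                matched, NCANDIDATES);
    for (size_t i = 0; i < n; i++)
        printf("hash 0x%08X -> %s\n", djb2(matched[i]), matched[i]);
    return n;
}

int main(void)
{
    demo_identify();
    return 0;
}
```

Two caveats when applying this to a real sample: the hash routine has to be lifted from the binary exactly (including whether it lowercases or works on UTF-16, since version-info strings are wide), and a 32-bit hash can collide, so a match on a candidate name should be confirmed by checking the string the malware actually reads from the process image.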
10. Infect the boot sector and write the other files into the boot area
Loading is hidden and hard to detect, and the repeated infection is hard to clean.
11. Trojan download function
Downloads Trojans that target popular games such as Warcraft, DNF and Fantasy Westward Journey.
III. Possible symptoms after infection
1. The computer is very slow and operations lag noticeably; common anti-virus software cannot be opened normally; and the problem persists even after reinstalling the system repeatedly.
2. After system files are infected, the system reports that the corresponding DLL cannot be found, or system functions behave abnormally.
rpcss.dll, ddraw.dll (system DLLs that are often modified by Trojans)
3. QQ accounts are stolen and used by hackers to spread advertisements.
4. Accounts for Warcraft, DNF, Tian Long Ba Bu, Fantasy Westward Journey and other games are stolen.
5. An iexplore.exe process appears in the process list and points to an abnormal website.