Virus Analysis and Removal Solution
Virus name: Backdoor.Win32.Hupigon.aqc
Virus type: Backdoor
File MD5: 45AF12FEE7E3077156FC5B3CD0B8836F
File length: 245,825 bytes
Affected systems: Windows 98 and later
Packer: nSPack 3.1
Virus description:
This virus is a Gray Pigeon (Hupigon) variant. When run, it copies itself into the system directory under the name UMWdfa.com and deletes the original file. It registers a service that starts automatically, then launches the UMWdfa.com process, which downloads further virus files and connects to the network to wait for a connection from the virus controller. Once that connection is established, the user's machine is under remote control.
Behavior analysis:
1. After running, the virus copies itself to the system directory and deletes the original file:
%System32%\Microsoft\UMWdfa.com
2. Modifies registry values to change the default Internet Settings cache paths:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Directory
New: String: "C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5"
Old: String: "C:\Documents and Settings\commandre\Local Settings\Temporary Internet Files\Content.IE5"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1\CachePath
New: String: "C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
Old: String: "C:\Documents and Settings\commandre\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2\CachePath
New: String: "C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
Old: String: "C:\Documents and Settings\commandre\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
3. Creates a service and sets it to start automatically:
Service name: Windows UMWdfa
Display name: Windows User Modb Driver Frame
Description: Enables Windows user mode drivers.
Path of the executable file: C:\WINDOWS\system32\Microsoft\UMWdfa.com
Start mode: automatic
4. Connects to the network and downloads related virus files:
Protocol: TCP
Address: www.jjxhsf-com (210.51.12.206:80)
Port: 80
Process: UMWdfa.com
5. Launches the UMWdfa.com process, which connects to the network and waits for the virus control terminal (192.168.18.3:5680) to connect. Once the connection succeeds, the user's machine is remotely controlled.
Note:
%Windir% Windows directory
%DriveLetter% logical drive root directory
%ProgramFiles% default program installation directory
%HomeDrive% partition holding the currently booted system
%Documents and Settings% root directory of the current user's profile
%Temp% current user's TEMP variable; path:
%Documents and Settings%\<current user>\Local Settings\Temp
%System32% is a variable path;
the virus queries the operating system to determine the location of the current System32 folder;
on Windows 2000/NT the default path is C:\Winnt\System32;
on Windows 95/98/Me the default path is C:\Windows\System;
on Windows XP the default path is C:\Windows\System32.
Removal solution:
1. Use the Antiy CERT Trojan Defense Line to remove the virus completely (recommended). It can be downloaded from the Antiy CERT website: www.antiy.com.
2. Manually remove the files listed in the behavior analysis and restore the affected system settings. We recommend using ATool, available from www.antiy.com or http://www.antiy.com/download/index.htm.
(1) Use the CERT Trojan Defense Line or the "Process Management" function in ATool to terminate the virus process.
(2) Forcibly delete the virus file:
%System32%\Microsoft\UMWdfa.com
(3) Restore the registry entries modified by the virus and delete the entries it added:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Directory
New: String: "C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5"
Old: String: "C:\Documents and Settings\commandre\Local Settings\Temporary Internet Files\Content.IE5"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1\CachePath
New: String: "C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
Old: String: "C:\Documents and Settings\commandre\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2\CachePath
New: String: "C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
Old: String: "C:\Documents and Settings\commandre\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
(4) Disable the Windows UMWdfa service.
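The following PowerShell script is an added illustration of the manual procedure above (triage of the indicators from the behavior analysis, then the four removal steps); it is not part of the original advisory and not Antiy's tooling. It assumes PowerShell 5.1 or later with administrative rights, and a Windows version that provides Get-NetTCPConnection (Windows 8 / Server 2012 and later; on older systems substitute netstat -ano). The file path, service name, endpoints and registry values are the ones listed in the advisory; the "Old" registry values are copied verbatim from it and should be replaced with the profile path that was actually in use on the host being cleaned.

```powershell
#Requires -RunAsAdministrator
# Added triage/remediation script for the Backdoor.Win32.Hupigon.aqc indicators
# described in the advisory above. Not the advisory's own code.

$VirusFile   = Join-Path $env:SystemRoot 'system32\Microsoft\UMWdfa.com'
$ServiceName = 'Windows UMWdfa'
$ProcessName = 'UMWdfa'                       # Get-Process matches on the base name
$C2Endpoints = @(
    @{ Address = '210.51.12.206'; Port = 80   }  # download server from the advisory
    @{ Address = '192.168.18.3';  Port = 5680 }  # control endpoint from the advisory
)
$CacheKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths'
# "Old" values as printed in the advisory; on a real host use the correct pre-infection profile path.
$RegistryFixes = @(
    @{ SubKey = '';      Name = 'Directory'; Old = 'C:\Documents and Settings\commandre\Local Settings\Temporary Internet Files\Content.IE5' }
    @{ SubKey = 'path1'; Name = 'CachePath'; Old = 'C:\Documents and Settings\commandre\Local Settings\Temporary Internet Files\Content.IE5\Cache1' }
    @{ SubKey = 'path2'; Name = 'CachePath'; Old = 'C:\Documents and Settings\commandre\Local Settings\Temporary Internet Files\Content.IE5\Cache2' }
)

function Get-CacheKeyPath([hashtable]$Fix) {
    if ($Fix.SubKey) { Join-Path $CacheKey $Fix.SubKey } else { $CacheKey }
}

function Find-HupigonIndicators {
    # Read-only triage: collect every host and network indicator without changing anything.
    $found = [ordered]@{}
    $found.Process = Get-Process -Name $ProcessName -ErrorAction SilentlyContinue
    $found.Service = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
    $found.File    = Test-Path -LiteralPath $VirusFile
    $found.Network = Get-NetTCPConnection -ErrorAction SilentlyContinue | Where-Object {
        $conn = $_
        $C2Endpoints | Where-Object { $conn.RemoteAddress -eq $_.Address -and $conn.RemotePort -eq $_.Port }
    }
    # A registry value that differs from the expected "Old" string is reported for review.
    $found.Registry = foreach ($fix in $RegistryFixes) {
        $key     = Get-CacheKeyPath $fix
        $current = (Get-ItemProperty -Path $key -Name $fix.Name -ErrorAction SilentlyContinue).($fix.Name)
        if ($current -and $current -ne $fix.Old) {
            [pscustomobject]@{ Key = $key; Name = $fix.Name; Current = $current; Expected = $fix.Old }
        }
    }
    return $found
}

function Remove-HupigonInfection {
    param([switch]$WhatIf)
    # Step (1): terminate the virus process.
    Get-Process -Name $ProcessName -ErrorAction SilentlyContinue | Stop-Process -Force -WhatIf:$WhatIf
    # Step (4): stop and remove the service so it cannot restart the file at boot.
    if (Get-Service -Name $ServiceName -ErrorAction SilentlyContinue) {
        Stop-Service -Name $ServiceName -Force -ErrorAction SilentlyContinue -WhatIf:$WhatIf
        if (-not $WhatIf) { sc.exe delete $ServiceName | Out-Null }
    }
    # Step (2): delete the dropped file.
    if (Test-Path -LiteralPath $VirusFile) {
        Remove-Item -LiteralPath $VirusFile -Force -WhatIf:$WhatIf
    }
    # Step (3): restore the Internet Settings cache paths.
    foreach ($fix in $RegistryFixes) {
        Set-ItemProperty -Path (Get-CacheKeyPath $fix) -Name $fix.Name -Value $fix.Old -WhatIf:$WhatIf
    }
}

$indicators = Find-HupigonIndicators
$indicators | Format-List
if ($indicators.Process -or $indicators.Service -or $indicators.File -or $indicators.Registry) {
    Remove-HupigonInfection -WhatIf   # drop -WhatIf to perform the removal
}
```

The script runs in dry-run mode by default: Find-HupigonIndicators prints what it found, and Remove-HupigonInfection is invoked with -WhatIf so every destructive action is only announced. The ordering of the removal steps matters: the process is stopped before the file is deleted (an open executable cannot be removed), and the service is removed before the file so that nothing restarts the dropped copy between the two operations.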