Last week, I showed you the interfaces of the "Buffalo" downloader version 3.0 and version 3.5. I believe they will have impressed you.
The following is a detailed analysis of the Buffalo downloader Trojan:
Buffalo v3.5X Analysis Report
We recommend using the Chinese name "Buffalo". This is the latest version.
I. Execution Process
1. The virus releases the following files on the system:
%SystemRoot%\system32\nwizs.exe
%SystemRoot%\system32\hook_nwizs.dll
%UserProfile%\Local Settings\Temp\nwizs
%SystemRoot%\system32\nwizs.txt
%SystemRoot%\system32\svchost.exe
%SystemRoot%\system32\drivers\Beep.sys
2. It modifies the system registry and adds the main virus file nwizs.exe to the startup items so that it runs at startup. The virus hides its own files and its registry startup entry, so neither the files nor the registry key values can be seen with common software.
In addition, nwizs.exe contains function modules for IFEO image hijacking, damaging the secret key value of the registry, setting the IE start page, and submitting local information to the virus author. In testing, however, this sample did not use them.
3. It creates two svchost.exe instances and runs them in the system. Because a normal system also runs multiple svchost.exe instances at the same time, this confuses the user and makes it impossible for an ordinary user to determine which process to terminate.
4. It creates the AUTO virus files autorun.inf and nwizs.exe on all drives.
5. It uses the hook_nwizs.dll generated earlier to hide its own files and registry key values.
6. After the virus runs, it is difficult for users to notice that the system has been tampered with.
7. It releases a .tmp file with a random five-character name (xxxxx.tmp) in the %UserProfile%\Local Settings\Temp directory to replace %SystemRoot%\system32\drivers\Beep.sys. In this way, the SSDT table can be quietly restored without any system prompt, which renders anti-virus software with active defense ineffective.
8. It checks the system desktop process iexplore.exe, then finds and closes anti-virus software processes. In testing, the virus successfully attacked kavstart.exe. When kwatch.exe is installed, the computer blue-screens and restarts.
9. It closes windows that match fixed patterns, such as nwizs.exe, Kingsoft drug overlord, exclusive kill, and Jiangmin. It closes a window either by sending the close command directly or by simulating a user's mouse message. In testing, the virus could not close the Overlord window.
10. It downloads the virus list and unzips it to %SystemRoot%\system32\nwizs.txt. The viruses downloaded from this list are hidden in the %UserProfile%\Local Settings\Temp directory.
Virus download list: http://520sb.cn/dir/index_pic/list.txt
Microsoft.exe (BOT, exclusive killer)
Hosts.exe (the hosts file is immune to many URLs)
Arp.exe (Buffalo V2.1, but it is invalid)
Cq.exe (Crouton contains the black and wooden horse fei.exe and the legendary hacker lj.exe)
Wow.exe (Warcraft account theft Trojan)
Ddos.exe (DDoS tool; it attacks all the addresses listed in its config.txt file)
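Because hook_nwizs.dll hides these files from tools running on the infected system, the drop list above is best checked against the disk mounted offline on a clean machine. The following triage script is an added example, not part of the original report; the function names are hypothetical, and the Windows XP-style directory names WINDOWS and Documents and Settings are assumptions.

```python
import re
import tempfile
from pathlib import Path

# File names from the report's drop list, all under %SystemRoot%\system32.
SYSTEM32_IOCS = ["nwizs.exe", "hook_nwizs.dll", "nwizs.txt"]
TMP_DRIVER = re.compile(r"^.{5}\.tmp$", re.IGNORECASE)  # the "xxxxx.tmp" staging file

def child(parent, name):
    """Case-insensitive lookup of one path component (NTFS names ignore case)."""
    if parent is None or not parent.is_dir():
        return None
    return next((p for p in parent.iterdir() if p.name.lower() == name.lower()), None)

def resolve(root, *parts):
    """Walk parts below root case-insensitively; None if any component is missing."""
    node = root
    for part in parts:
        node = child(node, part)
    return node

def scan_volume(root, system_root="WINDOWS", profiles="Documents and Settings"):
    """Return findings for one offline-mounted volume (directory names are assumptions)."""
    root, hits = Path(root), []
    for name in SYSTEM32_IOCS:
        if resolve(root, system_root, "system32", name):
            hits.append(f"dropped file: system32/{name}")
    # The report says autorun.inf and nwizs.exe are planted together on every drive.
    if resolve(root, "autorun.inf") and resolve(root, "nwizs.exe"):
        hits.append("drive root: autorun.inf + nwizs.exe")
    profile_dir = resolve(root, profiles)
    for user in (sorted(profile_dir.iterdir()) if profile_dir else []):
        temp = resolve(user, "Local Settings", "Temp")
        for f in (sorted(temp.iterdir()) if temp else []):
            if f.is_file() and TMP_DRIVER.match(f.name):
                hits.append(f"review: {user.name} Temp/{f.name} (possible Beep.sys replacement)")
    return hits

def demo():
    """Build a constructed volume layout in a temp directory and scan it."""
    with tempfile.TemporaryDirectory() as d:
        vol = Path(d)
        for rel in ["WINDOWS/System32/NWIZS.EXE", "WINDOWS/System32/hook_nwizs.dll",
                    "AUTORUN.INF", "nwizs.exe",
                    "Documents and Settings/alice/Local Settings/Temp/a1b2c.tmp"]:
            (vol / rel).parent.mkdir(parents=True, exist_ok=True)
            (vol / rel).write_bytes(b"")
        return scan_volume(vol)
```

The five-character .tmp match is only a prompt for manual review, since legitimate temporary files can have the same shape; svchost.exe and Beep.sys are not matched by name because clean systems contain files with those names.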
II. Deletion Method
1. Manually uninstall the virus. With the network disconnected, open Run from the Start menu and enter nwizs.exe -clear. After about one minute, your anti-virus software will be able to start its anti-virus service. (This virus is a downloader, so the presence of other downloaded viruses cannot be ruled out. If other viruses make the anti-virus software unavailable, we recommend that you download Kingsoft drug overlord's drive killing tool for pre-processing.)
2. Enter regedit in Start > Run to open the registry editor and search for dsniu. Under HKEY_CURRENT_USER\Software\Microsoft\DsNiuInjectDown V3.5-V, view the values "PID1" = and "PID2" =.
PID1 and PID2 are the PIDs of the two pseudo svchost.exe processes. The two processes are in the single daemon status and can be ended in a certain order (that is, with PID1 = 123 and PID2 = 456, if you end 123 first and then 456 and the process runs again, immediately end 456 first and then 123). When the two pseudo svchost.exe processes have ended, HOOK_nwizs.dll is automatically unloaded. Of course, it is best to use a tool that ends them at the same time; the process manager provided by Kingsoft cleaning experts can end the two virus processes simultaneously.
At this point nwizs.exe becomes visible. Delete %SystemRoot%\system32\hook_nwizs.dll and %SystemRoot%\system32\nwizs.exe, as well as the nwizs.exe and autorun.inf files in each partition.
Use Kingsoft cleaning expert again to completely clear the residual virus add-ons.
III. Summary
This version of Buffalo is a powerful virus download tool that is well prepared against anti-virus software. It can cause a blue screen on the systems of Kingsoft drug overlord users, disarm anti-virus software that has active defense functions, and prevent users from seeking help through the network. The virus author deliberately equipped the virus to counter multiple anti-virus products and has begun selling the download tool online, providing VIP services to Trojan horse authors.
IV. Information about the http://520sb.cn site
A lookup shows that 520sb.cn is hosted on a website with the IP address 210.183.133.194. The website is a Korean enterprise website and may have been taken over by hackers.
The download list read by the virus is:
http://520sb.cn/dir/index_pic/list.txt
http://count.5111yes.cn/dir/index_pic/mm/microsoft.exe
http://count.5111yes.cn/dir/index_pic/mm/cq.exe
http://count.5111yes.cn/dir/index_pic/mm/wow.exe
http://2.520sb.cn/ddos.exe
The IP address of count.20.1yes.cn is 60.190.253.163. The server is located in the Hangzhou Telecom data center in Zhejiang Province and belongs to Hangzhou liansheng Electronics Co., Ltd. Apparently, this server has been hacked.