PE_DOWNEXEC.O is a new infectious sample found last week. The virus infects EXE files by appending a new section named hhqg, then changes the file's entry point (AddressOfEntryPoint in the PE optional header) to point into that section. When the viral code has finished, it jumps back to the original entry point (OEP), so the host program still appears to run normally.
Next we will repair an infected file by hand.
Load the file in OD and set a memory access breakpoint on the .text section:
Then press F9; execution breaks at the following position:
The first instruction executed inside .text is the one the viral section jumps back to, so the original entry point (OEP) is 004012A0.
Next, let's look at what the new section actually does.
Reload the file in OD and single-step to the following position, where we find a function call:
Press F7 to step into it and keep single-stepping; we find another function:
Press F7 and step once more:
Press F7 and step once more:
Press F7 and step once more:
OK, here is the key code. The new section calls LoadLibrary and GetProcAddress to resolve WinExec and URLDownloadToCacheFileA in turn (a common trick for a section that carries no import table of its own). Let's look at what is on the stack:
So the purpose of the new section is to download an EXE from the Internet with URLDownloadToCacheFileA and then run it with WinExec. Note that cleaning the host file only removes the downloader; whatever it already fetched and executed has to be dealt with separately.
Now we repair the file by hand:
Open the infected file in LordPE, select the new section hhqg in the section table, and delete it:
Then restore the original entry point. LordPE's EntryPoint field is an RVA, so enter 004012A0 minus the image base (000012A0 for the usual 00400000 base):
Click Save, then OK.
That is not enough yet: an EXE in this state will not run, so we must rebuild the PE:
All right, this simple manual repair is complete. Run the file: it works. Because the downloader code in the removed section no longer executes, startup is also noticeably faster:
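The same repair scripted, as an added example that is not part of the original post or the author's tooling. It replays the three LordPE steps above (delete the hhqg section, restore the entry point, rebuild) on a PE32 file using only Python's standard library, and refuses to cut anything unless the last section is named hhqg and the current entry point lies inside it. The OEP is passed in as an RVA (000012A0 for the page's 004012A0 at the usual 00400000 image base); the two-section image produced by build_sample_pe is constructed for the demo and is not a real PE_DOWNEXEC.O sample, and all function and field names are my own.

```python
"""Strip a virus-appended PE section and restore the original entry point (OEP).
Added example, not the post author's tooling: the LordPE steps (delete section,
fix entry point, rebuild) done with Python's standard library, PE32 only.
Offsets follow the PE/COFF spec; the sample image below is constructed."""
import struct

SECTION_HDR_FMT = "<8sIIIIIIHHI"            # IMAGE_SECTION_HEADER (40 bytes)
SECTION_HDR_SIZE = struct.calcsize(SECTION_HDR_FMT)
ENTRY_POINT, SIZE_OF_IMAGE = 16, 56         # offsets of those fields in the optional header


def parse_pe(data):
    """Return (pe_offset, optional_header_offset, section list) for a PE32 image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]                  # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    num_sections = struct.unpack_from("<H", data, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]
    opt_off = pe_off + 24
    if struct.unpack_from("<H", data, opt_off)[0] != 0x10B:
        raise ValueError("only PE32 images are handled here")
    sections = []
    for i in range(num_sections):
        off = opt_off + opt_size + i * SECTION_HDR_SIZE
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, off)
        sections.append({"name": name.rstrip(b"\0"), "vsize": vsize, "va": va,
                         "rawsize": rawsize, "rawptr": rawptr, "hdr_off": off})
    return pe_off, opt_off, sections


def opt_field(data, offset):
    # Read a 32-bit optional-header field such as ENTRY_POINT or SIZE_OF_IMAGE.
    return struct.unpack_from("<I", data, parse_pe(data)[1] + offset)[0]


def section_for_rva(sections, rva):
    for s in sections:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["rawsize"]):
            return s
    return None


def repair_infected_pe(data, oep_rva, viral_name=b"hhqg"):
    """Delete the last section if it is the viral one and holds the current entry
    point, then point AddressOfEntryPoint back at oep_rva (the OEP found in OD)."""
    data = bytearray(data)
    pe_off, opt_off, sections = parse_pe(data)
    if len(sections) < 2:
        raise ValueError("image has no appended section to remove")
    last, prev = sections[-1], sections[-2]
    entry = opt_field(data, ENTRY_POINT)
    sec_align = struct.unpack_from("<I", data, opt_off + 32)[0]      # SectionAlignment
    # Refuse to cut anything unless the evidence matches the infection pattern.
    if last["name"] != viral_name:
        raise ValueError("last section is %r, not %r" % (last["name"], viral_name))
    if section_for_rva(sections, entry) is not last:
        raise ValueError("entry point 0x%X is not inside %r" % (entry, viral_name))
    if section_for_rva(sections[:-1], oep_rva) is None:
        raise ValueError("OEP 0x%X is not inside a surviving section" % oep_rva)
    # 1. Delete the section header and decrement NumberOfSections.
    struct.pack_into("<H", data, pe_off + 6, len(sections) - 1)
    data[last["hdr_off"]:last["hdr_off"] + SECTION_HDR_SIZE] = bytes(SECTION_HDR_SIZE)
    # 2. Restore the original entry point.
    struct.pack_into("<I", data, opt_off + ENTRY_POINT, oep_rva)
    # 3. Shrink SizeOfImage to the section-aligned end of the now-last section.
    end_rva = prev["va"] + max(prev["vsize"], prev["rawsize"])
    struct.pack_into("<I", data, opt_off + SIZE_OF_IMAGE, -(-end_rva // sec_align) * sec_align)
    # 4. Zero the stale CheckSum (the loader ignores it for ordinary EXEs).
    struct.pack_into("<I", data, opt_off + 64, 0)
    # 5. Drop the appended bytes when they are the tail of the file (the rebuild step).
    if (last["rawptr"] >= prev["rawptr"] + prev["rawsize"]
            and last["rawptr"] + last["rawsize"] >= len(data)):
        del data[last["rawptr"]:]
    return bytes(data)


def build_sample_pe(infected=True):
    """Constructed PE32 image: .text carries the OEP at RVA 0x12A0 (004012A0 with
    ImageBase 00400000); the infected variant appends hhqg and retargets the entry."""
    text = {"name": b".text", "vsize": 0x400, "va": 0x1000, "rawsize": 0x400, "rawptr": 0x200}
    hhqg = {"name": b"hhqg", "vsize": 0x200, "va": 0x2000, "rawsize": 0x200, "rawptr": 0x600}
    secs = [text, hhqg] if infected else [text]
    hdr = bytearray(b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40))     # e_lfanew = 0x40
    hdr += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(secs), 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)                                                 # PE32 optional header
    for off, fmt, val in ((0, "<H", 0x10B),                               # Magic
                          (ENTRY_POINT, "<I", hhqg["va"] if infected else 0x12A0),
                          (28, "<I", 0x400000), (32, "<I", 0x1000), (36, "<I", 0x200),
                          (SIZE_OF_IMAGE, "<I", 0x3000 if infected else 0x2000),
                          (60, "<I", 0x200), (92, "<I", 16)):            # SizeOfHeaders, dirs
        struct.pack_into(fmt, opt, off, val)
    hdr += opt
    for s in secs:
        hdr += struct.pack(SECTION_HDR_FMT, s["name"].ljust(8, b"\0"), s["vsize"], s["va"],
                           s["rawsize"], s["rawptr"], 0, 0, 0, 0, 0x60000020)
    hdr += bytes(0x200 - len(hdr))                      # pad headers to SizeOfHeaders
    body = b"\x90" * 0x400                              # stands in for the real .text code
    if infected:
        body += b"\xCC" * 0x200                         # stands in for the downloader stub
    return bytes(hdr + body)
```

To use it on a real file, read the bytes, call repair_infected_pe(data, 0x12A0), and write the result to a new path while keeping the original for comparison; then open the result in OD and confirm the entry point lands on the same instruction found with the .text breakpoint. The script only undoes the section-and-entry-point change described in this post; any other modification a sample makes has to be checked separately.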
Jason Zhou