"Cover Letter" virus/worm: in-depth behavior analysis

Source: Internet
Author: User

Description:
Program name: Worm.Wantjob.57345 ("Cover Letter")
Program type: virus/worm
Exploit: MIME vulnerability (MS01-020)
(http://www.microsoft.com/technet/security/bulletin/ms01-020.asp)
Virus behavior: self-replication, spread via e-mail, spread through network shares, infection of executable files (including screensavers),
destruction of local files
Affected systems: all 32-bit versions of Windows.

Detailed description (based on the Windows 2000 platform):

The program has an unusual dual structure: a worm part (network propagation) and a virus part (file infection and file destruction).
The two are separate pieces of code and may have been written separately. The way they are combined is interesting: the author first wrote
the worm part and then inserted the binary code of the virus part into the worm part at a specific location to produce the final virus/worm program.

When the complete Wantjob is run for the first time, it executes only the worm part of the code, as follows:

1. Copies itself to "\winnt\system32\krn132.exe" and sets the system, hidden and read-only attributes.
(Under Windows 2000, files with both the system and hidden attributes are not visible in Explorer even when
"Show all files and folders" is selected; they become visible once "Hide protected operating system files (Recommended)" is deselected.)

2. Registers "\winnt\system32\krn132.exe" as a service named "Krn132" and sets it to start automatically at boot.

3. Reads all .htm and .html files in the Internet temporary files folder and extracts e-mail addresses from them; then, like Nimda,
uses the MIME vulnerability to attach itself to a message that it sends to every address obtained.
The message subject is one of the following:
"Hi", "Hello", "How are?", "Can you help me?", "We want Peace", "Where would you go?",
"Congratulations!!!", "Don't Cry", "Look at the Pretty", "Some advice on your shortcoming",
"Free XXX Pictures", "A Free Hot porn site", "Why Don't you reply to me?",
"How about have dinner with me together?", "Never kiss a stranger"
The message body is empty, but the encoded message contains the following comment:
<!--=20
I'm sorry to do so,but it's helpless to say.
I want a good job,i must support my parents.
Now you are have seen my technical capabilities.
How much I year-salary now? NO more than $5,500.
What Do you have this fact?
Don't Call my names,i have no hostility.
Can you help me?
-->

4. Searches My Network Places for writable shared directories; for each one found, it generates a random file name, encrypts a copy of itself
and writes the copy under that name. The file name is generated as follows:
the first part is a random string of letters or digits followed by ".";
the second part is chosen from HTM, Doc, JPG, BMP, Xls, Cpp, Html, MPG, MPEG;
the third part is the real extension, .EXE (so the file carries a decoy double extension).

5. On each boot, Krn132.exe creates a copy of itself in "%Temp%" and in "\winnt\temp\";
the file name begins with "K", e.g. "K871.exe", "K2.exe" or "Ka.exe".

When the complete Wantjob is run for the first time, it also arranges for the virus part to execute at the next boot, as follows:
6. Alters part of its encoding and copies itself to "\winnt\system32\wqk.dll", setting the system, hidden and read-only attributes.

7. Writes the following value to the registry:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"Appinit_dlls" = "Wqk.dll"
This registers Wqk.dll as a module that must be loaded when the system starts. From the next boot on, the virus is loaded as a dynamic-link library
and is present in every process on the system. Because it has no PID of its own, it cannot be seen in Task Manager or terminated from there.
This is a method commonly used by hackers to hide backdoors; Microsoft Knowledge Base articles Q134655 and Q125680 describe the mechanism in detail.

At the next boot, Wqk.dll is loaded and Wantjob runs as a virus:

1. Traverses the hard drive looking for PE files and infects them.

2. Checks the local time; if the date is January 13, it immediately starts 26 threads that overwrite every file on the hard disk
with data taken from memory.

3. On each boot, Wqk.dll creates a copy of itself in "\winnt\system32\";
the file name is "Wqk.dll" followed by a number, e.g. "wqk.dll6", "wqk.dll23".

Whichever way it is running, Wantjob takes some self-protection measures:

1. Checks the process list and, if it finds certain anti-virus software running (AVP, NAV, NOD, McAfee, etc.), terminates
that software's process.

2. Keeps rewriting the registry value
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"Appinit_dlls" = "Wqk.dll"
Even if the value is removed manually, it is written back within a minute.

Everything above describes Wantjob under Windows 2000; under Windows NT its behavior is similar. Under Windows 9x there are slight
differences, mainly:
1. Because Windows 9x has no "services", Wantjob does not register a "Krn132" service. Instead it writes to the registry:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"krn132" = "C:\WINDOWS\SYSTEM\krn132.exe"
2. There is no "Wqk.dll" under the System folder; Wqk.exe is used instead, and the following value is written to the registry:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Wqk.exe" = "C:\WINDOWS\SYSTEM\Wqk.exe"

Solution:

Under Windows 9x it is best to boot into DOS mode and run the anti-virus scan from DOS, then clear the relevant registry values.

Because of Wantjob's peculiarities, no anti-virus software currently available can remove it completely under Windows 2000: Wqk.dll is always
loaded into memory before any program runs, and the registry value cannot be deleted. You therefore need to follow these steps:
1. End all Krn132.exe processes.
2. Delete "\winnt\system32\krn132.exe" and all copies in the temporary folders mentioned above.
3. Delete or disable the "Krn132" service.
4. In the registry under [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
add the following value:
@="cmd /c attrib -s -h -r \winnt\system32\wqk.dll & del \winnt\system32\wqk.dll"
(When the system starts, this value takes precedence over the "Appinit_dlls" load mentioned above.) Then reboot the system and run
the anti-virus software over the entire hard drive.
Or:
Boot the system from a clean floppy disk that supports NTFS, or boot from the Windows 2000 installation CD, choose the option to repair
a Windows 2000 installation and then start the Recovery Console. Delete Wqk.dll, then scan the entire hard drive with anti-virus software
that can be started from the console. (Before doing this, contact your anti-virus vendor to obtain the latest virus definitions.)
5. Boot the system normally and delete the relevant registry values.

Whenever possible, it is strongly recommended to format the hard disk and reinstall the system, or to restore it from a backup.

Preventive measures:
1. For the MIME vulnerability: in IE, open Tools --> Internet Options --> Security --> Custom Level --> File download and select "Disable".
You can also install IE Service Pack 2 or upgrade to IE6.
2. Set permissions and passwords for shared directories properly.
3. Do not open suspicious mail, and in particular do not open it in HTML.

Questions:

1. What language was Wantjob written in?

Because the program encodes itself, the original has no obvious characteristics. The virus part of the code is complete, however, and once separated
it can be seen to have been compiled with MS Visual C++ 6.0; judging by the program's size, mixed C++/asm programming may have been used.

2. How do I know whether I am infected with Wantjob?

Mainly check whether the suspicious files described above are present.
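The file names and registry values listed in the behavior description can be checked mechanically. The following is an added example and not part of the original write-up: it matches a file inventory and a registry export against the naming rules given above (all sample entries are constructed).

```python
import re
# Artifact patterns from the behaviour described above (constructed here, not the
# author's code). Directory context matters: "K<x>.exe" is suspicious only in the
# temp folders the worm uses, "wqk.dll<n>" only in the system folder.
TEMP_DIRS = {r"%temp%", r"\winnt\temp"}
SYSTEM_DIRS = {r"\winnt\system32", r"c:\windows\system"}
PATTERNS = [  # (indicator, allowed directories or None for any, filename regex)
    ("krn132 main copy", SYSTEM_DIRS, re.compile(r"^krn132\.exe$", re.I)),
    ("krn132 temp copy", TEMP_DIRS, re.compile(r"^k[a-z0-9]+\.exe$", re.I)),
    ("wqk.dll/wqk.exe", SYSTEM_DIRS, re.compile(r"^wqk\.(dll|exe)$", re.I)),
    ("wqk.dll boot copy", SYSTEM_DIRS, re.compile(r"^wqk\.dll\d+$", re.I)),
    ("share dropper (decoy double extension)", None,
     re.compile(r"^[a-z0-9]+\.(htm|html|doc|jpg|bmp|xls|cpp|mpg|mpeg)\.exe$", re.I)),
]

def scan_files(inventory):
    """inventory: iterable of (directory, filename). Returns [(indicator, full path)]."""
    hits = []
    for directory, name in inventory:
        d = directory.lower().rstrip("\\")
        for label, dirs, rx in PATTERNS:
            if (dirs is None or d in dirs) and rx.match(name):
                hits.append((label, directory.rstrip("\\") + "\\" + name))
    return hits

def scan_registry(values):
    """values: {'<key>\\<value name>': data}, e.g. from a registry export."""
    hits = []
    for full, data in values.items():
        key, _, name = full.lower().rpartition("\\")
        data = str(data).lower()
        if (key.endswith(r"windows nt\currentversion\windows")
                and name == "appinit_dlls" and "wqk.dll" in data):
            hits.append(("Appinit_dlls loads wqk.dll", full))
        elif key.endswith(r"windows\currentversion\run") and ("krn132" in data or "wqk.exe" in data):
            hits.append(("Run value starts krn132/wqk.exe (Win9x)", full))
    return hits
# Constructed sample inventory and registry export mixing clean and suspicious entries.
SAMPLE_FILES = [
    (r"\winnt\system32", "krn132.exe"), (r"\winnt\system32", "wqk.dll23"),
    (r"\winnt\system32", "kernel32.dll"), (r"%Temp%", "K871.exe"),
    (r"\\fileserver\public", "abc12.Doc.EXE"), (r"\\fileserver\public", "report.doc"),
    (r"c:\work", "k9.exe"),  # outside the temp folders: not flagged
]
SAMPLE_REG = {
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_dlls": "Wqk.dll",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\krn132": r"C:\WINDOWS\SYSTEM\krn132.exe",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Explorer": r"C:\WINDOWS\explorer.exe",
}
if __name__ == "__main__":
    for hit in scan_files(SAMPLE_FILES) + scan_registry(SAMPLE_REG):
        print(*hit)
```

On a live system the inventory would come from a directory listing of the folders named above and the registry values from a registry export; the patterns are deliberately narrow so clean files such as kernel32.dll are not flagged.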

3. Can the Wqk.dll loaded in memory really not be detected?

When Wqk.dll is loaded into memory, the system becomes noticeably slow and the hard drive keeps spinning.
ListDLLs.exe, a tool from Sysinternals.com, can display the modules loaded by the system; a command of the form
"listdlls -d wqk.dll"
shows whether Wqk.dll is currently loaded.

4. I used some disassembly tools to analyze Wantjob; why did they fail?
Wantjob was not produced directly by the compile-link toolchain but was manually encoded, so some tools go wrong. You can try
W32Dasm.

5. I disassembled Wantjob successfully with W32Dasm, but why do many strings look strange?
Wantjob applies a simple single-table substitution to some strings, for example F->c, l->t, k->s. So "rwky64" is actually
"base64".
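An analyst can recover such a table incrementally from the strings whose plaintext is known. The following is an added example, not the author's tooling: only the three letter pairs and the "rwky64" -> "base64" crib come from the write-up; the other test strings are constructed.

```python
# Recovering the single-table substitution from known plaintext/ciphertext pairs
# (added example, not the author's tooling). Only the letter pairs and the
# "rwky64" -> "base64" crib come from the write-up; other strings are constructed.
CRIBS = [("F", "c"), ("l", "t"), ("k", "s"), ("rwky64", "base64")]

def build_table(cribs, table=None):
    """Extend a cipher-char -> plain-char table from (ciphertext, plaintext) pairs.
    Raises ValueError when a pair contradicts the table or would map two cipher
    characters to one plain character, which means a crib is wrong."""
    table = dict(table or {})
    for ct, pt in cribs:
        if len(ct) != len(pt):
            raise ValueError(f"length mismatch: {ct!r} vs {pt!r}")
        for c, p in zip(ct, pt):
            if c in table and table[c] != p:
                raise ValueError(f"conflict: {c!r} -> {table[c]!r} and {p!r}")
            if c not in table and p in table.values():
                raise ValueError(f"{p!r} is already produced by another cipher char")
            table[c] = p
    return table

def decode(s, table, unknown="?"):
    """Apply the (partial) table; characters without a known mapping become `unknown`."""
    return "".join(table.get(c, unknown) for c in s)

def caesar_shift(table):
    """Return the common rotation if every letter mapping is the same Caesar shift,
    else None. Confirms the table is a general substitution, not a simple rotation."""
    shifts = {(ord(p.lower()) - ord(c.lower())) % 26
              for c, p in table.items() if c.isalpha() and p.isalpha()}
    return shifts.pop() if len(shifts) == 1 else None

TABLE = build_table(CRIBS)

if __name__ == "__main__":
    print(decode("rwky64", TABLE))  # base64
    print(decode("Fwky", TABLE))    # case  (constructed ciphertext)
    print(decode("rxy", TABLE))     # b?e   ('x' has no known mapping yet)
    print(caesar_shift(TABLE))      # None
```

Each further string whose meaning becomes obvious from context is added as another crib, and the conflict checks catch a wrong guess before it corrupts the table.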

6. Compared with Nimda and Sircam, which does more harm?
Wantjob obviously does not spread as fast as Nimda, but it is certainly faster than Sircam. It can both infect files and destroy files,
so its harm should not be much less than Nimda's, and the economic losses it causes may be greater than Nimda's.
