Recently popular bamboo Trojans

Source: Internet
Author: User
Tags: net command

I encountered many similar scenarios some time ago:

Without knowing how it happened, a user finds that his computer has been locked, and a message like the following appears at startup:


This kind of trick is quite worrying. Users who are not familiar with computers are generally helpless and in the end can only contact the extortionist to get the password.

The first method changes the Administrator password through the net command.


It then writes entries to the registry so that the victim is reminded to contact the extortionist.


This method was quickly detected and intercepted by the various antivirus products, so the Trojan author turned to a second method to achieve the same goal.

The second method contains no net command at all; it calls the NetUserSetInfo API to set the password.

Set a breakpoint on this function (it is hit twice: once for the full name and once for the password):


On MSDN we find:

NET_API_STATUS NetUserSetInfo(
    LPCWSTR servername,  // NULL means the local computer
    LPCWSTR username,    // pointer to a string, e.g. 0016ACE0, which points to "Administrator"
    DWORD   level,       // information level; determines what kind of data buf holds
    LPBYTE  buf,         // the data itself
    LPDWORD parm_err
);

Description of the level parameter:

level [in]
    Specifies the information level of the data. This parameter can be one of the following values.

When level is 1011, it specifies the full name of the user, and the buf parameter points to a USER_INFO_1011 structure.

typedef struct _USER_INFO_1011 {
    LPWSTR usri1011_full_name;
} USER_INFO_1011, *PUSER_INFO_1011, *LPUSER_INFO_1011;


Memory at 0016CE88:


After the modification succeeds:


When level is 1003, it specifies a user password, and the buf parameter points to a USER_INFO_1003 structure.

typedef struct _USER_INFO_1003 {
    LPWSTR usri1003_password;
} USER_INFO_1003, *PUSER_INFO_1003, *LPUSER_INFO_1003;

Here 0012FC24 points to such a structure.


Memory at 00171820; the corresponding Unicode string is "bu".


So the password the machine was locked with is "bu", and entering it logs in successfully.
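To make the debugger view above concrete, here is an added example (not code from the original post) that recovers the NetUserSetInfo arguments from a 32-bit memory snapshot the same way it is done by hand above: follow buf to the USER_INFO_1003 or USER_INFO_1011 structure, then follow its single LPWSTR to the UTF-16 string. The Memory class is a hypothetical helper, and the snapshot bytes are constructed to mirror the addresses and strings in the post's screenshots.

```python
import struct

# Constructed 32-bit snapshot (not the sample's real memory) mirroring the post's values.
# Both levels the Trojan uses carry exactly one LPWSTR at offset 0 of buf.
LEVEL_FIELDS = {
    1003: "usri1003_password",   # USER_INFO_1003: sets the password
    1011: "usri1011_full_name",  # USER_INFO_1011: sets the full name
}

class Memory:
    """Sparse little-endian memory image {base_address: bytes} (hypothetical helper)."""
    def __init__(self, regions):
        self.regions = regions

    def read(self, addr, size):
        for base, data in self.regions.items():
            if base <= addr and addr + size <= base + len(data):
                return data[addr - base:addr - base + size]
        raise ValueError(f"unmapped read at {addr:08X}")

    def read_wstr(self, addr, max_chars=256):
        """Read a NUL-terminated UTF-16LE string (LPWSTR)."""
        units = []
        for i in range(max_chars):
            unit = self.read(addr + 2 * i, 2)
            if unit == b"\x00\x00":
                return b"".join(units).decode("utf-16-le")
            units.append(unit)
        raise ValueError("unterminated LPWSTR")

def decode_user_info(mem, level, buf):
    """Follow buf -> USER_INFO_<level> -> LPWSTR; return (field name, value)."""
    if level not in LEVEL_FIELDS:
        raise ValueError(f"level {level} is not a single-string USER_INFO level")
    str_ptr = struct.unpack("<I", mem.read(buf, 4))[0]   # 32-bit pointer at offset 0
    return LEVEL_FIELDS[level], mem.read_wstr(str_ptr)

def describe_call(mem, username_ptr, level, buf):
    """Summarise the NetUserSetInfo arguments as seen at the breakpoint."""
    field, value = decode_user_info(mem, level, buf)
    return {"username": mem.read_wstr(username_ptr), "level": level, field: value}

def build_sample():
    """Constructed snapshot: username at 0016ACE0, buf at 0012FC24, string at 00171820."""
    wstr = lambda s: s.encode("utf-16-le") + b"\x00\x00"
    return Memory({
        0x0016ACE0: wstr("Administrator"),
        0x0012FC24: struct.pack("<I", 0x00171820),  # usri1003_password -> 00171820
        0x00171820: wstr("bu"),
    })
```

Running describe_call(build_sample(), 0x0016ACE0, 1003, 0x0012FC24) yields the username "Administrator" and the password "bu", matching the two breakpoint hits described above.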


Now 360 Security Guard can fully intercept this second method as well.


Most of these Trojans spread through QQ groups or email. The Trojan author lurks in game groups, renames the Trojan to something tempting, such as a "CF free gun cheat, virus-free" tool or "free Q coins", and uploads it, so users readily download and run it.

The Trojan analyzed in this article came from an infected user. After helping him resolve the problem, the techniques this kind of Trojan commonly uses were summarized here.
