Analysis and manual removal of a script virus disguised as desktop.ini

Source: Internet
Author: User
Tags: tmp file

Desktop.ini is a special configuration file that stores folder-related settings. It is created by the system by default, lives inside a folder, and carries the system and hidden attributes. The virus analyzed in this article is actually a VBS script virus. After it runs, it creates two virus files, desktop.ini and autorun.inf, in the root directory of the system disk. The script virus uses the desktop.ini file name as a disguise, so that people mistake it for a normal system file and it stays hidden.

Basic virus sample information

Next, let's take a look at the script virus disguised as desktop.ini. First, the basic information of the virus sample is shown in Figure 1.

File: desktop.ini

Size: 12 KB

MD5: 02F638045780A73AEB90F4B04BC4DE05

Rising v16 detection name: Worm.Script.VBS.Agent.bz

Figure 1: virus sample information

Rising v16 antivirus software detects the sample, as shown in Figure 2.

Figure 2: detection and removal by Rising v16 antivirus software

Next, let's look at the actual content of this desktop.ini, as shown in Figure 3. From Figure 3 alone it cannot be determined that this is a script file; the content is just a jumble of unreadable characters. However, the name reported by Rising v16, Worm.Script.VBS.Agent.bz, contains Script.VBS, which clearly marks it as a script virus. Worm means a worm, Script means a script, and VBS means the virus code is written in VBScript. To further confirm that this is a script virus, let's look at the content of the autorun.inf file, as shown in Figure 4.

Figure 3: content of desktop.ini

Figure 4: content of autorun.inf

Pay attention to the part marked in red in Figure 4: it is the command used to execute the script. Let's look at the help information of wscript.exe on the command line, as shown in Figures 5 and 6.

Figure 5: entering wscript /? shows the wscript.exe usage

Figure 6: wscript.exe command line usage

Combined with Figure 4, the //e: option of wscript.exe specifies the script engine, here VBScript. From this we can tell that desktop.ini is a VBS script virus and that the VBScript engine is required to run desktop.ini. Next, let's take a detailed look at the behavior of this VBS script virus.

Virus Behavior

Copy desktop.ini and autorun.inf to the root directory of a disk (drive C in this example) so that we can execute the VBS script virus sample from the command line, as shown in Figure 7.

Figure 7: copy the script virus to the C root directory

This time, we use the RegFsNotify.exe tool for analysis. This tool monitors changes to the system, such as files being created or the registry being modified. Each line of the log it outputs starts with an [ADD], [REMOVED], or [MODIFIED] tag to indicate the type of activity. Copy regfsnotify.exe to the root directory of the disk as well, as shown in Figure 8.

Figure 8: copy regfsnotify.exe to the C root directory

We can use the following command lines to run the VBS script virus sample and to run regfsnotify.exe to monitor it, as shown in Figures 9 and 10.

Figure 9: run the regfsnotify.exe tool in the command line

Figure 10: run the VBS script virus in another command line window

First, run regfsnotify.exe in the command line window from Figure 9, as shown in Figure 11.

Figure 11: run the regfsnotify.exe tool in the command line window

With regfsnotify.exe running, execute the VBS script virus in the window from Figure 10 and press Enter, as shown in Figure 12.

Figure 12: run the VBS script virus

The activity captured in the regfsnotify.exe command line window is shown in Figure 13.

Figure 13: script virus activity captured by RegFsNotify.exe

As shown in Figure 13, the regfsnotify.exe tool uses green and white to mark the program's file creations and modifications to the system, which makes the two easy to distinguish. Take the red box in Figure 13 as an example: we can see that autorun.inf and desktop.ini are created in the C:\Windows\Installer directory, together with a Microsoft.lnk shortcut file. This is one of the VBS script virus's behaviors; there are of course others, which we will analyze later. Let the tool run until the sample has finished executing so that the complete behavior is captured, as shown in Figure 14.

Figure 14: virus sample execution completed

After stopping the regfsnotify.exe tool, we find the generated regfsnotify.txt log file in the C root directory, as shown in Figure 15.

Figure 15: monitoring log generated by the RegFsNotify.exe tool

Open regfsnotify.txt directly to view the monitored log content, as shown in Figure 16. Viewing the log in the default Notepad is rather messy; we can install Notepad++ and use it to view the log instead, as shown in Figure 17.

Figure 16: viewing the regfsnotify.txt log in Notepad

Figure 17: viewing the regfsnotify.txt log in Notepad++

Comparing Figure 16 and Figure 17, Notepad++ shows the monitoring log much more clearly. As shown in the red box in Figure 17, the first step of the VBS script virus is to create rad6c437.tmp in the C:\WINDOWS\system32 directory. Look for this tmp file in C:\WINDOWS\system32 to verify the regfsnotify.txt log content. As shown in Figure 18, there is indeed a rad6c437.tmp file in the C:\WINDOWS\system32 directory.

Figure 18: the rad6c437.tmp file created in the C:\WINDOWS\system32 directory

What is this tmp file for? Opening rad6c437.tmp directly with Notepad++, as shown in Figure 19, and comparing it with Figure 3 suggests that rad6c437.tmp is the decrypted script created by the desktop.ini virus. Both desktop.ini in Figure 3 and rad6c437.tmp in Figure 19 begin with:
'Http://www.microsoft.com/isapi/redir.dll?Prd={SUB_PRD}&ar=runonce&pver={SUB_PVER}&plcid={SUB_CLSID}
After this line, desktop.ini is garbled and unreadable, whereas rad6c437.tmp continues with clearly readable script code. To verify this guess, let's continue reading the content of rad6c437.tmp.

Figure 19: content of the rad6c437.tmp file opened in Notepad++

In rad6c437.tmp we find the command line that autorun.inf in Figure 4 uses to execute desktop.ini, as shown in Figure 20.

Figure 20: the command line used by autorun.inf to execute desktop.ini

Based on the content starting in Figure 19, we can basically conclude that rad6c437.tmp is the VBS script decrypted by the desktop.ini script. With this decrypted VBS script, we can easily analyze the behavior of this VBS script virus, and we can also cross-check it against the regfsnotify.txt log.

Figure 21 again shows the //e:VBScript desktop.ini command line used to launch the script.

Figure 21: the //e:VBScript desktop.ini command line

As shown in Figure 22, the VBS script virus also creates a v.doc file in the C:\windows\system32 directory. Its content is shown in Figure 22-1.

Figure 22: create v.doc and write content to it

Figure 22-1: v.doc content

As shown in Figure 23, the VBS script virus modifies the system registry to remove the arrow overlay from shortcut icons, so that the shortcuts it creates look like normal folders.

Figure 23: removing the shortcut icon arrow

As shown in the red box in Figure 23-1, there appear to be two folders with the same name in the C root directory. In fact, these two items are not the same file type: one is a folder, the other is a shortcut.

Figure 23-1: with the arrow removed, the shortcut icon is identical to the system folder icon, which is very confusing

Continuing through rad6c437.tmp, as shown in Figure 24, the VBS script virus also changes the IE home page to http://www.bendot.co.nr, as shown in Figure 24-1.

Figure 24: registry modification setting the IE home page to http://www.bendot.co.nr

Figure 24-1: IE home page modified

As shown in Figure 25, the VBS script virus writes itself into the registry startup key so that it runs automatically after the system starts or restarts.

Figure 25: startup entry written by the VBS script virus

As shown in Figure 26, the VBS script virus also modifies registry values to disable the system Registry Editor and Task Manager, a common virus technique.

Figure 26: disabling the system Registry Editor and Task Manager

As shown in Figures 26-1 and 26-2, the system's Task Manager and Registry Editor become unavailable.

Figure 26-1: Task Manager is grayed out and unavailable

Figure 26-2: running the Registry Editor shows the prompt that it has been disabled by the administrator

As shown in Figure 27, the virus also modifies the system folder options: it changes the warning text for "Hide protected operating system files (Recommended)" to "fandy love yuyun" and disables the option. The purpose is to prevent the desktop.ini and autorun.inf files in the root directory of the disk from being seen, as shown in Figure 27-1.

Figure 27: disabling the "Hide protected operating system files" option

Figure 27-1: the protected operating system file warning modified to "fandy love yuyun"

As shown in Figure 28, the virus writes a winUpdate startup item that runs //e:VBScript "C:\WINDOWS\Microsoft Office Update for Windows XP.sys".

Figure 28: writing the winUpdate startup item

What is C:\WINDOWS\Microsoft Office Update for Windows XP.sys? We can simply open it directly. As shown in Figures 28-1 and 28-2, it is a Microsoft.lnk shortcut.

Figure 28-1: opening C:\WINDOWS\Microsoft Office Update for Windows XP.sys

Figure 28-2: Microsoft.lnk cannot be opened by Windows

The target of Microsoft.lnk is shown in Figure 28-3: it executes the desktop.ini script virus.

Figure 28-3: Microsoft.lnk executes the desktop.ini script virus

The above is the analysis of the main behavior of rad6c437.tmp, the decrypted script released by the VBS script virus desktop.ini. In addition, the regfsnotify.txt log and regfsnotify.exe capture the VBS script virus creating, in system folders, lnk files with the same names as the folders along with desktop.ini and autorun.inf files; compare Figure 15 with Figure 28-3. Figure 15 shows the lnk files written by the virus, while Figure 28-3 shows that the lnk file's target executes the VBS script virus desktop.ini. This makes cleanup difficult: if these virus files are not completely removed, a careless click will trigger the virus again. The following describes how to handle the VBS script virus.

Figure 29: the regfsnotify log captures the virus creating a large number of lnk, desktop.ini, and autorun.inf files
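The behaviors collected above (the desktop.ini/autorun.inf pairs, the same-name lnk files, the tmp drop in system32 and the registry changes) can be triaged automatically from a RegFsNotify-style log. The following Python is an added example, not code from the article or from the RegFsNotify tool: it assumes a simple "tag path" layout after the [ADD]/[REMOVED]/[MODIFIED] tag (the tool's real layout is not shown on this page), and the log lines are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample in the style of a RegFsNotify log (tags are the tool's; the
# "tag path" layout after the tag is an assumption for this example).
SAMPLE_LOG = r"""
[ADD] C:\WINDOWS\system32\rad6c437.tmp
[ADD] C:\WINDOWS\Installer\desktop.ini
[ADD] C:\WINDOWS\Installer\autorun.inf
[ADD] C:\WINDOWS\Installer\Microsoft.lnk
[MODIFIED] HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr
[MODIFIED] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden\WarningIfNotDefault
[ADD] HKCU\Software\Microsoft\Windows\CurrentVersion\Run\winUpdate
[ADD] C:\Documents and Settings\user\notes.txt
"""
LINE_RE = re.compile(r"^\[(ADD|REMOVED|MODIFIED)\]\s+(.*)$")
# Registry paths the article shows the worm touching (policy value names are the standard Windows ones).
SUSPICIOUS_REG = ("\\Policies\\System\\DisableTaskMgr", "\\Policies\\System\\DisableRegistryTools",
                  "\\Explorer\\Advanced\\Folder\\SuperHidden", "\\Internet Explorer\\Main\\Start Page",
                  "\\CurrentVersion\\Run\\")

def parse_log(text):
    """Yield (action, path) pairs, skipping lines without a tag."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2)

def find_indicators(text):
    """Map each indicator to the sorted paths that triggered it."""
    hits, files_by_dir = defaultdict(set), defaultdict(set)
    for action, path in parse_log(text):
        if action == "REMOVED":
            continue
        if path.startswith(("HKLM", "HKCU")):
            if any(frag.lower() in path.lower() for frag in SUSPICIOUS_REG):
                hits["registry_tamper"].add(path)
            continue
        folder, _, name = path.rpartition("\\")
        folder, name = folder.lower(), name.lower()
        files_by_dir[folder].add(name)
        if folder.endswith("\\system32") and name.endswith(".tmp"):
            hits["dropped_tmp_in_system32"].add(path)
        if name.endswith(".lnk"):
            hits["lnk_created"].add(path)
    # desktop.ini plus autorun.inf in one folder is the worm's pattern; a lone desktop.ini is normal.
    for folder, names in files_by_dir.items():
        if {"desktop.ini", "autorun.inf"} <= names:
            hits["desktop_ini_autorun_pair"].add(folder)
    return {k: sorted(v) for k, v in hits.items()}
```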

Virus Processing

In the process list of the XueTr tool we find wscript.exe running, as shown in Figure 30. Note: wscript.exe is a normal system program; the script virus needs to call it to execute the script. Therefore, when handling this process, we only need to end it. Do not choose "end process and delete file", which would delete a normal system file, as shown in Figure 31.

Figure 30: wscript.exe in the XueTr process list

Figure 31: right-click to end the process

Next, let's look at the startup items, as shown in Figure 32. When handling the startup item, we only need to delete the startup item information, as shown in Figure 33.

Figure 32: startup entry written by the VBS script virus

Figure 33: right-click the name of the startup item and choose delete (startup item information)

Next, turn to Rising v16 anti-virus software. This type of virus can be handled directly with anti-virus software. As shown in Figure 34, use Rising v16 to scan the entire disk for the virus files.

Figure 34: script virus detected by Rising v16

After the anti-virus software has scanned and removed desktop.ini and autorun.inf, the remaining lnk shortcuts are useless. We can use the built-in Windows search with the criteria shown in Figure 35 to find all the lnk files and delete them.

Figure 35: the 1 KB shortcuts created by the virus, found by search

Next, we use the Rising Security Assistant to repair the Registry Editor, Task Manager, and lnk arrow icons. As shown in Figure 36, the Rising Security Assistant detects the anomalies.

Figure 36: anomalies detected by the Rising Security Assistant

As shown in Figures 37 and 38, the Registry Editor and Task Manager are restored after being repaired by the Rising Security Assistant.

Figure 37: the system Registry Editor opens normally

Figure 38: Task Manager returns to normal

Open the system Registry Editor and manually fix the modified "Hide protected operating system files" setting, as shown in Figure 39.

Figure 39: SuperHidden prompt modified by the virus

The registry path and the modification method are shown in Figure 40. The value to restore is WarningIfNotDefault under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden; the two key values should be the same, as shown in Figure 41.

Figure 40: restoring the SuperHidden prompt information

Figure 41: the SuperHidden prompt information restored to normal

Note that UncheckedValue under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden has also been changed to 0. Its default value is 1; change it back to 1 so that SuperHidden is completely repaired.
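Before editing by hand, the keys this virus touches can be checked against a Regedit export (.reg file) of the affected machine. The following Python is an added example, not code from the article or from Rising's tools: the export is constructed to mirror the tampering shown above, UncheckedValue is compared with the default of 1 stated in the article, and treating a WarningIfNotDefault value that is not an @-resource reference as tampered is my assumption.

```python
import re

# Constructed Regedit export (standard "Windows Registry Editor Version 5.00" text
# format) reproducing the tampering the article shows; values are samples, not dumps.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden]
"WarningIfNotDefault"="fandy love yuyun"
"UncheckedValue"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
"DisableRegistryTools"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"winUpdate"="wscript.exe //e:VBScript \"C:\\WINDOWS\\Microsoft Office Update for Windows XP.sys\""
"""
KEY_RE = re.compile(r"^\[(.+)\]$")
VAL_RE = re.compile(r'^"([^"]+)"=(?:dword:([0-9a-fA-F]{8})|"(.*)")$')

def parse_reg(text):
    """Return {key_path: {value_name: value}}; dwords become int, strings stay as exported."""
    tree, key = {}, None
    for line in text.splitlines():
        if m := KEY_RE.match(line):
            key = m.group(1)
            tree[key] = {}
        elif key is not None and (m := VAL_RE.match(line)):
            name, dword, text_value = m.groups()
            tree[key][name] = int(dword, 16) if dword is not None else text_value
    return tree

def audit(tree):
    """List deviations from the clean state the article restores (assumptions marked inline)."""
    findings = []
    for key, values in tree.items():
        k = key.lower()
        if k.endswith("\\folder\\superhidden"):
            if values.get("UncheckedValue", 1) != 1:  # default is 1 (stated in the article)
                findings.append("SuperHidden\\UncheckedValue is not 1")
            warn = values.get("WarningIfNotDefault", "@")
            if not warn.startswith("@"):  # assumption: a clean value is an @-resource reference
                findings.append(f"SuperHidden\\WarningIfNotDefault replaced with {warn!r}")
        elif k.endswith("\\policies\\system"):
            findings += [f"{n} is set" for n in ("DisableTaskMgr", "DisableRegistryTools")
                         if values.get(n) == 1]
        elif k.endswith("\\currentversion\\run"):
            findings += [f"Run entry {n} launches a VBScript: {cmd}" for n, cmd in values.items()
                         if "//e:vbscript" in str(cmd).lower()]
    return findings
```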

Finally, we use the Security Assistant's locking function to lock the home page, as shown in Figure 42.

Figure 42: use the Rising Security Assistant IE protection to lock the home page

The effect of locking the home page is shown in Figure 43.

Figure 43: the IE home page locked to hao.rising.cn
