Security Information-ghosting Virus

In the past, it was often said that it was okay to reinstall the system if the system was poisoned. But now, this sentence will be history. In March 15, the Kingsoft security lab named"GhostingComputer virus. The virus is parasitic on the disk Master Boot Record (MBR). Even if the system is formatted and reinstalled, the virus cannot be cleared. When the system restarts again, the virus is loaded before the operating system kernel. When the virus runs successfully, no exception is found in the process and the system startup add-on. The virus is likeGhostingIn the same way on the computer that has been poisoned, the ghost is not scattered ".

 

Ghost virus Analysis Report

1. Ghost and shadow virus Overview
This is a trojan download device that uses ring3 to restore kernel hooks, infect disk boot zones (MBR), and multiple methods to end anti-virus software. After being completely infected, it is a stubborn virus that does not see suspicious files, does not have a startup item, and cannot be solved by common reinstallation systems.

Ii. Ghost and shadow virus analysis
1. Virus startup Method
Infect MBR to get the boot right above the operating system ----> HOOK file operation interrupted, search NTLDR file (main target xp, 2003 System) perform hook ----> hook kernel functions to load drivers first and execute virus drivers ------> other later operations (such as downloading Trojans and counting the number of infections)
Figure 1. MBR changes before and after ghost infection.
 
Figure 2 disk sector change after poisoning
 

2. Generate some files
% ProgramFiles % \ MSDN \ atixx. sys (work-driven)
% ProgramFiles % \ MSDN \ atixi. sys (responsible for writing other files to the boot zone)
% ProgramFiles % \ MSDN \ 000000000 (Trojan download)
% ProgramFiles % \ MSDN \ atixx. inf (driver installation script
% ProgramFiles % \ MSDN \ atixi. inf (driver installation script)
The above files will be deleted after they are used.

3. Ring3 restore various hooks
Read the original KiServiceTable table, restore the SSDT table, and restore other specific hooks.

4. End Kaspersky (R3)
Kaba process exits unexpectedly by ending Kaspersky event handle BaseNamedObjects \ f953EA60-8D5F-4529-8710-42F8ED3E8CDC.

5. Stop Other kill software (R3)
Obtain the company name of the antivirus software process, perform hash calculation, and compare it with the built-in soft-kill HASH value. If the same, the process ends.

6. Use hive technology to bypass the anti-DDoS pro and install a hardware-like driver to bypass other anti-DDoS pro interceptions.

7. Erase the starting thread address to prevent manual Detection

8. Find the explorer process and insert the user-state apc to download the virus Trojan.

9. enumerate the process object and compare the company name of the file corresponding to the process. It is found that the thread object needs to be obtained against the process and the thread is terminated. At this time, the soft process is killed and exited abnormally.

10. infect the boot area and write other files to the boot area. Hidden loading is difficult to detect, and repeated infections are difficult to clear.

11. Trojan download function
Download Trojan horse for popular games such as DNF and fantasy westward journey.

12. Create a shortcut named player on the desktop, point to a website, and change IE homepage to http://www.ttjlb.com/

Possible symptoms after infection 3
1. The computer is very stuck, and the operating procedures are obviously stuck. Common anti-virus software cannot be opened normally. At the same time, the problem still cannot be solved after repeated system reinstallation.

2. After the system file is infected with the virus, the system prompts that the corresponding dll cannot be found or the system function is abnormal.
Rpcss. dll, ddraw. dll (this is the system dll that is often modified by Trojans)
 
3. the QQ number is stolen and can be used by hackers to spread advertisements.

4 Warcraft, DNF, tianlong Babu, fantasy westward journey, and other game accounts are stolen

5. The iexplore.exe process exists in the process and points to an abnormal website.

6 desktop appears a shortcut named player pointing to a website and modifying IE's first page to http://www.ttjlb.com/