Today we analyze a virtual disk tool. This virus sample looks like a normal application while it is running, but once we exit the program a series of unexpected things happens.
In a previous issue of the Rising Security Monthly we published a brief analysis of the Trojan "Red Rice 5 second buy ID device". That flash-purchase tool is in fact a software-promotion Trojan: after it runs it downloads and installs a large amount of junk software onto an otherwise normal system, and this junk software cannot be easily removed. The sample analyzed today is a virtual disk tool that behaves in a similar way; a brief analysis of the sample follows.
Virus Sample Introduction
File: VDrive.exe
Size: 92kb
MD5: CD1F8F81B75D07332E43E023FE7CD559
Rising V16+ detection name: Trojan.Win32.Generic.1677219F
The virus sample is shown in Figure 1, and Rising V16+ detects and removes it, as shown in Figure 2.
Figure 1: virus sample
Figure 2: Rising V16+ detects and removes the sample
Virus sample Behavior Analysis
Run vdrive.exe directly in the virtual machine. A prompt asking whether to add a right-click menu entry is displayed, as shown in Figure 3.
Figure 3: after running the virus sample, the "add right-click menu" prompt is displayed
Click "Yes". The main interface of the Virtual Disk Expert program is displayed, as shown in Figure 4.
Figure 4: Virtual Disk expert Program Main Interface
As shown in Figure 4, this appears to be a normal Virtual Disk Expert program with nothing unusual about it. Let's briefly try the software. First, set the virtual file path: click the button shown in Figure 4-1 to bring up the dialog in which the file path for the virtual disk to be created is set, as shown in Figure 5.
Figure 4-1: set the virtual file path
Figure 5: set the virtual file path to a folder created under C:\
Because the virtual machine has only one partition, we create a folder in the root of drive C: and specify it as the virtual file path. After clicking "OK" in Figure 5, the virtual file path is set successfully, as shown in Figure 6.
Figure 6: virtual file path set to the folder created under C:\, and the drive letter to allocate set to E:
After making the settings shown in Figure 6, click Create to create the virtual disk, as shown in Figure 7. The software then prompts "Current virtual disk E: created successfully".
Figure 7: virtual disk E: created successfully
After clicking "OK" in Figure 7, the current virtual disk and its corresponding physical path are displayed, as shown in Figure 8.
Figure 8: virtual disk drive letter and physical path displayed by the software
Open My Computer and a drive E: is present, as shown in Figure 9. The virtual disk has been created successfully.
Figure 9: virtual disk E: created by Virtual Disk Expert
Double-click to open drive E:. The disk opens normally and contains no data, as shown in Figure 10.
Figure 10: Open Virtual Disk E:
At this point, we have verified that this virtual disk expert software can normally create a virtual disk. Next, let's take a look at whether the created virtual disk can be deleted normally. The software also provides the normal deletion function. We select the currently used virtual disk and click the delete button, as shown in Figure 11.
Figure 11: delete a Virtual Disk
After clicking Delete, the software asks whether to delete the current virtual disk E:, as shown in Figure 12.
Figure 12: confirm whether to delete the created virtual disk
So far the software seems fairly legitimate and does not look like a virus. Click "Yes" to check whether the created virtual disk can be deleted normally. The software then prompts that the current virtual disk has been deleted, as shown in Figure 13.
Figure 13: a message is displayed, indicating that the current virtual disk has been deleted.
My Computer now shows only the system drive C:, and the created virtual disk E: has been deleted, as shown in Figure 14.
Figure 14: The created virtual disk E is successfully deleted.
We have now verified that the create and delete functions of this software work normally. You may wonder why we demonstrated the functions of Virtual Disk Expert at such length when no virus behaviour was visible. The long demonstration is there precisely to show that these two functions work as advertised, which is what makes the software misleading; if you concluded from this that it is a normal virtual disk tool, you would be badly mistaken. Next, look at the Exit function, where the unexpected behaviour appears. Click the Exit button on the main interface of Virtual Disk Expert: the Rising V16+ firewall installed on the virtual machine displays a network access prompt for vdrive.exe, as shown in Figure 15.
Figure 15: after the Exit button is clicked, the Rising firewall intercepts Virtual Disk Expert's network request
Why does an ordinary program request network access just as it exits? Suspicious! As shown in Figure 15, vdrive.exe connects from local port 1140 to port 80 of the remote IP address 211.101.12.49. Here we click "Allow". After that, IE automatically opens the navigation site hao.6360.info, as shown in Figure 16.
Figure 16: after vdrive.exe is allowed online, Internet Explorer automatically opens hao.6360.info
In addition, the Rising firewall intercepts network activity from a suspicious program, axukr.exe, which connects from local port 1176 to port 80 of the same remote IP address, 211.101.12.49, as shown in Figure 17.
Figure 17: the suspicious program axukr.exe is blocked by the Rising firewall
As shown in Figure 17, the path of axukr.exe appears to be C:\Documents and Settings\Administrator\Desktop\virus, the folder from which we ran the sample, so axukr.exe was downloaded there by the sample. As shown in Figure 17-1, the file axukr.exe is indeed present in C:\Documents and Settings\Administrator\Desktop\virus.
Figure 17-1: axukr.exe downloaded to the same path as vdrive.exe
After clicking Allow in Figure 17 and letting axukr.exe connect to the Internet, a prompt appears in the lower-right system tray asking to add "Music FM" to the startup items, as shown in Figure 18.
Figure 18: system tray prompt for adding Music FM to startup
Once axukr.exe is allowed online, the Music FM software is quickly downloaded and installed onto the system. At the same time, a browser is automatically opened to the hao123 navigation site, together with a prompt asking whether to set it as the default browser. As shown in Figure 19, a "Dim Sum" browser, which we had never heard of, was quickly installed on the system: this is rogue software promotion.
Figure 19: a browser opens automatically and visits the hao123 navigation site
It was because we allowed axukr.exe online that this promotion software was delivered. A number of unknown programs were downloaded and quickly installed in the virtual machine, which made it very sluggish; this is one of the hallmarks of rogue promotion software. We captured only some of the installs. Figure 20 shows the online installation interface of the Cool Broadcast software we captured.
Figure 20: pop-up online installation interface of codoon
Finally, after multiple programs had been installed, the operating system was overwhelmed and the test virtual machine restarted automatically, as shown in Figure 21.
Figure 21: automatic system restart
After the VM restarts and enters the system, we find many new shortcuts on the desktop, such as Music FM, Goddess Alliance, Wuzun, Tangmen Wuzun, Xiaoxin Game, Xiaoxin Calendar, Today's News, Dim Sum Browser, wjplay, Internet999 Shipping and so on. No wonder the system is sluggish with so much software installed, as shown in Figure 22.
Figure 22: multiple promoted programs installed on the system
Next, the Rising firewall intercepts a network request from the system's msiexec.exe, which connects from local port 1158 to port 80 of the remote IP address 2.20.183.168, as shown in Figure 23.
Figure 23: Rising firewall prompt for the network request from msiexec.exe
At this point it makes little difference whether we allow or deny this connection; it may simply mean that no further software is downloaded or installed. Let's look at the list of programs in the system Start Menu, as shown in Figure 24. It also includes "Love Intelligence 1.9" and other software.
Figure 24: list of promoted programs installed in the Start Menu
This Virtual Disk Expert software is a rogue promotion program. Its advertised functions work normally, which is what makes it misleading. If you download and use this software, the trap is in the program's Exit button: once you exit, the program connects to the Internet and multiple promoted programs are downloaded and installed on the system. As a result the system becomes sluggish and slow, and the browser homepage is modified, which drives visits and traffic to the navigation site. As shown in Figures 24-1 and 24-2, we opened the system's IE browser and found that the homepage had been changed to hao.6360.info.
Figure 24-1: the system IE browser homepage tampered to hao.6360.info
Figure 24-2: the homepage in Internet Options changed to hao.6360.info
Let's look at the system Task Manager. It shows that many applications are running, as shown in Figure 25.
Figure 25: Task Manager shows that programs such as Virtual Disk Expert are running
Multiple unknown programs are running in the current process, as shown in Figure 26.
Figure 26: the process list contains multiple unknown programs, including the Virtual Disk Expert virus program
This indicates that after the promoted programs were installed, most of them wrote themselves into the system startup items so that they run at boot. We use XueTr to check which startup items were written, as shown in Figure 27.
Figure 27: startup items written by multiple promoted programs, as displayed by XueTr
Because so many programs were installed, we will not explain how to uninstall them one by one. Briefly: use each program's own uninstaller or Add/Remove Programs in the Control Panel, use XueTr's force-delete function to manually delete software that cannot be removed, and use XueTr to delete the written startup items. For the detailed steps, refer to our previous articles. Next, we explain how to prevent such rogue promotion software.
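The behaviour chain above (a "clean" tool that phones home on exit, drops a second executable beside itself, that file reusing the same server, then msiexec.exe going online) can be surfaced by correlating firewall prompts. The following is an added example, not code from the article or from Rising; the log format, timestamps and the final benign record are constructed, while the executables, ports and addresses are the ones reported in Figures 15, 17 and 23.

```python
"""Correlate firewall-style event records to surface a dropper chain.
Log format and sample values are constructed for this example (not Rising's)."""
from datetime import datetime
from pathlib import PureWindowsPath

# Constructed records modelled on the firewall prompts in Figures 15, 17 and 23.
# NET : time|NET|exe|local_port|remote_ip|remote_port
# FILE: time|FILE|writer_exe|new_file
SAMPLE_LOG = r"""
2024-01-01T10:00:00|NET|C:\Documents and Settings\Administrator\Desktop\virus\vdrive.exe|1140|211.101.12.49|80
2024-01-01T10:00:02|FILE|C:\Documents and Settings\Administrator\Desktop\virus\vdrive.exe|C:\Documents and Settings\Administrator\Desktop\virus\axukr.exe
2024-01-01T10:00:05|NET|C:\Documents and Settings\Administrator\Desktop\virus\axukr.exe|1176|211.101.12.49|80
2024-01-01T10:00:40|NET|C:\WINDOWS\system32\msiexec.exe|1158|2.20.183.168|80
2024-01-01T11:30:00|NET|C:\Program Files\Internet Explorer\iexplore.exe|2000|203.0.113.10|80
""".strip().splitlines()

def parse(line):
    """Turn one '|'-separated record into a dict."""
    f = line.split("|")
    ts = datetime.fromisoformat(f[0])
    if f[1] == "NET":
        return {"ts": ts, "kind": "NET", "exe": f[2], "rip": f[4], "rport": int(f[5])}
    if f[1] == "FILE":
        return {"ts": ts, "kind": "FILE", "exe": f[2], "new": f[3]}
    raise ValueError(f"unknown record: {line}")

def correlate(lines, window_s=120):
    """Return (exe, reason) findings; the rules follow the chain described above."""
    findings, contacted, dropped, last_suspect = [], {}, {}, None
    for ev in sorted((parse(l) for l in lines), key=lambda e: e["ts"]):
        exe, name = ev["exe"], PureWindowsPath(ev["exe"]).name
        if ev["kind"] == "FILE":
            new = ev["new"]
            dropped[new.lower()] = name
            if PureWindowsPath(new).parent == PureWindowsPath(exe).parent:
                findings.append((new, f"dropped beside its writer {name}"))
                last_suspect = ev["ts"]
            continue
        if exe.lower() in dropped:  # a dropped file is now talking out
            findings.append((exe, f"outbound traffic from file dropped by {dropped[exe.lower()]}"))
            last_suspect = ev["ts"]
        first = contacted.setdefault(ev["rip"], (exe, ev["ts"]))  # first exe to reach this IP
        if first[0].lower() != exe.lower() and (ev["ts"] - first[1]).total_seconds() <= window_s:
            findings.append((exe, f"reuses {ev['rip']}:{ev['rport']} first contacted by {PureWindowsPath(first[0]).name}"))
            last_suspect = ev["ts"]
        if name.lower() == "msiexec.exe" and last_suspect and (ev["ts"] - last_suspect).total_seconds() <= window_s:
            findings.append((exe, "installer traffic shortly after the suspicious chain"))
    return findings
```

Run against SAMPLE_LOG, the three axukr.exe findings and the msiexec.exe finding are reported, while the unrelated iexplore.exe record an hour later is not.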
How to Prevent malware promotion
How can we prevent a virus that connects to the network and automatically downloads multiple programs? Careful readers will already have guessed the prevention method: install firewall software. As demonstrated above, after Virtual Disk Expert is exited the program issues a network request. Because the Rising firewall is installed on the virtual machine, it immediately intercepts the unknown program's network request. The Rising firewall offers two options for unknown programs: allow network access or deny it. We simply deny vdrive.exe network access, so the promotion virus cannot reach the Internet and cannot download and install the rogue software onto the system, as shown in Figure 28. In Figure 28 we denied the vdrive.exe network request at the Rising firewall and selected the option to handle subsequent requests the same way.
Figure 28: vdrive.exe network access denied
After we denied the vdrive.exe connection, the vdrive.exe process shown in Task Manager has exited and no abnormal processes are running, as shown in Figure 29. This shows that we successfully used the Rising firewall to block the rogue promotion software.
Figure 29: Task Manager shows no vdrive.exe and no suspicious processes
Therefore, if we encounter a promotion-software virus that evades antivirus detection, the Rising firewall is the last line of defence after we accidentally run it. We therefore recommend installing firewall software alongside antivirus software.