Simple Analysis of a USB flash drive Virus

USB flash drives, a mobile storage device, provide great convenience for people to store data due to its advantages such as small size, large capacity, and easy to carry. But thanks to this convenience, the virus also has a chance to take advantage of it. Have you ever taken a USB flash drive to print a photo outside and used it again, what happens when I find my computer poisoned?

The USB flash drive virus is also a headache for enterprises in the LAN environment. Due to the random plugging and use of USB flash drives by employees, the USB flash drive virus is often rampant in the LAN environment, it brings a lot of trouble to enterprise network administrators. The USB flash drive virus we analyzed today will hide the data on the USB flash drive and generate a Malicious Shortcut on the USB flash drive. If we enable this shortcut, this will trigger virus execution.

Virus Sample Introduction

First, let's take a look at the information about the virus sample:

File :~ % PHENOVECNYE. ini

Size: 23 M

MD5: 69213684f5c155aad52d0a6c8e41e2fa

Rising V16 +: Worm. Win32.Agent. aym

This virus sample 1 is shown, and rising v16 + detects and removes this sample 2.

Figure 1: virus sample

Figure 2: rising V16 + virus sample detection and removal

Virus samples are just a lnk shortcut, not ~ % PHENOVECNYE. ini. let's cancel the hidden display of the system and try again. Click "Tools"> "folder", as shown in Figure 3. deselect the "Hide protected operating system files" check box (recommended) and select "show all files and folders" under "hide files" and "folder.

Figure 3: unhide A System File

After the system hides the file, check the virus sample. Many files are added to the folder, as shown in figure 4.

Figure 4: The virus sample is displayed after the system hides the file ~ % PHENOVECNYE. ini

Let's analyze the lnk file briefly, right-click lnk and choose Properties, as shown in Figure 5.

Figure 5: Viewing the properties of an lnk shortcut file

We can see that the target type of this lnk shortcut is the application, and the target is % hoMEdrive % \ WINDOWS \ System32 \ rundll32.exe ~ % PHENOVECNYE. ini, lnk. As shown in figure 6, this formula is originally used to run the rundll32.exe of the system ~ % PHENOVECNYE. ini. You may be a bit strange ,~ %Phenovecnye.iniis only an INI file. How can I use rundll32.exe to run this plugin? Next, let's analyze it ~ % PHENOVECNYE. ini file to see what file type it is.

Figure 6: view the attributes of the lnk shortcut. The target is % hoMEdrive % \ WINDOWS \ System32 \ rundll32.exe ~ % PHENOVECNYE. ini

We use the winhex tool to open ~ % PHENOVECNYE. ini file. In the winhex string display area, we can see the MZ header, the standard pe File Header, as shown in 7.

Figure 7: winhex display ~ The % PHENOVECNYE. ini file is actually an executable program.

Winhex is just a description ~ The % PHENOVECNYE. ini file is an executable program, but is it a dll or exe or a driver? Let's use the IDA tool to view the output point of the file, as shown in figure 8. IDA shows ~ The Exports of % PHENOVECNYE. ini are DLLEntryPoint ~ % PHENOVECNYE. ini is a dll file. We know that to execute a dll file, we need to use the system's rundll32 application. Sometimes, we also need to add the dll running parameters to run the dll. So sometimes we can't just identify the file type by viewing the file extension, and some virus files may pretend to be normal system file names to confuse everyone. How can this problem be identified? Simply open the file in notepad and check the file header to find out the file type.

Figure 8: IDA view ~ The Exports of % PHENOVECNYE. ini are DLLEntryPoint.

Virus Behavior Analysis

In this virus behavior analysis, we use the SFF tool. Execute C: \ ATI \ mongost.exe.

Figure 9: rundll32.exe run C: \ ATI \ mongost.exe

After the rule is enabled, SSF monitors the rule to allow st.exeto create an upload path named st.exe, as shown in 10.

Figure 10: allows you to create an upload st.exe

As shown in figure 10, the PIDs of the two mongost.exeare different. mongomongost.exe creates a zombie process at the same time, and this zombie process is its own. Click here to allow. SSF monitors C: \ ATI \ mongost.exe and runs C: \ mongoe ~ 1 \ ADMINI ~ 1 \ LOCALS ~ 1 \ Temp \ seynhbuoetjzoetnzoepfqgvpfqkeyne.com, as shown in 11.

Figure 11: allowed to run C: \ release E ~ in st.exe ~ 1 \ ADMINI ~ 1 \ LOCALS ~ 1 \ Temp \ seynhbuoetjzoetnzoepfqgvpfqkeyne.com

Summary :~ To run the com virus program, as shown in Figure 12.

Figure 12: ssfintercepts com virus program behavior in the temporary directory of mongost.exe

After the supervisor is allowed to run, SSF also monitors seynhbuoetjzoetnzoepfqgvpfqkeyne.com and also creates its own zombie process seynhbuoetjzoetnzoepfqgvpfqkeyne.com, as shown in 13.

Figure 13: seynhbuoetjzoetnzoepfqgvpfqkeyne.com

Week, as shown in figure 14.

Figure 14: seynhbuoetjzoetnzoepfqgvpfqkeyne.comrun wupdmgr.exe

Wupdmgr.exe is short for windows update manger and is an automatically upgraded program. Next, we can download the virus program seynhbuoetjzoetnzoepfqgvpfqkeyne.comto call the wupdmgr.exe program to do something bad. Memory data, as shown in Figure 15.

Figure 15: Modify wupdmgr.exe memory data and inject

After we allow it, SSF monitors the same virus behavior prompt, as shown in 16.

Figure 16: two attempts allow modification of wupdmgr.exe memory data

After wupdmgr.exememory data is modified, SSF monitors wupdmgr.exe and writes a startup Item named 47801 under HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows \ CurrentVersion \ policies \ Explorer \ Run, as shown in figure 17.

Figure 17: wupdmgr.exe create startup Item 47801

.

Figure 18: virus sample file mongost.exe written after running

Figure 19 shows a virus sample ~ % PHENOVECNYE. ini: The Virus File seynhbuoetjzoetnzoepfqgvpfqkeyne.com written in the temporary directory of the system.

Figure 19: seynhbuoetjzoetnzoepfqgvpfqkeyne.com

Prepare the memory data and start it up to prepare for the next step of the virus.

Figure 20: The xuetrprogress shows that wupdmgr.exe is running.

For more information about the startup item, the name of the startup Item written to wupdmgr.exe is 47801, and the execution path is C: \ Documents ents and Settings \ Administrator \ Local Settings \ Temp \ ccwaaiehv. bat, as shown in 21.

Figure 21: startup entry written by wupdmgr.exe

Right-click the startup Item to locate the Startup File, as shown in Figure 22. Let's take a look at what the bat file is.

Figure 22: locate the Startup File

The startup Item file shown in Figure 23 is a ccwaaiehv. bat that is set to be hidden.

Figure 23: detected Virus File ccwaaiehv. bat

Open the ccwaaiehv. bat file in notepad and check the batch processing content. It is found that ccwaaiehv. bat is actually a pe file, as shown in 24.

Figure 24: ccwaaiehv. bat file header is in the MZ standard pe format

We extracted the ccwaaiehv.batand cmdst.exe files and used rising V16 + to scan and kill the two samples. As shown in Figure 25, rising V16 + reported viruses to these two files.

Figure 25: V16 + virus samples

When the memory data of wupdmgr.exe is modified and the startup Item 47801 is written, the virus has run. Next, we will further trigger the virus and take a look at the subsequent behavior of the virus. How can this problem be triggered? According to the name of the virus lnk shortcut "my mobile (4 GB)" and figure 4, we guess this virus sample may be intended for the mobile storage device USB flash drive, in this case, we have inserted a normal USB flash drive into the infected environment, as shown in Figure 26, which is a removable disk normally inserted by the real machine.

Figure 26: normal USB flash drive

We switched the USB flash drive to the virtual machine in the infected environment. Before switching to the infected environment, we enable the capture function of processmonitor, which allows processmonitor to capture some virus behaviors after the USB flash drive is switched to the infected environment. As shown in 27, when the intact USB flash drive is switched to the infected environment, the data on the USB flash drive is invisible, and there is only one shortcut for HB1_CCPA_X6 (8 GB.

Figure 27: there is only one 2 kb shortcut left for data on the USB flash drive

Let's take a look at what virus behaviors are captured by the processmonitor tool and how the virus hides the USB flash disk data. The behavior of the worker.

Figure 28: The pid of wupdmgr.exe displayed by processmonitoris 2000

Next we will set the rules to pid to 2000, operation to write, and operation to set the registry value. How to set the filter rules is not described in detail. I have read our previous article, I believe everyone should have mastered it. As shown in Figure 29, we add three filter rules.

Figure 29: set filtering rules

After setting the rules, we can see that the file desktop. ini and Thumbs. db are written to the USB flash drive (drive letter: E :), as shown in Figure 30.

Figure 30: wupdmgr.exe writes the file desktop. ini and Thumbs. db to the USB flash drive.

You can also modify the ShowSuperHidden and Hidden values of HKEY_CURRENT_USER \ Software \ Microsoft \ Windows \ CurrentVersion \ Explorer \ Advanced in the system registry, as shown in 31, figure 32 and 33 show the modified key value data.

Figure 31: wupdmgr.exe modify the registry value

Figure 32: Change the ShowSuperHidden value to 0 and check to hide the protected operating system file (recommended)

Figure 33: change the value of Hidden to 2, and select "do not show Hidden files and folders ".

Writes virus files to the USB flash drive ~ % YZUAWLLH. ini, as shown in 34.

Figure 34: wupdmgr.exe writes a virus file ~ % YZUAWLLH. ini

The written virus file and the one we run earlier ~ % PHENOVECNYE. ini file names are different, but they all belong to the same virus program. At the same time, the processmonitortool caught wupdmgr.exe writing lnk shortcuts to the USB flash drive, as shown in 35.

Figure 35: lnk shortcut written by wupdmgr.exe with the name and size of the USB flash drive as the file name

Right-click the lnk shortcut attribute on the USB flash disk and find that it is also run through the system rundll32 ~ % YZUAWLLH. ini: The method is the same as the virus sample described in this example, as shown in 36.

Figure 36: lnk shortcut attributes on a USB flash drive

Virus Processing

The above is the behavior analysis of the virus sample. Next we will talk about how to manually handle the virus. Use the xuetrtool for processing. As shown in the following code, use xuetrto initiate wupdmgr.exe and then delete the startup Item and file written by the virus sample, as shown in Figure 38.

Figure 37: javaswupdmgr.exe Process

Figure 38: delete startup Item 47801 and corresponding file written by virus

Delete the ATI folder created under the C root directory, as shown in 39.

Figure 39: Delete the ATI folder written by the virus

Next, restore the Registry Key Modified by the virus sample, as shown in Figure 40. Use the xuetr registry to locate HKEY_CURRENT_USER \ Software \ Microsoft \ Windows \ CurrentVersion \ Explorer \ Advanced, change the value of ShowSuperHidden to normal 1, 41.

Figure 40: Restore the registry value of ShowSuperHidden modified by the virus

Figure 41: Change the normal ShowSuperHidden key value to 1

42. Use the xuetr tool to restore the HKEY_CURRENT_USER \ Software \ Microsoft \ Windows \ CurrentVersion \ Explorer \ Advanced \ Hidden registry value of the virus modification, as shown in figures 43.

Figure 42: Restore the registry value of the Hidden modified by the virus

Figure 43: Change the normal key value of Hidden to 1

After the registry entry is changed to a normal value, we can see the virus file hidden on the USB flash disk and a file similar to the USB flash drive icon, as shown in Figure 44.

Figure 44: virus files written to the USB flash drive and hidden USB flash drive data

Open the folder similar to the USB flash drive icon, as shown in Figure 45. All the USB flash drive data is here.

Figure 45: All USB flash drive data similar to the USB flash drive icon

Next, delete the virus file written by the virus on the USB flash drive, right-click the file written by the virus on the USB flash drive, and choose delete from the shortcut menu, as shown in Figure 46.

Figure 46: delete virus files on a USB flash drive

After deletion, the folder similar to the USB flash drive icon is left, as shown in Figure 47. The data on the USB flash drive cannot be deleted. How can I restore a normal USB flash drive? Re-plug the USB flash drive, as shown in 48. At this point, we have manually processed the virus.

Figure 47: remaining folders similar to the USB flash drive icon

Figure 48: after re-plugging the USB flash drive, the USB flash drive returns to normal

Rising V16 + virus prevention methods

To illustrate how to use rising V16 + to prevent such viruses. With the previous analysis of the virus behavior, the system wupdmgr.exememory data is modified and a self-contained route wupdmgr.exe is created. Then, we will use the system reinforcement custom rule of rising V16 + to add a file access rule to monitor any program access or modify c: \ windows \ system32 \ wupdmgr.exe with a prompt, 49.

Figure 49: add file access rules to rising v16 + to monitor c: \ windows \ system32 \ wupdmgr.exe

You also need to remove the default Optimization Options of system reinforcement from the program files that contain the vendor's digital signatures by default and the program files that default release the security authentication of rising cloud security, as shown in Figure 50.

Figure 50: Default Optimization Options for canceling system reinforcement

Run the virus sample again and disable rising file monitoring before running the sample. Later, rising V16 + system reinforcement intercepts suspicious programs trying to open c: \ windows \ system32 \ wupdmgr.exe, as shown in 51.

Figure 51: Suspicious program opened c: \ windows \ system32 \ wupdmgr.exe

Figure 51 shows that a virus sample is re-run. The virus sample is in the temporary directory of the system and a 32-bit com virus file is created. In the following example, the virus file catalyst.exe is created on the C drive and the virus file catalyst.exe is written, as shown in 52. The virus file catalyst.exe is written in C: \ ati.exe, which indicates that the virus is running.

Figure 52: run the virus sample again and write the Virus File mongost.exe in C: \ ati.

Figure 52-1shows that the virus file mongost.exe creates a 32-bit com file in the temporary directory of the system.

Figure 52-1: 32-bit random com virus file written to the temporary system folder

Figure 52 and Figure 52-1 fully indicate that the virus has been running. In rising V16 +, the system reinforces and intercepts the virus sample to attempt to open c: \ windows \ system32 \ wupdmgr.exe, note that system reinforcement is blocked by default. After we do not select a processing method, system reinforcement automatically blocks this action. Wupdmgr.exe does not exist in the previous system progress using the xuetrtool, as shown in 53.

Figure 53: No wupdmgr.exe is available in the previous project

Continue to view the startup Item and find that HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows \ CurrentVersion \ policies \ Explorer \ Run is not written into the suspicious startup Item, as shown in 54.

Figure 54: xuetr shows no suspicious startup items

Insert the USB flash disk to the infected environment and test it to see if the data of the USB flash disk is hidden and becomes a shortcut. As shown in Figure 55, after the USB flash drive is inserted, everything is normal, indicating that the set rules can successfully intercept the sample.

Figure 55: Insert a USB flash drive to the infected environment. Everything works properly on the USB flash drive.

The rest is easy. manually delete the two useless virus samples created by the virus, as shown in Figure 56.

Figure 56: two useless virus samples deleted from the recycle bin