Virus sample from: http://boolom.com/update.exe
After update.exe is run, a batch of viruses (including "Weijin") enters the system.
However, the most troublesome part of this infection is not Weijin itself, but C:\windows\system32\RAVWM624.dll and C:\windows\system32\SvTime.dll.
The former is injected into the lsass.exe process. The latter has a hard-to-notice registry write-back function: its startup entry comes back after you delete it.
For anyone who gets infected, cleaning this up with IceSword is actually not difficult. This post walks through the IceSword removal procedure (because many people are not familiar with operating IceSword).
After the infection, the SREng log shows the following abnormal startup items and services:
Startup items
Registry
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<TIMHost> <C:\windows\TIMHost.exe> [N/A]
<Cmdbcs> <C:\windows\cmdbcs.exe> [N/A]
<Load> <C:\windows\uninstall\rundl132.exe> []
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
<MSDEG32> <LYLoader.exe> [N/A]
<MSDWG32> <LYLoadbr.exe> [N/A]
<MSDCG32> <LYLeador.exe> [N/A]
<MSDOG32> <LYLoador.exe> [N/A]
<MSDSG32> <LYLoadar.exe> [N/A]
<MSDMG32> <LYLoadmr.exe> [N/A]
<MSDHG32> <LYLoadhr.exe> [N/A]
<MSDQG32> <LYLoadqr.exe> [N/A]
<RavMonWm> <C:\127e~1\aohelin\LOCALS~1\Temp\RAVWM.EXE> [N/A]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
<{88A46432-969E-4F5E-913D-3AAF4B6A3051}> <C:\windows\system32\SvTime.dll> [N/A]
<{754FB7D8-B8FE-4810-B363-A788CD060F1F}> <C:\Program Files\Internet Explorer\plugins\system64.sys> [N/A]
Services
[Telephonyl/WindowsDown] [Stopped/Auto Start]
<C:\windows\system32\sservet.exe> <N/A>
[Windows DHCP Service/WinDHCPsvc] [Stopped/Auto Start]
<C:\windows\system32\rundll32.exe windhcp.ocx,input> <Microsoft Corporation>
Going by previous manual removal experience: delete the startup items and services above, restart the system, delete the virus files, and you are done.
However, that is not how it went!
As described above, most of the virus files could be deleted successfully after the restart, but several of the virus DLLs could not.
Checking the startup items again with autoruns shows:
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
<{88A46432-969E-4F5E-913D-3AAF4B6A3051}> <C:\windows\system32\SvTime.dll> [N/A]
This startup item still exists!
Checking the modules loaded into the running processes (the antivirus software's own processes included), the following virus modules are also still present:
C:\windows\system32\zerwx.dll
C:\windows\system32\wkufd.dll
C:\windows\system32\wkjbj.dll
C:\windows\system32\hjtdx.dll
C:\windows\system32\whtpd.dll
C:\windows\system32\wgfdl.dll
Going back to the process section of the SREng log, we find the following:
[PID: 1012] [C:\windows\system32\svchost.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\windows\system32\zerwx.dll] [N/A, N/A]
[C:\windows\system32\wkufd.dll] [N/A, N/A]
[C:\windows\system32\wkjbj.dll] [N/A, N/A]
[C:\windows\system32\hjtdx.dll] [N/A, N/A]
[C:\windows\system32\whtpd.dll] [N/A, N/A]
[C:\windows\system32\wgfdl.dll] [N/A, N/A]
[PID: 612] [C:\windows\Explorer.EXE] [Microsoft Corporation, 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\windows\system32\GetsFiles.dll] [N/A, N/A]
[C:\windows\system32\wgfdl.dll] [N/A, N/A]
[C:\windows\system32\whtpd.dll] [N/A, N/A]
[C:\windows\system32\hjtdx.dll] [N/A, N/A]
[C:\windows\system32\wkjbj.dll] [N/A, N/A]
[C:\windows\system32\wkufd.dll] [N/A, N/A]
[C:\windows\system32\zerwx.dll] [N/A, N/A]
[PID: 1404] [C:\Program Files\Rising\Rav\RavTask.exe] [Beijing Rising Technology Co., Ltd., 19, 0, 0, 7]
[C:\windows\system32\zerwx.dll] [N/A, N/A]
[C:\windows\system32\wkufd.dll] [N/A, N/A]
[C:\windows\system32\wkjbj.dll] [N/A, N/A]
[C:\windows\system32\hjtdx.dll] [N/A, N/A]
[C:\windows\system32\whtpd.dll] [N/A, N/A]
[C:\windows\system32\wgfdl.dll] [N/A, N/A]
[PID: 1388] [C:\windows\system32\ctfmon.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\windows\system32\zerwx.dll] [N/A, N/A]
[C:\windows\system32\wkufd.dll] [N/A, N/A]
[C:\windows\system32\wkjbj.dll] [N/A, N/A]
[C:\windows\system32\hjtdx.dll] [N/A, N/A]
[C:\windows\system32\whtpd.dll] [N/A, N/A]
[C:\windows\system32\wgfdl.dll] [N/A, N/A]
[PID: 2024] [C:\Program Files\Tiny Firewall Pro\amon.exe] [Computer Associates International, Inc., 6.5.3.2]
[C:\windows\system32\wgfdl.dll] [N/A, N/A]
[C:\windows\system32\whtpd.dll] [N/A, N/A]
[C:\windows\system32\hjtdx.dll] [N/A, N/A]
[C:\windows\system32\wkjbj.dll] [N/A, N/A]
[C:\windows\system32\wkufd.dll] [N/A, N/A]
[C:\windows\system32\zerwx.dll] [N/A, N/A]
[PID: 2236] [C:\Program Files\Rising\Rav\Ravmon.exe] [Beijing Rising Technology Co., Ltd., 19, 0, 0, 45]
[C:\windows\system32\whtpd.dll] [N/A, N/A]
[C:\windows\system32\wgfdl.dll] [N/A, N/A]
[C:\windows\system32\wkufd.dll] [N/A, N/A]
[C:\windows\system32\wkjbj.dll] [N/A, N/A]
[C:\windows\system32\hjtdx.dll] [N/A, N/A]
[C:\windows\system32\zerwx.dll] [N/A, N/A]
[PID: 2660] [C:\Program Files\Tiny Firewall Pro\mo-tool.exe] [Computer Associates International, Inc., 6.0.0.52]
[C:\windows\system32\whtpd.dll] [N/A, N/A]
[C:\windows\system32\wgfdl.dll] [N/A, N/A]
[C:\windows\system32\hjtdx.dll] [N/A, N/A]
[C:\windows\system32\wkjbj.dll] [N/A, N/A]
[C:\windows\system32\wkufd.dll] [N/A, N/A]
[C:\windows\system32\zerwx.dll] [N/A, N/A]
[PID: 2620] [C:\Program Files\SREng2\SREng.exe] [Smallfrogs Studio, 2.3.13.690]
[C:\windows\system32\zerwx.dll] [N/A, N/A]
[C:\windows\system32\wkufd.dll] [N/A, N/A]
[C:\windows\system32\wkjbj.dll] [N/A, N/A]
[C:\windows\system32\hjtdx.dll] [N/A, N/A]
[C:\windows\system32\whtpd.dll] [N/A, N/A]
[C:\windows\system32\wgfdl.dll] [N/A, N/A]
[PID: 3968] [C:\windows\system32\conime.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\windows\system32\zerwx.dll] [N/A, N/A]
[C:\windows\system32\wkufd.dll] [N/A, N/A]
[C:\windows\system32\wkjbj.dll] [N/A, N/A]
[C:\windows\system32\hjtdx.dll] [N/A, N/A]
[C:\windows\system32\whtpd.dll] [N/A, N/A]
[C:\windows\system32\wgfdl.dll] [N/A, N/A]
[PID: 2188] [C:\Program Files\Tiny Firewall Pro\UmxTray.exe] [Computer Associates International, Inc., 6.5.1.59]
[C:\windows\system32\zerwx.dll] [N/A, N/A]
[C:\windows\system32\wkufd.dll] [N/A, N/A]
[C:\windows\system32\wkjbj.dll] [N/A, N/A]
[C:\windows\system32\hjtdx.dll] [N/A, N/A]
[C:\windows\system32\whtpd.dll] [N/A, N/A]
[C:\windows\system32\wgfdl.dll] [N/A, N/A]
Judging from the process list above, the startup item C:\windows\system32\SvTime.dll is most likely written back into the registry before shutdown by one of the following virus modules (the DLLs that carry no version information and sit in every process, plus GetsFiles.dll, which is loaded only in Explorer):
C:\windows\system32\GetsFiles.dll
C:\windows\system32\zerwx.dll
C:\windows\system32\wkufd.dll
C:\windows\system32\wkjbj.dll
C:\windows\system32\hjtdx.dll
C:\windows\system32\whtpd.dll
C:\windows\system32\wgfdl.dll
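The deduction made from the two log sections above (an unsigned ShellExecuteHooks entry, plus a set of DLLs with no version information that appear in every process's module list) can be automated. The following Python script is an added example, not code from the original post or from SREng itself; it assumes SREng's bracketed log layout exactly as quoted in this post, and the log excerpt it parses is a constructed sample in that layout, not the post's full log.

```python
"""Triage an SREng-style log: flag ShellExecuteHooks entries that carry no vendor
info, and work out which unsigned DLLs are loaded into every listed process.

Added example; SAMPLE_LOG is a constructed excerpt in the bracketed format
SREng uses in the post (not the post's full log)."""
import re
from collections import defaultdict

SAMPLE_LOG = r"""
Startup items
Registry
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<TIMHost><C:\windows\TIMHost.exe> [N/A]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
<{AEB6717E-7E19-11d0-97EE-00C04FD91972}><shell32.dll> [Microsoft Corporation]
<{88A46432-969E-4F5E-913D-3AAF4B6A3051}><C:\windows\system32\SvTime.dll> [N/A]
Processes
[PID: 1012][C:\windows\system32\svchost.exe][Microsoft Corporation, 5.1.2600.2180]
[C:\windows\system32\ntdll.dll][Microsoft Corporation, 5.1.2600.2180]
[C:\windows\system32\zerwx.dll][N/A, N/A]
[C:\windows\system32\wkufd.dll][N/A, N/A]
[PID: 612][C:\windows\Explorer.EXE][Microsoft Corporation, 6.00.2900.2180]
[C:\windows\system32\GetsFiles.dll][N/A, N/A]
[C:\windows\system32\zerwx.dll][N/A, N/A]
[C:\windows\system32\wkufd.dll][N/A, N/A]
[PID: 2620][C:\Program Files\SREng2\SREng.exe][Smallfrogs Studio, 2.3.13.690]
[C:\windows\system32\zerwx.dll][N/A, N/A]
[C:\windows\system32\wkufd.dll][N/A, N/A]
"""

KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$")                       # [HKEY_...\Run]
ENTRY_RE = re.compile(r"^<([^>]*)>\s*<([^>]*)>\s*\[([^\]]*)\]")   # <name><path> [vendor]
PROC_RE = re.compile(r"^\[PID:\s*(\d+)\]\s*\[([^\]]+)\]\s*\[([^\]]*)\]")
MODULE_RE = re.compile(r"^\[([^\]]+)\]\s*\[([^\]]*)\]")            # [dll path][vendor, version]


def parse_log(text):
    """Return (startup_entries, processes).

    startup_entries: [{key, name, path, vendor}] for each <name><path> [vendor] line
    under a registry key header.
    processes: {pid: {"image", "vendor", "modules": [(path, vendor), ...]}}.
    """
    entries, processes = [], {}
    current_key = current_pid = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = PROC_RE.match(line)
        if m:  # new process block; the module lines that follow belong to it
            current_pid = int(m.group(1))
            processes[current_pid] = {"image": m.group(2), "vendor": m.group(3), "modules": []}
            current_key = None
            continue
        m = KEY_RE.match(line)
        if m:  # registry key header; the <name><path> lines that follow belong to it
            current_key, current_pid = m.group(1), None
            continue
        m = ENTRY_RE.match(line)
        if m and current_key is not None:
            entries.append({"key": current_key, "name": m.group(1),
                            "path": m.group(2), "vendor": m.group(3).strip()})
            continue
        m = MODULE_RE.match(line)
        if m and current_pid is not None:
            vendor = m.group(2).split(",")[0].strip()  # "N/A, N/A" -> "N/A"
            processes[current_pid]["modules"].append((m.group(1), vendor))
    return entries, processes


def suspicious_hooks(entries):
    """ShellExecuteHooks DLLs with no vendor/version info. Such a hook is loaded into
    any process that calls ShellExecute (Explorer above all), so it is a natural
    place for persistence that keeps coming back."""
    return [(e["name"], e["path"]) for e in entries
            if e["key"].lower().endswith("shellexecutehooks") and e["vendor"].upper() == "N/A"]


def module_census(processes):
    """Map each module with no version info (lower-cased path) to the PIDs it is in."""
    census = defaultdict(set)
    for pid, proc in processes.items():
        for path, vendor in proc["modules"]:
            if vendor.upper() == "N/A":
                census[path.lower()].add(pid)
    return census


def injected_modules(processes):
    """Unsigned modules present in every listed process: the footprint of a DLL
    that is being injected system-wide."""
    all_pids = set(processes)
    return sorted(p for p, pids in module_census(processes).items() if pids == all_pids)


def writeback_candidates(processes):
    """Every unsigned module loaded anywhere is a candidate for restoring the
    registry entry at shutdown; this is the list the post ends up with."""
    return sorted(module_census(processes))


if __name__ == "__main__":
    entries, procs = parse_log(SAMPLE_LOG)
    for clsid, path in suspicious_hooks(entries):
        print("unsigned ShellExecuteHook:", clsid, path)
    for mod in injected_modules(procs):
        print("loaded into every listed process:", mod)
    for mod in writeback_candidates(procs):
        print("candidate for the registry write-back:", mod)
```

To use it on a real case, replace SAMPLE_LOG with the contents of a saved SREng log. A module is reported as injected only when it is present in every listed process; a full log usually also contains processes the injector skipped, so treat that threshold as a starting point for the investigation rather than proof.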
Therefore, use autoruns to delete [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
<{88A46432-969E-4F5E-913D-3AAF4B6A3051}> <C:\windows\system32\SvTime.dll> [N/A]
and then immediately press the reset button on the chassis (a hard reset, not a normal shutdown: an orderly shutdown gives the virus modules a chance to write the registry entry back, a hard reset does not).
After the restart, confirm with autoruns that the ShellExecuteHooks entry has stayed gone, then delete the remaining DLLs one by one!
Of course, the applications (.exe files) that the virus infected also need to be cleaned; Rising's latest virus database can handle that.