SysLoad3.exe trojan virus analysis and Removal methods _ virus killing

Before use, please break the network, delete the system directory of SysLoad3.exe and 1.exe,2.exe,..., 7.exe, with IceSword delete the temporary directory of the several dynamic libraries. You can run this recovery program when there are no iexplore.exe and Notepad.exe processes in the task Manager.


Special note: Run the process, do not run other programs, it is possible that you run the program is poisonous!!

[b] Two: The following are analysis and manual removal methods:

Yesterday afternoon to work overtime, found that the behavior of the book is quite bizarre. Looking at task Manager, there are several IE processes and several Notepad processes somewhat suspicious. Then look at the registry and add the Startup entry: SysLoad3.exe, under the Windows system directory. Alas, I do not use anti-virus software, generally in the Trojan is to kill and kill, but this trojan is very annoying, obviously affect the use. Trojan Horse program to do so Earth, it is too inconceivable. Users know that there is interference, how the Trojan Ah! Do not know what the author thinks ~ ~

If it's so annoying, kill him! Don't be verbose, Ida waits. I analyzed the 1.0.6 version, the program logic is relatively simple, see what he did ~ ~
1. Start by creating a startup entry in the registry: System boot Check, adjust to debug permissions, and then create a iexplore.exe process and a Notepad.exe process.

2. It is natural to inject the code into the remote process ~ ~, the author injected the way is relatively simple. Design of the time to change their own loading address, not 0x400000, but with a very unusual address (0x13150000), is estimated to use both Notepad and iexplore have been tested, you can confirm that the address will not be occupied. Then according to the PE information to take out the required space size (0x7000), from IExplore and Notepad allocated the space, and finally the entire program copy the past, address correction these are all free. Finally, of course, the Trojan's favorite function CreateRemoteThread ~ ~

3. Well, after finishing the work, Sysload3.exe will have nothing to do. Next is IExplore and Notepad.

4. The first is iexplore work, this time Notepad also has an important task. It checks to see if it is a body or an infected body. If the infected body, you need to put the procedure before the infection to work, so that the user will not be found. The thread then waits for the notification (Named event:mysignal). What's iexplore doing this time? Then look.

5.Iexplore (the name is really long, the back is called IE good ~) First to create a named Mutex:mydownload, tell the back of the brother: I am here, you all have a rest. Then create the mysignal Event and place it in a no signal state. Then officially began to work: IE is the task of the virus file to the latest configuration information to take down, according to the new configuration information update local virus version. First download the configuration file from the Http://a.2007ip.com/css.css, and save it in the local name called Config.ini.
The format and comments for the configuration file are as follows:

Code:
[Config]
version=1.0.6
Num=7: Here is how many tasks (up to 20) are listed below, each task is to take the file down, there is a local name is the EXE with the same name
1=/article/uploadfiles/200704/20070402104202734.gif
2=/article/uploadfiles/200704/20070402104203328.gif
3=/article/uploadfiles/200704/20070402104203803.gif
4=/article/uploadfiles/200704/20070402104203144.gif
5=/article/uploadfiles/200704/20070402104204500.gif
6=/article/uploadfiles/200704/20070402104204618.gif
7=/article/uploadfiles/200704/20070402104205415.gif
Updateme=http://a.2007ip.com/5949645046.exe; update Sysload3.exe itself
Tongji=http://if.iloveck.com/test/tongji.htm: Alas, statistics, the author thinks this thing is so NB? and to count ....
Hos=/article/uploadfiles/200704/20070402104206386.gif;


It's a great place! The author painstakingly collected a lot of rogue website name, give us to plant the time of the Trojan, by the way give me
They have also been shielded from these sites. All recorded in the Hosts file, all the cost-resolution! Although it is not clear that the author's intention is to fight against competitors (other Trojans, hehe ~) or really serve the serving, in any case, praise the author ~~!! Although the trojan killed, this function I will continue to use, estimated that the author will update ~ haha ~ ~

Well, after the task has been completed, IE students rest ~ ~

6.Nopepad.
This bad guy doesn't do good things on the way out, from Z to a, and one to infect other documents, including exe,asp,aspx,htm,html,php, well, like that. This is the place that this trojan is very disgusting to me.
A. The process of its EXE infection is as follows (don't look at it!) ）：
First, it still traverses all the files. After finding an EXE, check that its last 4 bytes are not 0x12345678. If it is, then this is the brother, the next one.
What do you do after you find one that's not infected? Nature is the infection he pulls ~ ~ ha haha ~ ~. Attention to see Oh, here is the key: The Sysload3.exe copy a, called Tempicon.exe, why is the icon it? No hurry, you can see the reason immediately. Tempicon have later, the target program icon resources out, inserted into the tempicon inside, in this case, Tempicon looks like the same as the target. The next step, is to save the target program, so there is a tempload.exe, the file is a copy of the Tempicon, and then put the target program immediately behind. Finally, add 8 of their own identification information, the first four bytes to indicate the length of the Trojan itself, the last four bytes is the previous said 0x12345678;
B.web related files are handled very similar, temporary files are temphtml~, and a rogue JavaScript file is inserted in the middle:


Infected with the entire hard drive, there is no 50 seconds scan once and no U disk, floppy disk and so on the drive hanging. Hang up. Generates a autorun.inf in the root directory, copying a copy of the SysLoad3.exe past, relatively simple.

Oh, it looks like the partition where the system directory resides does not go through.

Well, finish the call!

The basic process is like this ~. To recover, just write a small program, traversing the hard drive of the EXE, according to the end of the document (Countdown 第8-4个 Byte pointed out the length of sysload_stub, according to the last 4 bytes whether 0x12345678 to determine whether it is infected files) can be restored birds ~ ~ ~ As for other libraries like Gizo0.dll,lgsy0.dll,msxo0.dll,rav20.dll, remove them from the explorer process with IceSword, then you can delete the ~!

Overall, the Trojan to join a configuration file This idea is very good ~ new development of a trojan, let them to download ~ hehe. However, many times to see the author in the use of Creatfile, the return value is always judged by 0, strange ~ is not invalid_handle_value??? Should be able to exclude the possibility that the author does not know, in the use of FindFirstFile, the author is used invalid_handle_value comparison. I read less, who knows, please leave a message to tell me, thank you ~ ~.

Analysis of the process is very troublesome, alas ~ Fortunately, the author sent a Trojan not to forget attached to a joke:i will by one BMW this year! if the author rely on this can be by BMW, so our mood is not a lot of joy ha ~ ~ ~ ~ ~ ~
Special Kill Tools