Three Characteristics of bin Laden mail and two infection Modes

According to the latest analysis results of Kingsoft anti-virus emergency response center, three characteristics of bin Laden mail and two transmission modes are obtained.

Bin Laden's mail has the following characteristics:

1. Search for the ICQ website to obtain the email address, and use SMTP protocol to send the email with the virus anonymously.
2. The virus exploits the MIME vulnerability of Outlook. When we preview a virus-infected email, the script w code in the virus email will be executed. If the Outlook browser used on the computer has this vulnerability, the computer will be infected.

3. the email contains an attachment named BINLADEN_BRASIL.EXE, the attachment of the virus is actually an executable file, but the worm is set to the file type of audio/x-wav. Therefore, if Outlook has a vulnerability after receiving the mail, outlook will regard the attachment as a sound file and execute it directly.

Characteristics of bin Laden's virus infection:

It has two ways of infection. The first mode of infection is not deformed, but the file entry address is changed to 0 and the MZ part of the file header is modified, add the hex EB 4A after the "MZ" mark, which, together with "MZ", can form the following command:

DEC EBP

POP EDX

JMP 40004E)

At the 4E offset of the MZ header, some code is added to the virus so that it can run in the following virus. The last part of the virus is not encrypted and not deformed.

In the second mode, the MZ header is not modified, but a special deformation technique is used to convert all the virus body code to generate the transformed code, which makes static analysis impossible. Virus deformation code puts the decoded code into the stack, and finally jumps into the stack to run! In fact, the virus code in the stack is the same as the code after the first infection method. In addition, the virus needs to find some commands (558BEC83EC) in the file, and then, the virus changes it to a relative CALL, so that you can gain control.

Regardless of the first or second mode of infection, the virus checks the file information: query the file length, if it is less than 24576 bytes or (file length-7)/101 can be divisible, no infection. In addition, if the Partition Table of the file is abnormal, the virus will not be infected.

Note: because there is no alignment file during virus infection, the infected file may not run in WinNT, Win2K, and WinXP (the system prompts an invalid Win32 Program). Of course, after virus removal, the file can be restored to normal.

Kingsoft drug overlord's online upgrade package on September 18 has been added to the virus detection and removal to prevent the virus from being attacked by Bin Laden. Please go to website www.iduba.net to upgrade to the latest version.