Terminator Lab. For more information, see the source. Thank you! Rescue Center http://bbs.s-sos.net
Contents
I. Virus features
II. Virus description
III. Behavior analysis
IV. Solution
Appendix 1. Weak password dictionary list
Appendix 2. Some anti-virus software and firewall processes
Appendix 3. Modified registry key content
Appendix 4. Analysis of attacks
Appendix 5. Final interceptions of worm attacks
I. Virus features:
Sample name: fwupdat.exe
Sample size: 213 KB (218,624 bytes), 257 KB (263,168 bytes), 259 KB (265,216 bytes)
Virus type: worm/backdoor
II. Virus description:
The sample combines an IRC backdoor and a worm in one program. It spreads through network shares and operating system vulnerabilities (MS03-026, MS02-061, MS03-007, MS04-011, etc.).
The worm attempts to log on to the target system with weak passwords. Once running, it adds itself to the registry startup items so that it runs again at the next boot, and it infects the computer it is running on.
It opens a backdoor to receive instructions from the attacker and connects to a specific IRC server to announce the infected host. The worm scans machines in the local subnet and guesses their share passwords;
this scanning consumes a lot of network resources and can easily congest the LAN. Through the IRC server it receives commands from the attacker, such as installing/uninstalling backdoors, downloading and running files, killing processes, and running a proxy server.
The attacker can steal accounts of popular online games and launch DDoS (denial-of-service) attacks against specified IP addresses.
Multiple variants already exist. They modify multiple registry keys to disable anti-virus software and reduce system security.
III. Behavior analysis:
1. Copies itself to:
%System32%\fwupdat.exe (variant names: configure.exe, sslms.exe)
2. Generates an a.bat batch file in the root directory of drive C. Its function is to ECHO the registry values to be modified, redirecting them into %temp%\1.reg, and then run
START /WAIT REGEDIT /S %temp%\1.reg so that the registry content is imported silently.
(Note: the related a.bat content is saved as a.bat.txt)
3. Adds itself to the registry auto-start items so that the worm runs automatically at startup:
Software\Microsoft\Windows\CurrentVersion\Run
Software\Microsoft\Windows\CurrentVersion\RunServices
Software\Microsoft\OLE
SYSTEM\CurrentControlSet\Control\Lsa
4. Performs a weak-password scan to log on to the target host. (For the weak password list, see Appendix 1)
5. Scans the system for anti-virus software and firewall processes and terminates them. (For the process list, see Appendix 2)
6. Uses findpass to obtain the Administrator account from the winlogon.exe process space (this method applies to Windows 2000/XP systems)
7. Connects to an IRC server and waits for the attacker's connection to receive control. The commands are described as follows:
IRC commands:
JOIN %s // create or join a channel (chat room)
NICK // change the nickname
PART // leave the channel, giving a reason
QUIT // exit
Operations on the target host:
Download files
Launch a denial-of-service (DDoS) attack
Execute basic IRC commands
Execute a system scan
8. Modifies multiple registry keys to disable the Microsoft firewall and Automatic Updates, reducing system security. (For details, see Appendix 3)
9. Launches DDoS attacks such as SYN flood, Wonk flood, UDP flood, and Ping flood (see Appendix 4)
10. Hooks keyboard events and captures account and password information.
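Items 2 and 3 above describe the worm's persistence: a.bat echoes registry values into %temp%\1.reg and imports them silently with REGEDIT /S. The following Python script is an added example, not code from the original report or from Terminator Lab: it parses a .reg file of that shape and flags string values under the four auto-start keys listed in item 3 whose data launches one of the sample's known filenames, which is a quick way to triage a recovered a.bat.txt or 1.reg. The embedded .reg text is constructed for the example, not the real 1.reg.

```python
import re
# Auto-start keys from item 3 (hive prefix stripped so HKLM and HKCU both match)
WORM_KEYS = (
    r"software\microsoft\windows\currentversion\run",
    r"software\microsoft\windows\currentversion\runservices",
    r"software\microsoft\ole",
    r"system\currentcontrolset\control\lsa",
)
WORM_NAMES = ("fwupdat.exe", "configure.exe", "sslms.exe")  # sample and variants
KEY_RE = re.compile(r"^\[(?P<hive>HKEY_[A-Z_]+)\\(?P<path>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"="(?P<data>.*)"$')

def parse_reg(text):
    """Parse the string values of a .reg export into {key: {value name: data}}."""
    entries, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group("hive") + "\\" + m.group("path")
            entries.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            # .reg string data escapes backslashes and quotes with a backslash
            entries[current][m.group("name")] = re.sub(r"\\(.)", r"\1", m.group("data"))
    return entries

def find_worm_persistence(entries):
    """(key, value name, data) for values under the worm's auto-start keys
    whose data launches one of its known filenames."""
    hits = []
    for key, values in entries.items():
        path = key.split("\\", 1)[1].lower() if "\\" in key else ""
        if path in WORM_KEYS:
            for name, data in values.items():
                if any(n in data.lower() for n in WORM_NAMES):
                    hits.append((key, name, data))
    return hits

# Constructed sample in the shape of the 1.reg that a.bat writes (not the real file)
SAMPLE_REG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"fwupdat"="C:\\WINDOWS\\system32\\fwupdat.exe"
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"sslms"="C:\\WINDOWS\\system32\\sslms.exe"
"""
```

Calling find_worm_persistence(parse_reg(SAMPLE_REG)) returns the two worm entries and ignores the benign ctfmon value; point parse_reg at the contents of a real recovered .reg file to triage it the same way.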
IV. Solution:
Although the user's computer had Norton Antivirus installed, it still suffered from the worm. During the incident the product not only failed to clean the infection, it also failed to prevent it!
A comprehensive PC virus solution has two aspects: prevention and removal. Prevention means immunizing the system against infection in advance; removal means detecting and cleaning viruses that are already present.
Currently all anti-virus products on the market use similar technology; they differ only in how quickly and how much their signature databases are updated and in the performance of their detection and removal engines. Users switching frequently from one anti-virus
product to another does not help, because new viruses appear too quickly, old viruses keep mutating, and hackers and rogue software join in. Installing anti-virus software alone is therefore somewhat weak, so
it is necessary to strengthen the computer's own resistance, providing pre-immunization in addition to virus removal.
Why are more and more people installing a firewall alongside their anti-virus software? Because anti-virus software lacks prevention capability, while a "firewall"
is a security system used to block attacks and intrusions; it is also the part of prevention that covers "preventing hacker intrusion and preventing attacks on system vulnerabilities".
At present, the anti-virus software installed on most computers is weak at prevention. The main function of prevention software is to strengthen the computer's resistance to viruses and to counter hacker intrusion and
rogue software interference.
Clean up first, then harden:
1. Use the Terminator Lab removal tool for this sample to clean the infection;
2. Use the "Security Regression" function of "End-Stop anti-virus software" to quickly return the system to a standard, compliant security state;
3. Use the "Process Management" and "Auto-start Management" functions provided by "Security Analysis Expert" to clear worms with the above features;
4. Configure a firewall policy to block abnormal network connections and intercept the worm's buffer overflow attacks.
Appendix 1. Weak password dictionary list
[Figure: weak password dictionary list]
Appendix 2. Some anti-virus software and firewall processes
[Figure: anti-virus software and firewall processes terminated by the worm]
Appendix 3. Modified registry key content
[Figure: registry keys modified by the worm]
Appendix 4. Analysis of attacks
[Figure: attack analysis; to protect the customer, the real intranet IP addresses are hidden]
Appendix 5. Final interceptions of worm attacks
[Figure: interception of the worm's MS03-039 attack]
[Figure: interception of the worm infecting the system]
[Figure: the final interceptor blocking the bot attack]
[Figure: the virus configure.exe opening multiple random ports]