Virus name: backdoor.Win32.Floder.l
Risk level: Medium
Virus description
This backdoor spreads mainly through bundled files, trojanized web pages (drive-by downloads) and downloads pushed through download tools. Its main purpose is to turn the infected computer into a puppet (zombie) under the attacker's remote control.
After infection the system runs slowly, a large number of unknown suspicious processes appear, and important system information may be lost.
Affected operating systems
Windows 2000 / Windows XP / Windows 2003 / Windows Vista / Windows 7
Transmission
Bundled files, trojanized web pages (drive-by downloads), downloads via download tools
Manual removal:
1. Delete the following registry values (for the Winlogon “Shell” value, restore its default data “explorer.exe” rather than deleting the Winlogon key itself):
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Name: “Taskman”
Data: “C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-1912\dced.exe”
Name: “Shell”
Data: “explorer.exe,C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-1912\dced.exe”
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Name: “gfsewd”
Data: “C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-1912\dced.exe”
2. Delete the following files (they carry the hidden and system attributes and the folder shows the Recycle Bin icon, so enable the display of hidden and protected system files first):
C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-1912\dced.exe
C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-1912\Desktop.ini
Variable declarations:
%SystemDrive%: the partition where the system is installed, usually “C:\”
%SystemRoot%: the Windows directory, usually “C:\Windows”
%Documents and Settings%: the user profile directory, usually “C:\Documents and Settings”
%Temp%: the temporary folder, usually “C:\Documents and Settings\<current user name>\Local Settings\Temp”
%ProgramFiles%: the default program installation directory, usually “C:\Program Files”
Analysis of the virus
1. When the sample runs, it retrieves its own file path and command line, then creates a suspended process from its own file with the same command line.
2. It unmaps the memory image of the suspended process, writes its own PE file into the suspended process, and finally resumes the process (process hollowing).
3. Running in the new process, it dynamically resolves the addresses of the API functions it needs and obtains its own file path.
4. It compares its own path with “C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-1912\dced.exe”.
5. If the paths differ, it creates the directory “C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-1912\”, copies itself there under the name “dced.exe”, and sets the hidden and system file attributes on the copy.
6. It generates a “Desktop.ini” in the same directory so that the folder is disguised with the Recycle Bin icon.
7. It sets the following registry values so that the virus file starts at boot:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Name: “Taskman”
Data: “C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-1912\dced.exe”
Name: “Shell”
Data: “explorer.exe,C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-1912\dced.exe”
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Name: “gfsewd”
Data: “C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-1912\dced.exe”
8. It takes a snapshot of the running processes, finds “explorer.exe”, and obtains a handle to that process.
9. It injects malicious code into the “explorer.exe” process and creates a remote thread to run it.
10. The malicious code running inside “explorer.exe” creates a mutex named “gcdv” to prevent a second instance from running.
11. Finally, it initializes a socket, connects to the remote address specified by the attacker, and waits for commands; the machine has become a puppet controlled by the attacker.
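The registry values and files listed in the manual removal steps and in analysis step 7 are the artefacts a defender can look for on other machines. The following Python script is an added example, not part of this advisory: it checks registry data and a Desktop.ini for those indicators. The registry content and Desktop.ini are constructed sample data modelled on the values above (fed in as Python dicts so the script runs offline; on a live host they would be read with winreg), and the Recycle Bin folder CLSID is a well-known Windows constant that the advisory itself does not quote. The Shell check is written generally: any program appended after explorer.exe in the Winlogon Shell value is a hijack, not only this sample's path.

```python
"""Check for the Floder.l persistence indicators listed in the advisory.

Added example. Registry values and Desktop.ini are passed in as data so the
script runs offline; on a live Windows host the dicts would be filled from
winreg (OpenKey / EnumValue) instead.
"""
import re

# Well-known Recycle Bin folder CLSID (a Windows constant; the advisory only
# says Desktop.ini disguises the folder as the Recycle Bin without quoting it).
RECYCLE_BIN_CLSID = "{645FF040-5081-101B-9F08-00AA002F954E}"

# An .exe under <drive>:\RECYCLER\S-1-5-21-...\ is the advisory's file indicator.
# Genuine Recycle Bin content also lives in per-user SID folders, but it is
# never launched from a startup registry value, which is what we check below.
RECYCLER_EXE_RE = re.compile(
    r'[a-z]:\\recycler\\s-1-5-21-[\d-]+\\[^\\\s",]+\.exe', re.IGNORECASE
)


def check_winlogon(values):
    """Winlogon: Shell must be exactly explorer.exe; Taskman is absent on a clean system."""
    findings = []
    shell = values.get("Shell", "explorer.exe")
    if shell.strip().lower() != "explorer.exe":
        findings.append(f"Winlogon\\Shell hijacked: {shell}")
    if "Taskman" in values:
        findings.append(f"Winlogon\\Taskman set: {values['Taskman']}")
    return findings


def check_run_key(values):
    """Run key: flag any entry that launches an executable from a RECYCLER SID folder."""
    return [
        f"Run\\{name} -> {data}"
        for name, data in values.items()
        if RECYCLER_EXE_RE.search(data)
    ]


def check_desktop_ini(path, text):
    """Desktop.ini inside a RECYCLER SID folder that borrows the Recycle Bin CLSID."""
    in_recycler = re.search(r'\\recycler\\s-1-5-21-[\d-]+\\desktop\.ini$', path, re.IGNORECASE)
    clsid = re.search(r'^\s*CLSID\s*=\s*(\{[0-9A-F-]+\})', text, re.IGNORECASE | re.MULTILINE)
    if in_recycler and clsid and clsid.group(1).upper() == RECYCLE_BIN_CLSID:
        return [f"{path} disguises its folder as the Recycle Bin"]
    return []


def scan(registry, desktop_ini=None):
    """registry: {key path: {value name: data}}; desktop_ini: (path, contents) or None."""
    findings = []
    for key, values in registry.items():
        leaf = key.rsplit("\\", 1)[-1].lower()
        if leaf == "winlogon":
            findings += check_winlogon(values)
        elif leaf == "run":
            findings += check_run_key(values)
    if desktop_ini is not None:
        findings += check_desktop_ini(*desktop_ini)
    return findings


# Constructed sample data, modelled on the values the advisory lists.
MALWARE_EXE = r"C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-1912\dced.exe"
INFECTED_REGISTRY = {
    r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon": {
        "Taskman": MALWARE_EXE,
        "Shell": "explorer.exe," + MALWARE_EXE,
    },
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run": {
        "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",  # benign entry, constructed
        "gfsewd": MALWARE_EXE,
    },
}
INFECTED_DESKTOP_INI = (
    r"C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-1912\Desktop.ini",
    "[.ShellClassInfo]\r\nCLSID={645FF040-5081-101B-9F08-00AA002F954E}\r\n",
)
CLEAN_REGISTRY = {
    r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon": {"Shell": "Explorer.exe"},
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run": {
        "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
    },
}

if __name__ == "__main__":
    for finding in scan(INFECTED_REGISTRY, INFECTED_DESKTOP_INI):
        print("INDICATOR:", finding)
    print("clean host findings:", scan(CLEAN_REGISTRY))
```

Run against the constructed infected data the script reports four indicators (the hijacked Shell value, the Taskman value, the gfsewd Run entry and the disguised Desktop.ini) and nothing for the clean host. The Winlogon checks are the most durable of the four: the RECYCLER path and the value name gfsewd are specific to this sample, whereas a Shell value that is anything other than explorer.exe, or a Taskman value that exists at all, is suspicious regardless of which malware wrote it.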
Files created by the virus:
C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-1912\dced.exe
C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-1912\Desktop.ini
Registry values modified by the virus:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Name: “Taskman”
Data: “C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-1912\dced.exe”
Name: “Shell”
Data: “explorer.exe,C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-1912\dced.exe”
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Name: “gfsewd”
Data: “C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-1912\dced.exe”
Network address accessed by the virus:
u**.te***me.com