Virus Name: Backdoor.Win32.Beastdoor.pa
Risk level: high
Virus Description
The sample is a backdoor written in Borland Delphi, 30,869 bytes in size, with the file extension "exe" (icon: [image not preserved]). It spreads mainly by being bundled with other files, through download tools, and through web pages carrying drive-by exploits ("web horse hanging"). The main purpose of the virus is to establish a backdoor so that the attacker can control the computer.
After a computer is infected, the user may notice abnormal network connections, loss of important documents, a slow system and network, and programs shutting down for no apparent reason; the user's private information may be disclosed.
Affected operating systems
Windows 2000/Windows XP / Windows 2003/Windows Vista / Windows 7
Transmission routes
Bundled files, web pages carrying drive-by exploits ("web horse hanging"), download tools
Manual Solution:
1. Manually delete the following files:
%SystemRoot%\svchost.exe
%SystemRoot%\system32\mstidl.com
%SystemRoot%\msagent\msoesb.com
%SystemRoot%\system32\mslg.blf
2. Manually delete the following registry keys and values:
HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{42CE4021-DE03-E3CC-EA32-40BB12E6015D}
StubPath = %SystemRoot%\system32\mstidl.com
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
Name: COM Service
Data: %SystemRoot%\msagent\msoesb.com
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
Name: COM Service
Data: %SystemRoot%\msagent\msoesb.com
Variable declarations:
%SystemDrive% system partition, usually "C:\"
%SystemRoot% system directory, usually "C:\Windows"
%Documents and Settings% user profile directory, usually "C:\Documents and Settings"
%Temp% temporary folder, usually "C:\Documents and Settings\<current user name>\Local Settings\Temp"
%ProgramFiles% default program installation directory, usually "C:\Program Files"
Analysis of the virus
1. When the virus runs, it first checks whether a window named "Beasty" exists; if it does, it exits its own process. This check is how the virus determines whether another instance is already running.
2. It obtains a handle to its own process and raises its process privileges; through the registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion it collects the local computer's user name, computer name, services, processes and other information.
3. It checks whether a file named sys.msd or sys.mss exists in %SystemRoot%\system32. If not, it copies itself to the %SystemRoot% directory as svchost.exe to impersonate a legitimate system file, sets the system attribute on the file, and sets the file time to the system's creation time.
4. It also copies itself to %SystemRoot%\system32\mstidl.com and %SystemRoot%\msagent\msoesb.com, again setting the system attribute and the file time to the system's creation time.
5. It compares its own process path with the three files it created. If it is not running from one of them, it launches %SystemRoot%\svchost.exe as a new process and then calls the command line to delete its original file.
6. When svchost.exe runs, it creates a window class named "Beasty" and then starts a new thread.
7. The thread function checks whether mslg.blf exists in %SystemRoot%\system32; if not, it creates the file and sets the system attribute on it. User information collected by the backdoor is saved to this file.
8. It obtains the local time and date, creates a socket, and puts local port 6666 into the listening state, so the infected computer runs as a server. The attacker can then perform file management, process control, screen monitoring, keystroke logging and other operations on the infected host, leaving the user's machine under the attacker's control as a puppet.
Files created by the virus:
%SystemRoot%\svchost.exe
%SystemRoot%\system32\mstidl.com
%SystemRoot%\msagent\msoesb.com
%SystemRoot%\system32\mslg.blf
Files deleted by the virus:
The virus file itself
Registry entries created by the virus:
HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{42CE4021-DE03-E3CC-EA32-40BB12E6015D}
StubPath = %SystemRoot%\system32\mstidl.com
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
Name: COM Service
Data: %SystemRoot%\msagent\msoesb.com
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
Name: COM Service
Data: %SystemRoot%\msagent\msoesb.com
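The following PowerShell script is an added example, not part of the original report: it checks a host read-only for the files, registry values and listening port listed above and prints what it finds without deleting anything. It assumes PowerShell is available on the affected system and uses netstat for the port check so that it also works on the older Windows versions listed. Note the path distinction: the legitimate svchost.exe lives in %SystemRoot%\system32, while the forged copy described above sits directly in %SystemRoot%.

```powershell
# Added example (not the report's own tooling): read-only check for the
# Beastdoor.pa indicators listed above. Reports findings only.
$root = $env:SystemRoot
$files = @(
    "$root\svchost.exe",           # forged copy; the real one is in system32
    "$root\system32\mstidl.com",
    "$root\msagent\msoesb.com",
    "$root\system32\mslg.blf"      # file holding captured user information
)
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) {
        $item = Get-Item -LiteralPath $f -Force   # -Force: file has the system attribute
        Write-Output ("FILE  {0}  size={1}  attrs={2}" -f $f, $item.Length, $item.Attributes)
    }
}

# Active Setup persistence: runs StubPath once per user at logon.
$stub = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{42CE4021-DE03-E3CC-EA32-40BB12E6015D}'
if (Test-Path -LiteralPath $stub) {
    $v = (Get-ItemProperty -LiteralPath $stub -ErrorAction SilentlyContinue).StubPath
    Write-Output "REG   $stub  StubPath=$v"
}

# Policies\Explorer\Run persistence under both hives, value name "COM Service".
foreach ($hive in 'HKLM', 'HKCU') {
    $run = "${hive}:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"
    if (Test-Path -LiteralPath $run) {
        $v = (Get-ItemProperty -LiteralPath $run -ErrorAction SilentlyContinue).'COM Service'
        if ($v) { Write-Output "REG   $run  'COM Service'=$v" }
    }
}

# Backdoor listener on TCP 6666; resolve the owning process from netstat's PID column.
netstat -ano | Select-String -Pattern '^\s*TCP\s+\S+:6666\s+\S+\s+LISTENING\s+(\d+)' | ForEach-Object {
    $owner = [int]$_.Matches[0].Groups[1].Value
    $proc = Get-Process -Id $owner -ErrorAction SilentlyContinue
    Write-Output ("PORT  6666 LISTENING  PID={0}  name={1}  path={2}" -f $owner, $proc.ProcessName, $proc.Path)
}
```

Run it from an elevated prompt, since the files carry the system attribute and the HKLM keys and process paths are not readable by a standard user.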