Virus name: trojan-downloader.Win32.Agent.bumi
Risk level: Medium
Virus Description
The sample is 49,252 bytes in size with the extension “.exe”. It spreads mainly through bundled files, download tools and trojanized web pages (drive-by downloads; the original text calls this “web page linked to horses”). Its purpose is to download further malware from attacker-specified locations onto the user’s computer. After infection the machine visits a large number of attacker-specified websites, the system runs slowly, network speed drops, and many unknown processes appear.
Infected OS
Windows 2000/Windows XP / Windows 2003/Windows Vista / Windows 7
Transmission
Bundled files, trojanized web pages (drive-by downloads), download tools
Manual Solution:
Manually delete the following files:
%SystemRoot%\system32\popupko.dll
%SystemRoot%\system32\cehProcessgy.dll
%SystemDriver%\wxclient
Variable declaration:
%SystemDriver%: the partition the system is installed on, usually “C:\” (this is the advisory’s spelling of the standard %SystemDrive% variable)
%SystemRoot%: the Windows directory, usually “C:\Windows”
%Documents and Settings%: the user profile directory, usually “C:\Documents and Settings”
%Temp%: the temporary folder, usually “C:\Documents and Settings\<current user name>\Local Settings\Temp”
%ProgramFiles%: the default installation directory for programs, typically “C:\Program Files”
Analysis of the virus:
(1) Checks whether %SystemRoot%\conime.exe exists; if not, copies itself to %SystemRoot%\conime.exe and executes it. Downloads http://www.011**.com/11d.txt to %SystemDriver%\wxclient, reads the configuration stored in %SystemDriver%\wxclient, and, according to that configuration, downloads a large number of unknown Trojans and runs them on the machine.
(2) Writes the virus code to %Temp%\332233404453.jpg (the trailing digits, 04453, are random) and alters the file’s creation and modification times. Copies 332233404453.jpg to %SystemRoot%\system32\popupko.dll, sets the hidden attribute on popupko.dll, and deletes 332233404453.jpg.
(3) Creates the batch file %SystemDriver%\supe0d3ef5s1x4a5d7f.bat containing the command rundll32.exe popupko.dll FunctionStart, creates a process to run the batch file (which loads popupko.dll), and then deletes %SystemDriver%\supe0d3ef5s1x4a5d7f.bat.
(4) Creates the mutex cntest#32770 so that only one instance of the virus runs. Takes a snapshot of the system’s processes, searches it for cmd.exe, and forcibly terminates that process if it is found.
(5) Reads configuration information from cehProcessgy.dll and creates threads that periodically open the specified attacker websites and update the configuration information.
Files created by the virus:
%Temp%\332233404453.jpg (the trailing digits, 04453, are random)
%SystemDriver%\wxclient
%SystemRoot%\system32\popupko.dll
%SystemRoot%\system32\cehProcessgy.dll
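As an added example (not part of this advisory), the following Python script sweeps a host for the files named in the analysis and in the list above, so an operator can confirm what is actually present before deleting anything by hand. The %SystemRoot%, %SystemDriver% and %Temp% roots are taken from the live environment on a Windows host, or can be pointed at a mounted disk image on any OS. All function and variable names are my own; the temporary .jpg is matched by pattern because its trailing digits are random.

```python
"""Host indicator sweep for the files this Trojan-Downloader drops.

Added example, not part of the original advisory. It expands the
advisory's %SystemRoot%/%SystemDriver%/%Temp% placeholders, checks each
dropped file and returns what it finds (with the hidden attribute, which
step 2 sets on popupko.dll, reported on Windows).
"""
import fnmatch
import os
import stat

# Indicators taken from the advisory's analysis and file list. %SystemDriver%
# is the advisory's spelling of the standard %SystemDrive% variable.
INDICATORS = [
    r"%SystemRoot%\conime.exe",                # copy of the dropper (step 1)
    r"%SystemDriver%\wxclient",                # downloaded configuration (step 1)
    r"%Temp%\3322334*.jpg",                    # staged payload, random suffix (step 2)
    r"%SystemRoot%\system32\popupko.dll",      # loader DLL (steps 2 and 3)
    r"%SystemRoot%\system32\cehProcessgy.dll", # configuration DLL (step 5)
    r"%SystemDriver%\supe0d3ef5s1x4a5d7f.bat", # transient batch loader (step 3)
]


def expand(indicator, roots):
    """Replace the advisory's %Name% placeholders with concrete directories."""
    path = indicator
    for name, value in roots.items():
        path = path.replace("%" + name + "%", value)
    # The advisory writes Windows separators; normalise for the host OS so the
    # same code runs on Windows and on a mounted image under Linux.
    return path.replace("\\", os.sep)


def is_hidden(path):
    """True if the file carries the Windows hidden attribute (always False elsewhere)."""
    try:
        st = os.stat(path)
    except OSError:
        return False
    attrs = getattr(st, "st_file_attributes", 0)
    return bool(attrs & getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0))


def sweep(roots, indicators=INDICATORS):
    """Return sorted (indicator, full_path, hidden) tuples for indicators present on disk."""
    found = []
    for indicator in indicators:
        pattern = expand(indicator, roots)
        directory, name = os.path.split(pattern)
        if not os.path.isdir(directory):
            continue
        for entry in os.listdir(directory):
            # Case-insensitive match, as Windows file names are case-insensitive.
            if fnmatch.fnmatch(entry.lower(), name.lower()):
                full = os.path.join(directory, entry)
                found.append((indicator, full, is_hidden(full)))
    return sorted(found)


def default_roots():
    """Roots from the live environment (meaningful on a Windows host)."""
    return {
        "SystemRoot": os.environ.get("SystemRoot", r"C:\Windows"),
        "SystemDriver": os.environ.get("SystemDrive", "C:"),
        "Temp": os.environ.get("TEMP", r"C:\Windows\Temp"),
    }


if __name__ == "__main__":
    for indicator, path, hidden in sweep(default_roots()):
        print(f"FOUND {path}  (matches {indicator}, hidden={hidden})")
```

To examine an offline image instead of the live host, pass sweep() a roots dictionary pointing at the mounted Windows directory, the mounted drive root and the user's Temp folder; the script only reports, it never deletes.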
Network addresses accessed by the virus:
http://www.011**.com/5.exe
http://www.*mall.com/
http://u.589**.com
http://www.suvvvs***.com/d.php?type=12&said=4349