Downloader: Trojan-Downloader.Win32.Agent.g
Risk level: Medium
Virus Description
The sample is a backdoor program written in C. It is 32,768 bytes in size, carries its own icon (the image is not reproduced here) and uses the extension “exe”. It spreads mainly through file bundling, download tools and web-page trojans, and its main purpose is to download further malicious code onto the infected host.
After a computer is infected, the system and the network slow down, unknown processes and services appear, and programs close for no apparent reason; the user's private data may also be disclosed.
Affected operating systems
Windows 2000 / Windows XP / Windows 2003 / Windows Vista / Windows 7
Transmission
File bundling, web-page trojans, download tools
Manual Solution:
1. Manually delete the following file. It is marked system and hidden, so clear those attributes first (attrib -s -h). Because the sample terminates security products and loads a kernel driver, clean from Safe Mode or an offline boot if it resists removal:
%SystemRoot%\conme.exe
2. Manually restore the following registry value, removing only the entry that points at conme.exe:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Value name: Userinit
Data: %SystemRoot%\system32\userinit.exe,
(Windows stores this value with a trailing comma; Winlogon runs every comma-separated entry at logon.)
3. Remove the SSDT_TOOL service that conme.exe registers (sc stop SSDT_TOOL, then sc delete SSDT_TOOL) and delete %SystemRoot%\SSDT_TOOL.sys if it is still present.
Variable declaration:
%SystemDrive%: the partition the system is installed on, typically “C:\”
%SystemRoot%: the Windows directory, usually “C:\Windows”
%Documents and Settings%: the user profile directory, usually “C:\Documents and Settings”
%Temp%: the temporary folder, usually “C:\Documents and Settings\<current user name>\Local Settings\Temp”
%ProgramFiles%: the default program installation directory, typically “C:\Program Files”
Virus Analysis
1. Takes a process snapshot and walks the process list looking for avp.exe, kern.wxe, egui.exe, KAVStart.exe, KISSvc.exe, RavMoD.exe, ravmod.exe, renetsvr.exe, rstray.exe, RstRay.exe, RsMain.exe and scanfrm.exe (processes of Kaspersky, ESET, Kingsoft and Rising security products); any process found is terminated.
2. Creates the file conme.exe in the %SystemRoot% directory, marks it system and hidden, and sets the same attributes on its own file.
3. Reads the computer's network adapter (MAC) address, connects to the network and sends it to a designated remote address.
4. Modifies the registry so that conme.exe is appended to the Winlogon Userinit value and is therefore started alongside userinit.exe at every logon.
5. When conme.exe runs, it drops the driver file SSDT_TOOL.sys into the %SystemRoot% directory and registers an SSDT_TOOL service, which it uses for self-protection.
6. Creates a thread that connects to the network and downloads a large number of additional trojans onto the machine.
The virus creates the following files:
%SystemRoot%\conme.exe
%SystemRoot%\SSDT_TOOL.sys
The virus modifies the registry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Value name: Userinit
Data: C:\WINDOWS\system32\userinit.exe, C:\WINDOWS\conme.exe 0vfdn
The virus deletes the file:
%SystemRoot%\SSDT_TOOL.sys
The virus connects to the network:
http://1.5***.com/reques0.asp
http://safe.***.com:7123/999tcp/addip.asp
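The following script is added here as an example and is not code from the original advisory. It turns the persistence mechanism from step 4 of the analysis and the registry fix from the Manual Solution into a check: it parses the Winlogon Userinit value the way Winlogon does (comma-separated entries), reports any entry that is not the genuine system32 userinit.exe, and on Windows (run elevated, ideally from Safe Mode, since the sample kills security products and loads a driver) can restore the value, clear the hidden/system attributes on the dropped files and delete them, and remove the SSDT_TOOL service. The constants DEFAULT_USERINIT and INFECTED_VALUE are constructed from the values quoted on this page; the function names, the dry_run flag and the use of attrib and sc are my choices, not anything the advisory describes.

```python
"""Userinit persistence check and cleanup for Trojan-Downloader.Win32.Agent.g.

Added example, not code from the original advisory. Winlogon runs every
comma-separated entry of the Userinit value at logon; the sample appends
conme.exe to that list. The pure functions below work on any platform so
the parsing can be exercised offline; remediate() needs Windows.
"""
import os
import subprocess
import sys

# Default Userinit value; Windows writes it with a trailing comma.
DEFAULT_USERINIT = r"%SystemRoot%\system32\userinit.exe,"
# Files and service named in the advisory (assumed still at these paths).
DROPPED_FILES = [r"%SystemRoot%\conme.exe", r"%SystemRoot%\SSDT_TOOL.sys"]
SERVICE_NAME = "SSDT_TOOL"
WINLOGON_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

# Constructed sample input: the infected value quoted in the advisory.
INFECTED_VALUE = r"C:\WINDOWS\system32\userinit.exe, C:\WINDOWS\conme.exe 0vfdn"


def split_userinit(value):
    """Split Userinit into the entries Winlogon would execute, dropping
    empty ones (the trailing comma yields an empty entry)."""
    return [e.strip() for e in value.split(",") if e.strip()]


def is_legitimate_entry(entry):
    """True only for userinit.exe located directly in a system32 directory.
    A bare 'userinit.exe' without a path is rejected too, since it would be
    resolved through the search path and can be hijacked. Anything trailing
    the path (the sample leaves '0vfdn' after conme.exe) makes the entry fail."""
    path = entry.lower().replace("/", "\\")
    head, _, tail = path.rpartition("\\")
    return tail == "userinit.exe" and head.endswith("\\system32")


def injected_entries(value):
    """Entries that do not belong in Userinit; empty on a clean machine."""
    return [e for e in split_userinit(value) if not is_legitimate_entry(e)]


def cleaned_value(value):
    """Userinit with only legitimate entries, restoring the trailing comma.
    Falls back to the default if nothing legitimate is left."""
    keep = [e for e in split_userinit(value) if is_legitimate_entry(e)]
    return ",".join(keep) + "," if keep else DEFAULT_USERINIT


def remediate(dry_run=True):
    """Windows only, run elevated. Restores Userinit, clears the system and
    hidden attributes on the dropped files and deletes them, then removes
    the SSDT_TOOL service. Returns the injected entries that were found."""
    if sys.platform != "win32":
        raise RuntimeError("remediate() needs Windows (winreg)")
    import winreg  # only available on Windows

    access = winreg.KEY_READ | winreg.KEY_SET_VALUE
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON_KEY, 0, access) as key:
        current, _ = winreg.QueryValueEx(key, "Userinit")
        bad = injected_entries(current)
        print("Userinit =", current)
        print("injected entries:", bad)
        if bad and not dry_run:
            winreg.SetValueEx(key, "Userinit", 0, winreg.REG_SZ, cleaned_value(current))

    for name in DROPPED_FILES:
        path = os.path.expandvars(name)
        if os.path.exists(path):
            print("dropped file present:", path)
            if not dry_run:
                subprocess.run(["attrib", "-s", "-h", path], check=False)
                os.remove(path)

    if not dry_run:
        subprocess.run(["sc", "stop", SERVICE_NAME], check=False)
        subprocess.run(["sc", "delete", SERVICE_NAME], check=False)
    return bad


if __name__ == "__main__":
    print("sample value flags:", injected_entries(INFECTED_VALUE))
    print("cleaned value    :", cleaned_value(INFECTED_VALUE))
    if sys.platform == "win32":
        remediate(dry_run="--apply" not in sys.argv)
```

Run without arguments for a report only; pass --apply on the infected machine to write the cleaned value and remove the files and service. The registry is fixed before the file is deleted so that a reboot in between cannot leave Winlogon pointing at a missing binary, and the comparison is on the whole entry rather than a substring match for "conme.exe", so a variant that renames the dropper or appends a different argument is still flagged.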