Virus name: trojan-downloader.Win32.Small.afut
Risk level: Medium
Virus Description
The samples spread mainly through bundled files, downloads pushed by download tools, and web pages seeded with Trojans (drive-by downloads). The virus's main purpose is to download a Trojan onto the infected computer and run it.
On an infected computer the system runs slowly, a large number of suspicious processes appear, and important system information can be lost.
Affected operating systems
Windows 2000 / Windows XP / Windows 2003 / Windows Vista / Windows 7
Transmission
Bundled files, web pages seeded with Trojans, downloads via download tools
Manual removal:
1. Delete the following files and registry entries:
%Temp%\svchost\svchost.exe
%SystemRoot%\temp\svchost.exe
%Documents and Settings%\All Users\Start Menu\Programs\Startup\svch0st.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Name: "svch0st"
Data: "%Temp%\svchost\svchost.exe"
2. Clear the machine's temporary folder and run a full anti-virus scan.
Variable definitions:
%SystemDrive% the partition the system is installed on, usually "C:\"
%SystemRoot% the Windows directory, usually "C:\Windows"
%Documents and Settings% the user profile directory, usually "C:\Documents and Settings"
%Temp% the temporary folder, usually "C:\Documents and Settings\<current user name>\Local Settings\Temp"
%ProgramFiles% the default program installation directory, usually "C:\Program Files"
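As an added example (not part of the original advisory), the PowerShell script below checks a host for the artifacts this page lists: the three dropped files, the "svch0st" Run value, the "HackFuck" mutex named in the analysis, and any process running from a dropped path. It assumes a current PowerShell on a Windows host with the standard environment variables; with -Remove it also stops those processes and deletes the artifacts.

```powershell
# Added example, not part of the original advisory: looks for the artifacts this
# page lists (dropped files, Run value, mutex) and removes them with -Remove.
# Run from an elevated PowerShell prompt in the affected user's session.
[CmdletBinding()]
param([switch]$Remove)

$startup = [Environment]::GetFolderPath('CommonStartup')   # All Users startup folder
$paths = @(
    (Join-Path $env:TEMP 'svchost\svchost.exe'),
    (Join-Path $env:SystemRoot 'temp\svchost.exe'),
    (Join-Path $startup 'svch0st.exe')
)
$runKey    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$runName   = 'svch0st'
$mutexName = 'HackFuck'   # mutex the sample creates to avoid a second instance
$found     = $false

# A live copy holds the mutex even if its file was renamed. Only the current
# session's Local\ namespace is visible, so run this as the infected user.
$m = $null
if ([System.Threading.Mutex]::TryOpenExisting($mutexName, [ref]$m)) {
    Write-Warning "Mutex '$mutexName' is held: a copy is probably running."
    $m.Dispose(); $found = $true
}

# Processes whose image is one of the dropped paths; stop them before deleting.
$procs = Get-Process -ErrorAction SilentlyContinue |
    Where-Object { $_.Path -and ($paths -contains $_.Path) }
foreach ($p in $procs) {
    Write-Warning "Running from dropped path: PID $($p.Id) $($p.Path)"
    $found = $true
    if ($Remove) { Stop-Process -Id $p.Id -Force }
}

foreach ($f in $paths) {
    if (Test-Path -LiteralPath $f) {
        Write-Warning "Dropped file present: $f"
        $found = $true
        if ($Remove) { Remove-Item -LiteralPath $f -Force }
    }
}

# Autorun value in this user's hive; other users' HKCU hives need a separate check.
$val = Get-ItemProperty -Path $runKey -Name $runName -ErrorAction SilentlyContinue
if ($val) {
    Write-Warning "Autorun value '$runName' = $($val.$runName)"
    $found = $true
    if ($Remove) { Remove-ItemProperty -Path $runKey -Name $runName }
}
if (-not $found) { Write-Output 'No Small.afut artifacts found on this host.' }
```

Run it once without -Remove to review what it reports, then again with -Remove; finish with the full anti-virus scan the removal steps call for, since the downloaded payloads are not covered by this list.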
Virus analysis
1. When run, the sample obtains the operating system version and checks whether the file "C:\WINDOWS\system32\sysedit.exe" exists; if it does, the sample exits.
2. It obtains the local temporary directory, copies itself into the "%Temp%\svchost" directory and names the copy "svchost.exe".
3. It obtains its own file path and checks whether that path is "%Temp%\svchost\svchost.exe"; if not, it runs "%Temp%\svchost\svchost.exe".
4. It creates and runs a batch file named "afc9fe2f418b00a0.bat" that deletes the original sample.
5. When "%Temp%\svchost\svchost.exe" runs, it creates a mutex object named "HackFuck" to prevent the program from running more than once.
6. It obtains a handle to its own process and raises the process priority to "HIGH_PRIORITY_CLASS".
7. It takes a snapshot of the running processes and looks for the names "KSafeTray.exe", "avp.exe" and "360tray.exe"; if any is found, it attempts to terminate that process by running a command.
8. It sets the following registry value so that the virus file starts at boot:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Name: "svch0st"
Data: "%Temp%\svchost\svchost.exe"
9. It copies its own file to the "%SystemRoot%\temp" folder and grants its own process the "SeDebugPrivilege" privilege.
10. It copies its own file to the startup folder as "C:\Documents and Settings\All Users\Start Menu\Programs\Startup\svch0st.exe".
11. It obtains the machine's Ethernet (MAC) address, process information and operating system version number and sends them to a pre-arranged collection site controlled by the attacker, which records infection statistics.
12. It opens its own file, reads the download-list address embedded in it, and downloads the download list to the local "C:\" drive under the name "boot".
13. It opens the download list, obtains the download addresses in it, downloads the listed malware to the local temporary folder and runs it.
14. Finally, it deletes the download list file "C:\boot".
Files created by the virus:
%Temp%\svchost\svchost.exe
%SystemRoot%\temp\svchost.exe
%Documents and Settings%\All Users\Start Menu\Programs\Startup\svch0st.exe
Files deleted by the virus:
%SystemDrive%\boot
Registry entries modified by the virus:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Name: "svch0st"
Data: "%Temp%\svchost\svchost.exe"
Network addresses accessed by the virus:
http://www.s *** 8.com: 2 ***/*** xt
http:// *** 23 ***. 100.t ***. i *** / Co ***. asp