Virus name: Trojan-PSW.Win32.Element.hu
Risk level: Medium
Virus Description
The sample has the extension ".exe". The virus spreads mainly through bundled files, downloads fetched by download tools and web pages seeded with drive-by downloads. Its main purpose is to steal the user's game account. After the computer is infected, the virus replaces DLL files in the operating system directory, which makes the system run slowly and leaves unknown processes running.
Infected operating systems
Windows 2000 / Windows XP / Windows 2003 / Windows Vista / Windows 7
Transmission
Bundled files, web pages seeded with drive-by downloads, downloads fetched by download tools
Manual Solution:
1. Manually delete the following files:
%SystemRoot%\system32\1008.ocx
%SystemRoot%\system32\elementclientwl01.ocx
2. Replace the following three files with clean copies:
%SystemRoot%\system32\dsound.dll
%SystemRoot%\system32\ddraw.dll
%SystemRoot%\system32\comres.dll
Variable declarations:
%SystemDrive% - the partition the system is installed on, usually "C:\"
%SystemRoot% - the WINDOWS directory, usually "C:\Windows"
%Documents and Settings% - the user profile directory, usually "C:\Documents and Settings"
%Temp% - the temporary folder, usually "C:\Documents and Settings\<current user name>\Local Settings\Temp"
%ProgramFiles% - the default installation directory for programs, usually "C:\Program Files"
Analysis of the virus:
(1) Enumerates all top-level windows on the screen looking for a window titled "Element Client"; if one is found, terminates the owning process.
(2) Tries to move %SystemRoot%\system32\1008.ocx to the temp directory. If the file does not exist, creates %SystemRoot%\system32\1008.ocx and %SystemRoot%\system32\elementclientwl01.ocx, writes the virus body into the two newly created files, and then sets their hidden attribute.
(3) Creates the configuration file %SystemRoot%\system32\system.ini and writes its configuration information into it. Copies %SystemRoot%\system32\dsound.dll to %SystemRoot%\system32\New.dll. Reads the PE header and section information of dsound.dll into a buffer, modifies the PE header of %SystemRoot%\system32\New.dll to add a section named data2, reads the creation and modification times of %SystemRoot%\system32\dsound.dll, and sets the creation and modification times of %SystemRoot%\system32\New.dll to the times just read. Calls function 5 of sfc_os.dll to lift Windows File Protection, backs up %SystemRoot%\system32\dsound.dll, and then copies %SystemRoot%\system32\New.dll over %SystemRoot%\system32\dsound.dll, thereby replacing the normal dsound.dll system component.
(4) Backs up %SystemRoot%\system32\ddraw.dll and %SystemRoot%\system32\comres.dll, copies %SystemRoot%\system32\New.dll over both %SystemRoot%\system32\ddraw.dll and %SystemRoot%\system32\comres.dll, adds the malicious code to the PE structure of ddraw.dll and comres.dll, and restores the original creation and modification times of the two files.
(5) Creates a batch file in the current directory and runs it with WinExec to delete itself.
(6) When the game starts it automatically loads %SystemRoot%\system32\dsound.dll, %SystemRoot%\system32\ddraw.dll and %SystemRoot%\system32\comres.dll; the virus code in them then installs a keyboard hook and reads the game's memory to steal the user's account.
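The one structural trace the analysis gives a defender is the extra data2 section appended to the replaced DLLs. The following detection script is an added example, not part of the original report: it parses the PE section table with only the standard library, flags any image carrying a data2 section, and runs against constructed in-memory PE images (no real DLLs are read). The function and constant names are the author's own.

```python
import struct

# Section name the analysis says the trojan appends to the copied DLLs.
SUSPICIOUS_SECTION = "data2"

def pe_section_names(data):
    """Return the section names of a PE image held in memory.

    Raises ValueError when the buffer is not a PE file.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # IMAGE_FILE_HEADER follows the 4-byte signature: NumberOfSections is at
    # +6, SizeOfOptionalHeader at +20; the section table starts after the
    # optional header, and each IMAGE_SECTION_HEADER is 40 bytes.
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_hdr_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_hdr_size
    names = []
    for i in range(num_sections):
        raw = data[table + 40 * i: table + 40 * i + 8]
        names.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    return names

def flag_tampered(data):
    """True when the image carries the data2 section described above."""
    return SUSPICIOUS_SECTION in pe_section_names(data)

def check_system_dlls(images):
    """images: {file name: bytes}. Returns the names that look tampered."""
    return [name for name, data in images.items() if flag_tampered(data)]

def build_sample_pe(section_names):
    """Constructed, headers-only PE32 image used as offline test input."""
    dos_header = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    opt_size = 0xE0  # size of a PE32 optional header
    file_header = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, opt_size, 0x2102)
    sections = b"".join(n.ljust(8, b"\0") + bytes(32) for n in section_names)
    return dos_header + b"PE\0\0" + file_header + bytes(opt_size) + sections

if __name__ == "__main__":
    samples = {"dsound.dll": build_sample_pe([b".text", b".data", b"data2"]),
               "ddraw.dll": build_sample_pe([b".text", b".data"])}
    print("tampered:", check_system_dlls(samples))
```

A section-name check only catches this variant's tampering; on a live system it should be paired with comparing the three DLLs against known-good hashes or running System File Checker.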
Files the virus creates:
%SystemRoot%\system32\1008.ocx
%SystemRoot%\system32\elementclientwl01.ocx
Normal system files the virus replaces with infected copies:
%SystemRoot%\system32\dsound.dll
%SystemRoot%\system32\ddraw.dll
%SystemRoot%\system32\comres.dll
Files the virus deletes:
%SystemRoot%\system32\dsound.dll
%SystemRoot%\system32\ddraw.dll
%SystemRoot%\system32\comres.dll