Backdoor: trojan.Win32.Sasfis.a
Risk level: Medium
Virus description
The sample is a worm program written in Delphi and packed with UPX; the packed file is 57,344 bytes, carries the icon shown in the original report (image not reproduced here), and uses the ".exe" extension. It spreads through file bundling, web drive-by downloads ("hanging horse" pages), downloader tools, or other channels. The main purpose of the virus is to take control of the user's computer.
After infection the user's system runs slowly, the camera is switched on for no reason, personal data is leaked, and so on.
Infected operating systems
Windows 2000/Windows XP / Windows 2003/Windows Vista / Windows 7
Transmission
Web drive-by download ("hanging horse" pages), file bundling, downloader tools
Manual removal:
1. Manually delete the following file
%ProgramFiles%\DBS.EXE
2. Delete the following registry key
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DBS_Server
Variable declarations:
%SystemDrive% partition the system is installed on, usually "C:\"
%SystemRoot% Windows directory, usually "C:\Windows"
%Documents and Settings% user profile directory, usually "C:\Documents and Settings"
%Temp% temporary folder, usually "C:\Documents and Settings\<current user name>\Local Settings\Temp"
%ProgramFiles% default installation directory for programs, typically "C:\Program Files"
Analysis of the virus:
1. Creates a mutex to prevent more than one instance from running. Checks whether its own path is %ProgramFiles%\DBS.EXE or %SystemRoot%\system32\userinit.exe.
2. If it is neither, copies itself to %ProgramFiles%\DBS.EXE, creates a CLSID value in the registry, and launches DBS.EXE.
3. If it is running as DBS.EXE, it starts a hidden userinit.exe process, writes its own code into the address space of that userinit.exe process and executes it there, so that the backdoor runs inside a system process. It then modifies the registry to start itself automatically.
4. If it is running inside userinit.exe, it waits for network connectivity, tries to connect to the remote host and listens for commands; the local machine is then completely under the attacker's control.
Files created by the virus:
%ProgramFiles%\DBS.EXE
Registry keys created by the virus:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DBS_Server
Network hosts contacted by the virus:
chb132520.3322.org
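The manual removal steps and the indicator lists above can be turned into a single triage script. The following PowerShell is an added example written for this page, not code from the original advisory or from any vendor tool; it checks only the indicators the page names (the dropped file, the DBS_Server service key, a long-lived userinit.exe instance, and the C2 domain in the DNS resolver cache) and, with the assumed -Remediate switch, performs the two removal steps. The five-minute age threshold for userinit.exe and the -Remediate switch are this example's assumptions; the CLSID value mentioned in step 2 of the analysis is not named on the page, so it is not checked.

```powershell
<#
  Added example (not part of the original advisory): hunt for the indicators
  listed for trojan.Win32.Sasfis.a and optionally remove them.
  Run from an elevated PowerShell prompt. The -Remediate switch and the
  five-minute userinit.exe age threshold are assumptions of this script.
#>
[CmdletBinding()]
param(
    [switch]$Remediate
)

# Indicators taken from the advisory above.
$dropPath   = Join-Path $env:ProgramFiles 'DBS.EXE'
$serviceKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\DBS_Server'
$c2Host     = 'chb132520.3322.org'

$findings = @()

# 1. Dropped file in %ProgramFiles% (advisory: 57,344 bytes after UPX packing).
if (Test-Path -LiteralPath $dropPath) {
    $item = Get-Item -LiteralPath $dropPath
    $findings += "File present: $dropPath ($($item.Length) bytes)"
}

# 2. Persistence: the DBS_Server service key.
if (Test-Path -LiteralPath $serviceKey) {
    $imagePath = (Get-ItemProperty -LiteralPath $serviceKey -ErrorAction SilentlyContinue).ImagePath
    $findings += "Service key present: $serviceKey (ImagePath = $imagePath)"
}

# 3. Injection target: userinit.exe normally exits shortly after logon, so an
#    instance that has been alive for minutes is worth a look.
$suspectUserinit = @()
foreach ($p in (Get-Process -Name userinit -ErrorAction SilentlyContinue)) {
    $age = (Get-Date) - $p.StartTime
    if ($age.TotalMinutes -gt 5) {
        $suspectUserinit += $p
        $findings += "Long-lived userinit.exe PID $($p.Id), running $([int]$age.TotalMinutes) min"
    }
}

# 4. C2 domain in the local DNS cache. Get-DnsClientCache exists on
#    Windows 8 / Server 2012 and later only; on the older systems the advisory
#    lists, fall back to parsing 'ipconfig /displaydns'.
if (Get-Command Get-DnsClientCache -ErrorAction SilentlyContinue) {
    $cacheHit = Get-DnsClientCache -ErrorAction SilentlyContinue |
        Where-Object { $_.Entry -like "*$c2Host*" }
} else {
    $cacheHit = (ipconfig /displaydns) -match [regex]::Escape($c2Host)
}
if ($cacheHit) { $findings += "DNS cache entry for $c2Host" }

if (-not $findings) {
    Write-Output "No Sasfis.a indicators found."
    return
}
$findings | ForEach-Object { Write-Warning $_ }

if ($Remediate) {
    # Stop the injected host process first so the file and key are not recreated.
    $suspectUserinit | Stop-Process -Force -ErrorAction SilentlyContinue
    Stop-Service -Name DBS_Server -Force -ErrorAction SilentlyContinue
    # The two manual removal steps from the advisory.
    Remove-Item -LiteralPath $dropPath -Force -ErrorAction SilentlyContinue
    Remove-Item -LiteralPath $serviceKey -Recurse -Force -ErrorAction SilentlyContinue
    Write-Output "Remediation attempted; reboot and re-run this script to confirm the indicators are gone."
}
```

Run it once without -Remediate to see what is present, then with -Remediate from an elevated prompt. Because the backdoor runs inside userinit.exe rather than as its own process name, a process listing alone will not show it; the service key and the dropped file are the reliable indicators, and a reboot followed by a second run confirms nothing has been recreated by a persistence mechanism the page does not describe.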