Virus name: Trojan.Win32.Swisyn.auu
Risk level: Medium
Virus Description
The sample is packed with “ASPack” in an attempt to evade signature scanning; after unpacking it is 88,064 bytes long. It uses the “exe” extension and spreads by being bundled with other files, through drive-by downloads from compromised web pages, and through download tools. Its main purpose is to install a back door on the infected computer so that it can be controlled as a bot.
After infection, the user may lose important documents, the system and network become slow, and further malware may be installed, leading to the disclosure of private data.
Affected operating systems
Windows 2000 / Windows XP / Windows 2003 / Windows Vista / Windows 7
Propagation
Bundled files, drive-by downloads from compromised web pages, download tools
Manual removal:
1. Manually delete the following files:
%Temp%\654f_appcompat.txt
%SystemDriver%\ARIBTXMEJJGL.EXE
%SystemDriver%\N11S\SVCHOST.EXE
%SystemDriver%\N11S\CTFMON.EXE
2. Manually delete the following registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ARIBT\ARIBTXMEJJG
Variable declarations:
%SystemDriver%: the system partition, usually “C:\”
%SystemRoot%: the Windows directory, usually “C:\Windows”
%Documents and Settings%: the user profiles directory, usually “C:\Documents and Settings”
%Temp%: the temp folder, usually “C:\Documents and Settings\<current user name>\Local Settings\Temp”
%ProgramFiles%: the default program installation directory, usually “C:\Program Files”
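The removal steps above can be scripted so that each listed artifact is inventoried, hashed and quarantined before it is deleted. The following PowerShell script is an added example, not part of the original description or the vendor's tooling. It assumes the page's %SystemDriver% means the system partition ($env:SystemDrive) and %Temp% means $env:TEMP, and that it is saved under an assumed name such as Remove-SwisynArtifacts.ps1 and run from an elevated prompt.

```powershell
# Added example, not from the original page or the AV vendor: finds the files and
# registry key listed under "Manual removal", keeps a hashed copy of each file for
# later analysis, then removes them. Assumptions: %SystemDriver% on the page is the
# system partition ($env:SystemDrive) and %Temp% is $env:TEMP. Run elevated, and
# run once with -WhatIf to see what would change before changing anything.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Quarantine location for copies of the removed files (assumed default).
    [string]$QuarantineDir = (Join-Path $env:TEMP 'swisyn-quarantine')
)

$systemDrive = $env:SystemDrive                         # usually "C:"
$artifactFiles = @(
    (Join-Path $env:TEMP '654f_appcompat.txt'),
    (Join-Path "$systemDrive\" 'ARIBTXMEJJGL.EXE'),
    (Join-Path "$systemDrive\N11S" 'SVCHOST.EXE'),
    (Join-Path "$systemDrive\N11S" 'CTFMON.EXE')
)
# Key named on the page (there in HKEY_LOCAL_MACHINE form).
$artifactKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ARIBT\ARIBTXMEJJG'

# 1. Inventory: which listed files are present, with size and SHA-256.
$present = foreach ($path in $artifactFiles) {
    if (Test-Path -LiteralPath $path -PathType Leaf) {
        $item = Get-Item -LiteralPath $path -Force        # -Force: the files may be hidden
        [pscustomobject]@{
            Path   = $path
            Bytes  = $item.Length
            SHA256 = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        }
    }
}
$present | Format-Table -AutoSize

# 2. A file still mapped by a running process cannot be deleted, so stop any
#    process whose image is one of the artifact paths (the dropped copies run
#    under the legitimate-looking names SVCHOST.EXE and CTFMON.EXE).
Get-Process | Where-Object { $_.Path -and ($artifactFiles -contains $_.Path) } |
    ForEach-Object {
        if ($PSCmdlet.ShouldProcess($_.Path, "Stop process $($_.Id)")) {
            Stop-Process -Id $_.Id -Force
        }
    }

# 3. Quarantine a copy, then delete. Copies get a .bin suffix so that they are
#    not executable by double-click, and carry part of the hash in the name.
if ($present) {
    New-Item -ItemType Directory -Path $QuarantineDir -Force | Out-Null
    foreach ($f in $present) {
        $copy = Join-Path $QuarantineDir ("{0}.{1}.bin" -f (Split-Path $f.Path -Leaf), $f.SHA256.Substring(0, 12))
        if ($PSCmdlet.ShouldProcess($f.Path, "Quarantine to $copy and delete")) {
            Copy-Item -LiteralPath $f.Path -Destination $copy -Force
            Remove-Item -LiteralPath $f.Path -Force
        }
    }
}

# 4. The auto-start key. -Recurse also removes any values and subkeys under it.
if (Test-Path -LiteralPath $artifactKey) {
    if ($PSCmdlet.ShouldProcess($artifactKey, 'Delete registry key')) {
        Remove-Item -LiteralPath $artifactKey -Recurse -Force
    }
}

# 5. Verify. Anything still present (a locked file, an access-denied key) means
#    the host is not clean yet and needs a safe-mode pass or a full AV scan.
$left = @(($artifactFiles + $artifactKey) | Where-Object { Test-Path -LiteralPath $_ })
if ($left.Count -gt 0) {
    Write-Warning "Still present: $($left -join ', ')"
} else {
    Write-Host 'Listed artifacts are absent or have been removed.'
}
```

Running `.\Remove-SwisynArtifacts.ps1 -WhatIf` prints the intended process stops, file deletions and key deletion without performing them; running it without `-WhatIf` carries them out and leaves the quarantined copies, with their hashes, for submission to an analysis sandbox or for building detection content.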
Analysis of the virus:
1. Creates a mutex to prevent more than one instance of the program from running.
2. Reads the UserEnvDebugLevel registry value to test whether the current process is being debugged; if it is, the program exits.
3. Creates the files %Temp%\654f_appcompat.txt, %SystemDriver%\ARIBTXMEJJGL.EXE and %SystemDriver%\N11S\CTFMON.EXE, copying itself into the newly created %SystemDriver%\ARIBTXMEJJGL.EXE.
4. Creates a registry key so that it starts automatically.
5. Opens the file C:\WINDOWS\system32\drwsn32.exe, registers its service, and then deletes itself once that is done.
6. Runs %Temp%\654f_appcompat.txt. It first checks whether it is located in the system root directory; if not, it obtains the system directory and copies itself there. It then walks the list of services looking for antivirus services and, if it finds any, tries to stop them.
7. Creates “info” files in the root directory of every other, non-system drive and sets their attributes to hidden. Checks whether Windows Update is turned on and, if it is, turns it off.
8. Opens a network connection and sends information about the local system to http://www.seop **. com/ie123-JB. At the same time it changes the IE home page to http://www.k986.com.
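Steps 4 to 8 each leave a side effect that can be checked on a host without knowing the sample's hash. The following read-only PowerShell audit is an added example, not from the original page or the vendor; it uses the page's directory name N11S, key name ARIBT and home-page URL, and otherwise only standard Windows service, policy and Internet Explorer locations. It assumes %SystemDriver% is $env:SystemDrive.

```powershell
# Added example, not from the original page or the vendor: read-only audit of a
# host for the side effects that steps 4 to 8 of the analysis describe.
# Nothing is modified. N11S, ARIBT and k986.com are the page's values; the
# service, Windows Update policy and IE locations are standard Windows ones.
$sysDrive = $env:SystemDrive
$findings = New-Object System.Collections.Generic.List[string]

# Steps 4 and 5: the auto-start key, and any service whose image path points
# into the dropper directory. Win32_Service lists installed services whether
# or not they are running, so a stopped service is still seen.
$aribt = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ARIBT'
if (Test-Path -LiteralPath $aribt) { $findings.Add("Auto-start key present: $aribt") }

$services = Get-CimInstance Win32_Service
foreach ($s in $services) {
    if ($s.PathName -and $s.PathName -like '*\N11S\*') {
        $findings.Add("Service '$($s.Name)' runs from the dropper directory: $($s.PathName)")
    }
}

# Step 6: the sample stops security services it finds. An automatic-start
# service that is not running is the generic symptom; expect some noise from
# trigger-started services and review each name against the installed AV.
$services | Where-Object { $_.StartMode -eq 'Auto' -and $_.State -ne 'Running' } |
    ForEach-Object { $findings.Add("Automatic service not running: $($_.Name) ($($_.DisplayName))") }

# Step 7a: hidden files in the root of every fixed drive other than the system one.
$dataDrives = Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 3' |
    Where-Object { $_.DeviceID -ne $sysDrive }
foreach ($d in $dataDrives) {
    Get-ChildItem -LiteralPath "$($d.DeviceID)\" -File -Hidden -ErrorAction SilentlyContinue |
        ForEach-Object {
            $tag = if ($_.Name -like '*info*') { 'name matches the "info" files from the analysis' } else { 'review' }
            $findings.Add("Hidden root file $($_.FullName), $($_.Length) bytes ($tag)")
        }
}

# Step 7b: Windows Update switched off, by service start mode or by policy.
$wu = $services | Where-Object { $_.Name -eq 'wuauserv' }
if ($wu -and $wu.StartMode -eq 'Disabled') { $findings.Add('wuauserv service start mode is Disabled') }
$au = Get-ItemProperty -LiteralPath 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' -ErrorAction SilentlyContinue
if ($au -and $au.NoAutoUpdate -eq 1) { $findings.Add('Policy NoAutoUpdate=1 (automatic updates disabled)') }

# Step 8: IE home page replaced. This covers the current user only; other
# profiles need the same value read from their own hive under HKU.
$ieMain = Get-ItemProperty -LiteralPath 'HKCU:\Software\Microsoft\Internet Explorer\Main' -ErrorAction SilentlyContinue
$startPage = $ieMain.'Start Page'
if ($startPage -and $startPage -like '*k986.com*') {
    $findings.Add("IE Start Page set to the URL named in the analysis: $startPage")
}

if ($findings.Count -eq 0) {
    Write-Host 'No findings for the behaviours listed in the analysis.'
} else {
    $findings | ForEach-Object { Write-Host "[!] $_" }
    exit 1   # non-zero exit so the script can be run as a remote triage job
}
```

The network beacon in step 8 cannot be reconstructed from the host after the fact, so the script only checks the home-page change; the outbound request itself is better caught at the proxy or DNS layer, where the page's domain names can be added to a watch list.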
Files created by the virus:
%Temp%\654f_appcompat.txt
%SystemDriver%\ARIBTXMEJJGL.EXE
%SystemDriver%\N11S\SVCHOST.EXE
%SystemDriver%\N11S\CTFMON.EXE
Registry key created by the virus:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ARIBT\ARIBTXMEJJG
Network addresses accessed by the virus:
http://www.seop **. com/ie123-JB