Network Worm: Worm.Win32.AutoRun.wjo
Risk level: Medium
Virus description
The samples are packed with UPX in an attempt to evade anti-virus scanning; the size after unpacking is 86,149 bytes and the file extension is .exe. The worm spreads mainly through bundled files, download tools and drive-by download web pages. Once running it hijacks the browser, tampers with the home page so that it opens the attacker's designated website, and downloads large numbers of files to the user's computer; the infected machine becomes slow and shows unknown processes.
Affected operating systems
Windows 2000 / Windows XP / Windows 2003 / Windows Vista / Windows 7
Transmission
Bundled files, drive-by download web pages, download tools
Manual removal:
1. Delete the following files
%SystemRoot%\system32\kirpawlutb
%SystemRoot%\system32\afjstjhmbh
%SystemDriver%\oqqfgptnqa.txt
%ProgramFiles%\Common Files\ocsoss.dll
%SystemDriver%\nxqjuelngl.jpg
X:\My Documamts.exe (X is the drive letter of a removable drive)
2. Delete the following registry value
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile
Value: NeverShowExt
Data: 1
3. Restore the following registry value
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F986CC17-37C0-4585-B7D9-15F2161F0584}\shell\OpenHomePage\Command
Value: (default)
Data: iexplore.exe
Variable declaration:
%SystemDriver% system partition, usually "C:\"
%SystemRoot% Windows directory, usually "C:\Windows"
%Documents and Settings% user's documents directory, usually "C:\Documents and Settings"
%Temp% temp folder, usually "C:\Documents and Settings\<current user name>\Local Settings\Temp"
%ProgramFiles% default installation directory for programs, typically "C:\Program Files"
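The following PowerShell script is an added example, not part of the original advisory or the vendor's tooling: it checks a host for the file and registry indicators listed in the removal steps above and, with the -Remove switch, applies those steps. It assumes an elevated session, that %SystemDriver% in the advisory means the SystemDrive environment variable, and that "iexplore.exe" (from removal step 3) is the expected restored command data.

```powershell
# Added example (not from the advisory). Run elevated: .\check-autorun-wjo.ps1 [-Remove]
param([switch]$Remove)

$sysRoot   = $env:SystemRoot
$sysDrive  = $env:SystemDrive        # the advisory calls this %SystemDriver% (assumption)
$progFiles = $env:ProgramFiles

# File indicators taken from the removal steps and the analysis section.
$files = @(
    "$sysRoot\system32\kirpawlutb",
    "$sysRoot\system32\afjstjhmbh",
    "$sysDrive\oqqfgptnqa.txt",
    "$progFiles\Common Files\ocsoss.dll",
    "$sysDrive\nxqjuelngl.jpg",
    "$sysDrive\EEQQ"
)
# "My Documamts.exe" is dropped on every fixed, removable and network drive, so check each root.
$files += Get-PSDrive -PSProvider FileSystem | ForEach-Object { "$($_.Root)My Documamts.exe" }

$cmdKey = 'HKLM:\SOFTWARE\Classes\CLSID\{F986CC17-37C0-4585-B7D9-15F2161F0584}\shell\OpenHomePage\Command'
$exeKey = 'HKLM:\SOFTWARE\Classes\exefile'

foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) {
        Write-Host "[found] $f"
        # -Force also removes hidden/system/read-only items, which the worm sets on its files.
        if ($Remove) { Remove-Item -LiteralPath $f -Recurse -Force }
    }
}

# Step 2: the NeverShowExt value hides the .exe extension of infected files.
$exe = Get-ItemProperty -Path $exeKey -ErrorAction SilentlyContinue
if ($exe -and $exe.PSObject.Properties['NeverShowExt']) {
    Write-Host "[found] $exeKey\NeverShowExt = $($exe.NeverShowExt)"
    if ($Remove) { Remove-ItemProperty -Path $exeKey -Name 'NeverShowExt' }
}

# Step 3: the OpenHomePage command is hijacked to launch iexplore.exe with the attacker's URL.
$cmd = (Get-ItemProperty -Path $cmdKey -ErrorAction SilentlyContinue).'(default)'
if ($cmd -and $cmd -ne 'iexplore.exe') {
    Write-Host "[found] OpenHomePage command = $cmd"
    if ($Remove) { Set-ItemProperty -Path $cmdKey -Name '(default)' -Value 'iexplore.exe' }
}
```

Running without -Remove only reports; the startup link jaitjiwavb.lnk and the desktop shortcuts named in the analysis section are not covered and should be removed by hand.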
Analysis of the virus:
1. Obtains the keyboard type and grants itself the "SeDebugPrivilege" privilege to elevate its own authority. It then enumerates the drives by type and selects fixed partitions, removable devices and network drives for infection.
2. Creates the directories kirpawlutb and afjstjhmbh in the system directory, sets the hidden attribute on both, and copies itself into each of them as %ProgramRoot%\system32\kirpawlutb\explorer.exe and %ProgramRoot%\system32\afjstjhmbh\smss.exe, then runs both files.
3. Creates %SystemDriver%\oqqfgptnqa.txt, %ProgramFiles%\Common Files\ocsoss.dll, %SystemDriver%\nxqjuelngl.jpg and other files in the root of the system drive, writing its configuration and virus code into them; creates the directory %SystemDriver%\EEQQ and releases files there. It infects every other fixed partition, removable hard disk, USB flash drive and network drive by creating X:\My Documamts.exe (X is the corresponding drive letter), sets the hidden attribute on all of the above files, hides their extensions, and configures the system so that hidden files are not shown.
4. Modifies the registry:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F986CC17-37C0-4585-B7D9-15F2161F0584}\shell\OpenHomePage\Command
Value: (default)  Data: iexplore.exe http://www.sfc***.com/?Activex72
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile
Value: NeverShowExt  Data: 1
5. Adds an autostart link %Documents and Settings%\All Users\Start Menu\Programs\Startup\jaitjiwavb.lnk, creates multiple IE shortcuts to malicious sites on the desktop, hijacks the browser home page so that it opens the attacker's specified website, and downloads large numbers of files to the user's local computer.
Files created by the virus:
%SystemRoot%\system32\kirpawlutb
%SystemRoot%\system32\afjstjhmbh
%SystemDriver%\oqqfgptnqa.txt
%ProgramFiles%\Common Files\ocsoss.dll
%SystemDriver%\nxqjuelngl.jpg
X:\My Documamts.exe (X is the drive letter of a fixed disk, removable hard disk, USB flash drive or network drive)
Registry entries created by the virus:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F986CC17-37C0-4585-B7D9-15F2161F0584}\shell\OpenHomePage\Command
Value: (default)  Data: iexplore.exe http://www.sfc***.com/?Activex72
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile
Value: NeverShowExt  Data: 1
Network addresses accessed by the virus:
http://www.vol***.com/index.html?ie72-BT
http://www.sfc***.com/?Activex72
http://www.sfc***.com/taobao.htm