Network worms: Worm.Win32.Qvod.b
Risk level: Medium
Virus description
This sample is a worm written in Visual C++ ("VC") and packed with the Petite packer in an attempt to evade signature scanning. The packed file is 172,032 bytes, carries a disguise icon (the icon image is not reproduced on this page) and uses the .exe extension. It spreads through file bundling, web-page trojans and download tools, and its infection targets are mainly users and computers on local area networks. After a computer is infected, a large number of svchost.exe processes appear and both the computer and its network connection become noticeably slower.
Affected operating systems
Windows 2000 / Windows XP / Windows 2003 / Windows Vista / Windows 7
Propagation
File bundling, web-page trojans, download tools
Manual removal:
Delete the following files:
1. Delete %SystemRoot%\system32\6to4.dll
2. Delete %SystemRoot%\system32\pchsvc.dll
3. Delete %SystemDrive%\144162d3.exe
4. Delete %Documents and Settings%\<user name>\Desktop\recycle.{645FF040-5081-101B-9F08-00AA002F954E}
5. Delete %Documents and Settings%\<user name>\Desktop\autorun.inf
6. Delete %Documents and Settings%\Infotmp.txt
The worm sets the hidden attribute on what it drops, so enable "show hidden files and folders" or clear the attributes with attrib -h -s first. The folder in step 4 is named after the Recycle Bin CLSID, so Explorer displays it as a Recycle Bin; dir /a from a command prompt shows its real name.
Delete the following registry keys:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\6to4
Value name: ImagePath
Data: %SystemRoot%\system32\svchost.exe -k netsvcs
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\6to4
Value name: ImagePath
Data: %SystemRoot%\system32\svchost.exe -k netsvcs
Note: this ImagePath is the standard line for any service hosted in the netsvcs svchost group, and on Windows XP/2003 a legitimate service named 6to4 (the IPv6 Helper Service, whose DLL is 6to4svc.dll) uses exactly the same value. What identifies the worm's service is the DLL svchost loads for it, recorded as ServiceDll under the key's Parameters subkey and pointing at %SystemRoot%\system32\6to4.dll; check that value before deleting the key, and stop the service (sc stop 6to4) before deleting the DLL, which is otherwise locked by svchost.exe.
Variable definitions:
%SystemDrive%: the partition the operating system is installed on, usually "C:\"
%SystemRoot%: the Windows directory, usually "C:\Windows"
%Documents and Settings%: the user profiles directory, usually "C:\Documents and Settings"
%Temp%: the temporary folder, usually "C:\Documents and Settings\<current user name>\Local Settings\Temp"
%ProgramFiles%: the default program installation directory, usually "C:\Program Files"
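The manual steps above can be scripted. The following PowerShell script is an added example and not the advisory's own tool. It assumes an elevated PowerShell, uses only PowerShell 2.0 cmdlets so it also runs on Windows XP/2003, derives %Documents and Settings% from the parent of the current user's profile (so the same paths resolve to C:\Users on Vista/7), and refuses to delete the 6to4 service when its ServiceDll is the legitimate 6to4svc.dll. The Remove-WormFile helper name and the drive-root check (which follows the analysis's statement that the worm walks drive letters) are additions, not steps from the advisory.

```powershell
# Added example: scripted version of the manual removal steps (not the advisory's tool).
# Run from an elevated PowerShell. PowerShell 2.0 cmdlets only, so it works on XP/2003.
$ErrorActionPreference = 'Continue'
$sysRoot      = $env:SystemRoot
$sysDrive     = $env:SystemDrive
$profilesRoot = Split-Path -Path $env:USERPROFILE -Parent   # assumption: %Documents and Settings%
$clsid        = '{645FF040-5081-101B-9F08-00AA002F954E}'    # Recycle Bin CLSID used as a disguise

function Remove-WormFile {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return }
    # The worm sets Hidden/System on what it drops; clear them so Remove-Item succeeds.
    attrib.exe -h -s -r "$Path"
    Remove-Item -LiteralPath $Path -Recurse -Force
    if (Test-Path -LiteralPath $Path) {
        Write-Warning "still present (in use?): $Path - delete it from Safe Mode"
    } else {
        Write-Host "removed $Path"
    }
}

# 1. Service first, so svchost.exe releases 6to4.dll. On XP/2003 a legitimate '6to4'
#    (IPv6 Helper Service) has the same ImagePath; tell them apart by the DLL loaded.
$svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\6to4'
$dll = (Get-ItemProperty -Path "$svcKey\Parameters" -ErrorAction SilentlyContinue).ServiceDll
if ($dll -and $dll -match '6to4svc\.dll$') {
    Write-Warning "6to4 loads $dll (legitimate IPv6 Helper Service); leaving the service alone"
} else {
    Write-Host "6to4 ServiceDll = '$dll'; stopping and deleting the service"
    sc.exe stop 6to4   | Out-Null
    Start-Sleep -Seconds 2
    sc.exe delete 6to4 | Out-Null
    foreach ($set in 'CurrentControlSet', 'ControlSet001') {
        Remove-Item -Path "HKLM:\SYSTEM\$set\Services\6to4" -Recurse -Force -ErrorAction SilentlyContinue
    }
}

# 2. The six files listed in the manual solution.
$files = @(
    "$sysRoot\system32\6to4.dll",
    "$sysRoot\system32\pchsvc.dll",
    "$sysDrive\144162d3.exe",
    "$env:USERPROFILE\Desktop\recycle.$clsid",
    "$env:USERPROFILE\Desktop\autorun.inf",
    "$profilesRoot\Infotmp.txt"
)
foreach ($f in $files) { Remove-WormFile -Path $f }

# 3. Added check: the analysis says the worm walks drive letters, so look at the root of
#    every fixed disk for the same pair. autorun.inf alone is only reported, because
#    software installs create it legitimately; next to the fake Recycle Bin, both go.
foreach ($disk in Get-WmiObject -Class Win32_LogicalDisk -Filter 'DriveType=3') {
    $root = $disk.DeviceID + '\'
    $fake = Join-Path -Path $root -ChildPath "recycle.$clsid"
    $inf  = Join-Path -Path $root -ChildPath 'autorun.inf'
    if (Test-Path -LiteralPath $fake) {
        Remove-WormFile -Path $fake
        Remove-WormFile -Path $inf
    } elseif (Test-Path -LiteralPath $inf) {
        Write-Warning "$inf exists without the fake Recycle Bin folder; inspect it before deleting"
    }
}
```

If a file is reported as still present, the DLL is loaded in a running svchost.exe; reboot into Safe Mode and run the script again. If the machine is XP/2003 and the worm hijacked the real 6to4 service rather than creating a new one, the IPv6 Helper Service will be gone after cleanup, which only matters if IPv6 transition tunnelling is in use.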
Virus analysis:
1. When run, the virus drops %SystemDrive%\144162d3.exe.
2. %SystemDrive%\144162d3.exe runs and creates the named pipe \\.\pipe\{D952F2D0-0BCE-4b2b-8FFF-2317F120FCC3}; if the pipe already exists the new copy exits, which prevents multiple instances of the virus from running at once.
3. It takes a snapshot of the running processes and checks whether any of RavMonD.exe, 360tray.exe or MPSVC.exe (security-product processes) is present; if one is, the main program exits.
4. Otherwise it traverses the drive letters, installs its configuration files, creates autorun.inf, recycle.{645FF040-5081-101B-9F08-00AA002F954E} (the Recycle Bin CLSID in the name makes Explorer display the folder as a Recycle Bin) and other files, and sets them hidden. It then tries to connect to the network, downloads a hosts file from a fixed address to replace the local hosts file, and spawns a large number of process images (the many svchost.exe processes noted above), consuming system resources.
5. It creates %SystemRoot%\system32\6to4.dll, registers it as an automatically started service named 6to4 by creating HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\6to4 (hosted in svchost.exe), and starts the service.
The virus creates the following files:
1. %SystemRoot%\system32\6to4.dll
2. %SystemRoot%\system32\pchsvc.dll
3. %SystemDrive%\144162d3.exe
4. %Documents and Settings%\<user name>\Desktop\recycle.{645FF040-5081-101B-9F08-00AA002F954E}
5. %Documents and Settings%\<user name>\Desktop\autorun.inf
6. %Documents and Settings%\Infotmp.txt
The virus creates the following registry keys:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\6to4
Value name: ImagePath
Data: %SystemRoot%\system32\svchost.exe -k netsvcs
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\6to4
Value name: ImagePath
Data: %SystemRoot%\system32\svchost.exe -k netsvcs
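The behaviours in the analysis translate directly into host checks. The following read-only triage script is an added example, not the advisory's own tool: it looks for each indicator the analysis describes (the named pipe, the security-product processes the worm checks for, the autorun.inf and fake Recycle Bin pair, the replaced hosts file, the 6to4 service and its dropped files, the svchost.exe count) and returns the findings as strings without changing anything. The function name Get-QvodIndicators and the svchost threshold are assumptions; pick the threshold from a known-clean machine of the same Windows build. PowerShell 2.0 cmdlets only, so it also runs on XP/2003.

```powershell
# Added example: read-only triage for the indicators in the analysis (not the advisory's tool).
function Get-QvodIndicators {
    param([int]$MaxSvchost = 12)   # assumption: tune from a clean machine of the same build
    $hits  = @()
    $clsid = '{645FF040-5081-101B-9F08-00AA002F954E}'

    # Step 2: the single-instance guard is a named pipe. Listing \\.\pipe\ through the
    # filesystem API enumerates every open pipe, so a hit means the worm is running now.
    $pipe  = '{D952F2D0-0BCE-4b2b-8FFF-2317F120FCC3}'
    $pipes = [System.IO.Directory]::GetFiles('\\.\pipe\')
    if ($pipes | Where-Object { $_ -like "*$pipe" }) { $hits += "named pipe $pipe is open (worm running)" }

    # Step 3: the worm exits if any of these processes exists, so their absence is
    # what allowed the infection; record it for context.
    $av = Get-Process -Name 'RavMonD', '360tray', 'MPSVC' -ErrorAction SilentlyContinue
    if (-not $av) { $hits += 'none of RavMonD/360tray/MPSVC running (worm would not have exited)' }

    # Step 4: hidden autorun.inf plus a folder disguised as the Recycle Bin, on each
    # fixed drive root and on the Desktop. Explorer shows the CLSID folder as a Recycle Bin.
    $roots  = @(Get-WmiObject -Class Win32_LogicalDisk -Filter 'DriveType=3' | ForEach-Object { $_.DeviceID + '\' })
    $roots += "$env:USERPROFILE\Desktop"
    foreach ($r in $roots) {
        $fake = Join-Path -Path $r -ChildPath "recycle.$clsid"
        if (Test-Path -LiteralPath $fake) { $hits += "fake Recycle Bin folder $fake" }
        $inf = Join-Path -Path $r -ChildPath 'autorun.inf'
        if (Test-Path -LiteralPath $inf) {
            $attrs = [int](Get-Item -LiteralPath $inf -Force).Attributes
            if (($attrs -band [int][IO.FileAttributes]::Hidden) -ne 0) { $hits += "hidden autorun.inf at $inf" }
        }
    }

    # Step 4: replaced hosts file. Anything beyond the localhost mapping deserves a look.
    $hostsPath = "$env:SystemRoot\system32\drivers\etc\hosts"
    $entries = Get-Content -Path $hostsPath |
        Where-Object { $_ -match '^\s*[^#\s]' -and $_ -notmatch '^\s*(127\.0\.0\.1|::1)\s+localhost\s*$' }
    foreach ($e in $entries) { $hits += "hosts entry: $e" }

    # Step 5: the 6to4 service. ImagePath is the generic svchost line, so inspect the DLL it
    # loads; the legitimate XP/2003 IPv6 Helper Service uses 6to4svc.dll, the worm 6to4.dll.
    $dll = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\6to4\Parameters' `
            -ErrorAction SilentlyContinue).ServiceDll
    if ($dll -and $dll -notmatch '6to4svc\.dll$') { $hits += "6to4 service loads $dll" }
    foreach ($f in "$env:SystemRoot\system32\6to4.dll", "$env:SystemRoot\system32\pchsvc.dll", "$env:SystemDrive\144162d3.exe") {
        if (Test-Path -LiteralPath $f) { $hits += "dropped file $f" }
    }

    # Symptom from the description: an unusual number of svchost.exe processes.
    $n = @(Get-Process -Name svchost -ErrorAction SilentlyContinue).Count
    if ($n -gt $MaxSvchost) { $hits += "$n svchost.exe processes (threshold $MaxSvchost)" }

    return $hits
}

$findings = @(Get-QvodIndicators)
if ($findings.Count -eq 0) { Write-Host 'no Qvod.b indicators found' }
else { $findings | ForEach-Object { Write-Host "[!] $_" } }
```

The pipe check is the only indicator that proves the worm is running at that moment; the others persist after it has been killed, which is why the file and registry checks are kept even when the pipe is absent.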