Worm Worm.Win32.Agent.vvp
Risk level: Medium
Virus Description
The sample is a worm written in C/C++ and packed with UPX in an attempt to evade signature scanning. The packed file is 25,600 bytes, its icon is “ ” (the icon image did not survive extraction) and its extension is “exe”. It arrives mainly through bundled files, downloader trojans and web page trojans (drive-by downloads from compromised pages). Its main purposes are to spread itself via removable disks and to download further malware onto the local computer.
After the user's computer is infected the system runs slowly, a large number of unknown suspicious processes appear, and important system data may be lost.
Infected operating systems
Windows 2000 / Windows XP / Windows 2003 / Windows Vista / Windows 7
Transmission
Bundled files, web page trojans (drive-by downloads), downloader trojans
Manual removal:
1. Stop and delete the system service whose display name is “ScsiDrv”.
2. Manually delete the following registry key:
HKLM\System\CurrentControlSet\Services\ScsiDrv
Name: ImagePath
Data: C:\Windows\system32\drivers\scsi4dos.sys
3. Clear the machine's temporary folder (%Temp%), which is where the worm writes downloaded payloads before running them.
4. If a removable disk has been infected, delete x:\...\RECYCLER and x:\autorun.inf from the root of that disk (x is the drive letter). Note that the directory is literally named “...”: Win32 path normalisation strips trailing dots, so “x:\...” resolves to “x:\” in Explorer and in most tools; open or delete it through the “\\?\x:\...” form instead.
Reboot after these steps so that the svchost.exe process the worm injected into is gone, then confirm the ScsiDrv service and the driver file have not returned.
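The four removal steps above as a single script, added here as an example and not taken from the original report. The indicator names (ScsiDrv, scsi4dos.sys, autorun.inf, the “...” directory and its RECYCLER file) come from the page; the script structure, the -WhatIf support and the choice of sc.exe and rd.exe are assumptions of mine. Run it from an elevated Windows PowerShell prompt, with -WhatIf first to see what would be removed.

```powershell
# Added example, not part of the original write-up: carries out the manual
# removal steps for Worm.Win32.Agent.vvp. Indicator names are from the page;
# everything else (structure, -WhatIf handling, sc.exe/rd.exe) is my choice.
[CmdletBinding(SupportsShouldProcess = $true)]
param()

$serviceName = 'ScsiDrv'
$regKey      = "HKLM:\SYSTEM\CurrentControlSet\Services\$serviceName"
$driverFile  = Join-Path $env:SystemRoot 'system32\drivers\scsi4dos.sys'

# Step 1: stop and delete the ScsiDrv service. sc.exe works on every listed OS
# and on driver-type services that Get-Service does not show.
if ($PSCmdlet.ShouldProcess($serviceName, 'sc.exe stop / delete')) {
    & sc.exe stop   $serviceName | Out-Null   # harmless if already stopped
    & sc.exe delete $serviceName | Out-Null
}

# Step 2: remove the service key if it is still there (sc.exe only marks a
# service that could not be stopped for deletion at the next reboot).
if (Test-Path $regKey) {
    Remove-Item -Path $regKey -Recurse -Force
}

# Step 3: remove the dropped driver file and empty the current user's temp
# folder, where the page says downloaded payloads are written before they run.
if (Test-Path -LiteralPath $driverFile) {
    Remove-Item -LiteralPath $driverFile -Force
}
Get-ChildItem -LiteralPath $env:TEMP -Force -ErrorAction SilentlyContinue |
    Remove-Item -Recurse -Force -ErrorAction SilentlyContinue

# Step 4: clean every removable disk (Win32 DriveType 2 = DRIVE_REMOVABLE,
# the same check the worm uses when it decides where to copy itself).
foreach ($disk in Get-WmiObject -Class Win32_LogicalDisk -Filter 'DriveType = 2') {
    $root = $disk.DeviceID                  # e.g. "E:"
    $inf  = "$root\autorun.inf"
    if (Test-Path -LiteralPath $inf) {
        Remove-Item -LiteralPath $inf -Force
    }
    # "E:\..." cannot be reached through a normal path: Win32 path
    # normalisation strips trailing dots, so it resolves to "E:\". List the
    # root with dir to see whether the entry exists, then remove it through
    # the \\?\ prefix, which bypasses normalisation. rd /s takes the RECYCLER
    # copy inside it as well.
    $names = & cmd.exe /c dir /a /b "$root\"
    if ($names -contains '...') {
        if ($PSCmdlet.ShouldProcess("$root\...", 'rd /s /q')) {
            & cmd.exe /c rd /s /q "\\?\$root\..."
        }
    }
}
```

The script deletes only the artefacts the page names; it does not try to find the svchost.exe instance the worm was injected into, because the page gives no way to tell it apart from legitimate ones, so reboot after running it.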
Variable declarations:
%SystemDrive% the partition the system is installed on, usually “C:\”
%SystemRoot% the WINDOWS directory, usually “C:\Windows”
%Documents and Settings% the user profile directory, usually “C:\Documents and Settings”
%Temp% the temp folder, usually “C:\Documents and Settings\<current user name>\Local Settings\Temp”
%ProgramFiles% the default program installation directory, usually “C:\Program Files”
Virus behaviour
1. When run, the sample obtains its own path and checks whether it is “C:\WINDOWS\system32\drivers\scsi4dos.sys”.
2. If it is not, it copies itself to the “%SystemRoot%\system32\drivers” folder under the name “scsi4dos.sys”.
3. It tries to open the system service named “ScsiDrv”. If that fails, it creates a service with display name “ScsiDrv” and start type SERVICE_AUTO_START pointing at “C:\WINDOWS\system32\drivers\scsi4dos.sys”, so that the worm is started at boot. This corresponds to the following registry key:
HKLM\System\CurrentControlSet\Services\ScsiDrv
Name: ImagePath
Data: C:\Windows\system32\drivers\scsi4dos.sys
4. It creates a process running “scsi4dos.sys” and exits.
5. Once scsi4dos.sys is running, it starts a process from the system file svchost.exe, unmaps that process's memory image, injects its own file into the process and executes it there (process hollowing), then deletes its own source file.
6. It creates a mutex named “EvilEva” so that only one instance runs.
7. It creates a thread that tests whether the network is reachable; if it is not, the thread sleeps for 60 seconds and tests again.
8. Once the network is reachable it connects to a URL specified by the attacker, downloads the virus to a local temporary file and runs it.
9. It enumerates the local disks; on every disk of type DRIVE_REMOVABLE it creates a directory “x:\...\” in the root, copies itself into that directory under the name “RECYCLER”, and creates an “autorun.inf” in the root pointing at that file, so that the worm spreads via removable disks.
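A read-only triage script for the behaviour in steps 3, 6 and 9 above, added here as an example and not part of the original report. The indicators (the ScsiDrv service and its ImagePath, the EvilEva mutex, an autorun.inf whose launch keys point at ...\RECYCLER, the “...” directory) come from the page; the autorun.inf key names checked and the Global\ mutex variant are assumptions of mine. It changes nothing on the host and returns one object per indicator found.

```powershell
# Added example, not part of the original write-up: read-only host triage for
# Worm.Win32.Agent.vvp. Indicator names are from the page; the autorun.inf
# keys checked and the "Global\" mutex name are assumptions.
function Test-ServicePersistence {
    # Step 3: the auto-start ScsiDrv service pointing at scsi4dos.sys.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\ScsiDrv'
    if (-not (Test-Path $key)) { return }
    $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Indicator = 'service'
        Where     = $key
        Detail    = "ImagePath=$($p.ImagePath) Start=$($p.Start)"   # Start 2 = SERVICE_AUTO_START
    }
}

function Test-RunningMutex {
    # Step 6: the worm holds a mutex named EvilEva while it runs inside svchost.exe.
    # OpenExisting throws WaitHandleCannotBeOpenedException when no such mutex exists.
    foreach ($name in 'EvilEva', 'Global\EvilEva') {   # Global\ form is an assumption
        try {
            $m = [System.Threading.Mutex]::OpenExisting($name)
            $m.Close()
            [pscustomobject]@{ Indicator = 'mutex'; Where = $name; Detail = 'present' }
        } catch [System.Threading.WaitHandleCannotBeOpenedException] {
            # not running (or not under this name)
        } catch [System.UnauthorizedAccessException] {
            [pscustomobject]@{ Indicator = 'mutex'; Where = $name; Detail = 'present (access denied)' }
        }
    }
}

function Get-SuspiciousAutorunLines {
    param([string]$InfPath)
    # Step 9: autorun.inf launch keys that point into the "..." directory or at
    # a file named RECYCLER. The key list is an assumption about what the worm writes.
    if (-not (Test-Path -LiteralPath $InfPath)) { return }
    Get-Content -LiteralPath $InfPath -ErrorAction SilentlyContinue |
        Where-Object { $_ -match '^\s*(open|shellexecute|icon|shell\\[^=]*\\command)\s*=' } |
        Where-Object { $_ -match '\.\.\.\\|RECYCLER' }
}

function Test-RemovableDisks {
    # Only DRIVE_REMOVABLE (Win32 DriveType 2), which is all the worm infects.
    foreach ($disk in Get-WmiObject -Class Win32_LogicalDisk -Filter 'DriveType = 2') {
        $root = $disk.DeviceID                            # e.g. "E:"
        $hits = @(Get-SuspiciousAutorunLines -InfPath "$root\autorun.inf")
        if ($hits.Count -gt 0) {
            [pscustomobject]@{ Indicator = 'autorun.inf'; Where = "$root\autorun.inf"; Detail = ($hits -join '; ') }
        }
        # Test-Path cannot see "E:\..." (trailing dots are stripped by Win32
        # path normalisation), so list the root with dir and look for the name.
        $names = & cmd.exe /c dir /a /b "$root\"
        if ($names -contains '...') {
            [pscustomobject]@{ Indicator = 'directory'; Where = "$root\..."; Detail = 'worm drop directory present' }
        }
    }
}

$findings = @(Test-ServicePersistence) + @(Test-RunningMutex) + @(Test-RemovableDisks)
if ($findings.Count -eq 0) { 'No Worm.Win32.Agent.vvp indicators found.' }
else { $findings | Format-Table -AutoSize }
```

The mutex check is the only one that tells you the worm is currently running rather than merely installed; a service key without a live mutex usually means the injected svchost.exe has been terminated or the download stage never ran.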
Files created by the virus:
%SystemRoot%\System32\Drivers\scsi4dos.sys
x:\autorun.inf
x:\...\RECYCLER (x is the drive letter of the infected removable disk)
Files deleted by the virus:
%SystemRoot%\system32\drivers\scsi4dos.sys
Registry modified by the virus:
HKLM\System\CurrentControlSet\Services\ScsiDrv
Name: ImagePath
Data: C:\Windows\system32\drivers\scsi4dos.sys
Network accessed by the virus:
http://hi .*** du.com