Synares file infector: a simple analysis

Preface

Synares is a file-infecting virus that appeared last year. At the time I did a rough analysis of it to pin down its infection logic; while sorting through my documents recently I came across the short analysis report I wrote back then.

Simple sample analysis

When an infected file is run from any path other than C:\ProgramData\Synaptics\Synaptics.exe, it first checks whether it carries the virus's own resource. The resource named EXERESX holds the original file from before infection, so its presence means the file being run is an infected one. If the resource exists, the original file is dropped into the current directory with the hidden attribute set, and that dropped original is then launched by creating a new process.

The sample then checks a mutex to avoid running more than one instance, reads some resource information, creates a startup item, drops the parent virus file to C:\ProgramData\Synaptics\Synaptics.exe, and sets that file's attribute to hidden.

It obtains the system version information, creates a process from C:\ProgramData\Synaptics\Synaptics.exe with InjUpdate as the command-line parameter, and the parent virus then runs.

1. Operating logic of the parent virus: it traverses a set of designated directories on the machine

C:\Users\username\Documents
C:\Users\username\Desktop
C:\Users\username\Downloads

and looks for files with the extensions .exe and .xlsx.

Infection steps:

For each traversed file (say A.exe), it first checks whether the resource EXEVSNX exists, i.e. whether the file has already been infected. Infected files are skipped; uninfected files are passed to the infection function infected_file_fun.

Infection logic:

First the virus copies the parent file Synaptics.exe to the temp directory under a random file name. It then adds the file to be infected to that random-named copy as a resource named EXERESX, reads the icon resource of the file to be infected and uses it to replace the icon resource of the random-named copy (so the result still looks like the original program), and finally overwrites the target file with the copy, completing the infection.
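The three resource operations described on this page (the EXERESX self-check at start-up, the EXEVSNX "already infected" check before infection, and the embedding of the host file as a resource) all come down to walking the PE resource directory and looking for those two labels. The following is an added example, not code from the original post or from the Synares sample: a dependency-free resource walker that reports any EXERESX or EXEVSNX resource and returns its bytes (for EXERESX, that is the pre-infection host), plus a builder that produces a synthetic PE32 laid out the way an infected file would be. The builder's choices are assumptions: the page does not say at which level of the type/name/language tree Synares places the labels, so the walker matches them at any level, and the constructed sample uses RCDATA (#10) as the type and 1033 as the language.

```python
import struct

# Labels the analysis attributes to Synares: EXERESX carries the pre-infection
# host file, EXEVSNX marks a file as already infected.  The page does not say
# whether they are resource *types* or resource *names*, so they are matched at
# any level of the type/name/language tree.
SYNARES_MARKERS = ("EXERESX", "EXEVSNX")


def _sections(pe, e_lfanew, nsect, opt_size):
    """(VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData) per section header."""
    base = e_lfanew + 24 + opt_size
    return [struct.unpack_from("<IIII", pe, base + 40 * i + 8) for i in range(nsect)]


def _rva_to_offset(sections, rva):
    for vsize, va, raw_size, raw_ptr in sections:
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    raise ValueError("RVA 0x%x is not backed by any section" % rva)


def _walk(pe, rsrc_off, dir_rel, path, out, depth=0):
    """Depth-first walk of an IMAGE_RESOURCE_DIRECTORY; depth guard for malformed trees."""
    if depth > 3:
        raise ValueError("resource tree deeper than type/name/language")
    base = rsrc_off + dir_rel
    n_named, n_id = struct.unpack_from("<HH", pe, base + 12)
    for i in range(n_named + n_id):
        name, data = struct.unpack_from("<II", pe, base + 16 + 8 * i)
        if name & 0x80000000:  # IMAGE_RESOURCE_DIR_STRING_U: WORD length + UTF-16LE chars
            s_off = rsrc_off + (name & 0x7FFFFFFF)
            (slen,) = struct.unpack_from("<H", pe, s_off)
            label = pe[s_off + 2 : s_off + 2 + 2 * slen].decode("utf-16-le")
        else:
            label = "#%d" % name
        if data & 0x80000000:  # high bit set: entry points to a subdirectory
            _walk(pe, rsrc_off, data & 0x7FFFFFFF, path + (label,), out, depth + 1)
        else:  # IMAGE_RESOURCE_DATA_ENTRY: OffsetToData (an RVA), Size, CodePage, Reserved
            rva, size = struct.unpack_from("<II", pe, rsrc_off + data)
            out.append((path + (label,), rva, size))


def list_resources(pe):
    """Return [(label_path, file_offset, size), ...] for every resource data entry."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ file")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew : e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    (nsect,) = struct.unpack_from("<H", pe, e_lfanew + 6)
    (opt_size,) = struct.unpack_from("<H", pe, e_lfanew + 20)
    opt = e_lfanew + 24
    (magic,) = struct.unpack_from("<H", pe, opt)
    dirs = opt + (96 if magic == 0x10B else 112)          # PE32 vs PE32+ data directory start
    rsrc_rva, rsrc_size = struct.unpack_from("<II", pe, dirs + 2 * 8)  # entry 2 = resources
    if rsrc_rva == 0 or rsrc_size == 0:
        return []
    sections = _sections(pe, e_lfanew, nsect, opt_size)
    out = []
    _walk(pe, _rva_to_offset(sections, rsrc_rva), 0, (), out)
    return [(path, _rva_to_offset(sections, rva), size) for path, rva, size in out]


def synares_markers(pe):
    """Map marker label -> raw resource bytes for every Synares marker found."""
    found = {}
    for path, off, size in list_resources(pe):
        for marker in SYNARES_MARKERS:
            if marker in path:
                found[marker] = pe[off : off + size]
    return found


def build_sample(host, marker="EXERESX"):
    """Constructed minimal PE32 with one .rsrc section: RCDATA(#10) -> marker -> #1033 -> host.
    A synthetic stand-in for an infected file, not a real Synares sample."""
    rsrc_rva, rsrc_raw = 0x2000, 0x200
    name = marker.encode("utf-16-le")
    payload_rel = 0x58 + 2 + len(name)            # name string at 0x58, payload right after it
    rsrc = bytearray()
    rsrc += struct.pack("<IIHHHH", 0, 0, 0, 0, 0, 1) + struct.pack("<II", 10, 0x80000018)          # root -> dir @0x18
    rsrc += struct.pack("<IIHHHH", 0, 0, 0, 0, 1, 0) + struct.pack("<II", 0x80000058, 0x80000030)  # type -> dir @0x30
    rsrc += struct.pack("<IIHHHH", 0, 0, 0, 0, 0, 1) + struct.pack("<II", 1033, 0x48)              # name -> data @0x48
    rsrc += struct.pack("<IIII", rsrc_rva + payload_rel, len(host), 0, 0)                          # data entry
    rsrc += struct.pack("<H", len(marker)) + name                                                   # dir string
    assert len(rsrc) == payload_rel
    rsrc += host
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                              # e_lfanew
    fhdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)     # i386, 1 section, PE32 opt hdr
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                              # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                                # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 2 * 8, rsrc_rva, len(rsrc))      # data directory [2] = resources
    sect = (b".rsrc".ljust(8, b"\0") + struct.pack("<IIII", len(rsrc), rsrc_rva, len(rsrc), rsrc_raw)
            + bytes(12) + struct.pack("<I", 0x40000040))
    hdr = dos + b"PE\0\0" + fhdr + opt + sect
    return bytes(hdr.ljust(rsrc_raw, b"\0") + rsrc)


if __name__ == "__main__":
    sample = build_sample(b"MZ constructed original host program")
    for path, off, size in list_resources(sample):
        print("/".join(path), hex(off), size)
    print(synares_markers(sample))
```

On a real suspect file, read it with `open(path, "rb").read()` and pass the bytes to `synares_markers`; an EXERESX hit both confirms the infection and hands back the original program, which is what the virus itself drops and runs at start-up. Struct reads past the end of a truncated file raise `struct.error`, and the depth guard stops a crafted directory that points back into itself.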

xlsx files are infected in the same way as exe files: the virus drops its XLSM template, carried as a resource, into the temp directory, performs the infection there, and copies the result back to the original path. The differences are that the file format is changed to xlsm, and that a file named ~cache1 is dropped into the original directory; this file is itself a virus with infection capability. The infected workbook is given a macro project, and the macro is protected with a password so that it cannot be viewed. When the workbook is opened the original content is cleared, and only the startup macro restores it, so a user who opens it with macros disabled sees an empty sheet. At the same time, that macro starts the ~cache1 virus file dropped into the current directory, which continues the malicious behaviour.
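The workbook-side artifacts described above are simple to triage on disk: a macro-enabled workbook (an OOXML zip containing xl/vbaProject.bin) sitting in the same folder as a dropped ~cache1 file. The following is an added example, not code from the original post or from the Synares sample. It scans the three profile folders the parent virus walks and assigns a verdict per file; it assumes the dropped companion is literally named ~cache1 (the page gives no extension for it) and builds a constructed directory tree in a temp folder so it can be run offline. A macro-enabled workbook on its own is only marked for review, since legitimate .xlsm files exist.

```python
import os
import tempfile
import zipfile

# Folders the parent virus walks (under the user's profile), per the analysis above.
SCAN_DIRS = ("Documents", "Desktop", "Downloads")
# Assumption: the dropped companion is literally named "~cache1"; the page gives
# no extension, so the scan matches the exact base name.
DROP_NAME = "~cache1"


def has_vba_project(path):
    """An OOXML workbook that carries a macro project contains the part xl/vbaProject.bin."""
    try:
        with zipfile.ZipFile(path) as z:
            return "xl/vbaProject.bin" in z.namelist()
    except zipfile.BadZipFile:
        return False


def scan_workbooks(root):
    """Map 'relative/path' -> verdict for the xlsx-to-xlsm infection pattern.

    'high'   : a ~cache1 drop file, or a macro-enabled .xlsm sitting next to one
    'review' : a macro-enabled .xlsm with no drop file beside it (may be legitimate)
    """
    verdicts = {}
    for dirpath, _dirs, files in os.walk(root):
        drop_here = DROP_NAME in files
        for f in files:
            p = os.path.join(dirpath, f)
            rel = os.path.relpath(p, root).replace(os.sep, "/")
            if f == DROP_NAME:
                verdicts[rel] = "high"
            elif f.lower().endswith(".xlsm") and has_vba_project(p):
                verdicts[rel] = "high" if drop_here else "review"
    return verdicts


def _write_workbook(path, with_macro):
    """Constructed stand-in workbook: a zip with only the OOXML part names that matter here."""
    with zipfile.ZipFile(path, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("xl/workbook.xml", "<workbook/>")
        if with_macro:
            z.writestr("xl/vbaProject.bin", b"\xd0\xcf\x11\xe0 constructed placeholder")


def make_fixture(root):
    """Lay out a constructed profile tree mimicking the artifacts the page describes."""
    for d in SCAN_DIRS:
        os.makedirs(os.path.join(root, d), exist_ok=True)
    _write_workbook(os.path.join(root, "Documents", "report.xlsm"), with_macro=True)
    with open(os.path.join(root, "Documents", DROP_NAME), "wb") as fh:
        fh.write(b"MZ constructed placeholder for the dropped infector")
    _write_workbook(os.path.join(root, "Desktop", "budget.xlsm"), with_macro=True)
    _write_workbook(os.path.join(root, "Desktop", "clean.xlsm"), with_macro=False)
    _write_workbook(os.path.join(root, "Downloads", "notes.xlsx"), with_macro=False)


def demo():
    """Build the fixture in a temp directory, scan it, and return the verdict map."""
    root = tempfile.mkdtemp(prefix="synares_scan_")
    make_fixture(root)
    return scan_workbooks(root)


if __name__ == "__main__":
    for rel, verdict in sorted(demo().items()):
        print(f"{verdict:6} {rel}")
```

To run it against a real profile, call `scan_workbooks(os.path.expanduser("~"))` instead of `demo()`; the three folder names in SCAN_DIRS are then just the subtrees worth looking at first.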

The virus also tries to download files from the Internet, but the URL below no longer serves anything.

hxxp://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

That concludes the rough analysis.

Origin blog.csdn.net/weixin_44001905/article/details/109257330