Beware of the 'Synaptics' Worm

"Synaptics" is a worm whose pathogen, "Synaptics.exe", has been seen in more than 20,000 variants. It spreads aggressively by two routes: through Excel documents carrying malicious macro code, and by masquerading as normal EXE files (it copies the content of a legitimate EXE into the resource section of its own body and takes the legitimate file's place). In addition, it monitors USB device insertion and infects USB drives, dropping an autorun.inf file alongside its copy.

When a user opens an infected EXE, the worm first copies itself, writes the EXE files found in its target directories into the resource section of the freshly made copy, copies each target's icon onto the copy, and finally replaces the original file with it. The infection does not break the original program: when the user launches the infected file, the original functionality still runs, so there is little to alert the user that the file has been tampered with.

Detailed analysis

1. File infection

To keep the infection fast and inconspicuous, "Synaptics" only infects EXE and XLSX files in the following three directories:

Documents directory: "C:\Users\UserName\Documents"

Desktop directory: "C:\Users\UserName\Desktop"

Downloads directory: "C:\Users\UserName\Downloads"

"Synaptics" checks whether the target file already contains an "EXEVSNX" resource before infecting it. "EXEVSNX" holds the worm's version number and is stamped into every file it infects, so the check tells the worm whether a file is already infected and whether the embedded copy needs to be updated to a newer version.

For an EXE file, "Synaptics" first copies the "pathogen" file into the temporary directory, then stores the normal file in the "EXERESX" resource of that fresh copy, copies the target's icon onto it so that it looks like the normal file, and finally replaces the normal file with it. When the user launches the infected file, it first drops and runs the embedded normal program, and then the "Synaptics" code runs again. The original program keeps working, but the file's hash and size change and any Authenticode signature it carried no longer verifies; a previously signed executable in Documents, Desktop or Downloads that suddenly fails signature verification deserves a closer look.
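The version marker described above gives a cheap host-side check. The following Python script is an added example, not code from the original post and not part of the malware: it walks a PE file's resource directory (type level and name level) and reports any of the resource names this analysis mentions (EXEVSNX, EXERESX, XLSM, KBHKS). It assumes those appear as string-named resources, which is how the analysis describes them. The build_sample_pe helper constructs a minimal synthetic PE32 image so the scanner can be exercised offline; it is not a real sample and not a runnable executable. An absent marker proves nothing, since other variants may rename resources, but a hit is strong evidence.

```python
import struct
import sys

# Resource names the analysis ties to "Synaptics": EXEVSNX (version marker),
# EXERESX (embedded original EXE), XLSM (macro template), KBHKS (keylogger DLL).
MARKERS = {"EXEVSNX", "EXERESX", "XLSM", "KBHKS"}

def _rva_to_offset(rva, sections):
    """Map a relative virtual address to a file offset via the section table."""
    for va, vsize, raw_ptr, raw_size in sections:
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    raise ValueError("RVA 0x%x is not backed by any section" % rva)

def _walk_resource_dir(data, base, dir_off, names, depth=0):
    """Collect string names from a resource directory (type level) and the
    name-level subdirectories beneath it; language entries are numeric IDs."""
    n_named, n_id = struct.unpack_from("<HH", data, base + dir_off + 12)
    for i in range(n_named + n_id):
        name_field, data_field = struct.unpack_from("<II", data, base + dir_off + 16 + 8 * i)
        if name_field & 0x80000000:                # high bit set: string name, not an ID
            s = base + (name_field & 0x7FFFFFFF)     # length-prefixed UTF-16 string
            length = struct.unpack_from("<H", data, s)[0]
            names.add(data[s + 2:s + 2 + 2 * length].decode("utf-16-le"))
        if data_field & 0x80000000 and depth < 1:  # high bit set: entry is a subdirectory
            _walk_resource_dir(data, base, data_field & 0x7FFFFFFF, names, depth + 1)

def resource_names(data):
    """Return the set of string-named resources in a PE image given as bytes."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    pe = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    n_sections = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    data_dirs = opt + (96 if magic == 0x10B else 112)     # PE32 vs PE32+ layout
    if struct.unpack_from("<I", data, data_dirs - 4)[0] < 3:
        return set()                                      # no resource directory entry
    res_rva = struct.unpack_from("<I", data, data_dirs + 2 * 8)[0]  # index 2: resources
    if res_rva == 0:
        return set()
    sections = []
    for i in range(n_sections):
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", data, opt + opt_size + 40 * i + 8)
        sections.append((va, vsize, raw_ptr, raw_size))
    names = set()
    _walk_resource_dir(data, _rva_to_offset(res_rva, sections), 0, names)
    return names

def infection_markers(data):
    """Sorted list of Synaptics marker names present in the image (empty if none)."""
    return sorted(resource_names(data) & MARKERS)

def build_sample_pe(names):
    """Construct a minimal PE32 image whose .rsrc section holds RCDATA (type 10)
    entries with the given string names. Synthetic test data for this example:
    neither runnable nor derived from a real sample."""
    rsrc_rva, rsrc_raw = 0x1000, 0x200
    type_dir = 24                                  # root: 16-byte header + one ID entry
    entries_end = type_dir + 16 + 8 * len(names)
    strings, str_offs = b"", []
    for name in names:
        str_offs.append(entries_end + len(strings))
        strings += struct.pack("<H", len(name)) + name.encode("utf-16-le")
    leaf = entries_end + len(strings)              # empty directory the name entries point to
    hdr = lambda n_named, n_id: struct.pack("<IIHHHH", 0, 0, 0, 0, n_named, n_id)
    rsrc = (hdr(0, 1) + struct.pack("<II", 10, 0x80000000 | type_dir)
            + hdr(len(names), 0)
            + b"".join(struct.pack("<II", 0x80000000 | s, 0x80000000 | leaf) for s in str_offs)
            + strings + hdr(0, 0))
    dirs = [(0, 0)] * 16
    dirs[2] = (rsrc_rva, len(rsrc))
    image = (b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                          # DOS header
             + b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)  # COFF header
             + struct.pack("<H", 0x10B) + b"\0" * 90 + struct.pack("<I", 16)        # optional header
             + b"".join(struct.pack("<II", *d) for d in dirs)                      # data directories
             + b".rsrc".ljust(8, b"\0")
             + struct.pack("<IIIIIIHHI", len(rsrc), rsrc_rva, len(rsrc), rsrc_raw, 0, 0, 0, 0, 0x40000040))
    return image.ljust(rsrc_raw, b"\0") + rsrc

if __name__ == "__main__":
    paths = sys.argv[1:]
    if not paths:                                  # no files given: scan the synthetic sample
        print("synthetic sample:", infection_markers(build_sample_pe(["EXEVSNX", "EXERESX", "XLSM", "KBHKS"])))
    for path in paths:
        with open(path, "rb") as fh:
            try:
                hits = infection_markers(fh.read())
            except (ValueError, struct.error) as exc:
                print("%s: skipped (%s)" % (path, exc))
                continue
            print("%s: %s" % (path, ", ".join(hits) if hits else "no Synaptics markers"))
```

Run it as `python scan.py C:\Users\UserName\Downloads\*.exe` (expanding the glob in the shell) to sweep the three target directories; the walker deliberately stops at the name level because language entries are numeric and carry nothing of interest here.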

For an XLSX file, "Synaptics" reads the content of the normal workbook, merges it with the macro-enabled template stored in its "XLSM" resource to produce a new file with the ".xlsm" extension, and replaces the normal file with it. The extension change is the visible side effect: ordinary .xlsx workbooks in the three target directories that have turned into .xlsm files are a sign of infection.

The "XLSM" resource contains a malicious VBA macro with two functions:

Tampering with the macro security settings of the Word and Excel components so that all macros are enabled. Once this is done, the macro code in any document the user opens runs automatically, with no prompt and no user interaction. (These settings live in the VBAWarnings value under HKCU\Software\Microsoft\Office\<version>\Excel\Security and HKCU\Software\Microsoft\Office\<version>\Word\Security; a value of 1 means "enable all macros" and is worth checking on a suspected host.)

Downloading and executing the Synaptics.exe virus.

2. USB monitoring and infection

"Synaptics" sets a timer to poll for newly connected USB devices.

When a device is detected, it immediately infects the EXE and XLSX files on the USB drive, then copies itself to the drive and writes an autorun.inf file next to the copy. autorun.inf is a common file on removable media; its purpose is to have a specified file run automatically when the drive is opened by double-clicking, and here it points at the worm's copy, completing the propagation step. One caveat: Windows 7 and later (and XP/Vista with update KB971029) no longer honour autorun.inf on USB mass-storage devices, only on optical media, so on a patched host the worm depends on the user running the dropped file themselves. The autorun.inf remains a reliable indicator of an infected drive either way.
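The autorun.inf the worm writes is itself a usable indicator. The following Python snippet is an added example, not code from the post and not part of the worm: it parses autorun.inf text the way a triage script would and returns every key whose value Windows would launch (open, shellexecute, and any shell\<verb>\command), so an analyst can check whether the referenced file actually sits on the drive and hash it. The sample file content is constructed for this example; the analysis does not give the file name the worm uses for its USB copy, so Synaptics.exe in the sample is an assumption.

```python
import configparser
import os

# Constructed sample of an autorun.inf of the kind the worm drops on removable
# media. Illustrative content only; the file names are assumptions.
SAMPLE_AUTORUN_INF = """\
[AutoRun]
open=Synaptics.exe
shell\\open\\Command=Synaptics.exe
icon=%SystemRoot%\\system32\\shell32.dll,4
action=Open folder to view files
UseAutoPlay=0
"""

# Keys whose value is launched directly; shell\<verb>\command keys are matched by pattern.
LAUNCH_KEYS = ("open", "shellexecute")

def autorun_launch_targets(text):
    """Return (key, command) pairs from autorun.inf text that would run a program.

    Section and key names are matched case-insensitively, as Windows does.
    Keys are returned lowercased; values are stripped but otherwise unchanged.
    """
    cp = configparser.ConfigParser(interpolation=None, strict=False, allow_no_value=True)
    cp.optionxform = str.lower          # INI keys are case-insensitive on Windows
    cp.read_string(text)
    targets = []
    for section in cp.sections():
        if section.lower() != "autorun":
            continue
        for key, value in cp.items(section):
            if not value:
                continue
            if key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
                targets.append((key, value.strip()))
    return targets

def referenced_files(text):
    """File names (first token of each launch command) the autorun.inf points at."""
    return sorted({cmd.split()[0].strip('"') for _, cmd in autorun_launch_targets(text)})

def check_drive(root):
    """Triage one drive root: report launch targets and which referenced files exist there."""
    path = os.path.join(root, "autorun.inf")
    if not os.path.isfile(path):
        return {"autorun_inf": False, "targets": [], "present": []}
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    targets = autorun_launch_targets(text)
    present = [f for f in referenced_files(text) if os.path.isfile(os.path.join(root, f))]
    return {"autorun_inf": True, "targets": targets, "present": present}

if __name__ == "__main__":
    print(autorun_launch_targets(SAMPLE_AUTORUN_INF))
    print(referenced_files(SAMPLE_AUTORUN_INF))
```

On a Windows host, `check_drive("E:\\")` gives the list of referenced files present on the drive, which is what you want to hash and compare against the C:\ProgramData\Synaptics\Synaptics.exe copy described in the persistence section.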

3. Keyboard monitoring

"Synaptics" drops a DLL implementing keyboard monitoring from the resource "KBHKS" and then loads that DLL to capture keystrokes.

4. Automatic email exfiltration

"Synaptics" sets a timer that, every 30 minutes, automatically emails the victim's sensitive computer information and the captured keystrokes back to the attacker. The information includes the computer name, user name, MAC address, and a current screenshot.

5. Remote control function

In addition to propagation, "Synaptics" has basic remote-control functionality: executing CMD commands, taking screenshots, listing directories, downloading files, deleting files, and so on.

6. Persistence

"Synaptics" copies itself to C:\ProgramData\Synaptics\Synaptics.exe and achieves automatic start by writing an autostart entry to the registry. That file, and a registry run entry pointing at it, are the simplest indicators to check on a suspected host.

Security advice

Do not open attachments or click links in emails from unknown sources, and treat an unexpected .xlsm file, or an .xlsx that has turned into .xlsm, with particular suspicion.

Keep the Office macro security setting at its default ("disable with notification") and do not enable macros for documents you did not expect to contain them.

Keep AutoRun disabled for removable media, and check USB drives for an autorun.inf and an unexpected EXE before using files from them.

Update system and application patches, and close unnecessary file sharing.

Use strong passwords, avoid weak passwords, and change passwords regularly.

On a suspected host, look for C:\ProgramData\Synaptics\Synaptics.exe, its registry autostart entry, and EXE files in Documents, Desktop and Downloads that carry "EXEVSNX" or "EXERESX" resources.

Source: blog.csdn.net/skystephens/article/details/104901398