Computer virus sample sharing

Packaged virus samples ↓

Link: https://pan.baidu.com/s/1Tr7PMWZ1wo0sgRYrQ07zdw?pwd=gqtr

Extract code: gqtr 

The poster personally likes to collect nostalgic classic viruses and to study their names.
Different antivirus products name the same virus inconsistently: some viruses have highly consistent names (such as XP Horror, Alman, Ramnit), while others go by many names (such as Panda Burning Incense and other worms), and it is common to see names like Trojan./Ransom./Generic. followed by a string of digits and letters that cannot be recognised intuitively. Therefore, the poster decided to summarise and collect the names of various viruses and, following common usage, to pick the name he considers most representative for each, marking it with (standard) after the name.
In addition, this post attaches each virus's MD5, a brief introduction and some virus samples, so that everyone can research and collect them conveniently.
Finally, this post may have many shortcomings and the poster is still enriching his collection; please offer your advice, and the poster looks forward to seeing more famous viruses shared by everyone!

The post is divided into the following categories:
1. Scripts/tricks/intimidation/malicious destruction
2. Worms
3. Ransomware
4. Backdoor viruses
5. Macro viruses
6. Other Supplements


1. Scripts/tricks/intimidation/malicious destruction
1. Rainbow cat virus
MD5: 19dbec50735b5f2a72d4199c4e184960
English name: Trojan.Win32.MEMZ.A (standard)
Introduction: This is an MBR virus; functionally it is a prank virus. It modifies the MBR master boot sector to break the computer's normal startup: after the MBR is modified and the computer restarts, it stays on a picture of Rainbow Cat, hence the name. When the virus is run, two prompt windows appear; after the user confirms, it modifies the MBR. Before the blue screen, many pages pop up, the mouse goes out of control and the desktop turns into a tunnel effect; after the blue screen, the computer cannot boot normally and the Rainbow Cat appears.
Detailed analysis: The most suitable virus analysis for novices - Rainbow Cat Virus
Sample: Rainbow Cat.zip - Lanzuoyun


2. CIH virus
MD5: 008c786f3c188338d7ae9dd8be8838a6
MD5 (source file): d30ee3c2d3d9056f0f70fc8d48e61156
English name: Virus.Win9x.CIH.1003.A (standard)
Introduction: Its main function is to infect system files, but it is known for its "side effect": it can damage computer hardware. It triggers on the 26th of each month (one version triggers on April 26 every year).
Version 1.0 was completed on April 26, 1998, with the basic ability to infect executable files; at this point the virus was 656 bytes.
Version 1.1 was completed on May 15, 1998, adding an operating system check: if the system is WinNT, the virus does not run; at this point the virus was 796 bytes.
Version 1.2 was completed on May 21, 1998, adding the functions of erasing the BIOS and destroying the hard disk; at this point the virus was 1003 bytes.
Version 1.3 was completed on May 24, 1998, fixing the bug when infecting WinZip self-extracting files; at this point the virus was 1010 bytes.
Version 1.4 was completed on May 31, 1998, completely fixing the bug when infecting WinZip self-extracting files; at this point the virus was 1019 bytes.
Note: This sample is CIH version 1.2.
Detailed Analysis: Looking Back Twenty Years - Analysis of CIH Virus Source Code - Zhihu
Sample: cih.zip - Lanzuoyun
Sample (source file): CIH source file.zip - Lanzuoyun





3. Happy Time Virus
MD5: 824a05957d9ba7be017fb8a0f80af5b2
English name: Email-Worm.VBS.HappyTime.A (standard)
Introduction: The worm spreads by e-mail using MS Outlook Express and the MSMAPI service, and is written in Visual Basic Script (VBS).
The worm arrives on the computer as an HTML-formatted e-mail message or as a plain-text message with an attached HTML file. In the first case, the script code in the HTML e-mail body executes automatically when the message is opened and the worm gains control. In the second case, the user has to open (double-click) the attached HTML file to activate the worm. Once activated, the worm does not start spreading immediately; instead it begins infecting the computer. It replaces the desktop wallpaper with an HTML file containing the worm's code. If the desktop had a background image before infection, that image is displayed as the background of the infected HTML, so in most cases it is not apparent to the user that the wallpaper has changed; therefore, every time the wallpaper is displayed (for example, at Windows startup) or the desktop is refreshed, the worm gains control.
Additionally, the virus infects all HTT files in the "WEB" subfolder of the Windows folder. Windows uses these files to customise the view of certain folders in Explorer (for example, the Program Files folder) when Web view is enabled, so infecting them causes the worm's code to run each time such a folder is displayed. Every time the virus gains control, it searches for files with the extensions HTM, HTML, ASP and VBS and infects them (inserts its own code into them), one file at a time. After a while, all such files on the computer are infected.
Detailed analysis: Kaspersky Threats — HappyTime
Sample: IWormHappyTime.A.zip - Lan Zuoyun






4. Love Worm Virus
MD5: 8a960cc7c9312bfd0e4309de67587d6a
MD5 (source file): 8ee3d0dd0f4ba11ed85a7bcb2935d2bc
English name: Email-Worm.VBS/Win32.LoveLetter.A (standard)
Introduction: It spreads by e-mail through Microsoft Outlook, sending messages with the subject "I LOVE YOU" and an attachment. Once the e-mail is opened in Microsoft Outlook, the system automatically copies and sends the virus to every address in the address book. The virus then changes the IE start page to point to a Trojan website and downloads a Trojan program, connects to an IRC service to spread, and finally destroys and hides some files on the system.
Detailed analysis: https://threats.kaspersky.com/en ... orm.VBS.LoveLetter/
Sample: i love you(lovebug virus decompression password-love).zip - Lan Zuoyun
Sample (source file): Love Worm virus source file.zip - Lan Zuoyun




5. Female ghost virus
MD5: 7873127a0bcef06cb96fb1e42aff137b
English name: Virus.Win32.Starfiled.A (standard)
Introduction: Prank program, scaring people with pictures of female ghosts.
Sample: https://wwi.lanzoup.com/ihLTz0atja4d (the picture is scary, not attached yet)


6. Windows XP Horror virus
MD5: 063ea883f8c67d3bb22e0a465136ca4c
English name: Virus.Win32.Induc.A (standard)
Introduction: Disguise as an XP upgrade package, change MBR after running, and many scary pictures appear.
Sample: Windows XP Horror virus.zip - Lan Zuoyun
Video: https://www.bilibili.com/video/BV1Gf4y1m7zk/ (if you are interested, you can watch it yourself)

7.
English name: (standard)
Introduction: It is written in VBS script, uses encryption and self-mutation, and is a malicious script worm that spreads through USB drives. Its behaviours include self-mutation, self-replication, modifying the registry, traversing folders, closing and ejecting the CD-ROM drive, locking the computer, abnormal processes and popping up threatening pictures.
Sample: Storm One.rar - Lanzuoyun

8. Sula virus
MD5: 4be31e7d4791907dfb19cc46f0c1e4fd
MD5 (source file): 42af19d515107a4fac82502ed55c7ad4
English name: Virus.Win32.Sola.A (standard)
Introduction: After infection the computer cannot be restarted, and safe mode cannot be entered to boot the system and scan for viruses. The user can only answer questions, and must reach a certain score for the virus to remove itself automatically; otherwise it further damages the system and forces the user to reinstall. Answering a question wrongly destroys the system.
Sample: https://wws.lanzoui.com/iACFYdhrcva
Sample (source file): Sola virus source file.zip - Lan Zuoyun



9. Funny virus
MD5: 815b63b8bc28ae052029f8cbdd7098ce
English name: Virus.Win32.Blamon (standard)
Introduction: A prank program made by a Bilibili uploader; when it starts, it plays funny emoticons full-screen, and its icon has been tampered with.
Sample: Funny Virus.zip - Lan Zuoyun



10. Chinese Black Panther Virus
MD5: eda588c0ee78b585f645aa42eff1e57a
English name: Trojan.Win32.FormatAll.V (standard)
Introduction: A deliberate prank, and a rather silly one; its source file (Trojan.Win32.FormatAll.A) is a malicious destruction program that uses the @echo y|format command to format the hard disk.
Sample: Chinese Black Panther password 498725314.7z - Lan Zuoyun




11. Lu Benwei virus
MD5: c71091507f731c203b6c93bc91adedb6
English name: Trojan.Win32.Disabler (standard)
Introduction: A spoof virus commemorating Grandpa Lu.
Sample: Reed Virus (password: tuza).rar - Lan Zuoyun
Video: Lu Benwei Computer Virus_哔哩哔哩_bilibili

12. Rain Cloud Virus
MD5: 0a456ffff1d3fd522457c187ebcf41e4
English name: Worm.VBS.yuyun.A / Cantix.A
Introduction: A LAN worm, which is fairly harmful.
Sample: https://wws.lanzoui.com/ia8wwdkqa2b

13. BMW virus
MD5: 1aa4c64363b68622c9426ce96c4186f2
English name: TrojanDownloader:Win32/Jadtre.B (Microsoft)
Introduction: This virus can serially infect BIOS (mainboard chip program), MBR (hard disk Master boot area) and Windows system files, so that the victim computer cannot completely remove the virus no matter whether it reinstalls the system, formats the hard disk, or replaces the hard disk.
Signs of infection:
1. Before Windows starts, the words "Find it OK!" are displayed on the screen;
2. The antivirus software repeatedly reports a "hard disk boot sector virus" but cannot completely remove it;
3. The browser homepage is tampered with.
Sample: BMW virus.zip - Lanzuoyun


14. Disttrack virus
MD5: b14299fd4d1cbfb4cc7486d978398214 / d214c717a357fe3a455610b197c390aa
English name: Virus.Win32.Disttrack.A (standard) / Virus.Win32.WipMBR.A / Virus.Win32.EraseMBR.A
Introduction: The executable contains the strings "wiper" and "ArabianGulf"; the same string also appeared in the Flame virus. Flame was once considered malicious software jointly developed by the US and Israeli governments to attack Iran's nuclear energy sector. The Shamoon virus is similar to Flame: it can send the data on the infected user's computer directly over the network and, once the data has been transmitted, permanently and viciously delete the data on the computer, including the master boot record, which leaves the system paralysed and unable to boot. The Shamoon virus file itself is only 900k, but its internal resources are fully encrypted.
Sample: Disttrack virus.zip - Lanzuoyun




15. Skull virus
MD5: dffe6e34209cb19ebe720c457a06edd6
English name: Trojan:Win32/Dynamer!rfn (Microsoft)
Introduction: Made by the Bilibili uploader Tiange. After running, it changes the wallpaper to a skull, then performs the same destructive behaviour as the dynamic Panda Burning Incense virus, and finally adds new user accounts to extort the victim.
Video resource: The whole process of the brutal skull virus outbreak_哔哩哔哩_bilibili (skull video)
https://www.bilibili.com/video/BV1up4y1i7pu/ (dynamic version of Panda Burning Incense; the music is nice)
Sample: https://wwi.lanzouo.com/i2UiFzbs0nc

         

2. Worms
An infectious virus adds itself to other programs or dynamic-link library (DLL) files so that it runs together with the infected program, then damages the infected computer and spreads itself; a worm mainly refers to a virus that replicates itself without human intervention and spreads through the network. Once newly infected computers are under the worm's control, it continues to scan for and infect other computers using them as hosts, and this behaviour repeats. The worm spreads by this recursive method, distributing itself at an exponential rate and controlling more and more computers over time. To simplify classification, and considering that the two have many similarities, they are put in the same category. However, following the naming used by the various antivirus products, this post still uses Virus for infectious viruses (in the previous category Virus is also used for some malicious destruction viruses) and Worm for worms.



1. Viking infectious virus/Panda Burning Incense worm virus
MD5: 512301c535c88255c9a252fdf70b7a03
MD5 (source file): d4a05ada747a970bff6e8c2c59c9b5cd / ad41ec81ab55c17397d3d6039752b0fd
Chinese name: Same as above
English name: Virus.Win32.Viking.A (standard) / Worm.Win32.Fujack.A (standard)
Introduction: It combines a file-infecting virus, a worm and a virus downloader, and has a very strong ability to spread. The virus damages some of the user's software so that it cannot be used, and spreads through infected files, local area networks and downloads of other viruses. It also automatically downloads and runs other viruses such as "QQ Passport" in the background, stealing the user's QQ and online-game account names and passwords and sending them to the attackers.
It is worth mentioning that most of the code of Panda Burning Incense is almost identical to Viking, which is why many products report Panda Burning Incense as Viking and many people consider it a Viking variant. However, Panda Burning Incense added a lot of its own fancy code on top of the original, such as panda pictures everywhere. The author's excessive arrogance and showing off were also among the reasons he was caught so quickly.
Sample: https://wws.lanzoui.com/iim4tdjnv1c  Password: 142857
Sample (source file): Wiking virus source file.zip - Lanzou Cloud  /  Panda Burning Incense Source File (Kaspersky Edition).zip - Lanzuo Cloud



2. Golden Pig Annunciation Virus
MD5: a57db79f11a8c58d27f706bc1fe94e25
Chinese name: Same as above
English name: Same as 1
Introduction: A variant of panda burning incense, with the panda head replaced with a golden pig head.
Sample: The original version of the Golden Pig Annunciation.zip - Lan Zuoyun




3. Shockwave Virus

MD5:fc14eaf932b76c51ebf490105ba843eb
Chinese name: shock wave virus
English name: Net-Worm.Win32.Blaster.A (standard) / Lovesan.A / Msblast.A
Introduction: It spreads using the RPC vulnerability announced on July 21, 2003. Once the attack succeeds, the virus body is transmitted to the other computer to infect it, causing the system to behave abnormally, restart continuously and even crash.
Sample: https://wws.lanzoui.com/icImWdq15yj


 

4. Sasser virus
MD5 (source file): 2a92da4b5a353ca41de980a49b329e7d
Chinese name: Sasser virus
English name: Net-Worm.Win32.Sasser.A (standard)
Introduction: It consumes a large amount of system resources; sometimes a dialog box about the RPC service terminating pops up, the system restarts repeatedly, e-mail cannot be sent or received, files cannot be copied normally, web pages cannot be browsed normally, copy and paste are seriously affected, and DNS and IIS services are severely affected, up to denial of service.
Sample: https://wwx.lanzoui.com/iw5PNwd7cuj

5. Ramnit infectious virus
MD5 (source file): 68abd642c33f3d62b7f0f92e20b266aa
MD5 (derivative, VirusTotal has many comments): ff5e1f27193ce51eec318714ef038bef

Chinese name: Same as above
English name: Virus.Win32.Ramnit/Nimnul.A (Standard)
Introduction: Since its discovery in 2010 it has been the infectious virus that infects the most users and has the widest impact. The virus can infect .exe, .dll and .html files on the user's system, encrypting itself and appending itself to the target file. When an infected file is executed, the worm is dropped into the current directory, named [InfectedFilename]Srv.exe, and then executed. At the same time it adds an MNetwork directory under %ProgramFiles%\. An infected computer tries to connect to a website, downloads a .dll file from it and registers it on the system.
Sample: https://wws.lanzoui.com/iWISddkqa1a

6. Disk drive virus
MD5:4c36884f0644946344fa847756f4a04e
Chinese name: Same as above
English name: Virus.Win32.Xorer.A (standard)
Introduction: It spreads mainly through USB drives and LAN ARP attacks, infects system executable files, can use various methods to terminate antivirus software, and can cause blue screens and crashes on the infected system.



7. Pabug worm virus
MD5: 2391109c40ccb0f982b86af86cfbc900
Chinese name: AV Terminator/Pabug
English name: Worm.
Introduction: It downloads from a website a large number of assorted Trojans, account-stealing Trojans, advertising Trojans and risky programs.
Sample: Pabug Worm Virus.zip - Lanzuoyun


8. Robot Dog Virus
MD5: e01388a75b670d9cbe54038eec8f5ecb
Chinese name: Same as above
English name: Trojan.Win32.Agent (standard) / Trojan.Peed.Gen / Trojan.DownLoader.31883 (Dr.Web) / Trojan-Downloader (0055e3da1) (Ikarus) / Trojan.Win32.Mnless.zpj (Rising)
Introduction: It can penetrate all kinds of disk restore cards and is very harmful.
Sample: Robot Dog Virus.rar - Lan Zuoyun

9. Running Bull Virus
MD5: 06e74cedc9af89a710ee326e2ac9d5e9
Chinese name: Same as above
English name: Win32:Dh-A [Heur] (Avast) / Spy.Banker.Gen (Avira) / Trojan.MulDrop.30219 (Dr.Web) / TrojanDownloader.Agent.OQW (ESET) / Trojan.Win32.Antavka.ji (Kaspersky) / Win32/Trojan.867 (360)
Introduction: A variant of Robot Dog; it slows the computer down and downloads a large number of Trojans onto it for hacking purposes.
Sample: Benniu virus.zip - Lanzuoyun



10. Jihu worm
MD5: ccbe1775eb280c1b6187628534fc34da
Chinese name: same as above
English name: Worm.Win32.Bototer (Standard) / Win32:AutoRun-BFB (Avast) / Diliman.B (Avira) / Win32.WowSub.4 (Dr.Web) / AutoRun.AntiAV.T (ESET) / Trojan-Dropper.Win32.Small (Ikarus) / Trojan.Downloader.9fc (360)
Introduction: A hybrid virus that combines Disk Drive, AV Terminator, Chinese Vampire and the Ringworm downloader.
Sample: Extreme Tiger Virus.zip - Lan Zuoyun


11. Almanahe Infectious Virus
MD5: 0e5cde58af173fe7a35e6266f55c9091
Chinese Name: Same as above
English Name: Virus.Win32.Almanahe.A (Standard)
Introduction: This virus has very strong anti-virtual-machine and anti-sandbox techniques, effective icon disguise and strong infection ability; it infects most .exe and .scr files.
Sample: Almanahe infectious virus source file.zip - Lanzuoyun




12. ttry worm virus/incaseformat worm virus
MD5: dac5f1e894b500e6e467ae5d43b7ae3e


MD5 (current outbreak sample): 915178156c8caa25b548484c97dd19c1
Chinese name: Same as above
English name: Worm.Win32.AutoRun.xxx (standard)
Introduction: An old worm sample; because of a mistaken value in its code, the date on which it deletes the original files was delayed to a recent time.
Detailed analysis: ThreatBook
Sample: ttry worm virus.zip - Lanzoux
Sample (current outbreak sample): https://wwx.lanzoux.com/ia6VPki78ha


13. Neshta infectious virus

MD5: 36fd5e09c417c767a952b4609d73a54b
Chinese name: Same as above
English name: Virus.Win32.Neshta.A (standard)
Introduction: It drops an svchost.com file into the system's %SystemRoot% directory and adds a registry entry so that it runs first whenever any .exe file is executed. The virus also collects system information, such as the list of installed software, the list of running software and SMTP e-mail accounts, and sends it to a remote server.
Sample: Neshta source file.zip - Lanzuoyun



14. Synaptics-infected virus
MD5: 52edba919646dc8bffb9db9bfd95bbfd
Chinese name: same as above
English name: Virus.Win32.Synaptics.A (standard)
Introduction: It intercepts the user creating or opening Excel documents and replaces the newly created or opened Excel document with one containing malicious macro code.
Sample: Synaptics Worm Virus.zip - Lanzuoyun


15. Floxif Infectious Virus
MD5: 8a9ea9c338e14cf0921ca9fe483b5b02
MD5 (source file): 836dbce15f1dfaad3df9f28b24047b41
Chinese Name: Same as above
English Name: Virus.Win32.Floxif/Pioneer.A (Standard)
Introduction: It bears a 360 digital signature and disguises itself as a 360 Network Shield helper program, infecting executable (.exe) and dynamic-link library (.dll) files.
Sample: Floxif virus.zip - Lanzuo Cloud
Sample (source file): Floxif Worm.zip - Lanzuoyun


16. Cridex worm virus
MD5: 78cc821b5acfc017c855bc7060479f84
Chinese name: same as above
English name: Worm.Win32.Cridex (standard)
Introduction: It injects itself into explorer.
Sample: Cridex Worm Virus.gz - Lan Zuoyun

17. TYJ Worm Virus

MD5: 59678e7ed89c0935d61ba0d2249ef10c
Chinese Name: Same as above
English Name: Worm.VBS.TYJ (Standard) / VBS.Dunihi (Standard)
Introduction: Has both worm propagation and backdoor functionality.
Sample: TYJ Worm Virus.zip - Lanzuo Cloud


18. Folder Worm Virus
MD5: c25ce8475a0ada1b8fbdf8078bf30c1f
Chinese Name: Same as above
English Name: Worm.Win32.Scar (Standard)
Introduction: It disables the registry and Task Manager, turns all folders into .exe files, and places an autorun file on every disk that runs the virus automatically; on an infected USB drive, opening it via right-click does not help, and it remains infected.
Sample: Folder Virus.zip - Lanzuoyun


19. acad Pirate Picture Virus
MD5: 802daed715df692cc4f65812ca11795f
Chinese Name: Same as above
English Name: Worm.Win32.ACAD (standard)
Introduction: It infects only .lsp files and does no harm to the computer itself, but it damages the related drawing files.
Sample: acad.rar - Lanzuoyun

20. Dorkbot worm virus
MD5: 0d4b7f4c1731c91dff56afce0ecf37c5 / 98f74b530d4ebf6850c4bc193c558a98
Chinese name: Same as above
English name: Worm.Win32.Dorkbot (Standard) / Trojan.Agent.AWYO / Worm.Win32.Bublik (Standard) / Win32.Trojan.f77 (360) / Trojan.Win32.Bublik.iza (Kaspersky)
Introduction: https://www.freebuf.com/articles/network/162324.html (dates back to 2012 at the earliest)
Sample: Dorkbot worm virus.zip - Lan Zuoyun

21. Sality infectious virus
MD5: 55bfee3915ae84f38fda750587868ae7
MD5 (source file): bf8af7b28ba7b27fd961b7192ca4a7c3
Chinese name: Same as above
English name: Virus.Win32.Sality.A (standard)
Introduction: The Sality family was first discovered in 2003. Over years of development it has become increasingly stubborn; its main malicious code body provides dynamic, persistent, fully functional virus behaviour, and relatively new Sality variants even use a large number of rootkit techniques to hide themselves and resist antivirus products. After the virus runs, it terminates security-related software and services, infects .exe and .scr files on the system, injects virus threads into all processes, and downloads further malware to the system in the background. At the same time, it copies itself to removable devices and network shares for propagation. In addition, some variants also collect information about the infected system and send it to a specified website.
Sample: Sality Worm Virus.zip - Lanzuo Cloud
Sample (source file): Sality Source File.zip - Lanzuo Cloud


22. Conficker Worm Virus
MD5: c9e0917fe3231a652c014ad76b55b26a
MD5 (source file): 1db5476c766555c9995b25d19f97b9bc
Chinese Name: Feike Virus
English name: Worm.Win32.Conficker.A (Standard)
Introduction: The Conficker virus broke out in October 2008. It used the known MS08-067 vulnerability in Windows to spread wildly: it first destroys the default property settings in the system, then automatically searches the LAN for other vulnerable computers. Once a vulnerable system is found, it triggers the vulnerability, establishes a connection with the infected system, and finally carries out remote infection.

Sample: https://www.lanzoux.com/id9jRh42d1c
Sample (source file): Conficker worm source file.zip - Lanzuoyun

23. Babonock worm
MD5: 8b5c2cbf7d89be0a6eb66ecc29d9f5fd
Chinese name: Same as above
English name: Worm.Win32.Babonock.A (Standard)
Introduction: An old worm that spreads via USB drives.
Sample: babonock worm virus.zip - Lan Zuoyun

24. Angry Angel Infectious Virus
MD5: aec931e484f13e7a89fc9f9d24242546
Chinese name: Same as above
English name: Virus.Win32.Madang.A (standard)
Introduction: The virus searches every disk partition on the system for executable files and infects them; infected executables grow in size, take up more disk space and cannot be used normally. While infecting an executable, the virus marks each infected file to avoid infecting it again.
Sample: Angry Angel Worm.zip - Lan Zuoyun

25. Code Red Worm
MD5: 6f5767ec5a9cc6f7d195dde3c3939120
Chinese Name: Same as above
English Name: Net-IISWorm.Win32.CodeRed.A (Standard)
Introduction: It exploits a buffer overflow vulnerability in Microsoft IIS to infect and spread. The virus sends an HTTP GET request containing a long run of garbage characters to port 80 of the IIS server; once running on that system, it resides in memory and continues to infect other IIS systems. When Code Red sends its GET request to a victim, it always places a file name with the .ida suffix before the garbage characters, indicating that it is requesting that file, which is an important signature of Code Red.
Sample: Code Red Worm.zip - Lan Zuoyun

26. Code Blue Worm

MD5: d9f17e5c44f981fe11293a607151fc0e
Chinese name: Same as above
English name: Net-Worm.Win32.BlueCode.A (standard)
Introduction: It attacks a vulnerability in Microsoft's inetinfo.exe and implants a hacker program named SvcHost.EXE to run; the worm continuously generates new threads in the server's memory, eventually causing the system to run slowly or even crash.
Sample: Blue Code Worm.zip - Lan Zuoyun


27.Happy99 Worm
MD5: 162c41323e23af3a3913caf716b189da
Chinese Name: Same as above
English Name: Email-Worm.Win32.Happy.A/Ska.A (Standard)
Introduction: It spreads mainly by e-mail, or is downloaded to the hard disk from some newsgroups. After execution, a colourful picture of holiday fireworks appears in the opened window, titled "Happy New Year 1999!!". Whenever an e-mail is sent, another e-mail is quietly sent to the same address with no text and a single attachment, Happy99.exe, which can stop you sending and receiving mail normally until the whole mail system is paralysed. The virus is a 32-bit worm program. After Happy99.exe is executed, it creates two files in the Windows SYSTEM directory: SKA.EXE, a copy of Happy99.exe, and SKA.DLL, which is stored compressed inside SKA.EXE. At the same time it renames WSOCK32.DLL to WSOCK32.SKA and generates a new file of the same size as the original WSOCK32.DLL.
Sample: Happy99 Worm Virus.zip - Lan Zuoyun


28. Toal Worm Virus
MD5: 153c98a99367c3971ae3d1648b1b6fa1
Chinese Name: Bin Laden Virus
English name: Worm.Win32.Toal.A/ Win32.InvictusDLL (Standard)
Introduction: It automatically connects to the ICQ network, uses its own hacking tool to find e-mail addresses and, after choosing a target, keeps replicating itself and spreading automatically. The sharp increase in infected files makes the computer run slower and slower and eventually leads to system failure.
Sample: Toal Worm Virus.zip - Lan Zuoyun


29. Nimda Worm Virus
MD5: 642a393a5c65d202180df5af06f29c5a
Chinese Name: Same as above
English Name: Net-Worm.Win32.Nimda (Standard)
Introduction: It spreads through e-mail, shared network resources, IIS servers and web browsing, and modifies .htm, .html and .asp files on local drives. This virus can cause IE and Outlook Express to load and generate readme.eml virus files.
Sample: Nimda Worm Virus.zip - Lan Zuoyun

30. Zippedfiles Worm Virus
MD5: 0e10993050e5ed199e90f7372259e44b
Chinese Name: Same as above
English Name: Email-Worm.Win32.ZippedFiles/Explorezip.A (Standard)
Introduction: After the virus executes and enters the system, it looks for e-mail addresses in the current inbox, copies itself and sends itself to the addresses found as an e-mail attachment, with the message text: "Hi <Name of Recipient>!, I received your e-mail and I shall send you a reply ASAP. Till then, take a look at the attached zipped docs." The subject of the e-mail is the subject of the previously sent e-mail, and the attachment is displayed with the WinZip icon. After the virus enters the system (32-bit Windows 95/98 or NT) and runs, it generates a SETUP.EXE file (in the Windows directory) and an EXPLORE.EXE file (in the WINDOWS\SYSTEM directory).
Sample: Zippedfiles worm virus.zip - Lan Zuoyun

31. Marburg infectious virus
MD5: e8e0f1f5305718a03432a09fe38ab007
MD5 (source file): 36acd261d4427e521819cc97f672c4e5
Chinese name: same as above
English name: Virus.Win9x.Marburg.A (Standard)
Introduction: It automatically deletes the integrity-check files, such as CHKLIST.MS, that MSAV and CPAV generate in subdirectories, automatically detects SCAN, F-PROT and other antivirus software and evades their detection, and does not infect files whose names contain the letter V. Its trigger condition: three months after a file was infected, if the infected executable is run during the same hour of the day as the first infection, red circles appear at random on the screen; its variants also destroy the hard disk file system under Windows.
Sample: https://wwx.lanzoux.com/imIJyjbqfef
Sample (source file): Marburg infectious virus source file.zip - Lan Zuoyun


32. Assarm worm virus
MD5: e3e151ac16581fec619c0d7ae4fba29f
Chinese name: Same as above
English name: Email-Worm.Win32.Assarm.A (Standard)
Introduction: This e-mail worm replies to unread e-mails in the Outlook mailbox, but if it is Monday or Thursday and the hour of the day is greater than 5, the virus does not send e-mails.
Sample: Assarm Worm Virus.zip - Lanzuoyun

33. 3DStars Worm Virus
MD5: d738768613c52557157d90c701cecc5e
Chinese Name: Same as above
English Name: Email-Worm.Win32.3DStars.A/B (Standard)
Introduction: None.
Sample: Email-Worm.Win32.3DStars.zip - Lanzuoyun

34. SmackinBird worm virus
MD5: 30088199a7aeeacbba1b9302c94a5c14
Chinese name: Same as above
English name: Worm.JS.SmackinBird.A (standard)
Introduction: None.
Sample: SmackinBird Worm Virus.zip - Lanzuoyun


35. Newley worm virus
MD5: 16f3f44b710ae19f67584917eaca369c
Chinese name: Same as above
English name: Worm.VBS.Newley.A (standard)
Introduction: None.
Sample: Newley Worm Virus.zip - Lan Zuoyun


36. Mydoom Worm Virus
MD5: 53df39092394741514bc050f3d6a06a9
Chinese Name: Same as above
English Name: Email-Worm.Win32.Mydoom.A (Standard)
Introduction: After the user opens and runs the virus program in the attachment, the virus targets the e-mail addresses in the user's mailbox, forges the source address, sends large numbers of e-mails with virus attachments, and leaves a backdoor on the user's host that can upload and execute arbitrary code. This virus broke out in 2004 but is still very active.
Sample: Email-Worm.Win32.Mydoom.a.zip - Lanzuoyun

37. Bugbear worm virus
MD5: 36acd261d4427e521819cc97f672c4e5
Chinese name: monster virus
English name: Email-Worm.Win32.Tanatos/Bugbear.A (standard)
Introduction: Monitor the keyboard actions of computer users, and intercept the user's login name and password; modify the registry, and the virus will be automatically launched when the computer user starts up. It will automatically search and kill the anti-virus software processes it knows; send the infected user's confidential information to the external virus client: such as user name and password, etc. Moreover, the "monster" virus will attack the printer, as long as it finds a printer or a network printer! will print random binary codes!
At the same time, the "monster" virus has a strong ability to spread. It will use the local area network to spread, and as long as it can find resources, it will be infected by "monsters". As soon as these infected machines are started, the virus will start accordingly.
Sample: Bugbear worm virus.zip - Lanzuoyun

38. Bagle worm virus
MD5: e65d7ab639a2361493d388e36d1e663a
Chinese name: Same as above
English name: Email-Worm.Win32.Bagle.A (standard)
Introduction: Opens a backdoor on a TCP port that remote users and applications can use to gain access to data (anything, including financial and personal information) on the infected system. According to an April 2005 article, the worm is "often referred to as the originator of the 'profit-by-malware campaign' by hackers who want to make a name for themselves."
Sample: Bagle Worm Virus.zip - Lanzou Cloud

39. Klez worm virus

MD5: f95981829ca660e84f1d33bdfa9e2a28
Chinese Name: Cover Letter Virus
English Name: Email-Worm.Win32.Klez.A (Standard)
Introduction: The subject of the infected message and the name of the attachment are variable. It uses a known IE security hole (the IFRAME vulnerability), so it starts automatically when an infected message is opened. It spreads not only in the local network but also through e-mail messages. It creates an executable file in the Windows temporary folder with a random name starting with the letter K (such as KB180.exe), writes the "Win32.Klez" virus into it and starts it. This virus infects most Win32 PE-format executable programs on all available disks of the computer.
When an infected file is started, the worm copies itself to the Windows system folder under the name "krn132.exe", writes the following key values into the registry (below) and starts together with Windows.
    Note: The text of the email is as follows:
I'm sorry to do so, but it's helpless to say sorry. I want a good job, I must support my parents. Now you have seen my technical capabilities. How much my year-salary now? NO more than $5,500. What do you think of this fact? Don't call my names, I have no hostility. Can you help me?
    Because this content is about job hunting, the virus is called the "cover letter virus".
Sample: Email-Worm.Win32.Klez.A.zip - Lanzou Cloud



40. Flame Worm
MD5: bb5441af1e1741fca600e9c433cb1550
Chinese name: Same as above
English name: Worm.Win32.Flame.A/B (Standard)
Introduction: The Flame virus, like Panda Burning Incense, is a "worm virus" that has gone through many variants. It began to wreak havoc on the Internet on October 9, 2005, infecting mainly through downloaded files. It spread all over the world in 2007, seriously damaging computer programs and systems, and was blocked by the WEB information security team in January 2014.
The full name of the "Flame" virus is Worm.Win32.Flame. It is a backdoor program and a Trojan horse that also has the characteristics of a worm: as soon as the controller behind it gives the instruction, it can replicate itself across the network and onto mobile devices. Once a computer system is infected, the virus begins a complex series of actions, including monitoring network traffic, taking screenshots, recording audio conversations, intercepting keystrokes, and more. All data on the infected system can be transmitted over the link to a server designated by the virus, so that the controller can see it at a glance. According to Kaspersky Lab statistics, more than 500 infections have been found so far, mainly in Iran, Israel and Palestine, with isolated cases in countries such as Sudan, Syria, Lebanon, Saudi Arabia, Egypt and China (many of them household computers).
The design of "Flame" is extremely complex, and it can evade 100 kinds of anti-virus software. A computer infected with the virus automatically analyses its own network traffic patterns, records the user's passwords and keyboard typing patterns, and sends records of the user's browsing, communication calls, account passwords, keyboard input and other important files to the remote control server. It is considered the largest and most complex network attack virus ever discovered.
Sample: Flame Worm Source File.zip - Lanzou Cloud



Note: Flame virus got its name from Flame in the code above.



41. Sobig worm virus
MD5: 100018b06a74ab304261211ab11d4252
Chinese name: Big Mac virus
English name: Email-Worm.Win32.Sobig.A (Standard)
Introduction: Spreads through the LAN: it finds all computers on the LAN and tries to write itself into the startup directory of each computer so that it starts automatically. Once the virus is running and the computer is connected to the Internet, it automatically downloads the virus from a specified website every two hours; at the same time it searches the hard disk for all email addresses and sends virus emails with subjects such as "Re: Movies" and "Re: Sample" to those addresses, spreading by email. It also sends the user's private data to a designated mailbox. Since part of the email content comes from data on the infected computer, it may leak the user's confidential files.
Sample: Sobig Worm Virus.zip - Lanzou Cloud

42. Super Factory Worm Virus
MD5: 74ddc49a7c121a61b8d06c03f92d0c13/055a3421813caf77e1387ff77b2e2e28
Chinese Name: Same as above
English Name: Worm.Win32.Stuxnet.A/B (Standard)
Introduction: Stuxnet, the "super factory virus", is a virus targeting Microsoft systems and Siemens industrial systems. It has infected industrial systems and individual users in many countries and regions. It can spread through the network, and unlike previous viruses its code is very sophisticated; it caused Iran's nuclear power plant to delay power generation. Stuxnet, the world's first "super factory virus", has already invaded China. An early warning issued by Rising on September 25, 2012 showed that nearly 5 million Internet users and leading companies in various industries in China had been attacked by the Stuxnet worm, and that, due to the lack of security systems, the virus still risked spreading on a large scale.
According to Rising security experts, the Stuxnet worm is the world's first destructive virus written specifically for industrial control systems. It can exploit seven vulnerabilities in Windows and the Siemens SIMATIC WinCC system to attack. The attack on the Siemens SIMATIC WinCC Supervisory Control and Data Acquisition (SCADA) system is especially significant, because this system is widely used in many important industries in China, such as steel, electric power, energy and the chemical industry, for human-computer interaction and monitoring.
Stuxnet and its variants are worms that exploit the latest Windows Shell vulnerability to spread malicious files. The vulnerability is caused by Windows incorrectly parsing shortcuts (files with a .LNK extension), which can execute malicious code when the user clicks the displayed icon of a specially crafted shortcut.
Sample: Stuxnet worm virus.zip - Lanzou Cloud

43. Magistr worm virus

MD5: ca3a810e952f642bf88a8370c88bd072
Chinese name: Magistr virus
English name: Email-Worm.Win32.Magistr.A (standard)
Introduction: Infects WIN95/98/ME systems and has the characteristics of both a virus and a worm. Unlike many earlier viruses, which spread only through email, Magistr can also spread as copied files in addition to email attachments. The virus automatically searches the address books of Outlook and Netscape mail clients and saves all addresses in the file Username.Dat under the Windows directory, where Username is the machine name.
Sample: Magistr Worm Virus.zip - Lanzou Cloud

44. Tenga Worm Virus
MD5: a87c41fd395221baa23f368d7e17da55
Chinese name: Same as above
English name: Worm.Win32.Tenga / Gael.3666.A (standard)
Introduction: Virus characteristics: Win32.Gael.3666.A is a virus that infects Win32 PE files and attaches itself to the original file.
Infection method: When executed, Gael.3666.A scans all files on the local system and infects the Windows PE files it finds. The virus creates a mutex named "CBACK_GAELICUM" to prevent multiple copies of itself from running at the same time.
Propagation method: Spreads through file infection and network shares; it also scans arbitrary IP addresses on port 139, spreads to remote machines and infects target files in the shares on those machines.
Harm: Downloads and runs arbitrary files: the virus tries to download the file dl.exe from the utenti.lycos.it domain and run it. This file is detected as Win32.Gael!downloader. It in turn downloads and runs two other files from the same domain:
- <root>\GAELICUM.EXE – a copy of the virus
- <root>\CBACK.EXE – the backdoor component (detected as Win32.Gael.A)
Backdoor function: CBACK.EXE opens a backdoor on port 4321 and uses the Windows command prompt to accept and run commands from a remote machine. It also sends a message, including the open port number, to vx9.users.freebsd.at.
Sample: Tenga Worm Virus.zip - Lanzou Cloud

45. Virut Infectious Virus

MD5: 606a95b422c08c106744a6e312413aab
Chinese name: Same as above
English name: Virus.Win32.Virut.A (Standard)
Introduction: On a host infected with Virut, most of the executable files on the entire disk (mainly .exe and .scr), as well as a large number of HTML documents, are maliciously modified to append the malicious code. As a result, opening almost any local software application on the infected host is likely to trigger Virut. The purpose of Virut is to use the victim's host over the long term: to steal important user information, to download and install unwanted rogue software or malware in order to earn installation fees, and to use the host as a DDoS terminal, to send spam or phishing emails, and as a springboard for fraud and other illegal acts.
      Detailed analysis: https://www.cnblogs.com/Mikhail/p/5615286.html
Sample: Virut Infectious Virus.zip - Lanzou Cloud




46. Parite Infectious Virus
MD5: cd86b04047ba72d5a4629806d274ad1e
Chinese name: Same as above
English name: Virus.Win32.Parite.A (Standard)
Introduction: The virus program is written in C++ and its components in assembler. When an infected file is run, it writes the virus body out as a temporary file and executes it. The virus then infects programs: it searches all .scr and .exe Win32 PE-format files on the logical hard disks and in shared directories on the LAN and infects them. While running, the virus attaches itself to Explorer.exe in order to stay resident in memory.
Detailed Analysis: Parite.H Virus Analysis - Langligelang...'s Blog - CSDN Blog
Sample: Parite Worm Virus.zip - Lanzou Cloud



47.HIV Infectious Virus
MD5: 72ba9635c92450c85c556739ae78507a
Chinese name: Same as above (not the Human Immunodeficiency Virus!!)
English name: Virus.Win32.HIV.6xxx
Introduction: This virus is named after the prompt it contains: "this cell has been infected with HIV".
This is a dangerous per-process memory-resident Win32 virus that infects PE EXE files (Windows applications) and MSI archives, "upgrades" itself from the Internet, and has e-mail propagation capabilities. The virus is encrypted and uses "entry point obscuring" technology to hide itself in infected files. The length of the virus is about 6K (the number after the English name of the virus is its infection length). The virus uses anti-debugging techniques that halt the computer if SoftICE or another debugger is detected on the system. The virus also tries to disable Windows File Protection. To do this it infects the system files responsible for file protection: it overwrites DEFAULT.SFC (under Win98) or SFCFILES.DLL (under Win2000) with empty data. This trick works under Win98 but not under Win2000, because Win2000 blocks access to SFCFILES.DLL or immediately restores it from backup.
The virus looks for .EXE files in the current directory and infects them, writing itself to the end of the file. To gain control, the virus does not modify the program entry point but looks for standard subroutine prologues/epilogues and patches an epilogue with a JMP_Virus instruction. Therefore the virus does not activate when an infected file is run, but only when an infected routine executes (when the corresponding branch takes control). The virus then remains in memory as a component of the infected program, hooks several file access functions, and infects EXE files accessed by the infected program. Thus the virus is active in Windows memory until the infected application terminates. In some cases, when running on an NTFS computer, the virus creates an additional NTFS stream (ADS) named ":HIV" ("filename.ext:HIV") in the infected file and writes the following "copyright" text there: "This cell has been infected with the HIV virus, production: 0xNNNNNNNNNN", where NNNNNNNN is the virus "production" number.
Detailed analysis: Kaspersky Threats — HIV
Sample: https://wwi.lanzouo.com/i0aFNylg8va

48. Chinese hacker worm
MD5: bd587a60707832a5ebba769aa919bfe8
Chinese name: Same as above
English name: Email-Worm.Win32.Runouce.A / Worm.Win32.Chir.A
Introduction: The virus does not infect executable files. When activated, it copies itself to the Windows system directory: to windows\system\runouce.exe on Windows 9x and to winnt\system32\runouce.exe on Windows 2000 and Windows NT. It then runs that program and adds it to the registry as an auto-start item, so that the virus body is activated every time the computer is turned on. On Windows 98 and Windows 95 the offset address is bff70400: the virus creates a kernel thread through the CreateKernelThread function with this address as the thread's entry point. This kernel thread calls WaitForSingleObject to put itself into a waiting state until the parent process ends. If the parent process is terminated, the kernel thread wakes up immediately and calls WinExec to restart the virus process. In this way, after antivirus software kills the virus process in memory, the virus is activated again immediately, so the virus in memory cannot be killed. On Windows 2000 it injects a thread into explorer; this thread protects the virus process, and if the virus process ends, the thread in explorer restarts it.
The virus protects its process in memory through the methods above. At the same time, the virus spreads through email, starts automatically, and can make effective use of the local area network to spread. Once it enters a machine on the LAN, it immediately searches for shared folders in "My Network Places". Whenever a writable shared folder is found, it generates an .eml file whose name begins with the name of the infected machine, so all machines on the LAN eventually become "sending bases" for virus emails.
Sample: Chinese Hacker Worm.zip - Lanzou Cloud
Sample (Chinese Hacker 2 Worm, variant B): Chinese Hacker 2 Worm.zip - Lanzou Cloud



49. Naked worm virus
MD5: 9acd3a3298fc73f29cc013f60d5ac433
English name: Email-Worm.Win32.Naked (standard)
Introduction: This is an Internet worm that spreads by sending infected emails from infected computers. When spreading, the worm uses MS Outlook and sends itself to all addresses stored in the MS Outlook address book. The worm itself is a ~70K Win32 application written in Visual Basic. The virus does not install itself on the system and does not touch the system registry (i.e. it does not register itself there). It is a "direct action" virus that only performs its action when activated from an infected email. The worm copies itself to the Windows TEMP directory but does not use that copy. When run, the worm displays a fake window containing a "Macromedia Flash Player" picture and the message "Loading", "Loading...", "Loading..." - the message loops indefinitely.
Selecting the menus in the window does not invoke any action, with the exception of the Help menu: after selecting it, the item "About Macromedia Flash Player 5..." appears, and when that is selected the worm displays a message box.
The worm emails itself, attaching the EXE file that is the worm itself. The message includes:
Attached file name: NakedWife.exe
Subject: Fw: Naked Wife
Message body:

My wife never look like that!

Detailed analysis: Kaspersky Threats — Naked
Sample: Nake Worm Virus.zip - Lanzou Cloud


50. Jeefo infectious virus
MD5: 9e3c13b6556d5636b745d3e466d47467
English name: Virus.Win32.Jeefo/Hidrag.A (standard)
Introduction: The virus resides in memory and infects 32-bit exe files. When it runs, it creates a copy of itself about 36K in size and places it in the Windows directory under the name svchost.exe. It then registers an auto-run entry for this file in the system registry and, while active, starts looking for exe files from the C drive onward and infects them. There are no obvious symptoms during the whole process.
Detailed analysis: https://www.microsoft.com/en-us/... Virus:Win32/Jeefo.A
Sample: Jeffo Infectious Virus.zip - Lanzou Cloud



51. Pikachu Worm Virus
MD5: 715614e09261b39dfa439fa1326c0cec
English name: Email-Worm.Win32.Pikachu.A / Worm.Win32.Pokey.A (Standard)
Introduction: This is a worm that spreads over the Internet using Microsoft Outlook; it is written in Visual Basic 6.0 and is emailed as a message with PikachuPokemon.exe attached.
When the worm starts, it replaces the contents of the original .bat file with commands that destroy files in the Windows home and system directories. The worm then scans the Microsoft Outlook address book and creates the following message in the Outbox folder for each address it encounters:

On each message the worm attaches itself as the file "PikachuPokemon.exe", so everyone who received such a message and inadvertently activated the attachment sent a copy of the worm to every recipient in their address book.
Sample: https://wwi.lanzoup.com/iH0kq03yrjuj

52. NetSky worm
MD5: e252e39c7b29e56da73ceef8d47fe073
Chinese name: Tianji worm
English name: Email-Worm.Win32.Netsky.A (standard)
Introduction: This virus appeared on February 16, 2004, and the B variant that appeared on February 18 was highly contagious. Later a man named Sven Jaschan was arrested and admitted that he had created the NetSky and Sasser worms; after his release from prison he found work in the security industry again. Interestingly, some other variants of the NetSky worm contained many insults aimed at the authors of the Bagle and Mydoom worms, and some variants even searched for and removed those two worms.
Initially sent in a flood of emails, the virus spreads itself in ZIP archives attached to emails or as executable attachments, and also copies itself to shared folders on all available drives, so that it can spread over peer-to-peer (P2P) and local networks. When the worm runs, a fake prompt box pops up first:

The worm then copies itself to the Windows directory under the name SERVICES.EXE and creates a startup entry for this file in the system registry. If the worm finds a folder named "shared" or "shared," it copies itself to that folder under a file name that induces someone to open it. If the Internet is available, the worm sends itself as an email, tricking the recipient into opening the attachment. When opened, the attached program scans the computer for email addresses and sends the email to all addresses found.
Because the worm was attached to many illegal music downloads, Boris Daenen (stage name NetSky) named the worm after his stage name, which is still used today.
Sample: Netsky worm virus.zip - Lanzou Cloud


3. Ransomware
1. WannaCry ransomware

MD5: 84c82835a5d21bbcf75a61706d8ab549 (many comments on VT)
MD5: db349b97c37d22f5ea1d1841e3c89eb4 (many comments on VT)
Chinese name: Same as above
English name: Ransom.Win32.WannaCryptor (Standard) / Win32/Trojan.Multi.daf (360)
Introduction: The master sample of the ransomware world. It can be said that the emergence of WannaCry directly pushed the "large-scale" development of ransomware towards specialisation and profit.
WannaCry is a "worm-like" ransomware (it has the characteristics of a worm, but is essentially ransomware). It uses "EternalBlue" to spread automatically and can infect all computers in a system within a few hours. After the ransomware is executed remotely through the vulnerability, it releases a compressed package from its resource section; the package is decrypted and unpacked in memory with the password WNcry@2ol7. These files include the exe that pops up the ransom window, the bmp of the desktop background image, the ransom texts in various languages, and two exe files that assist the attack. They are released to the local directory and set as hidden. (Note: to clarify, "Eternal Blue" is the name of the exploit tool leaked from the NSA, not the name of the virus; it refers to the dangerous "EternalBlue" vulnerability leaked from the NSA. This time it was used by the WannaCry ransomware, but of course other viruses may also spread through the "Eternal Blue" vulnerability.)
After being invaded by this ransomware, almost all types of files in the user's host system (photos, pictures, documents, audio, video, etc.) are encrypted, the suffixes of the encrypted files are uniformly changed to .WNCRY, and a ransom dialog pops up on the desktop asking the victim to pay hundreds of dollars' worth of bitcoin to the attacker's bitcoin wallet, with the ransom amount increasing over time.
Sample: Wannacry ransomware.zip - Lanzou Cloud


2. WannaRen ransomware
MD5: 1de73f49db23cf5cc6e06f47767f7fda
Chinese name: Same as above
English name: Ransom.Win32.WannaRen (standard)
Introduction: In April 2020 the "WannaRen" ransomware began to spread, and most antivirus software could not intercept it. It encrypted almost all files on the Windows system, appending the suffix .WannaRen, and demanded a ransom of 0.05 Bitcoin.
Dramatically, shortly after the outbreak the author of the ransomware (which was clearly written by a Chinese author, for instance because it was written in Easy Language) "turned himself in": he sent the decryption key to a Huorong user and asked the user to forward it to Huorong Security Laboratory, and Huorong Security urgently built a decryption tool after receiving the key.
On April 9, 2020 Huorong Security successfully produced the decryption tool, and the "WannaRen" ransomware then stopped spreading.
Detailed Report: WannaRen Incident Analysis Report – NSFOCUS Technology Blog
Sample: WannaRen Ransomware.zip - Lanzou Cloud


3. Petya Ransomware
MD5: 71b6a493388e7d0b40c83ce903bc6b04
Chinese Name: Same as above
English Name: Ransom.Win32.Petya (Standard)
Introduction: Petya Ransomware Analysis Report - Rising.com (analysis report)
PS: In a virtual machine experiment, Petya did not actually lock the files during the "disk repair" phase.
Sample: Petya ransomware.zip - Lanzou Cloud



———————————————————————————————————————————————————————————————————————————
Note: This ranking comes from Tencent Cloud's inventory. Because ransomware has too many variants and the detection names reported by the various antivirus products are not uniform, only the reported name closest to the widely recognised name of the virus is used.



4. Stop/Keypass ransomware
MD5: c4391b3b073bb1354afef0f1260b8fb8 / cd8c86863628f4d0c7f54fc3350fb1d9
Chinese name: Same as above
English name: Ransom:Win32/STOP.BS!MTB (Microsoft) / Ransom.Win32.Keypass.A (Microsoft)
Introduction: Compared with the DATAWAIT version that became active in November 2018, this version of the virus has changed its encryption algorithm and virus modules. Since files encrypted by this version of the Stop ransomware cannot currently be decrypted when its infrastructure is working normally and the network is stable, all government and enterprise organisations are reminded to take precautions.
The Stop ransomware family mainly spreads in China through software bundling, spam and similar channels. When encrypting, it usually needs to download other auxiliary virus modules. The Stop ransomware leaves a ransom note named _readme.txt demanding $980, and claims that contacting the virus author within 72 hours gets a 50% discount.
The Stop ransomware also has the following characteristics:
1. When encrypting, it disables the Task Manager, disables Windows Defender, and turns off Windows Defender's real-time monitoring (derivatives, as shown in the figure below);
2. It blocks the system's access to a global range of hosts by modifying the hosts file;
3. While the virus encrypts, the system freezes noticeably; to deceive the user, the virus pops up a fake Windows automatic update window;
4. It releases a TeamViewer module that has been modified so that it does not display its interface, used to remotely control the target computer;
5. It downloads the AZORult information-stealing Trojan to steal the user names and passwords of the user's browser, mailbox and multiple chat tools.

Sample: Stop ransomware virus.zip - Lanzou Cloud
Sample (source file): Stop ransomware virus source file.zip - Lanzou Cloud


5. GandCrab ransomware virus
MD5: a635d6a35c2fc054042b6868ef52a0c3
Chinese name: Same as above
English name: Ransom.Win32.GandCrab.A (Microsoft/ESET/TrendMicro/GData, standard) / Trojan.Win32.Jorik.sbl (Kaspersky) / Win32/Trojan.7c2 (360)
Introduction: In January 2018, GandCrab ransomware was observed for the first time infecting a Korean company.
Since then the ransomware has expanded rapidly worldwide, including victims in the United States in early 2018, and at least eight critical infrastructure sectors have been affected. As a result, GandCrab quickly became the most prevalent ransomware; it is estimated that by mid-2018 it already held 50% of the ransomware market.
Experts estimate that GandCrab infected more than 500,000 victims worldwide and caused more than $300 million in damage. It operates on a ransomware-as-a-service (RaaS) business model, selling the malware to affiliates who buy the ransomware service in exchange for 40% of the ransom.
From January 2018 to June 2019 there were many different variants of this ransomware. In January 2019 the GandCrab 5.1 variant became prevalent around the world. On June 1, 2019 the GandCrab operators announced the closure of their website, claiming to have earned $2 billion in ransom.
Two weeks later, Bitdefender, in cooperation with Europol, the FBI, many law enforcement agencies and NoMoreRansom, released a decryption tool for GandCrab that works for GandCrab 1.0, 4.0, 5, 5.2 and other versions. That was the end of this ransomware's story. An encrypted file looks as follows:

Sample: GandCrab ransomware.zip - Lanzou Cloud

6. Sodinokibi ransomware
MD5: de35f0262c089cc880fe8cee5d6b0156
Chinese name: Same as above
English name: Ransom.Win32.Sodinokibi (standard)
Introduction: Sodinokibi ransomware (also known as REvil) was first found in Italy on May 24, 2019, where it was seen spreading through RDP attacks. This virus is also regarded as the successor of the GandCrab ransomware, and in just a few months it spread widely around the world. It has many connections with GandCrab, and foreign security researchers have published many articles on the links between the two.
Sodinokibi ransomware is also distributed and marketed in the RaaS model and uses several anti-detection techniques to avoid detection by security software. It mainly uses Oracle WebLogic vulnerabilities, Flash UAF vulnerabilities, phishing emails, RDP ports and exploit kits to launch attacks.

Sample: Sodinokibi.B.zip - Lanzou Cloud


7.GlobeImposter ransomware
MD5: e22638ce44a5f9faf9dd450438c1d492
Chinese name: same as above
English name: Ransom.Win32.GlobeImposter (standard)
Introduction: GlobeImposter ransomware variant family history, this article is enough - FreeBuf Network Security Industry Portal

Sample: GlobeImposter Ransomware.zip - Lanzou Cloud

8. Crysis ransomware

MD5: ebcdda10fdfaa38e417d25977546df4f
Chinese name: Same as above
English name: Ransom.Win32.Crysis.A (ESET) / Trojan-Ransom.Win32.Crusis.b (Kaspersky) / Trojan:Win32/Casur.A!cl (Microsoft)
Introduction: CrySiS ransomware, also known as Dharma, first appeared in 2016.
In May 2017, after the master key of this ransomware was released, earlier samples could be decrypted, which caused the ransomware to disappear for a while; but its latest variant, with the encrypted-file suffix .java, appeared immediately afterwards.
It enters the victim's server by RDP brute force and encrypts for ransom. The encryption uses an AES+RSA scheme, which makes the encrypted files impossible to decrypt. In the past year this ransomware has been extremely active, and its variants number over 100.

Sample: Crysis ransomware.zip - Lanzou Cloud


9. Phobos ransomware
MD5: f785b1a9a657aca7e70d16ac5effaabd
Chinese name: Same as above
English name: Ransom.Win32.Phobos.A (Microsoft, ESET)
Introduction: Phobos ransomware variant analysis report

Sample: Phobos ransomware Virus.zip - Lanzou Cloud


10. Ryuk ransomware
MD5: 6cdcb9f86972efc4cfce4b06b6be053a
Chinese name: Same as above
English name: Ransom.Win32.Ryuk (standard)
Introduction: Ryuk ransomware was first discovered in August 2018. It is operated behind the scenes by the Russian hacker group GrimSpider.
GrimSpider is a cybercrime group that uses Ryuk ransomware to carry out targeted attacks on large businesses and organisations. CRAM TG Soft (Anti-Malware Research Center) found that Ryuk is mainly spread by other malware, in particular banking Trojans such as Emotet or TrickBot.
The Emotet and TrickBot banking Trojans are mainly used to steal the login credentials of the victim's bank websites, and at the same time act as downloaders that deliver other ransomware. They spread Ryuk because the operator of the TrickBot distribution channel is the Russian hacker group WIZARD SPIDER, of which GRIM SPIDER is one department.

Sample: Ryuk ransomware.zip - Lanzou Cloud


11. Maze ransomware
MD5: f5ecda7dd8bb1c514f93c09cea8ae00d
Chinese name: Maze ransomware
English name: Ransom:Win32/Maze!MSR (Microsoft) / Ransom.Win32.Maze.A (McAfee, ESET)
Introduction: Maze ransomware, also known as Chacha ransomware, was first discovered by Malwarebytes security researchers in May 2019.
          This ransomware is mainly distributed through the Fallout and Spelevo exploit kits, fake sites disguised as legitimate cryptocurrency exchange applications, or Trojanized (挂马) websites. Recently, Proofpoint security researchers discovered a new hacker group, TA2101, which launched attacks on Germany, Italy and the United States through spam and used them to spread the Maze ransomware.



Sample: Maze ransomware.zip - Lanzuoyun

12. Buran ransomware
MD5: e60e767e33acf49c02568a79d9cbdadd
Chinese name: same as above
English name: Ransom.Win32.Buran (standard)
Introduction: Buran ransomware first appeared in May 2019; it is a new type of ransomware that spreads under the RaaS model.
          Buran is sold on a well-known Russian forum. Unlike other RaaS ransomware whose authors take 30%-40% of the income, the author of Buran takes only 25% of the income generated by infections. Security researchers believe that Buran is a variant of the Jumper ransomware, with the VegaLocker ransomware as the original origin of the family; owing to its huge profits, it quickly spread infections across the globe.
          Buran was previously spread with the RIG exploit kit, which exploited the relatively serious IE vulnerability CVE-2018-8174. It was recently discovered that this ransomware now spreads through IQY (Microsoft Excel Web query) files.



Sample: Buran ransomware..zip - Lanzuoyun


13. MegaCortex ransomware
MD5: e60e767e33acf49c02568a79d9cbdadd
Chinese name: Same as above
English name: Ransom.Win32.MegaCortex (standard)
Introduction: The MegaCortex ransomware was first seen on VT in January 2019, when someone uploaded a malicious sample there; the British security company Sophos released an analysis report on it in May.
          The early version of this ransomware is somewhat similar to the SamSam ransomware that was popular the previous year: both use BAT scripts and password parameters, and their payload-loading methods are similar, but there is no further evidence that the two are related.
          Since MegaCortex was uploaded to VT in January, Sophos has observed its numbers increasing and has published a detailed analysis. It has been launched against many industries in Europe and North America; corporate networks in countries such as the United States, Canada, the Netherlands, Ireland, Italy and France have been hit and high ransoms demanded.
          In August 2019, MegaCortex V2.0 was discovered. The payload's execution flow was redesigned so that it runs automatically without the installation password: the author hardcoded the password in the binary, added some anti-analysis measures, and built in the blocking and killing of various security products and services. In the previous version this work was done by manually executing batch scripts on each victim host; the latest version needs no manual execution, as everything is encapsulated in the binary.



Sample: Megacortex ransomware.zip - Lan Zuoyun
————————————————— I am the gorgeous dividing line ~~~~~~~ —————————————————


14. FRS ransomware virus

MD5: af6d91121887f5bb0a85a06b1ded0db7
Chinese name: Same as above
English name: Ransom.Win32.FRSCryptor (standard)
Introduction: A domestic (Chinese) ransomware virus, but a very poor one, because the decryption password is embedded in the text file it drops alongside the encrypted files.
https://bbs.pediy.com/thread-261074.htm (detailed analysis)




Sample: FRS ransomware virus.zip - Lan Zuoyun




4. Backdoor viruses

1. Ice River (Glacier, 冰河) Trojan
MD5: 37fb43a5f78176846d463d906f83b5aa
Chinese name: Same as above
English name: Backdoor.Win32.G_Door (Standard)
Introduction: Developed in 1999, it was originally a powerful remote control tool but became a powerful backdoor through abuse. As the master of the backdoor field, Glacier and the later Gray Pigeon have become the symbols and bywords of domestic backdoor viruses.


Trojan horse functions:
1. Automatically tracks screen changes on the target machine and can fully simulate keyboard and mouse input; that is, while the controlled end's screen changes are mirrored, every keyboard and mouse operation on the monitoring end is reflected on the controlled end's screen (applicable on a LAN);
2. Records various password information: the power-on password, screen saver password, shared resource passwords and most passwords that have been entered in dialog boxes;
3. Obtains system information: computer name, registered company, current user, system path, operating system version, current display resolution, physical and logical disk information and other system data;
4. Restricts system functions: remote shutdown, remote restart, locking the mouse, locking system hotkeys, locking the registry, etc.;
5. Remote file operations: creating, uploading, downloading, copying and deleting files or directories, file compression, quick browsing of text files, remote opening of files (four opening modes: normal, maximized, minimized and hidden) and many other file operations;
6. Registry operations: browsing, adding, deleting, copying and renaming keys, and reading and writing key values;
7. Sending messages: sends a short message to the controlled end with one of four common icons;
8. Peer-to-peer communication: chats with the controlled end in the form of a chat room.
     The server-side program of the Glacier Trojan is G-server.exe, the client program is G-client.exe, and the default connection port is 7626. Once G-server runs, it generates Kernel32.exe and sysexplr.exe in the C:/Windows/system directory and deletes itself. Kernel32.exe loads and runs automatically when the system starts, and sysexplr.exe is associated with TXT files: even if you delete Kernel32.exe, opening any TXT file activates sysexplr.exe, which regenerates Kernel32.exe. That is why Glacier keeps coming back no matter how often it is deleted.
Sample: Glacier Trojan V2.0.zip - Lanzuoyun (V2.0)
          Glacier Trojan V2.2.zip - Lanzuoyun (V2.2) [including the control terminal and the controlled terminal]




2. Huigege (Gray Pigeon) backdoor virus
MD5: 0f2f224513a5b60e70b91f62e6a5f2da
Chinese name: Same as above
English name: Backdoor.Win32.Hupigon.A (Microsoft)
Introduction: A master of backdoor viruses, with a high reputation in China.
          Gray Pigeon was developed in 2001. Originally the software was intended for company and family management. Its functions are very powerful: it can monitor the camera, log keystrokes, monitor the desktop, operate on files and so on, and it can also delete itself after running, install without prompting, etc. Because of a flawed design in its early reverse-connection feature, users had the highest authority, and once it was cracked it could no longer be controlled, which eventually led to malicious use by hackers. The original author's Gray Pigeon thus came to be regarded as a Trojan horse program integrating multiple control methods.
          Virus composition:
           The configured server file is named G_Server.exe by default (the name can be changed). The attacker then uses every possible means to get the user to run G_Server.exe.
           Running process:
           After G_Server.exe runs, it copies itself to the Windows directory (the system drive's Windows directory on 98/XP, the Winnt directory on 2000/NT), and then releases G_Server.dll and G_Server_Hook.dll from its body into the Windows directory. The three files G_Server.exe, G_Server.dll and G_Server_Hook.dll work together to form the Gray Pigeon server, and G_Server_Hook.dll is responsible for hiding Gray Pigeon: by intercepting the process's API calls, it hides the Gray Pigeon files, the service's registry key and even the module name inside the process. The intercepted functions are mainly those used to enumerate files, registry entries and process modules. As a result, users sometimes feel they have been infected but find nothing abnormal after careful inspection. Some Gray Pigeon builds release an additional file, G_ServerKey.dll, to record keyboard operations. Note that the name G_Server.exe is not fixed and can be customised; for example, with a custom server file name of A.exe the generated files are A.exe, A.dll and A_Hook.dll.

Gray Pigeon has now become legitimate remote control software!!!
If you want to know more, consult the official website: www.hgzvip.net




Sample: Gray Pigeon A Sample (Microsoft).zip - Lanzuoyun





3. Rainbow Bridge Backdoor Virus
MD5: 29b1550a1de57efda52b039aedeb4710
Chinese Name: Same as above
English Name: Backdoor.Win32.Bifrose.A (Standard), derived from the original file name Bifrost.exe
Introduction: Originally used as remote control auxiliary software, it was maliciously tampered with and became a very harmful backdoor virus.
Functions:
1. Remote file management (general file operations, upload, download, modification, execution, etc.; file search with custom extension filters)
2. Remote system management (system information, process management, window management, password interception, uninstallation, server upgrade, etc.)
3. Remote screen view (supports mouse and keyboard control, saving to file, etc.)
4. Remote camera view (supports saving to file, etc.)
5. Remote DOS commands (used, for example, to add administrator accounts)
6. Keylogging (both offline and online keylogging)
7. Obtaining passwords (passwords from memory, saved passwords, default passwords)
8. Changing the victim's name
9. Copying the IP
Sample: Rainbow Bridge Backdoor Virus.zip - Lan Zuoyun



4. PcClient Backdoor Virus
MD5: 203c4f24052a8df191e7c9fdc74a3b38
Chinese Name: Same as above
English Name: Backdoor.Win32.PcClient.A (Standard)
Introduction: Discovered on July 9, 2004, it can infect Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP and other operating systems. After infection it records keyboard and mouse operations and can automatically restart the machine, download files, forcibly shut down the computer and so on.
Behavior introduction:
1. Creates a smss.dll file in the system32 directory and adds the following value to the registry startup item:
"PcClient" = "[path to Trojan]"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
2. The Trojan tries to connect to a pre-defined website over HTTP on a random port and sends information such as the user name, CPU model and computer name of the infected machine to the connected host. Known connection sites are:
· saap.meibu.com
· ps7.meibu.com
· net918.dns0755.net
· xjtomb.20cn.com
3. The Trojan can perform the following actions:
· Log out of the current account, force a shutdown, restart the computer, download and run more files, and record keyboard and mouse activity.
Sample: PcClient backdoor virus.zip - Lanzuoyun


5. Aimrat backdoor virus

MD5: db14bd3cb017e67fb12fb8ec0791b5d6
Chinese name: same as above
English name: Backdoor.Win32.Aimrat.A (standard)
Introduction: None.
Sample: Aimrat backdoor virus.zip - Lan Zuoyun




6. Aimspy backdoor virus
MD5: 99724fc3358d168c6f3f375ef1b15cbe
Chinese name: Same as above
English name: Backdoor.Win32.AimSpy.A (standard)
Introduction: A backdoor virus controlled by port 777.
Sample: AimSpy Backdoor Virus.zip - Lanzuoyun

7. Ap Backdoor Virus
MD5: 3e07ae209a0e347d05d48320dd6de668
Chinese Name: Same as above
English Name: Backdoor.Win32.Apdoor.A (Standard)
Brief Introduction:
1. The virus consists of two parts, an EXE main program and a DLL file. It copies itself to the system directory and registers itself to start automatically; the file names and registry value names are random.
2. It hooks the message dispatch of Program Manager, i.e. explorer.exe, injects the DLL into the address space of explorer and starts a new thread; the main program then exits.
3. From inside explorer, every 30 seconds it sends the HTTP request "GET /bin/ap216.exe HTTP/1.1" to "smart2com.net", trying to download ap216.exe and run it locally.
4. The virus uses "AICORE 08/27/03 19:36:10" as the name of its event object.
5. The virus constantly monitors its Run entry in the registry and restores it immediately if it is modified.
Sample: Ap Door Backdoor Virus.zip - Lanzuoyun

8. Black Sea Window Backdoor Virus (V1.0.0.1 Angel Doll Exclusive Edition)
MD5: 7d8dcebef26d40a717a1dbdf895c8676
Chinese Name: Same as above (original file name "Black Sea Window.EXE")
English name: Backdoor.Win32.Andover.A (standard)
Introduction: After this backdoor runs, the operator obtains a cmd shell and uses DOS commands to remotely control the infected computer: restarting it, enumerating processes and terminating a specified process. User-defined VBS scripts can be added, deleted and modified to extend control functions the backdoor itself does not implement.
Author's self-report:
[Original] Window of the Black Sea
Posted by: andyower   Published: 2005-09-22 15:09
Information source: Evil Octal Information Security Team (www.eviloctal.com)
Author of the article: Andyower
  This thing was released a long time ago, and it was released by Fengze Gang~ Thank you in advance~~ Hehe~ It is for rookies~ It is not suitable for experts. Many functions are not perfect; for example, TCP/IP screening, basically nothing is done, there is no time~ and there is no network. It is really depressing.
  My friend said that the interface is really ugly, so let me republish one. I used SkinMagic to make the interface on the basis of the original one. Haha~ It's really good~ I gave an article about cracking SkinMagic at http://www.eviloctal.com/forum/htm_data/10/0507/12778.html
  If you are interested, you can take a look. For those who use VC, it is very convenient~
  The main function of Window of the Black Sea: after getting a reverse or direct connection shell, you can simplify some operations and convert all cmd commands into a visual interface.
  I won't write about the specific functions, please try it yourself and you will know~
  TCP/IP screening part, I will start working on it as soon as I have time~

Sample: Black Sea Window Backdoor Virus.zip - Lan Zuoyun




9. Poison Backdoor Virus
MD5: b1a85fdd944c21070a0551e8c59a6158
Chinese name: Poison Ivy backdoor virus
English name: Backdoor.Win32.Poison.A (standard)
Introduction: A backdoor Trojan horse program generated by the backdoor generation tool Poison Ivy. It hides itself by injecting into other processes, allowing unauthorized access and control of the victim system.
Sample: Poison Backdoor Virus.zip - Lan Zuoyun


10. Blastit Backdoor Virus
MD5: 068e7d0320cf32ee0816525c88bb9c4f
Chinese Name: Same as above
English Name: Backdoor.Win32.Blastit.A (Standard)
Introduction: After starting, the backdoor installs itself in the system directory, runs hidden in the background, and adds the following registry values so that it starts automatically:
1. HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Currentversion\Run
   "Windows Wininit Command" : WININIT.EXE
2. HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Currentversion\RunServices
   "Windows Wininit Command" : WININIT.EXE
It also modifies the shell entry in the [boot] section of System.ini to "EXPLORER.EXE WININIT.EXE".
Sample: Blastit backdoor virus.zip - Lanzuoyun
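The Run/RunServices values and the System.ini shell change listed for Blastit, like the Run entry listed for PcClient earlier in this section, are persistence hooks an analyst can audit with a few lines of parsing. The following is an added example, not code from the original post: it parses a constructed System.ini and a constructed dump of Run-key values (the helper names and sample data are my own), flagging any program other than explorer.exe on the shell line and any startup value whose data is a bare file name rather than a full path.

```python
"""Added example (not from the original post): auditing the two
persistence hooks described for Blastit and, earlier, PcClient.

Both backdoors register a value under the CurrentVersion Run (and, for
Blastit, RunServices) keys, and Blastit also appends WININIT.EXE to the
shell= line of the [boot] section of System.ini. The registry dump and
the System.ini text below are constructed for this demonstration; the
helper names are my own.
"""
import configparser  # System.ini uses plain INI syntax
from typing import List, Tuple

# The only program that belongs on the Win9x/Me shell= line.
EXPECTED_SHELL = "explorer.exe"

# Constructed System.ini in the state the Blastit entry describes.
SYSTEM_INI_INFECTED = """[boot]
shell=EXPLORER.EXE WININIT.EXE
[386Enh]
device=vmm32.vxd
"""

# Constructed Run-key dump as (key, value name, data) triples: the two
# Blastit values from the page plus one benign, fully-qualified entry.
RUN_ENTRIES = [
    (r"HKLM\Software\Microsoft\Windows\Currentversion\Run",
     "Windows Wininit Command", "WININIT.EXE"),
    (r"HKLM\Software\Microsoft\Windows\Currentversion\RunServices",
     "Windows Wininit Command", "WININIT.EXE"),
    (r"HKLM\Software\Microsoft\Windows\Currentversion\Run",
     "ctfmon", r"C:\WINDOWS\system32\ctfmon.exe"),
]


def extra_shell_programs(system_ini_text: str) -> List[str]:
    """Return every program on the [boot] shell= line other than explorer.exe."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(system_ini_text)
    shell = cp.get("boot", "shell", fallback="")
    return [p for p in shell.split() if p.lower() != EXPECTED_SHELL]


def suspicious_run_entries(entries) -> List[Tuple[str, str, str]]:
    """Flag Run/RunServices values whose data is a bare file name.

    A bare name (no drive or directory) is resolved through the search
    path at logon, which is how a WININIT.EXE dropped into the system
    directory gets started; legitimate installers almost always register
    a fully qualified path.
    """
    flagged = []
    for key, name, data in entries:
        stripped = data.strip().strip('"')
        target = stripped.split()[0] if stripped else ""
        if "\\" not in target and "/" not in target:
            flagged.append((key, name, "bare file name: " + target))
    return flagged


def audit() -> dict:
    """Run both checks on the constructed inputs and return the findings."""
    return {
        "shell_extras": extra_shell_programs(SYSTEM_INI_INFECTED),
        "run_entries": suspicious_run_entries(RUN_ENTRIES),
    }


if __name__ == "__main__":
    for section, findings in audit().items():
        print(section)
        for item in findings:
            print("  ", item)
```

On a real machine the same two functions would be fed the contents of System.ini and an export of the Run/RunServices keys; the checks stay the same.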

11. Allaple backdoor virus
MD5: c60d1e4c93692a33d93d6c1b8380ab5d
Chinese name: same as above
English name: Backdoor.Win32.Allaple.A (standard)
Introduction: A backdoor worm. For propagation it scans for computers exposed to several vulnerabilities; it can also perform dictionary attacks on network share passwords.
In addition, the worm carried out a denial of service (DoS) attack on many Estonian websites. It copies itself to the hard drive many times and also infects HTML files. The worm's files are polymorphically encrypted, meaning each copy is different; the only constant aspect of the worm's code is the size of its executable file, 57856 bytes.
           The backdoor worm creates a different CLSID for each copy of itself it places on the hard drive, and the number of copies can be very large; the file names are randomized. When a worm file runs, it passes through the polymorphic decryptor into the static part of the code, where a memory buffer is allocated and the main worm code is extracted into it; control is then passed directly to the extracted code. After gaining control, the worm creates several threads. One scans for vulnerable computers (on TCP ports 139 and 445) and sends exploits to infect them. Another scans all .HTM and .HTML files on the local hard drive and infects them by adding a reference to the worm's CLSID. One of the remaining threads performed a DoS attack on three websites located in Estonia, and the worm also attempted to brute-force network share passwords with dictionary attacks.
Sample: https://wwx.lanzoui.com/iSpUawodwri




12. Cabrotor backdoor virus
MD5: 89f1be754ec6638938f42ee7855d84ad (zip)
Chinese name: Same as above
English name: Backdoor.Win32.Cabrotor.A (standard)
Introduction: A Windows PE EXE file written in Delphi; version 2.1 exploits a vulnerability to escalate privileges.
Sample: https://wwx.lanzoui.com/iE554wodwqh


13. Salgorea backdoor virus
MD5: 14ee3488c6896ca2b26664e61bf6b11a
Chinese name: Same as above
English name: Backdoor.Win32.Salgorea.A (standard)
Introduction: It disguises its icon and name as WinWord.exe. After running, it steals a large amount of user account information, records keystrokes, and sends the collected information back to its server.
Sample: https://wwx.lanzoui.com/i8BzHwqe0uh



14. Aspid backdoor virus
MD5: e2d20322337d42a9bf8290d1f1c17366
Chinese name: Same as above
English name: Backdoor.Win32.Aspid.A (standard)
Introduction: None yet.
Sample: https://wwx.lanzoui.com/i8C47wqe0da

15. Nitol backdoor virus
MD5: 1242cabae9718d87032d5061f720bbf9
Chinese name: Ditto
English name: Backdoor.DDoS.Win32.Nitol.A (standard)
Introduction: The Nitol family is the collective name for the Storm DDoS family and the Ghost DDoS family, whose functional code is modified from the same set of source code circulating on the Internet; one antivirus vendor refers to them collectively as the Nitol family. This family is not as active as the common DDoS botnet families. The Nitol family has the following two characteristics:
1. The Nitol family has the characteristics of both a DDoS botnet and RAT malware.
First of all, the Nitol family mainly has the DDoS attack capabilities of a DDoS botnet: it implements 7 types of DDoS attacks, namely syn flood, udp flood, http flood, icmp flood, tcp flood, cc flood and dns flood. At the same time, it has basic RAT functions such as remote cmd, file update/download and pop-up windows. Through long-term monitoring and statistical analysis, we know that the operators behind the Nitol family often use the remote file update/download command to implant, from an HTTP File Server, various other viruses and Trojans onto the same device, seriously endangering device security.
2. The Nitol family is not easy to remove.
In order to keep control of the "broiler" (compromised machine) for a long time, the developers of the Nitol family used lpk.dll hijacking. An infected machine ends up with lpk.dll files in directory after directory, which is enough to illustrate the danger of this type of virus. The system's own lpk.dll is located in the C:\WINDOWS\system32 and C:\WINDOWS\system\dllcache directories. The typical characteristic of the lpk.dll virus is that it infects every directory containing an executable file, hides itself, and regenerates itself after being deleted. When an EXE in the same directory runs, Windows dynamically links the lpk.dll beside it, thereby activating the virus. As a result it cannot be completely removed.
Detailed Analysis: Botnet Nitol Family Trojan Analysis and Traceability-Track Knowledge Community-Control Security Online Education- Powered by Controller
Sample: Nitol Botnet Sample.zip - Lanzuoyun
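The lpk.dll hijacking described above can be hunted for on disk: the legitimate lpk.dll belongs only in the system directories named in the entry, so a copy sitting beside an application's .exe is a strong indicator. The following is an added example, not code from the original post; it builds a constructed directory tree of placeholder files (no real malware) and scans it. The LEGIT_LPK_DIRS allowlist and the function names are my own assumptions.

```python
"""Added example (not from the original post): flag lpk.dll copies
planted next to executables, the Nitol persistence trick described above.

On a healthy system lpk.dll lives only in the Windows system directories,
so any copy sitting beside an application executable is worth
investigating. This is a constructed, offline demonstration: it builds a
throwaway directory tree of placeholder files instead of reading a real
disk.
"""
import os
import shutil
import tempfile
from typing import List, Tuple

# Directories (relative to the scan root) where a legitimate lpk.dll is
# expected; these are the two system locations named on the page.
# Assumption: anything outside this allowlist is suspicious.
LEGIT_LPK_DIRS = {
    os.path.normcase(os.path.join("windows", "system32")),
    os.path.normcase(os.path.join("windows", "system", "dllcache")),
}


def scan_for_planted_lpk(root: str) -> List[Tuple[str, List[str]]]:
    """Walk `root`; return (lpk_path, [neighbouring .exe names]) for every
    lpk.dll found outside the allowlisted system directories."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        by_lower = {f.lower(): f for f in files}
        if "lpk.dll" not in by_lower:
            continue
        rel = os.path.normcase(os.path.relpath(dirpath, root))
        if rel in LEGIT_LPK_DIRS:
            continue  # the system's own copy
        exes = sorted(f for f in files if f.lower().endswith(".exe"))
        findings.append((os.path.join(dirpath, by_lower["lpk.dll"]), exes))
    return findings


def build_demo_tree() -> str:
    """Create a constructed tree: two legitimate lpk.dll locations and two
    planted copies next to application executables."""
    root = tempfile.mkdtemp(prefix="lpk_demo_")
    layout = {
        os.path.join("windows", "system32"): ["lpk.dll", "notepad.exe"],
        os.path.join("windows", "system", "dllcache"): ["lpk.dll"],
        os.path.join("Program Files", "Tool"): ["tool.exe", "lpk.dll"],
        os.path.join("Users", "bob", "Downloads"): ["setup.exe", "LPK.DLL"],
        os.path.join("Users", "bob", "Documents"): ["notes.txt"],
    }
    for rel, names in layout.items():
        d = os.path.join(root, rel)
        os.makedirs(d, exist_ok=True)
        for n in names:
            with open(os.path.join(d, n), "wb") as fh:
                fh.write(b"constructed placeholder, not a real binary\n")
    return root


def demo() -> List[Tuple[str, List[str]]]:
    """Build the tree, scan it, clean up; return findings as
    (root-relative path with forward slashes, neighbouring exes)."""
    root = build_demo_tree()
    try:
        found = scan_for_planted_lpk(root)
        return sorted(
            (os.path.relpath(p, root).replace(os.sep, "/"), exes)
            for p, exes in found
        )
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for path, exes in demo():
        print("planted lpk.dll:", path, "next to", ", ".join(exes))
```

Pointing `scan_for_planted_lpk` at a mounted system drive (with the allowlist adjusted to that drive's root) gives the list of directories that need cleaning; the page's advice to do this from WinPE rather than the running system applies, since the planted copy regenerates itself while the infected EXEs can run.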



5. Macro virus
1. Melissa macro virus
MD5: e429025707d8af0054361e7f9bb20767
Chinese name: Same as above
English name: Virus.Word.Melissa.A (standard)
Brief introduction: In the spring of 1998 it was written by the American David L. Smith using Word macros, and it spread mainly by e-mail. The subject line of the e-mail is usually "This is information for you, don't let anyone see it", and the virus is named after a dancer in Florida.
           When the virus triggers, Word's macro virus protection is turned off, conversion confirmation is turned on and the template-save prompt is turned on; the "Macro" and "Security" commands are disabled and the security level is set to the lowest. If the value Melissa under "HKEY_CURRENT_USER\Software\Microsoft\Office\" in the registry is not equal to "... by Kwyjibo", it uses Outlook to send e-mails to the first 50 contacts in the address book with the subject "Important Message From XXX" (XXX is the user name) and the body "Here is that document you asked for ... don't show anyone else ;-)", attaching the currently infected document; it then sets the value Melissa under "HKEY_CURRENT_USER\Software\Microsoft\Office\" to "... by Kwyjibo". If the day of the month equals the current minute, it inserts the following text into the document: "Twenty-two points, plus triple-word-score, plus fifty points for using all my letters. Game's over. I'm outta here"
Sample: Melissa macro virus.zip - Lan Zuoyun


  
2. Taiwan No. 1 macro virus
MD5: 73f5e352172e416f6a3970132b551dc3   
Chinese name: Same as above
English name: Virus.Word.Twno.A (standard)
Introduction: This virus is an encrypted macro virus. In the Word environment it infects .doc and .dot files. On the 13th of each month, if the user opens an infected document (or template) with Word, the virus activates. When activated, a dialog box pops up in the centre of the screen asking the user to solve a mental arithmetic problem; if the answer is wrong, it opens files endlessly until Word runs out of memory and errors out. If the answer is correct, it asks the user "What is a macro virus?", to which the answer is "I am a macro virus", and then asks "How to prevent macro viruses?", to which the answer is "Don't look at me".
Sample: https://wwi.lanzouo.com/iEAPVy86hhc



3. Chaos macro virus
MD5: 002c4c4ab64bc1fec1a19f9c697e71d3
Chinese name: Chaos virus
English name: Virus.Word.Chaos.A (standard)
Introduction: Virus behavior:
1. If the current second is 18, it repeatedly (between 10 and 30 times, chosen at random) inserts comment lines into the code.
2. It searches for the startup directory, and creates one under the program directory if it does not exist.
3. It generates word8.dot, containing the virus code, in the startup directory and adds this file as an add-in.
4. It overrides FileNewDefault, FileNew, ToolsMacro, FileTemplates, ViewVBCode and FormatStyle.
Sample: Chaos macro virus.zip - Lanzuoyun

4. Alliance macro virus
MD5: e6f375d351980333c9154770bcc3f400
Chinese name: Same as above
English name: Virus.Word.Alliance.A (standard)
Introduction: Infects .DOC and .DOT files, but only infects and copies itself on the 2nd, 7th, 11th and 12th of each month. It sets the Subject in the file properties to "You Have Been Infected by the Alliance" and displays a message window on screen telling the user they have been infected with a virus.
Sample: https://wwi.lanzouo.com/idxypydpe9a



5. Birthday macro virus
MD5: 96683e60c506266efed0d53850beb24e
Chinese name: Same as above
English name: Virus.Word.Birthday.A (standard)
Introduction:
(The following text is my own edited and compiled translation from the German.)
Dear PC World Editor,
   I would like to make a request of you. I'm 16 years old and a student, and some of my classmates and I read your article on the Winword virus (11/95). We study in the Department of Computer Science and studied viruses and how they spread. Then my classmates and I each made a lot of viruses. Some are for Excel, WinWord and Access. So far I've pushed viruses until I developed a dropper with a DOS virus, or a virus to access Excel.
   Now is the time for me to speak up. A classmate of mine stole my "virus source text" and has now set about 10 different "macro viruses" loose in all sorts of programs in the world, including every item that pops up on the Internet. As I found out, it has a very high rate of spread (Winword viruses sometimes still have mail functionality). I know these viruses are "malicious" (they are able to format information). I can't tell you when the virus will be activated, but it should be soon, since these viruses have been circulating on the Internet for over a month. I hope you will warn in your magazine that these viruses are about to spread, because if serious damage occurs I may also bear the consequences. The attachment contains a virus; copy this document to a floppy disk (WinWord 7).
   I hope you can help me to solve the problem. Please forgive me for not being able to call and reveal my real name, as this could have criminal consequences.
                                                                                                                            Sincerely
Sample: Birthday macro virus.zip - Lan Zuoyun


6. Thus macro virus
MD5: 7299e870c3a3634a8ef6555300ddb74d
Chinese name: Same as above
English name: Virus.Word.Thus.A (standard)
Introduction: A macro virus that infects MS Word 97/Word 2000 documents. The virus lives in the ThisDocument module and uses the Document_Open, Document_Close and Document_New macros to infect. It infects Word's global template (normal.dot); once the global template is infected, Word 97's macro warning no longer works. Before infecting a document, the virus checks whether it is already infected: if the document's comments contain the string thus.000, it is not infected again. The payload triggers on December 13 every year: when an infected file is opened on that day, the virus deletes all files on the C drive (including subdirectories).
Sample: https://wwa.lanzouv.com/iyGDQ00e3g1a


7. Mailcab macro virus
MD5: 19867b879ff9c9a91d1d038069057241
Chinese name: Same as above
English name: Virus.Excel.Mailcab.A (standard)
Introduction: A macro virus that infects Excel documents and spreads by e-mail. When it runs, it first creates registry keys so that macros run when Microsoft Office is used. It then copies the infected workbook to %AppData%\Microsoft\Excel\XLSTART\K4.xls, so that the infected K4.xls is executed whenever the user opens any Excel document. The virus collects the user's Outlook address book, then generates and calls a VBS script to send an Excel document carrying the virus to the contacts in the address book. It also copies itself as a macro into other Excel documents and names the macro "ToDOLE".
Sample: https://wwa.lanzouv.com/imrzFydpecd


8. Sic macro virus
MD5: ea978e1d137ba86409528b682044ee48
Chinese name: Same as above
English name: Virus.Excel.Sic.A (Standard)
Introduction: This macro virus prevents users from opening Excel files normally and automatically infects other Excel files. Its obvious symptom is that every time you open an Excel document it first automatically opens a book1 document, and then warns you that the opened document contains macros.
Sample: Sic macro virus.zip - Lan Zuoyun



9. NetSnake macro virus
MD5: 055ddc696936256ad70050fb5aac21f3
Chinese name: Same as above
English name: Virus.Excel.NetSnake.A (standard)
Introduction: The main symptoms of infection by this macro virus:
          1) After NetSnake infects an MS Excel file, the words "Private Sub createcabfile()" can be seen in the file (visible when it is opened with Notepad). When Excel opens the infected file, the following prompt pops up: "The file "Normal.dof" already exists. Do you want to replace the original file?" When an infected machine opens any Excel document, it also opens a blank book1 document.
          2) Opening Excel reports runtime error 1004.
          Dialog title: Microsoft Visual Basic
          Dialog content: Runtime Error '1004'
                               The workbook contains at least one visible worksheet. To hide, delete or move the selected sheet, a new sheet must first be inserted or a hidden sheet must be redisplayed.
Sample: NetSnake macro virus.zip - Lan Zuoyun



6. Other supplementary categories

1. Vamson virus
MD5: 09258814f80286358678086fc33bf578
Chinese name: Same as above
English name: Trojan:Win32/Vamson.A!rfn (Microsoft) / Rootkit.Win64.Agent.bds (Kaba)
Introduction: This virus belongs to the homepage-hijacking series: it is a driver that locks the browser homepage. It is disgusting in itself, protecting its files, registry keys and disk: in general its registry keys and files cannot be moved, and disk analysis operations are also blocked. Once its protection is bypassed, it automatically restarts or shuts down the machine, mainly to defeat the first aid kit, since it can ignore other antivirus products. Its restart methods include but are not limited to: restarting through I/O, clearing the SYSTEM EPROCESS structure to cause a random blue screen, and calling HalReturnToFirmware to force a shutdown. As soon as the first aid kit is updated, the author updates the driver to counter it. Quite disgusting; it is recommended to boot into WinPE to check and remove it rather than fighting it head-on from inside the running system.
For a detailed analysis and removal method, see the Kafan (卡饭) forum thread "Homepage-hijacking driver Trojan, almost immune to all antivirus software after running" (Virus sample sharing & analysis area).
Supplementary samples: Vamson virus.zip - Lanzuoyun; bingdu_bat.rar (Baidu network disk)
Antivirus test of this virus: Kafan forum thread "Virus-infected environment removal test: can the 2021 antivirus successfully remove the rootkit of the 2018 version?" (Foreign Antivirus Software area)
   
2. Purple Fox Virus

MD5: 971bd6b087aa17dc582d08a5fe0904f7
Chinese name: Same as above
English name: Trojan.
Detailed analysis: Trojan Killing - Security Information - 360 official website
Sample: https://wwx.lanzoui.com/isUI0r05rnc

3. Cat ringworm downloader
MD5: ed918b67662896536fe1583b4359539c
Chinese name: Same as above
English name: Trojan-Downloader.Win32.Murlo.A (Standard)
Introduction: The most obvious symptoms of infection by the "cat ringworm" virus are the usp10.dll file appearing on the desktop, Thunder (Xunlei) failing to start, security software being closed automatically, and online game accounts being stolen. Its targets include mainstream games such as World of Warcraft, Westward Journey Online II, Swordsman World, Feng Shen Bang II, the Perfect series, Fantasy Westward Journey and Demon Field, with a huge impact on users' virtual property. Every variant of "cat ringworm" can use the IE7 0day vulnerability, the Microsoft Access vulnerability, the Sina UC vulnerability, the RealPlayer vulnerability and other security holes in systems and third-party software to spread via web-page Trojans; if the user's system has any of these holes and the user browses to a Trojanized (挂马) web page, "cat ringworm" takes advantage of it.
https://m.c114.com.cn/w501-381931.html (detailed analysis)
Sample: Cat Ringworm Downloader.zip - Lanzuoyun


4. Fanny U disk virus

MD5: c82eee84c051abef1c60d0954eb3fdc9
Chinese name: same as above
English name: Exploit.Lnk.CVE-2010-2568
Introduction: Trojans that spread through the "LNK icon vulnerability" mostly contain several "malicious shortcuts": the recently discovered "Gemini" Trojan contained two, and the "Fanny" Trojan found this time contains five. This is because a malicious shortcut must use an absolute path when it invokes the virus file, but the Trojan author cannot know in advance which drive letter the user's USB flash drive will receive, so several alternatives are usually prepared. From the names of the five shortcuts in the "Fanny" Trojan (as shown in Figure 1) we can also see that they are made for the five cases where the U disk's drive letter is E, F, G, H or I. Although the Fanny Trojan spreads through the LNK icon vulnerability just like the Gemini Trojan, its attack method has clearly been upgraded: besides using more shortcuts to raise the hit rate, the virus file is also disguised as a picture (.bmp), making it better camouflaged.
Sample: Fanny USB Disk Virus.zip - Lanzuoyun

Source: blog.csdn.net/qq_62291388/article/details/132048086