Detailed analysis of the Rainbow Cat (MEMZ) virus

Sample Information
 
Static Analysis

1. Check the sample for a packer with PEiD and ExeInfo.

2. Check which cryptographic algorithms the sample uses; a call to CryptGenRandom is found.

3. Opening the sample in IDA, the code logic is clearly visible, which confirms the virus is not packed. The window strings, prompt messages and help links reveal what may happen while the virus runs and which system software it uses.

4. Review the import table: APIs such as AdjustTokenPrivileges and OpenProcessToken from advapi32.dll are imported, which indicates the virus elevates its privileges at run time.

5. Inspecting the sample with Resource Hacker shows it must be run with administrator privileges.
 
Dynamic Analysis

1. Running the virus launches many programs: the browser opens multiple pages, the desktop flashes, many windows pop up, the mouse is taken over and the desktop is stretched.

2. Later the computer blue-screens; on restart the Rainbow Cat animation and sound appear, showing that the virus has overwritten the master boot sector so the system no longer starts.

3. A dynamic analysis tool shows the operations performed and the child processes created by the virus, as well as the virus's registry operations.

4. Hidden files appear on the desktop; opening them shows that they use shell32.dll and imageres.dll.
 

Virus Analysis

Start-up analysis
1. The number of functions is small, and the program logic at first glance is roughly: get the system window width and height, get the console parameters, overwrite the master boot sector, create 10 malicious threads, display a message, run the watchdog five times, and so on.

2. Running it in OllyDbg (OD), the window width and height are 0x5fe and 0x2c6, and the console parameter is the path where the virus is located.

Message box
Because the number of parameters is not greater than 1, a message box then pops up with a prompt that the machine is infected by the virus.

Watchdog process
1. Next the program runs itself with the additional parameter watchdog (the first run).

2. When the program is run with the watchdog parameter, the watchdog is executed five times and walks through all processes.

3. A message hook has been installed; each window is created at a different position, and finally the system blue-screens.

Main program

1. Then the virus runs the main program with the additional parameter main; when the virus program runs again at this point, the watchdog is already running.

2. The virus process's privileges are elevated.

Overwriting the master boot sector
1. When the program runs with parameters, it first overwrites the 512-byte space of the master boot sector; the malicious code being written can be seen in OD.

2. The program loads into memory twice and writes to PhysicalDrive0.

Thread analysis
The virus creates many threads while running; each thread is analysed in turn below. The operations performed by each thread differ, but in the end every one enters an infinite loop that seizes system resources until the system crashes with a blue screen.

Thread one
Runs browser software, randomly opens websites in the browser, and runs Task Manager, the Registry Editor and other programs.

Thread two
Opens Notepad and displays messages.

Thread three
The mouse position goes out of control; as the figure above shows, many icons are drawn around the mouse position, which leaves the mouse unusable.

Thread four
Changes the screen display; the desktop interface is copied.

Thread five
Pops up a "still using this computer" message.

Thread six
Changes the screen size and distorts the desktop.

Thread seven
Plays sounds while the virus runs.

Thread eight
Enumerates child windows and applies deformation operations to the windows.

Thread nine
Installs a keyboard-event hook and monitors the keyboard.

Thread ten
Changes the desktop colour.


Solutions
1. Do not open unknown email attachments or download software from unknown sources.
2. If the system still boots after the virus has been removed with antivirus software, rebuild the MBR boot loader.
3. If the system no longer boots, start it from a USB rescue system, open a partitioning tool, select "Search partition", then click "Save changes" to restore all the partitions swallowed by Rainbow Cat; then run boot repair and rebuild the MBR. You can then reboot into the system with all files intact, without reinstalling the system or replacing the hard disk.
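As an added example (not code from the original post or from the sample), the following Python checks a 512-byte MBR image, the structure the remediation steps above rebuild, for an intact boot signature and a sane partition table, and compares its partition table against a known-good backup. The MBR images it inspects are constructed inline for the demonstration, not taken from a real disk.

```python
import struct

MBR_SIZE = 512
PART_TABLE_OFFSET = 446          # four 16-byte partition entries start here
SIGNATURE = b"\x55\xAA"          # boot signature in the last two bytes
ENTRY_FMT = "<B3xB3xII"          # boot flag, CHS start, type, CHS end, LBA start, sectors

def parse_mbr(sector: bytes) -> dict:
    """Parse a 512-byte MBR image and report whether it still looks intact.
    A whole-sector overwrite destroys the partition table along with the boot
    code, so besides the 0x55AA signature we require legal boot flags
    (0x00 or 0x80) on every entry and at least one partition of non-zero type."""
    if len(sector) != MBR_SIZE:
        raise ValueError("MBR image must be exactly 512 bytes")
    result = {"signature_ok": sector[510:512] == SIGNATURE,
              "partitions": [], "invalid_boot_flags": 0}
    for i in range(4):
        boot, ptype, lba, count = struct.unpack_from(
            ENTRY_FMT, sector, PART_TABLE_OFFSET + 16 * i)
        if boot not in (0x00, 0x80):
            result["invalid_boot_flags"] += 1
        if ptype != 0:
            result["partitions"].append({"index": i, "bootable": boot == 0x80,
                                         "type": ptype, "start_lba": lba,
                                         "sectors": count})
    result["intact"] = (result["signature_ok"]
                        and result["invalid_boot_flags"] == 0
                        and bool(result["partitions"]))
    return result

def partition_table_matches(backup: bytes, current: bytes) -> bool:
    """True if the partition-table bytes of a known-good backup match the
    current sector; the boot code is ignored so a rewritten loader still matches."""
    return backup[PART_TABLE_OFFSET:510] == current[PART_TABLE_OFFSET:510]

def build_sample_mbr(bootcode: bytes, entries) -> bytes:
    """Assemble a constructed MBR image for testing (not a real disk dump)."""
    sector = bytearray(MBR_SIZE)
    sector[:len(bootcode)] = bootcode
    for i, entry in enumerate(entries):
        struct.pack_into(ENTRY_FMT, sector, PART_TABLE_OFFSET + 16 * i, *entry)
    sector[510:512] = SIGNATURE
    return bytes(sector)

# Constructed inputs: a healthy MBR with one bootable NTFS (0x07) partition, and a
# sector whose first 510 bytes were replaced by filler with only the signature left.
HEALTHY_MBR = build_sample_mbr(b"\xEB\x63\x90", [(0x80, 0x07, 2048, 204800)])
OVERWRITTEN_MBR = b"\x90" * 510 + SIGNATURE
```

Run against a real dump, the "overwritten" result is the signal to restore the partition table from backup or a partition search before rebuilding the boot loader.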

 

 

Resource Links: https://www.lanzous.com/i8xd4xg


Origin blog.csdn.net/qq_37428797/article/details/104116547