SoFunction
Updated on 2025-04-08

Bad USB virus analysis and detection

Virus name:

Size: 38,132 bytes
MD5: 2391109c40ccb0f982b86af86cfbc900
Packer: FSG 2.0
Written in: Delphi
Propagation: removable media, or malicious web scripts

Running the sample in a virtual machine and analysing the unpacked binary in OllyDbg (OD), its behaviour is as follows:

Files created:
%systemroot%\system32\
%systemroot%\system32\
%systemroot%\system32\
%systemroot%\system32\drivers\
%systemroot%\system32\drivers\
%systemroot%\system32\
%systemroot%\system32\
X:\
X:\
X: stands for any non-system drive letter.
%systemroot% is an environment variable; on a Windows XP system installed on drive C: it defaults to C:\WINDOWS. The analysis below assumes that layout.

Processes created:
%systemroot%\system32\
%systemroot%\system32\
%systemroot%\system32\drivers\

Uses the net stop command to stop any antivirus services that may be present,

and then calls
config [corresponding service] start=disabled
(the syntax of the sc service-control tool; the real command needs a space after the equals sign, start= disabled) to set those services to Disabled so they do not come back after a reboot.

Services stopped and disabled include:
srservice (System Restore)
sharedaccess (the built-in Windows Firewall / Internet Connection Sharing service; author's note)
KVWSC (Jiangmin)
KVSrvXP (Jiangmin)
kavsvc (Kaspersky)
RsRavMon (Rising)
RsCCenter (Rising)

Because Rising pops up a confirmation prompt when its service is stopped, the virus handles that too:
it calls FindWindowA to locate the window titled "Rising prompt",
FindWindowExA to find the "&Y" (Yes) button inside that window,
and SendMessageA to send that button a click message, which is equivalent to the user pressing it.


Terminates, or prevents from starting, the following processes (including but not limited to):










































KVSrvXp_1.exe


Creates a .reg file, imports it into the registry, then deletes the file. The imported content:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:b5
This changes which drive types are allowed to AutoRun (the change did not take effect in my virtual machine).

Modifies the registry to create startup entries (these are the items later visible in the SREng log):
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<mpnxyl><C:\WINDOWS\system32\> [N/A]
<gfosdg><C:\WINDOWS\system32\> [N/A]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
<shell>< C:\WINDOWS\system32\drivers\> [N/A]

To get past Rising's registry-monitoring prompt the same trick is used again:
FindWindowA locates the window titled "Rising Registry Monitoring Tips",
then mouse_event drives the mouse so that "allow modification" is selected automatically.

Accesses the registry key
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\advanced\folder\hidden\showall]
and its CheckedValue entry,
breaking the "Show hidden files and folders" option (this did not happen in my virtual machine; perhaps TINY or SSM blocked it by default).


Yet after all this work against the antivirus software the author apparently still did not feel safe, and finally played his "trump card":
under the registry key
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
it creates a subkey named after each security program,

and inside that subkey a value
"Debugger"="C:\\WINDOWS\\system32\\drivers\\"
Windows treats a Debugger value here as the debugger to launch whenever an image of that name is started, handing it the original command line; since the virus never starts the real program, double-clicking any of these tools simply runs the virus file instead.
For example:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\]
"Debugger"="C:\\WINDOWS\\system32\\drivers\\"

The entries and the programs hijacked this way can be seen clearly in the Autoruns log:
+  c:\windows\system32\drivers\
+  c:\windows\system32\drivers\
+  c:\windows\system32\drivers\
+  c:\windows\system32\drivers\
+  c:\windows\system32\drivers\
+  c:\windows\system32\drivers\
+  c:\windows\system32\drivers\
+  c:\windows\system32\drivers\
+  c:\windows\system32\drivers\
+  c:\windows\system32\drivers\
+  c:\windows\system32\drivers\
+  c:\windows\system32\drivers\
+  c:\windows\system32\drivers\
+  c:\windows\system32\drivers\
+  c:\windows\system32\drivers\
+  c:\windows\system32\drivers\
+  c:\windows\system32\drivers\
+  c:\windows\system32\drivers\
+  c:\windows\system32\drivers\
+  c:\windows\system32\drivers\
+  c:\windows\system32\drivers\
+  c:\windows\system32\drivers\
+  c:\windows\system32\drivers\
+  c:\windows\system32\drivers\
+  c:\windows\system32\drivers\
+  c:\windows\system32\drivers\
+  c:\windows\system32\drivers\
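To make the IFEO hijack and its cleanup concrete, here is an added example (my code, not the post author's and not the virus's) that parses a .reg export of the Image File Execution Options key, lists every image whose Debugger value is not a known debugger, groups the hijacked images by the file they redirect to, and emits the reg delete commands that undo the hijack. The sample export is constructed: IceSword.exe, regedit.exe and msconfig.exe stand for tools the post says were blocked, evil.exe is a hypothetical stand-in for the stripped virus file name, and the windbg and GlobalFlag entries are there to show that legitimate IFEO use is left alone.

```python
r"""Find IFEO "Debugger" hijacks in a .reg export (added example, not the post's code).

Input is the text that
  reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" ifeo.reg
produces (reg.exe writes UTF-16; decode it first). SAMPLE_REG below is constructed:
the image names are tools the post says were blocked, evil.exe is a hypothetical
stand-in for the stripped virus file name.
"""
import re

IFEO_ROOT = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT"
             r"\CurrentVersion\Image File Execution Options")

# Programs that legitimately appear in a Debugger value (basename without .exe).
KNOWN_DEBUGGERS = {"ntsd", "cdb", "windbg", "drwtsn32", "vsjitdebugger"}

SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IceSword.exe]
"Debugger"="C:\\WINDOWS\\system32\\drivers\\evil.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe]
"Debugger"="C:\\WINDOWS\\system32\\drivers\\evil.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe]
"Debugger"="C:\\WINDOWS\\system32\\drivers\\evil.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="\"C:\\Program Files\\Debugging Tools for Windows\\windbg.exe\" -g"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\svchost.exe]
"GlobalFlag"=dword:00000000
'''

_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')   # "name"=data

def _unescape(s):
    # .reg strings escape backslash and double quote with a backslash
    return re.sub(r'\\(.)', r'\1', s)

def parse_reg_export(text):
    """{key_path: {value_name: data}}; REG_SZ is unescaped, dword:/hex: kept as text."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] == ";" or line.startswith("Windows Registry Editor"):
            continue
        if line[0] == "[" and line[-1] == "]":
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:            # "@=" defaults and hex continuations are skipped
            name, data = _unescape(m.group(1)), m.group(2)
            if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
                data = _unescape(data[1:-1])
            keys[current][name] = data
    return keys

def debugger_exe(data):
    """Lower-case basename (without .exe) of the program a Debugger value launches."""
    data = data.strip()
    if data.startswith('"') and data.find('"', 1) > 0:
        exe = data[1:data.find('"', 1)]               # quoted path, may contain spaces
    else:
        i = data.lower().find(".exe")
        exe = data[:i + 4] if i >= 0 else data.split(" ")[0]
    exe = exe.rsplit("\\", 1)[-1].lower()
    return exe[:-4] if exe.endswith(".exe") else exe

def find_ifeo_hijacks(text):
    """[(image, debugger_data)] for IFEO image entries whose Debugger is not a known debugger."""
    prefix = IFEO_ROOT.lower() + "\\"
    hits = []
    for key, values in parse_reg_export(text).items():
        if not key.lower().startswith(prefix):
            continue
        image = key[len(prefix):]
        if "\\" in image:                           # nested keys are not image entries
            continue
        dbg = next((v for n, v in values.items() if n.lower() == "debugger"), None)
        if dbg is not None and debugger_exe(dbg) not in KNOWN_DEBUGGERS:
            hits.append((image, dbg))
    return hits

def by_debugger(hits):
    """Group hijacked images by the file they redirect to: the fan-in points at the dropper."""
    groups = {}
    for image, dbg in hits:
        groups.setdefault(dbg.lower(), []).append(image)
    return groups

def cleanup_commands(hits):
    """reg.exe commands that remove only the Debugger value, leaving other IFEO settings."""
    return ['reg delete "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion'
            '\\Image File Execution Options\\%s" /v Debugger /f' % image
            for image, _ in hits]

if __name__ == "__main__":
    hijacks = find_ifeo_hijacks(SAMPLE_REG)
    for target, images in by_debugger(hijacks).items():
        print("%d images redirected to %s: %s" % (len(images), target, ", ".join(images)))
    print("\n".join(cleanup_commands(hijacks)))
```

Autoruns shows the same data in its Image Hijacks view; the point of the script is the grouping: every hijacked image points at one and the same file, which identifies the dropper immediately, and the generated commands delete only the Debugger value so that unrelated IFEO settings (GlobalFlag, a genuine debugger on notepad.exe) survive.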

Deletes the Kaka Assistant DLL (I verified this; what happened in the virtual machine matches the program code).

To cut off the victim's way out, another nasty method is used:
it modifies the hosts file to block antivirus vendors' websites, and the Kaka community is "honoured" to be among those blocked.
This is what I later saw in SREng, and the program code contains matching entries:

127.0.0.1 
127.0.0.1 
127.0.0.1 
127.0.0.1 
127.0.0.1 
127.0.0.1 
127.0.0.1 
127.0.0.1 
127.0.0.1 
127.0.0.1 
127.0.0.1 
127.0.0.1 
127.0.0.1 
127.0.0.1 
127.0.0.1 
127.0.0.1 
127.0.0.1 
127.0.0.1 
127.0.0.1 
127.0.0.1 
127.0.0.1 
127.0.0.1 
127.0.0.1 
127.0.0.1 
127.0.0.1 
127.0.0.1 
127.0.0.1 
127.0.0.1 
127.0.0.1 
127.0.0.1 
127.0.0.1 
127.0.0.1 
127.0.0.1 
127.0.0.1 
127.0.0.1 
127.0.0.1 
127.0.0.1 

In addition:

Content:
@echo off
rem the name "date" shadows the built-in %date% variable with a fixed date
set date=2004-1-22
rem ping with a repeat count is the usual batch-file way to sleep for a few seconds
ping ** localhost > nul
rem set the system clock back; this needs the change-system-time privilege
date %date%
rem the batch file deletes itself
del %0

Changing the date? It did not happen in my virtual machine, however.

Content:
[AutoRun]
open=
shellexecute=
shell\Auto\command=

If you were hoping to tell from the drive's right-click menu, unfortunately there is nothing unusual to see there at all. Whether you double-click the drive or open it from the right-click menu, the virus is activated!
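The autorun.inf keys above, as an added example (my code, not from the post): a lenient parser that reports every entry capable of launching a program, including shell\verb\command entries and whether that verb is the default double-click action set by shell=. The sample file is constructed; evil.exe is a hypothetical name standing in for the stripped file name, and the parser tolerates the mixed case and whitespace padding that autorun.inf worms commonly use to defeat naive string matching.

```python
r"""Report what an autorun.inf launches (added example, not the post's code).

The post shows only the keys; the file names were stripped, so SAMPLE_AUTORUN_INF
is constructed and evil.exe is a hypothetical stand-in for the dropped file.
"""
import re

SAMPLE_AUTORUN_INF = """[AutoRun]
open=evil.exe
shellexecute=evil.exe
shell\\Auto\\command=evil.exe
icon=%SystemRoot%\\system32\\SHELL32.dll,4
"""

# shell\<verb>\command adds a context-menu verb (the post's shell\Auto\command);
# shell=<verb> makes that verb the default action on double-click.
_VERB_COMMAND = re.compile(r"^shell\\([^\\]+)\\command$", re.I)

def parse_autorun_inf(text):
    """key -> value for the [autorun] section only; keys lower-cased, padding stripped."""
    entries, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line[0] == "[" and line[-1] == "]":
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries

def launch_actions(text):
    """[(trigger, command, on_open)]: every entry that can run a program.

    on_open is True when the entry fires without the user picking a menu item:
    open= and shellexecute= are run by AutoRun itself, a verb command only when
    shell= names it as the default verb.
    """
    entries = parse_autorun_inf(text)
    default_verb = entries.get("shell", "").lower()
    actions = []
    for key in ("open", "shellexecute"):
        if key in entries:
            actions.append((key, entries[key], True))
    for key, value in entries.items():
        m = _VERB_COMMAND.match(key)
        if m:
            actions.append((key, value, m.group(1).lower() == default_verb))
    return actions

if __name__ == "__main__":
    for trigger, command, on_open in launch_actions(SAMPLE_AUTORUN_INF):
        print("%-22s -> %-12s %s" % (trigger, command, "(runs on open)" if on_open else ""))
```

Run over a suspect drive's autorun.inf before touching the drive: three entries all pointing at one file, as in this sample, is the signature of the page's infection, and the icon= line shows why the drive can look entirely normal in Explorer.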

TINY also logged that the virus stops the System Restore service and then starts it again, which may cause restore points to be lost.

That concludes the behavioural analysis of this very nasty virus. The removal method follows (members who got dizzy reading the above can skip straight to it).


The removal method boils down to one phrase: "survive in the cracks".
Some tools are banned, but the ban matches the file name only (the IFEO subkey is named after the executable): rename the file and it still runs.
Others are not on the banned list at all.
The remaining banned programs are then freed step by step.

Specific process:

End process:
%systemroot%\system32\
%systemroot%\system32\
%systemroot%\system32\drivers\
This virus was not found to disable Task Manager; other tools such as Process Explorer (procexp) work as well.

Use Autoruns to delete the following items (Autoruns is recommended because it is not banned and everything is visible at a glance; first select Options - Hide Microsoft Entries):
+  c:\windows\system32\drivers\
+  c:\windows\system32\drivers\
+  c:\windows\system32\drivers\
+  c:\windows\system32\drivers\
+  c:\windows\system32\drivers\
+  c:\windows\system32\drivers\
+  c:\windows\system32\drivers\
+  c:\windows\system32\drivers\
+  c:\windows\system32\drivers\
+  c:\windows\system32\drivers\
+  c:\windows\system32\drivers\
+  c:\windows\system32\drivers\
+  c:\windows\system32\drivers\
+  c:\windows\system32\drivers\
+  c:\windows\system32\drivers\
+  c:\windows\system32\drivers\
+  c:\windows\system32\drivers\
+  c:\windows\system32\drivers\
+  c:\windows\system32\drivers\
+  c:\windows\system32\drivers\
+  c:\windows\system32\drivers\
+  c:\windows\system32\drivers\
+  c:\windows\system32\drivers\
+  c:\windows\system32\drivers\
+  c:\windows\system32\drivers\
+  c:\windows\system32\drivers\
+  c:\windows\system32\drivers\

After that, programs including IceSword, SREng, the Registry Editor and the System Configuration Utility (msconfig) are no longer blocked.

Delete or modify the startup items:
Taking SREng as an example,
under "Start Project" - "Register" delete:
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<mpnxyl><C:\WINDOWS\system32\> [N/A]
<gfosdg><C:\WINDOWS\system32\> [N/A]

Double-click the following item and delete the content shown below from "Value":
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
<shell>< C:\WINDOWS\system32\drivers\> [N/A]

Delete the files:
Since even right-clicking a non-system drive is dangerous (it triggers the autorun.inf), use another method; IceSword or WinRAR are recommended.
Delete:
%systemroot%\system32\
%systemroot%\system32\
%systemroot%\system32\
%systemroot%\system32\drivers\
%systemroot%\system32\drivers\
%systemroot%\system32\
%systemroot%\system32\
X:\
X:\

System repair and cleaning:

In the registry, expand
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
It is recommended to delete the tampered CheckedValue entry and create a fresh, normal one:
"CheckedValue"=dword:00000001
(Check the entry's type as well as its data: if it has been replaced by a string value, Explorer does not honour it and editing the data alone will not bring the "Show hidden files" option back, which is why delete-and-recreate is the safer fix.)

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
Whether to change the NoDriveTypeAutoRun value, and to what, depends on your needs; the usual default is 91 (hexadecimal).
For the meaning of this value, search online; it is not elaborated here.
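Since the value comes up twice on this page (the dword:b5 the virus imports, and the 91 default mentioned here), the bits are decoded below as an added example; this is my code, not part of the original post. The bit assignments follow the Win32 drive-type numbering (a set bit disables AutoRun for that drive type); DEFAULT_XP, VIRUS_VALUE and DISABLE_ALL are names I chose for the three values discussed.

```python
"""Decode the NoDriveTypeAutoRun bitmask (added example, not the post's code).

Bit numbering follows the Win32 GetDriveType() constants: bit (1 << drive_type)
set means AutoRun is *disabled* for that drive type. 0x80 is the reserved slot
Windows sets by default.
"""

DRIVE_TYPE_BITS = (
    (0x01, "DRIVE_UNKNOWN"),
    (0x02, "DRIVE_NO_ROOT_DIR"),
    (0x04, "DRIVE_REMOVABLE"),   # USB sticks, floppies
    (0x08, "DRIVE_FIXED"),       # hard-disk partitions, i.e. the X:\ drives above
    (0x10, "DRIVE_REMOTE"),      # network shares
    (0x20, "DRIVE_CDROM"),
    (0x40, "DRIVE_RAMDISK"),
    (0x80, "RESERVED"),
)

DEFAULT_XP = 0x91    # the default the post quotes
VIRUS_VALUE = 0xB5   # the value the virus imports
DISABLE_ALL = 0xFF   # AutoRun off for every drive type

def parse_reg_dword(data):
    """Parse the data field of a .reg line, e.g. 'dword:b5' or 'dword:000000b5'."""
    prefix, _, hexval = data.strip().lower().partition(":")
    if prefix != "dword" or not hexval:
        raise ValueError("not a dword value: %r" % data)
    return int(hexval, 16)

def decode(mask):
    """drive type -> True when AutoRun is disabled for it."""
    if not 0 <= mask <= 0xFF:
        raise ValueError("NoDriveTypeAutoRun is an 8-bit mask")
    return {name: bool(mask & bit) for bit, name in DRIVE_TYPE_BITS}

def autorun_enabled_types(mask):
    """Drive types that still AutoRun under this mask, i.e. where an autorun.inf fires."""
    return [name for name, disabled in decode(mask).items() if not disabled]

def changed_types(old, new):
    """Drive types whose state differs between two masks: name -> disabled under new."""
    before, after = decode(old), decode(new)
    return {name: after[name] for name in after if after[name] != before[name]}

if __name__ == "__main__":
    mask = parse_reg_dword("dword:b5")
    print("0x%02x still AutoRuns: %s" % (mask, autorun_enabled_types(mask)))
    print("vs default 0x%02x: %s" % (DEFAULT_XP, changed_types(DEFAULT_XP, mask)))
    print("0x%02x still AutoRuns: %s" % (DISABLE_ALL, autorun_enabled_types(DISABLE_ALL)))
```

Decoded, the virus's b5 turns AutoRun off for removable drives and CD-ROMs but leaves it on for fixed disks, which is where the X:\ files listed above are dropped; ff is the value to set if you want AutoRun off for every drive type.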

Cleaning the HOSTS file
Open %systemroot%\system32\drivers\etc\hosts in Notepad and remove the lines added by the virus.
Alternatively, in SREng click "Reset" under "System Repair" - "HOSTS File", then click "Save".
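For the hosts cleanup, an added example (my code, not the post's): the rule it applies is that any line pointing a name other than localhost at a loopback or null address is a sinkhole entry of the kind the virus writes, while comments and ordinary mappings are kept. The sample hosts file is constructed, and the vendor names are placeholders because the post's entries have their host names stripped.

```python
"""Separate virus-added sinkhole entries from a Windows hosts file (added example, not the post's code).

SAMPLE_HOSTS is constructed; the *.example names are placeholders for the
antivirus sites the post's hosts listing pointed at 127.0.0.1.
"""
import ipaddress

SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
10.0.0.5        intranet.corp.example    # constructed: a legitimate mapping to keep
127.0.0.1 av-vendor-a.example
127.0.0.1 update.av-vendor-b.example
0.0.0.0 forum.kaka-community.example
"""

LOCAL_NAMES = {"localhost", "localhost.localdomain"}

def is_sinkhole_address(addr):
    """True for addresses used to black-hole a name: loopback (127/8, ::1) or 0.0.0.0."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_unspecified

def split_hosts(text):
    """(kept_lines, removed) where removed is [(line, [names])] for sinkhole entries."""
    kept, removed = [], []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()          # drop inline comments
        if len(fields) >= 2 and is_sinkhole_address(fields[0]):
            names = [n for n in fields[1:] if n.lower() not in LOCAL_NAMES]
            if names:
                removed.append((line, names))
                continue
        kept.append(line)
    return kept, removed

def clean_hosts(text):
    """The hosts file with the sinkhole lines removed, ready to write back."""
    kept, _ = split_hosts(text)
    return "\n".join(kept) + "\n"

if __name__ == "__main__":
    kept, removed = split_hosts(SAMPLE_HOSTS)
    for line, names in removed:
        print("removed:", line.strip(), "->", ", ".join(names))
    print(clean_hosts(SAMPLE_HOSTS))
```

Review the removed list before writing the result back: a deliberately installed ad-blocking hosts list uses exactly the same form and would be stripped by this rule too.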

Finally, repair the damaged antivirus software.

Summary:
It took a full five hours from getting the sample to finishing the removal method. The write-up is this detailed because the virus is quite typical, especially in the several ways it deals with security software. The unchanged right-click menu is another relatively "hidden" feature that makes cleanup harder. To deal with this virus one has to use methods and tools flexibly, on the principle of "know yourself and know your enemy".