SoFunction
Updated on 2025-04-08

* downloaders keep coming, and the AUTO virus group makes a comeback (the special removal tool will be upgraded to version 1.4 on April 15)

The following is an analysis report on the latest variant of the AUTO virus, which has been extremely rampant over the past two days:

I. Behavior overview
The EXE is a virus downloader that:
1) Derives its service name and its EXE and DLL file names from the volume serial number of the C: drive.
2) Drops the AUTO virus files and a copy of itself in the root of every drive and sets the system and hidden attributes on them.
3) Places a copy of itself ("random name.exe") and the dropped "random name.dll" under system32, disguised as system files with the hidden attribute.
4) Modifies system registry keys and removes the "show hidden files" option, so that users cannot see the hidden virus files.
5) Modifies the registry to register itself as a service that starts with the computer.
6) Searches the registry startup key for a value containing the string "360" and deletes it, then uses ntsd to terminate the program; searches for a window whose title contains "Kingsoft Antivirus" and closes it with simulated user input; checks whether Kaspersky's files are among the running processes and changes the system time to disable Kaspersky.
7) Downloads other viruses according to a file list fetched from a website.
8) Deletes registry entries left behind by earlier versions of the virus.
9) Injects "random name.dll" remotely into every process in the system.

II. Execution process
1. Derives the 8-character random service name and EXE/DLL file names from the C: volume serial number. (Remember AV Terminator? It also began as an EXE with a random 8-character file name.)
2. Checks its current file name and, if it was run through a call to ShellExecuteA, opens the drive.
3. Fights antivirus software:
Searches the registry startup key for a value containing "360"; if one is found it is deleted so that 360 no longer starts automatically, and the running 360 program is then terminated.
Checks whether a Kaspersky process is running. If so, it changes the system time, which disables Kaspersky because its activation and updates depend on the system time.
The virus also tries to close Kingsoft Antivirus: it searches for the "KAVStart" monitor prompt window and sends it a CLOSE message with PostMessageA, then searches for the "Kingsoft Antivirus" window with SendMessageA, sends it a close message, and simulates user mouse clicks to close it. In testing, however, none of these methods succeeded in closing it.

4. Compares its current execution path with the random-name path under SYSTEM32; if they differ, it copies itself to SYSTEM32.

5. Injects the DLL into system processes; the DLL is dropped, run, and then deleted.

6. The virus file either injects or loops waiting, using the host process's address space to run itself and stay hidden.

7. Searches the startup items for a string containing "360" and deletes it, raises its privileges with SeDebugPrivilege and uses ntsd to terminate the program, then searches for a window whose title contains "Kingsoft Antivirus" and closes it with simulated user input.

8. Tampers with the registry data that controls folder display settings and removes the option to show hidden system files.

9. Searches for and deletes registry entries left by the old version, to make upgrading easier.

10. Downloads a virus list from the address ***id*/soft/ specified by the virus author, then downloads the other viruses named in the list one at a time: each is deleted after it runs, and the next one is downloaded.

Among the files it downloads are the *'s own upgrade files and the online voice-chat software of an internationally known brand, plus 17 account-stealing *s targeting different well-known online games. Some of these *s also have download capabilities; if they get onto a computer, the damage will be far greater and hard to estimate.

11. Besides stealing accounts on the local machine, the virus drops its AUTO virus files on every disk partition. As soon as the user double-clicks the infected disk, the virus runs immediately and searches every disk, including removable storage such as USB drives; any disk that is not yet infected is infected on the spot, widening the scope of infection.
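The behaviors listed in sections I and II translate into a small set of host indicators that a responder can check before the removal step: hidden+system files in drive roots, 8-character random .exe/.dll pairs in system32 carrying the same attributes, a service pointing at one of those files, and the disabled "show hidden files" option. The Python script below is an added example, not code from the original report or from any vendor tool. It runs the checks over an inventory snapshot so it works offline; the sample inventory, the file name ab12cd34 and the service name are constructed, the registry path for the "show hidden files" option and the Win32 attribute bits are real Windows values, and treating autorun.inf as the file the report calls the "AUTO virus" is an assumption.

```python
"""Host-indicator checks for the AUTO-group downloader described above.

Added example: not code from the original report or from any vendor tool.
The checks run over an inventory snapshot (files with Win32 attribute bits,
registry values, service image paths) so they can be executed offline; on a
live Windows host the same records would come from a directory walk, winreg
and the Services key.
"""
import re
from dataclasses import dataclass

# Documented Win32 file attribute bits.
FILE_ATTRIBUTE_HIDDEN = 0x02
FILE_ATTRIBUTE_SYSTEM = 0x04
FILE_ATTRIBUTE_ARCHIVE = 0x20
HIDDEN_SYSTEM = FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM

# Real registry location backing Explorer's "Show hidden files and folders"
# radio button; CheckedValue must be a DWORD 1 for the option to work.
SHOWALL_KEY = (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion"
               r"\Explorer\Advanced\Folder\Hidden\SHOWALL")
CHECKED_VALUE = SHOWALL_KEY + r"\CheckedValue"

# Behaviour 1/3: eight-character alphanumeric .exe/.dll names under system32.
RANDOM_NAME = re.compile(r"^[A-Za-z0-9]{8}\.(?:exe|dll)$", re.IGNORECASE)
# First drive-letter path inside a service ImagePath (quotes and args allowed).
IMAGE_PATH = re.compile(r'[A-Za-z]:\\[^"]+?\.(?:exe|dll)', re.IGNORECASE)


@dataclass
class FileRecord:
    path: str        # Windows-style full path
    attributes: int  # Win32 attribute bitmask


@dataclass
class Inventory:
    files: list      # [FileRecord]
    registry: dict   # "key\\valuename" -> data
    services: dict   # service name -> ImagePath string


def hidden_and_system(rec):
    return (rec.attributes & HIDDEN_SYSTEM) == HIDDEN_SYSTEM


def autorun_roots(inv):
    """Behaviour 2/11: drive roots holding a hidden+system autorun.inf
    (assumed to be what the report calls the AUTO virus file)."""
    roots = []
    for rec in inv.files:
        drive, sep, rest = rec.path.partition("\\")
        if sep and rest.lower() == "autorun.inf" and hidden_and_system(rec):
            roots.append(drive + "\\")
    return sorted(roots)


def random_named_system32_files(inv):
    """Behaviour 3: 8-character random .exe/.dll in system32 with the
    hidden+system bits. The attribute test is what keeps legitimate
    8-character names such as services.exe out of the result."""
    hits = []
    for rec in inv.files:
        folder, _, name = rec.path.rpartition("\\")
        if (folder.lower().endswith("\\system32")
                and RANDOM_NAME.match(name) and hidden_and_system(rec)):
            hits.append(rec.path)
    return sorted(hits)


def hidden_files_option_tampered(inv):
    """Behaviour 4: the 'show hidden files' option deleted or forced off."""
    return inv.registry.get(CHECKED_VALUE) != 1


def suspicious_services(inv):
    """Behaviour 5: services whose image is one of the flagged system32 files."""
    flagged = {p.lower() for p in random_named_system32_files(inv)}
    hits = []
    for name, image in inv.services.items():
        m = IMAGE_PATH.search(image)
        if m and m.group(0).lower() in flagged:
            hits.append(name)
    return sorted(hits)


def report(inv):
    return {
        "autorun_roots": autorun_roots(inv),
        "random_system32_files": random_named_system32_files(inv),
        "hidden_files_option_tampered": hidden_files_option_tampered(inv),
        "suspicious_services": suspicious_services(inv),
    }


def sample_inventory():
    """Constructed snapshot of an infected host; ab12cd34 is a placeholder."""
    hs = HIDDEN_SYSTEM | FILE_ATTRIBUTE_ARCHIVE
    return Inventory(
        files=[
            FileRecord(r"C:\autorun.inf", hs),
            FileRecord(r"E:\autorun.inf", hs),
            FileRecord(r"D:\notes.txt", FILE_ATTRIBUTE_ARCHIVE),
            FileRecord(r"C:\Windows\system32\ab12cd34.exe", hs),
            FileRecord(r"C:\Windows\system32\ab12cd34.dll", hs),
            FileRecord(r"C:\Windows\system32\services.exe", FILE_ATTRIBUTE_ARCHIVE),
        ],
        registry={CHECKED_VALUE: 0},   # option forced off
        services={
            "ab12cd34": r'"C:\Windows\system32\ab12cd34.exe"',
            "Spooler": r"C:\Windows\System32\spoolsv.exe",
        },
    )


if __name__ == "__main__":
    for key, value in report(sample_inventory()).items():
        print(f"{key}: {value}")
```

The service check deliberately cross-references the flagged file list rather than matching the service name on its own, because an 8-character name by itself (services.exe, kernel32.dll) is common; it is the combination of the random name, the hidden+system attributes and a service ImagePath that distinguishes this family. A missing CheckedValue is reported as tampering too, since the report says the option is deleted, not only switched off.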

III. Removal method
Because the virus DLL is injected remotely into every process, including system processes, it cannot be fully removed by straightforward deletion. The DLL must be deleted and the service removed at the same time, and the service must be deleted again afterwards. Because the virus takes a considerable amount of time to start, the DLL is not dropped and injected immediately at boot, and that window is the best time to remove it.

Users are advised to use Kingsoft Cleanup Expert to add these DLLs and EXEs with random 8-character names to the File Shredder's deletion list and delete them all at once; after rebooting, repair the remaining registry entries.

IV. AUTO virus removal tool

Download address: /?aid=16127097
Functions of the Auto * group removal tool 1.4:

Quote:

1. Handling of image hijacking
2. Handling of the msosXXX virus that grays out the antivirus monitor
3. Handling of the Auto * group downloaders
4. Handling of Appinit_Dlls
5. Handling of execution hooks

The Auto * group removal tool cannot replace the "Disk/Robot Dog/AV Terminator removal tool". If your antivirus has been shut down, first use the "Disk/Robot Dog/AV Terminator removal tool".

This removal tool can also remove the Robot Dog/AV Terminator/8749 viruses, fix "image hijacking", and repair safe mode. After checking with this tool, run a full scan with Kingsoft Antivirus.
Download address: /zhuansha/