- Emergency response context
- Sample Analysis
  - Turn on monitoring
  - Virus infection
  - View Monitor
- Analyzing Virus Behavior
  - 1. File analysis
  - 2. Abnormal connections
  - 3. Process troubleshooting
  - 4. Startup item troubleshooting
- Check and kill
  - 1. Delete the files first
  - 2. Use XueTr to kill the process
  - 3. Startup item removal
- Restart troubleshooting
- Normal Flow of Intrusion Detection
Emergency response context
The operations staff had shared a software installer with company employees through a Windows shared folder and forgot to close the share afterwards. Anyone could then delete or replace files in the shared folder, and someone used that to bundle a virus into some of the files, so employees who downloaded and installed them were infected.
The symptom is shown below: right-clicking the disk drive shows an "Auto" entry in the context menu.
Searching online identified it as the "auto" virus. Its first characteristic is a file placed in the root of the drive (the analysis below finds this file); every time the drive is double-clicked, the program specified in that file is run again, which means the machine is re-infected each time.
Sample Analysis
After getting the sample from the shared folder, first drop it into a VM and monitor its behaviour to see exactly what it tampers with.
Monitoring tool used: D Shield
Download address:
/s/13hCSYpV5Mn_1JMzy4nSkSQ?pwd=kott
Turn on monitoring
D Shield can turn on file monitoring, which mainly shows what the virus has done, with the focus on which files were created.
With that, monitoring is ready.
Virus infection
Drop the virus sample into the virtual machine, and remember to set the VM's network adapter to host-only mode so that the virus cannot also infect the physical machine.
View Monitor
On double-clicking the sample, it is obvious that two strange files have been created.
Clue Card:
1. :\\
2. :\\system32\
Analyzing Virus Behavior
1. File analysis
First check the file: right-click the disk drive and choose Open. Here you can also see that it has indeed been infected with the virus.
When I did not see the file on the C: drive, I knew it must have been hidden; it is only visible in the tool.
Since this experiment runs on Windows Server 2003, XueTr can be used, so I will do both the analysis and the removal directly with XueTr. Open XueTr.
Tool download address:
/s/1ZT-80vNkQs6gWOuvLAxTcg?pwd=d55s
We choose to copy the file out.
To view the contents of the file, we need to know its role: it allows a specified file to be run automatically when the disk drive is double-clicked. That means double-clicking the drive infects the machine with the virus again, and you can see that the file it points to is in the
C:\Windows\System32
folder, which confirms that what D Shield monitored is indeed correct.
However, the file name here is not the one D Shield recorded, for reasons unknown; it still takes precedence, since it is the file the virus actually references.
Updated Clue Card ↓
Clue Card:
1. :\\
2. :\\system32\
2. Abnormal connections
No abnormal external connections were found.
3. Process troubleshooting
Open the process view: there is an upper-case DLLHOST process, which has been confirmed to be the virus. We cannot vouch for the lower-case dllhost process being normal, but searching online shows this file ships with the system, so focus on the upper-case process first.
Check the services corresponding to the process: no abnormal service was found, and only one process is running:
tasklist /svc | findstr "4036"
Next, load the tool to analyze it.
A look at the process modules confirms that it is indeed a virus, with only one abnormal process module.
After that I also checked the other dllhost process and found no anomalies either.
Next, follow up on the process's file, i.e. the file path corresponding to the process. I forgot to take a screenshot here; it shows:
Clue Card:
1. :\\
2. :\\system32\
4. Startup item troubleshooting
Open the startup items in XueTr to see the startup items created by the virus.
Open the registry and look at it; again, I find that the virus has written to the registry:
Clue Card:
1. :\\
2. :\\system32\
3. Startup items
4. Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows
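The three analysis steps above (hidden file in the drive root, the suspect dllhost process, the startup registry key) can be repeated from a script. The following is an added example, not code from the original post: it assumes PowerShell 2.0 or later on the infected host, and the value names Load and Run are the usual contents of the registry key the page found written to, not values taken from the page.

```powershell
# Added triage script, not from the original post. Assumes PowerShell 2.0+ on the infected
# host. It mirrors analysis steps 1, 3 and 4; the value names Load/Run are the usual
# contents of the registry key the page found written to, not values taken from the page.
function Get-Sha256([string]$Path) {
    $fs = [System.IO.File]::OpenRead($Path)
    try { ([System.Security.Cryptography.SHA256]::Create().ComputeHash($fs) |
           ForEach-Object { $_.ToString('x2') }) -join '' }
    finally { $fs.Close() }
}

# Step 1: hidden/system files in the root of each fixed drive (the double-click vector).
function Get-HiddenRootFiles {
    Get-WmiObject Win32_LogicalDisk -Filter 'DriveType=3' | ForEach-Object {
        Get-ChildItem -Path ($_.DeviceID + '\') -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.Attributes -match 'Hidden|System' } |
            Select-Object FullName, Attributes, LastWriteTime
    }
}

# Step 3: every running dllhost.exe with its path and hash; a copy outside the canonical
# System32 location, or one whose hash differs from the canonical file, is the suspect.
function Get-DllhostProcesses {
    $canon = Join-Path $env:SystemRoot 'System32\dllhost.exe'
    Get-WmiObject Win32_Process | Where-Object { $_.Name -ieq 'dllhost.exe' } | ForEach-Object {
        $p = $_.ExecutablePath
        New-Object PSObject -Property @{
            ProcessId = $_.ProcessId; Path = $p
            Canonical = ($p -ieq $canon)
            SHA256    = $(if ($p) { Get-Sha256 $p } else { '' })
        }
    }
}

# Step 4: logon persistence. Lists the Load/Run values under the Windows NT\CurrentVersion\Windows
# key the page found modified, plus the classic Run keys.
function Get-StartupValues {
    $keys = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows',
            'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    foreach ($k in $keys) {
        if (-not (Test-Path $k)) { continue }
        (Get-ItemProperty $k).PSObject.Properties |
            Where-Object { $_.Name -notmatch '^PS' } |
            ForEach-Object { '{0}\{1} = {2}' -f $k, $_.Name, $_.Value }
    }
}
Get-HiddenRootFiles | Format-Table -AutoSize
Get-DllhostProcesses | Format-List
Get-StartupValues
```

Compare the SHA256 of each dllhost.exe against the canonical System32 copy rather than trusting file names, since a name in a different case is exactly what the page's DLLHOST shows.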
Check and kill
Analysis is done. Now we start the removal based on the clues gathered.
Clue Card:
1. :\\
2. :\\system32\
3. Startup items
4. Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows
1. Delete the files first
When opening the disk drive, remember to right-click and choose Open; do not double-click it directly, otherwise it will be infected all over again!
No files were found: as stated in the analysis above, the files are hidden and can only be deleted with the XueTr utility.
For virus-related files it is best to tick "Delete Files and Block Regeneration", then right-click again to force deletion.
2. Use xuetr to kill the process
Here I noticed that it deleted the file in my dllhost folder, that is, the virus source I had copied in, but it did not delete the file under the System32 folder. A quick analysis shows this is a cover-up: after a reboot the file in System32 is found again, because the process is re-run at reboot; the DLLHOST startup item corresponds to the program file in the System32 folder.
So we go to c:\\system32\
However, the file corresponding to this process is also hidden, so a specialized tool should be used to remove it.
3. Startup item removal
First locate the registry entry.
Because I do not know whether the "load" entry is something the system ships with, it is best to delete only the value.
Then I went back to the startup items and saw that they were gone; if DLLHOST were still there, it would have to be removed as well.
Restart troubleshooting
Now opening the disk drive no longer shows "Auto", and you can double-click the drive normally to enter it.
Normal Flow of Intrusion Detection
The first step is to re-examine the behaviour the virus showed earlier:
- Processes: no anomalies (no DLLHOST)
- c:\\Windows\System\ does not exist
- Startup items: normal (registry normal)
Then check the remaining intrusion traces:
- Abnormal connections (netstat -ano)
- Account troubleshooting (net user): I looked directly with D Shield; here you can also check the registry for hidden accounts
- Service troubleshooting
- Scheduled tasks
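The four remaining checks in the list above can be run together after cleanup. This is an added example, not code from the original post: it assumes PowerShell 2.0 or later, administrator rights and an English locale, and it uses a WMI-versus-`net user` comparison for hidden accounts where the page points at D Shield and the registry.

```powershell
# Added post-cleanup verification script, not from the original post. Assumes PowerShell
# 2.0+, administrator rights, and an English locale (schtasks column headers are localized).
# The WMI-vs-`net user` comparison is this script's way of spotting hidden accounts; the
# page itself points at D Shield and the registry for that check.

# Abnormal connections: netstat -ano, joined to the executable behind each PID.
function Get-EstablishedConnections {
    $img = @{}
    Get-WmiObject Win32_Process | ForEach-Object { $img[[int]$_.ProcessId] = $_.ExecutablePath }
    netstat -ano | Select-String '^\s*TCP\s' | ForEach-Object {
        $f = $_.Line.Trim() -split '\s+'
        if ($f[3] -eq 'ESTABLISHED') {
            New-Object PSObject -Property @{ Remote = $f[2]; ProcessId = $f[4]; Image = $img[[int]$f[4]] }
        }
    }
}

# Account check: `net user` omits names ending in '$', so diff it against the full WMI list.
function Get-HiddenLocalAccounts {
    $visible = (net user) -join ' '
    Get-WmiObject Win32_UserAccount -Filter 'LocalAccount=True' |
        Where-Object { $visible -notmatch ('(^|\s)' + [regex]::Escape($_.Name) + '(\s|$)') } |
        Select-Object Name, Disabled, SID
}

# Services whose binary lives outside the Windows directory.
function Get-SuspiciousServices {
    Get-WmiObject Win32_Service |
        Where-Object { $_.PathName -and $_.PathName -notmatch [regex]::Escape($env:SystemRoot) } |
        Select-Object Name, State, StartMode, PathName
}

# Scheduled tasks: what runs, as whom, and when.
function Get-ScheduledTaskSummary {
    schtasks /query /fo csv /v | ConvertFrom-Csv |
        Select-Object TaskName, 'Task To Run', 'Run As User', 'Next Run Time'
}

Get-EstablishedConnections | Format-Table -AutoSize
Get-HiddenLocalAccounts
Get-SuspiciousServices | Format-List
Get-ScheduledTaskSummary | Format-Table -AutoSize
```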
Emergency response complete. This is a small write-up on handling the auto virus, which has been around a long time and spreads mainly through USB drives: someone plugs in a USB drive and double-clicks to open it, and is infected at that moment. So this experiment serves as a warning: it is usually safer to open a USB drive by right-clicking and choosing Open.