- Virus Background
- Sample analysis
  - Turn on monitoring
  - Virus infection
- Analyzing Virus Behavior
  - C drive file monitoring
  - D drive file monitoring
  - Process check
  - Service check
  - Startup item check
- Check and kill
  - 1. Kill the process
  - 2. Anomalous services
  - 3. Image hijacking processing
  - 4. hosts file processing
  - 5. Disk file deletion
  - 6. Other anomaly checks
  - Restart check
Virus Background
Synopsis: , named [QQ Disguise Stealer], is a QQ number-stealing Trojan. It injects itself into the system processes of the victim's computer to run, and steals the account and password specified by the virus author together with other information about the account.
Reference link: /
Sample analysis
The sample name of the main virus program is ; double-click it and the infection starts.
Turn on monitoring
I used both of the tools below; D Shield is the better one for file monitoring.
1. MyMonitor
Tool link:
/s/1RKOR_LvfNX8QqEyJaDFq1Q?pwd=azwh
2. D Shield
Tool link:
/s/13hCSYpV5Mn_1JMzy4nSkSQ?pwd=kott
MyMonitor only needs to be opened; you then drag the program to be analysed into it so that the sample runs under its monitor. D Shield monitors folders and can watch the C or the D drive, but only one folder at a time, so here it mainly watches the C drive, and the D drive is covered by a second run at the end.
Virus infection
With D Shield's C-drive monitor switched on, drag the program file into MyMonitor.
Wait for the program to run and finish launching, then view MyMonitor's report; D Shield also shows exactly which files were touched.
Analyzing Virus Behavior
Because D Shield can only monitor one drive at a time, the monitoring is done in two passes. Since the work is done in a virtual machine with snapshots that can be restored, monitoring several times is no trouble. If you know a better file-monitoring tool, please leave a comment.
C drive file monitoring
MyMonitor
A quick look: I do not find its categorisation very good. You see the actions but cannot group them, and some behaviours are not captured at all, so the following uses D Shield to see what the virus actually does.
The most obvious thing is that four files are created (look only at the main ones for anomalies; files with a .log suffix are just logs and can be ignored).
Clue Card:
1. :\windows\system32\
2. :\windows\system32\
3. :\windows\system32\drivers\
4. :\windows\system32\drivers\
Further down a dll file is created; in between there are many repeated create operations. My reading is that the virus retries the creation many times in case an earlier attempt did not succeed; that is simply how it was written.
Clue Card:
1. :\windows\system32\
2. :\windows\system32\
3. :\windows\system32\drivers\
4. :\windows\system32\drivers\
5. :\windows\system32\
Further down there is an action that deletes the hosts file and then creates a new hosts file. Note this down; later we need to confirm what was done to hosts, which is usually replacing the IP address that certain domain names resolve to.
Clue Card:
1. :\windows\system32\
2. :\windows\system32\
3. :\windows\system32\drivers\
4. :\windows\system32\drivers\
5. :\windows\system32\
6. Modified c:\windows\system32\drivers\etc\hosts
The monitor also recorded that double-clicking the D drive creates ; the specific behaviours are:
Set the system time to 2004-1-22
, which can no longer be found because a delete operation follows it; the system time, however, has to be set back by hand.
Clue Card:
1. :\windows\system32\
2. :\windows\system32\
3. :\windows\system32\drivers\
4. :\windows\system32\drivers\
5. :\windows\system32\
6. Modified c:\windows\system32\drivers\etc\hosts
7. Set the system time to 2004-1-22; remember to set it back to the correct time
D drive file monitoring
Restore the virtual machine snapshot, switch D Shield to monitoring the D drive, and re-infect with the virus from the start. The monitoring results show at a glance:
1. Create d:\
2. Create d:\
Clue Card:
1. :\windows\system32\
2. :\windows\system32\
3. :\windows\system32\drivers\
4. :\windows\system32\drivers\
5. :\windows\system32\
6. Modified c:\windows\system32\drivers\etc\hosts
7. Set the system time to 2004-1-22; remember to set it back to the correct time
8. Create d:\
9. Create d:\
Throwing every exe and dll file into a sandbox to check is omitted here; only the result of the sandbox run is shown.
Process check
Open our old friend PChunter.
Tool link:
/s/1_OMmoe5aFGDu3--q0u94pw?pwd=w3rb
Locate the process , since we were infected by double-clicking this program. It turns out the virus creates the malicious program files
 and 
which run as processes.
Right-clicking the process and viewing its modules also reveals that it loads the module \
Clue Card:
1. :\windows\system32\
2. :\windows\system32\
3. :\windows\system32\drivers\
4. :\windows\system32\drivers\
5. :\windows\system32\
6. Modified c:\windows\system32\drivers\etc\hosts
7. Set the system time to 2004-1-22; remember to set it back to the correct time
8. Create d:\
9. Create d:\
10. Three malicious processes: , , 
Service check
Checking which services correspond to the malicious processes found no matching services:
tasklist /svc | findstr "<PID>"
We should of course also check for other suspicious services, concentrating on those without a vendor signature; no other anomalies were found here.
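The two questions in this step, which services are hosted in a given PID and which service binaries carry no vendor signature, can be answered in one pass. The script below is an added example and is not code from the original post; it reads everything from the live machine, and the PID value is an assumption to be replaced with the one found in PChunter.

```powershell
# Added example, not code from the original post. Lists every service with
# the binary it runs, the PID hosting it and the binary's Authenticode status.
# Run in an elevated PowerShell; on Windows XP / PowerShell 2 replace
# Get-CimInstance with Get-WmiObject (same class, same property names).

function Get-ServiceBinaryPath {
    param([string]$PathName)
    if (-not $PathName) { return $null }
    # PathName is a command line: the exe may be quoted, may be followed by
    # arguments (svchost.exe -k netsvcs) and may use %SystemRoot%. Taking
    # everything up to the first ".exe" also copes with unquoted paths that
    # contain spaces.
    if ($PathName -match '^"?(.+?\.exe)') {
        return [Environment]::ExpandEnvironmentVariables($Matches[1])
    }
    return ($PathName -split '\s+')[0]
}

function Get-ServiceSignatureReport {
    Get-CimInstance Win32_Service | ForEach-Object {
        $exe = Get-ServiceBinaryPath $_.PathName
        $sig = $null
        if ($exe -and (Test-Path -LiteralPath $exe)) {
            $sig = Get-AuthenticodeSignature -LiteralPath $exe
        }
        [pscustomobject]@{
            Name      = $_.Name
            State     = $_.State
            ProcessId = $_.ProcessId
            Path      = $exe
            # Valid / NotSigned / HashMismatch ..., or FileMissing when the
            # ImagePath points at nothing (itself worth a look).
            Status    = if ($sig) { $sig.Status.ToString() } else { 'FileMissing' }
            Signer    = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        }
    }
}

$report = Get-ServiceSignatureReport

# 1) the "tasklist /svc | findstr <PID>" question: every service hosted in one PID
$SuspectPid = 1234   # assumed value; use the PID of the process found in PChunter
$report | Where-Object { $_.ProcessId -eq $SuspectPid } |
    Format-Table Name, Path, Status -AutoSize

# 2) the "services without a vendor signature" question
$report | Where-Object { $_.Status -ne 'Valid' } | Sort-Object Status |
    Format-Table Name, State, ProcessId, Path, Status, Signer -AutoSize
```

One caveat when reading the second list: older PowerShell versions do not consult the security catalog, so catalog-signed Microsoft binaries under system32 can show up there as NotSigned. On such systems treat NotSigned as "needs a look" (check the file in PChunter or with sigcheck), not as "malicious"; an unknown unsigned binary under system32\drivers with a running PID, as in this case, is the thing to chase.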
Startup item check
Concentrating on the startup entries that carry no vendor signature, I found three anomalies, and they correspond to the paths of the malicious files.
I was about to open the system registry to check the startup entries and delete the corresponding values when I found that it would not open.
Trying Win+R to launch it by command also fails; it does not open.
This is the point where you realise you have run into image hijacking.
Explanation: IFEO stands for Image File Execution Options (it really should be called image hijacking). Its intended purpose is to provide special environment settings for executables that might misbehave when run in the default system environment. A virus, however, can deliberately point the launch of commonly used programs at a non-existent file, or at a malicious program of its own choosing, which gives it repeated infections and so on. For example, launching the 360 antivirus program is redirected to c:\windows\system32\, which not only disables the antivirus but re-infects the machine every time it is started.
Fix: find the program file of the blocked program and rename it; it will then open, because IFEO matches on the image file name and a renamed copy is not matched. Here I used file search to find the registry editor's file, copied it out and renamed it, after which it opened.
The registry editor obviously could not be opened because it was blocked; simply renaming it lets it open.
Of course the registry can also be opened from inside PCHunter, which is unaffected here because PChunter itself is not blocked, but out of respect for the virus author (joke) it is better to walk into the trap a little.
Open the registry and find HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options.
Under it you find a subkey for every blocked application, each of them pointing at C:\WINDOWS\system32\drivers\.
For example, the program shown in the picture below is blocked; if it is installed on the machine, double-clicking it launches the malicious file instead and infects the machine again. (The hijack is quite clever, just far too noisy.)
Fix for image hijacking: rename the blocked program, then delete the blocked entries under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options.
During cleanup all the subkeys there can be removed, because they were not created by the system and were not created by the user. (Caveat: on a machine with debuggers or developer tools installed, a few legitimate Debugger values can exist, so check what each one points at before deleting it.)
Clue Card:
1. :\windows\system32\
2. :\windows\system32\
3. :\windows\system32\drivers\
4. :\windows\system32\drivers\
5. :\windows\system32\
6. Modified c:\windows\system32\drivers\etc\hosts
7. Set the system time to 2004-1-22; remember to set it back to the correct time
8. Create d:\
9. Create d:\
10. Three malicious processes: , , 
11. Startup items (the startup entries correspond to registry values)
12. Image hijacking: the subkeys under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options can be deleted
Check and kill
1. Kill the process
In PChunter, tick "delete file when ending process" and you can then end the process safely; this saves finding the files to delete by hand.
I forgot the process module; find the corresponding file and delete it. The file is hidden, so it still has to be located through PChunter: c:\windows\system32\
It is best to tick "block file regeneration after deletion" first, and then right-click the file again and force-delete it.
Clue Card:
1. :\windows\system32\ (deleted)
2. :\windows\system32\ (deleted)
3. :\windows\system32\drivers\
4. :\windows\system32\drivers\ (deleted)
5. :\windows\system32\ (deleted)
6. Modified c:\windows\system32\drivers\etc\hosts
7. Set the system time to 2004-1-22; remember to set it back to the correct time
8. Create d:\
9. Create d:\
10. Three malicious processes: , ,  (closed)
11. Startup items (the startup entries correspond to registry values)
12. Image hijacking: the subkeys under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options can be deleted
2. Anomalous services
Delete all three anomalous entries (the startup items found above; the service check itself turned up none). The Shell startup item has to be located in the registry before it can be removed.
At this point be sure not to open the system registry directly: open it through PChunter, or find the registry editor file yourself, rename it, and open the registry that way.
If the Shell startup item cannot be removed otherwise, locate it in the registry and delete it there.
Clue Card:
1. :\windows\system32\ (deleted)
2. :\windows\system32\ (deleted)
3. :\windows\system32\drivers\
4. :\windows\system32\drivers\ (deleted)
5. :\windows\system32\ (deleted)
6. Modified c:\windows\system32\drivers\etc\hosts
7. Set the system time to 2004-1-22; remember to set it back to the correct time
8. Create d:\
9. Create d:\
10. Three malicious processes: , ,  (closed)
11. Startup items (the startup entries correspond to registry values) (deleted)
12. Image hijacking: the subkeys under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options can be deleted
3. Image hijacking processing
The method was described above. Fix for image hijacking: rename the blocked program, then delete the blocked entries under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options.
During cleanup all the subkeys there can be removed, because they were not created by the system and were not created by the user.
PChunter can do the same and can also delete in batch, which is more convenient than deleting one by one in the registry editor; it also offers deleting the corresponding program file, i.e. removing the registry entry and the program file together.
After that, Win+R followed by the registry editor opens normally.
To repeat how image hijacking works: under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options the virus adds a subkey named after the target program. When that program is opened, the system first consults this registry entry for the path to run, and here that path is the malicious program file, so every further click infects the machine again.
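The mechanism described here and in the startup item check above is the Debugger value under each IFEO subkey: Windows starts whatever that value names and hands it the real program as an argument. The script below is an added example, not code from the original post or from PChunter; it lists every Debugger value with where it points, and removes only those that point under system32\drivers, the location the post found for the trojan's redirect target (that prefix is an assumption; the trojan's file name is not reproduced here). Nothing is deleted without -Remove.

```powershell
# Added example, not code from the original post. Enumerates IFEO subkeys that
# carry a Debugger value, shows the launched file and whether it exists and is
# signed, then removes hijacks whose Debugger lives under system32\drivers.
# Run elevated.

$IfeoRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
    # 32-bit view on 64-bit Windows; absent (and skipped) on 32-bit XP
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
)

function Get-IfeoDebugger {
    foreach ($root in $IfeoRoots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        foreach ($sub in Get-ChildItem -LiteralPath $root) {
            # Subkeys exist for legitimate reasons too (GlobalFlag, app-compat);
            # only a Debugger value redirects execution, so that is what we read.
            $dbg = (Get-ItemProperty -LiteralPath $sub.PSPath -Name Debugger `
                        -ErrorAction SilentlyContinue).Debugger
            if (-not $dbg) { continue }
            # Debugger is a command line; the first token is what really runs.
            $exe = if ($dbg -match '^"([^"]+)"') { $Matches[1] } else { ($dbg -split '\s+')[0] }
            $exe = [Environment]::ExpandEnvironmentVariables($exe)
            $exists = Test-Path -LiteralPath $exe
            [pscustomobject]@{
                Image    = $sub.PSChildName   # the program being hijacked
                Debugger = $dbg               # what actually gets launched
                Exists   = $exists
                Signed   = if ($exists) { (Get-AuthenticodeSignature -LiteralPath $exe).Status.ToString() } else { 'n/a' }
                KeyPath  = $sub.PSPath
            }
        }
    }
}

function Remove-IfeoHijack {
    param(
        # Prefix that marks a Debugger as malicious (assumed from the post's
        # finding); no real debugger lives under drivers\.
        [string]$MaliciousPrefix = (Join-Path $env:SystemRoot 'system32\drivers\'),
        [switch]$Remove
    )
    Get-IfeoDebugger | Where-Object { $_.Debugger -like "*$MaliciousPrefix*" } | ForEach-Object {
        if ($Remove) {
            Remove-Item -LiteralPath $_.KeyPath -Recurse -Force
            "removed hijack of $($_.Image) -> $($_.Debugger)"
        } else {
            "would remove hijack of $($_.Image) -> $($_.Debugger)"
        }
    }
}

# Audit first: a legitimate entry looks like vsjitdebugger.exe on a developer
# box; a hijack points every AV / regedit / taskmgr name at the same hidden file.
Get-IfeoDebugger | Format-Table Image, Debugger, Exists, Signed -AutoSize

Remove-IfeoHijack            # dry run, prints what would go
# Remove-IfeoHijack -Remove  # then delete, and confirm regedit opens via Win+R
```

Delete the registry keys before deleting the file under drivers\: if the file goes first, every hijacked name (including regedit and the AV) fails to start at all until the keys are gone, which is the state the post hit when Win+R would not open the registry.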
Clue Card:
1. :\windows\system32\ (deleted)
2. :\windows\system32\ (deleted)
3. :\windows\system32\drivers\ (deleted)
4. :\windows\system32\drivers\ (deleted)
5. :\windows\system32\ (deleted)
6. Modified c:\windows\system32\drivers\etc\hosts
7. Set the system time to 2004-1-22; remember to set it back to the correct time
8. Create d:\
9. Create d:\
10. Three malicious processes: , ,  (closed)
11. Startup items (the startup entries correspond to registry values) (deleted)
12. Image hijacking: the subkeys under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options can be deleted (processed)
4. hosts file processing
If the hosts file cannot be found in its usual folder because it is hidden, use PChunter to open it.
The file contents were as follows (the effect is to block the antivirus and similar websites listed below):
127.0.0.1 localhost
127.0.0.1
127.0.0.1
127.0.0.1
127.0.0.1
127.0.0.1
127.0.0.1
127.0.0.1
127.0.0.1
127.0.0.1
127.0.0.1
127.0.0.1
127.0.0.1
127.0.0.1
127.0.0.1
127.0.0.1
127.0.0.1
127.0.0.1
127.0.0.1
127.0.0.1
127.0.0.1
127.0.0.1
127.0.0.1
127.0.0.1
127.0.0.1
127.0.0.1
127.0.0.1
127.0.0.1
127.0.0.1
127.0.0.1
127.0.0.1
127.0.0.1
127.0.0.1
127.0.0.1
127.0.0.1
127.0.0.1
127.0.0.1
127.0.0.1
Fix: copy the file out (keep it as evidence), delete it, and copy a clean hosts file over from another machine. The stock Windows XP hosts file contains only the line 127.0.0.1 localhost, so every other line above was written by the virus.
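The check a responder wants here is mechanical: which names in hosts are pinned to a loopback or blackhole address, other than localhost itself. The script below is an added example and not code from the original post; the sample lines are constructed with .test domains, since the post does not reproduce the vendors' domain names, and the restore function writes the Windows XP default described above.

```powershell
# Added example, not code from the original post. Parses a hosts file, reports
# every non-localhost name pinned to a loopback/blackhole address, and restores
# the stock XP file after keeping the tampered copy as evidence. Run elevated
# for the restore.

$HostsPath  = Join-Path $env:SystemRoot 'system32\drivers\etc\hosts'
$Blackholes = @('127.0.0.1', '0.0.0.0', '::1')
$Legit      = '^(localhost|broadcasthost|ip6-\w+)$'   # names allowed to point at loopback

function Get-HostsHijack {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        $entry = ($line -split '#', 2)[0].Trim()       # strip comments
        if (-not $entry) { continue }
        $parts = $entry -split '\s+'
        if ($parts.Count -lt 2) { continue }           # malformed line, skip
        $ip = $parts[0]
        foreach ($name in $parts[1..($parts.Count - 1)]) {
            if ($Blackholes -contains $ip -and $name -notmatch $Legit) {
                [pscustomobject]@{ Address = $ip; Name = $name }
            }
        }
    }
}

function Restore-DefaultHosts {
    # Keep the tampered file (it shows which vendors the author feared), clear
    # hidden/read-only, then write the XP default, which is only localhost.
    Copy-Item -LiteralPath $HostsPath -Destination "$HostsPath.infected.bak" -Force
    (Get-Item -LiteralPath $HostsPath -Force).Attributes = 'Normal'
    Set-Content -LiteralPath $HostsPath -Value "127.0.0.1`tlocalhost" -Encoding Ascii
    ipconfig /flushdns | Out-Null
}

# Constructed sample shaped like the infected file in the post (not the real one)
$Sample = @'
# comment line, ignored
127.0.0.1       localhost
127.0.0.1       av-vendor.test
127.0.0.1       update.av-vendor.test   # the updater, so signatures stay stale
0.0.0.0         www.security-site.test
'@ -split "`r?`n"

Get-HostsHijack -Lines $Sample | Format-Table -AutoSize

# Against the live machine (-Force reads the file even while it is hidden):
Get-HostsHijack -Lines (Get-Content -LiteralPath $HostsPath -Force)
# Restore-DefaultHosts
```

Run the audit again after the reboot check at the end: if the file is rewritten, one of the dropped files is still alive.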
Clue Card:
1. :\windows\system32\ (deleted)
2. :\windows\system32\ (deleted)
3. :\windows\system32\drivers\ (deleted)
4. :\windows\system32\drivers\ (deleted)
5. :\windows\system32\ (deleted)
6. Modified c:\windows\system32\drivers\etc\hosts (processed)
7. Set the system time to 2004-1-22; remember to set it back to the correct time
8. Create d:\
9. Create d:\
10. Three malicious processes: , ,  (closed)
11. Startup items (the startup entries correspond to registry values) (deleted)
12. Image hijacking: the subkeys under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options can be deleted (processed)
5. Disk file deletion
First note whether  exists on the drive. If it does, do not casually double-click the drive; right-click it and choose Open instead, because there is an obvious trap (autorun).
(Don't be me.) I double-clicked it here,
then looked at the process list and found I had the virus all over again.
So always be a little more careful; this virus is quite tricky.
Back to the point: when deleting the files under the D drive you will notice they are all hidden, so go straight to the tool.
Opening and viewing them before deleting shows the same old : it really is the infected file, and double-clicking it executes it and infects the machine again.
Then locate the file with PChunter and delete it.
Finally only the system time remains, which is not shown here; set it back to the correct time.
Clue Card:
1. :\windows\system32\ (deleted)
2. :\windows\system32\ (deleted)
3. :\windows\system32\drivers\ (deleted)
4. :\windows\system32\drivers\ (deleted)
5. :\windows\system32\ (deleted)
6. Modified c:\windows\system32\drivers\etc\hosts (processed)
7. Set the system time to 2004-1-22; remember to set it back to the correct time (processed)
8. Create d:\ (deleted)
9. Create d:\ (deleted)
10. Three malicious processes: , ,  (closed)
11. Startup items (the startup entries correspond to registry values) (deleted)
12. Image hijacking: the subkeys under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options can be deleted (processed)
6. Other anomaly checks
None of the following showed any anomalies:
- Network connections (netstat -ano)
- Accounts (net user, cloned accounts, hidden accounts)
- Scheduled tasks
- etc.
Restart check
Go through the clue card again to see whether any files have regenerated, or whether there are any other unusual processes, services and so on.
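The items on the clue card that can come back silently after a reboot are the dropped files, the Winlogon Shell value behind the "Shell startup item", the Run keys, the autorun file at the drive root that re-infected the D drive in step 5, any returning IFEO hijack and the clock. The script below is an added example and not code from the original post; the file names are redacted in the post, so $ClueFiles is left for the reader to fill in from their own clue card, and everything else is read from the live machine.

```powershell
# Added example, not code from the original post. Post-reboot re-check of the
# clue-card items that regenerate silently. Run elevated.

$ClueFiles = @(
    # 'C:\WINDOWS\system32\<clue item 1>', 'C:\WINDOWS\system32\drivers\<clue item 3>', ...
)
$IfeoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$RunKeys  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
            'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
            'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
            'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'

function New-Finding($Check, $Item, $Bad) {
    [pscustomobject]@{ Check = $Check; Item = $Item; Bad = $Bad }
}

function Test-PostReboot {
    # 1. dropped files regenerated? (Test-Path sees hidden files)
    foreach ($f in $ClueFiles) { New-Finding 'file regenerated' $f (Test-Path -LiteralPath $f) }

    # 2. Winlogon: Shell must be explorer.exe, Userinit the system userinit.exe
    #    with nothing appended after the comma
    $wl = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $userinitOk = $wl.Userinit -match ('^' + [regex]::Escape("$env:SystemRoot\system32\userinit.exe") + ',?$')
    New-Finding 'Winlogon\Shell'    $wl.Shell    ($wl.Shell -ne 'explorer.exe')
    New-Finding 'Winlogon\Userinit' $wl.Userinit (-not $userinitOk)

    # 3. Run / RunOnce: listed for review; Bad left empty because only a human
    #    can say whether an "updater" in system32 is the vendor's or the trojan's
    foreach ($k in $RunKeys) {
        if (-not (Test-Path $k)) { continue }
        foreach ($p in (Get-ItemProperty $k).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }    # provider metadata, not values
            New-Finding $k "$($p.Name) = $($p.Value)" $null
        }
    }

    # 4. autorun.inf at any drive root: why double-clicking D: re-infected
    foreach ($d in Get-PSDrive -PSProvider FileSystem) {
        $inf = Join-Path $d.Root 'autorun.inf'
        if (Test-Path -LiteralPath $inf -ErrorAction SilentlyContinue) {
            New-Finding 'autorun.inf' $inf $true
        }
    }

    # 5. any IFEO Debugger values back?
    $dbgCount = @(Get-ChildItem $IfeoRoot | Where-Object {
        (Get-ItemProperty $_.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger }).Count
    New-Finding 'IFEO Debugger values' $dbgCount ($dbgCount -gt 0)

    # 6. clock: a time earlier than PowerShell's own install directory is wrong
    $now = Get-Date
    New-Finding 'system clock' $now ($now -lt (Get-Item $PSHOME).LastWriteTime)
}

$findings = Test-PostReboot
$findings | Format-Table -AutoSize
"`nNeeds action:"
$findings | Where-Object { $_.Bad -eq $true } | Format-Table Check, Item -AutoSize
```

If any file in $ClueFiles is back or the Debugger count is non-zero, a persistence point was missed; go back to the process and module view in PChunter before deleting anything again, because whatever rewrote them is still running.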
Clue Card:
1. :\windows\system32\ (deleted)
2. :\windows\system32\ (deleted)
3. :\windows\system32\drivers\ (deleted)
4. :\windows\system32\drivers\ (deleted)
5. :\windows\system32\ (deleted)
6. Modified c:\windows\system32\drivers\etc\hosts (processed)
7. Set the system time to 2004-1-22; remember to set it back to the correct time (processed)
8. Create d:\ (deleted)
9. Create d:\ (deleted)
10. Three malicious processes: , ,  (closed)
11. Startup items (the startup entries correspond to registry values) (deleted)
12. Image hijacking: the subkeys under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options can be deleted (processed)
The general intrusion-check procedure is omitted here:
1. Account check
2. Service check
3. Startup item check
4. Scheduled task check
5. Network check
6. Process check
Beyond this the virus does nothing further; what it does is the behaviour analysed above, mainly stealing the account password of the infected victim. QQ was hugely popular in its early days, so stolen QQ numbers were the most common kind of theft, and good friends would often send me "positive energy" from their accounts; sometimes you could not tell whether the number had really been stolen or they were pretending it had. Luckily I was still young then and did not look; far too much positive energy.
QQ Giant Thief is an early stealer. The specific way it gets at the sensitive data is not analysed here, but as emergency-response practice it is a good case: processes, startup items, services, registry, image hijacking, autorun, and even modifying the hosts file to stop the antivirus from coming in and removing it. It is still a good exercise for building an emergency-response mindset.