
Windows Emergency Response - QQ Mega Thief Virus

Views: 303 / 2024-10-06 22:35:03

Contents
  • Virus Background
  • Sample analysis
    • Turn on monitoring
    • Virus infection
    • Analyzing virus behavior
      • C drive file monitoring
      • D drive file monitoring
      • Process check
      • Service check
      • Startup item check
    • Cleanup
      • 1. Kill the processes
      • 2. Abnormal startup items
      • 3. Image hijacking processing
      • 4. hosts file processing
      • 5. D drive file deletion
      • 6. Other anomaly checks
    • Post-reboot check

Virus Background

Synopsis: the sample, also named [QQ Disguise Stealer], is a QQ account-stealing Trojan. It injects itself into system processes on the user's computer to run, and steals the account and password that the virus author targets, together with other information about the account.
Reference Links:/

Sample analysis

The main virus program is a single sample file; double-clicking it starts the infection.

Turn on monitoring

I've used both tools; D Shield is the better one for monitoring files.
1. MyMonitor
Tool link:
/s/1RKOR_LvfNX8QqEyJaDFq1Q?pwd=azwh
2. D Shield
Tool link:
/s/13hCSYpV5Mn_1JMzy4nSkSQ?pwd=kott
MyMonitor only needs to be opened; later the sample is dragged into it so it runs under MyMonitor's process monitor. D Shield monitors folders, and we want both the C and D drives, but D Shield can only watch one folder at a time, so here I mainly monitor the C drive and cover the D drive in a second run afterwards.

Virus infection

With D Shield's monitor on the C drive enabled, drag the sample into MyMonitor.
Wait for the program to run and start, then look at the report; D Shield also shows exactly which files were touched.

Analyzing virus behavior

Because D Shield can only monitor one drive at a time, the monitoring is done in two rounds. We use a virtual machine and restore the snapshot between rounds, so monitoring several times is no big deal. If you have found a better tool for file monitoring, please leave a comment.
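As an added example (not part of the original post, and not one of the tools linked above), here is a PowerShell file monitor that watches several roots at once, which gets around D Shield's one-folder limit. The watched roots and the log path are assumptions; adjust them to the case. Run it as Administrator in the VM before launching the sample:

```powershell
# Added example (not from the original post): one FileSystemWatcher per root, every
# Created/Deleted/Changed/Renamed event appended to a log. Roots and log path are
# assumptions for this demo; keep the log OUTSIDE the watched roots.
$Roots = @('C:\Windows\System32', 'D:\')
$Log   = 'C:\Temp\fs-monitor.log'
New-Item -ItemType Directory -Force -Path (Split-Path -Parent $Log) | Out-Null

$watchers = foreach ($root in $Roots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    $w = New-Object System.IO.FileSystemWatcher
    $w.Path = $root
    $w.IncludeSubdirectories = $true
    $w.InternalBufferSize = 64KB      # the maximum; bursts of repeated creates overflow smaller buffers
    $w.NotifyFilter = [System.IO.NotifyFilters]'FileName, DirectoryName, LastWrite, Attributes'

    foreach ($evt in 'Created', 'Deleted', 'Changed', 'Renamed') {
        Register-ObjectEvent -InputObject $w -EventName $evt -MessageData $Log -Action {
            $e = $Event.SourceEventArgs
            $line = '{0:yyyy-MM-dd HH:mm:ss.fff} {1,-8} {2}' -f (Get-Date), $e.ChangeType, $e.FullPath
            if ($e.ChangeType -eq 'Renamed') { $line += " (was $($e.OldFullPath))" }
            Add-Content -LiteralPath $Event.MessageData -Value $line
        } | Out-Null
    }
    # Error fires when the internal buffer overflowed: events were DROPPED, the log has a gap.
    Register-ObjectEvent -InputObject $w -EventName Error -MessageData $Log -Action {
        $msg = $Event.SourceEventArgs.GetException().Message
        Add-Content -LiteralPath $Event.MessageData -Value ('{0:yyyy-MM-dd HH:mm:ss.fff} ERROR    {1}' -f (Get-Date), $msg)
    } | Out-Null

    $w.EnableRaisingEvents = $true
    $w
}

Write-Host "Watching $($Roots -join ', ') -> $Log  (Ctrl+C to stop)"
try { while ($true) { Start-Sleep -Seconds 1 } }
finally {
    Get-EventSubscriber | Unregister-Event
    $watchers | ForEach-Object { $_.Dispose() }
}
```

Changed events under System32 are noisy, so after the run filter the log for Created, Deleted and Renamed lines (and ignore .log files, as above). The Error handler matters: FileSystemWatcher silently drops events when its buffer overflows, and the repeated create loop this sample performs is exactly the kind of burst that causes it, so an ERROR line in the log marks a gap that a second run (or D Shield) has to cover.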

C drive file monitoring

MyMonitor's output is only worth a glance: I don't find it well categorized (you see the actions but can't group them, and some behaviour isn't captured at all), so the analysis below follows what D Shield recorded.
The most obvious thing is that four files are created (look only at the main anomalies; log files with a .log suffix can be ignored).

Clue Card:
1. :\windows\system32\
2. :\windows\system32\
3. :\windows\system32\drivers\
4. :\windows\system32\drivers\

Further down, DLL files are created. In between there are many repeated create operations for the same files; my reading is that the virus retries the creation several times so that one failed attempt doesn't leave the file missing, that's simply how it's written.

Clue Card:
1. :\windows\system32\
2. :\windows\system32\
3. :\windows\system32\drivers\
4. :\windows\system32\drivers\
5. :\windows\system32\

Further down there is an action that deletes the hosts file and then creates a new hosts file. Note this down; later we need to confirm what was done to it, typically remapping domain names to another IP address (for example pointing antivirus update sites at the loopback address so they can no longer be reached).

Clue Card:
1. :\windows\system32\
2. :\windows\system32\
3. :\windows\system32\drivers\
4. :\windows\system32\drivers\
5. :\windows\system32\
6. Modified c:\windows\system32\drivers\etc\hosts

Here I double-clicked the D drive, and a file was created on it whose specific behaviour is to set the system time to 2004-1-22. Because a delete operation follows, the file no longer exists and can't be found afterwards, but the clock has to be set back by hand. A clock that is twenty years off also breaks certificate validity checks and makes every later log timestamp unreliable, which is another reason to fix it early.

Clue Card:
1. :\windows\system32\
2. :\windows\system32\
3. :\windows\system32\drivers\
4. :\windows\system32\drivers\
5. :\windows\system32\
6. Modified c:\windows\system32\drivers\etc\hosts
7. Set the system time to 2004-1-22, remember to set it back to the correct time

D drive file monitoring

Restore the virtual machine snapshot, re-enable D Shield with the D drive as the monitored folder, and re-infect from scratch. The monitoring results show it at a glance:
1. Create d:\
2. Create d:\

Clue Card:
1. :\windows\system32\
2. :\windows\system32\
3. :\windows\system32\drivers\
4. :\windows\system32\drivers\
5. :\windows\system32\
6. Modified c:\windows\system32\drivers\etc\hosts
7. Set the system time to 2004-1-22, remember to set it back to the correct time
8. Create d:\
9. Create d:\

I'm skipping the step of dropping all the exe and dll files into a sandbox; here are the results of the sandbox run.

Process check

Open our old friend, PChunter.
Tool link:
/s/1_OMmoe5aFGDu3--q0u94pw?pwd=w3rb\

Locate the process: since we got infected by double-clicking this program, it's no surprise that the malicious files the virus dropped are running as processes.
Right-clicking the process and viewing its modules also shows that it has loaded a module from Modules\

Clue Card:
1. :\windows\system32\
2. :\windows\system32\
3. :\windows\system32\drivers\
4. :\windows\system32\drivers\
5. :\windows\system32\
6. Modified c:\windows\system32\drivers\etc\hosts
7. Set the system time to 2004-1-22, remember to set it back to the correct time
8. Create d:\
9. Create d:\
10. Three malicious processes:,,

Service check

Checking the services corresponding to the malicious processes, no matching services were found.

tasklist /svc | findstr "<PID>"

Substitute the PID of each malicious process; the command prints the services hosted by that process, if any.
Of course, we should also check for other suspicious services, focusing on those without a vendor signature; no other anomalies were found here.
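An added example (not from the original post) that scripts the two checks above in PowerShell: it maps each service to its host process and image file, the way tasklist /svc does, and then flags images that are missing, hidden, or not carrying a valid Authenticode signature. It needs PowerShell 3 or later; on a PowerShell 2 VM replace Get-CimInstance with Get-WmiObject.

```powershell
# Added example (not from the original post): every service with its host PID and
# image file, flagged when the image is missing, hidden, or not validly signed.
function Get-SuspiciousService {
    foreach ($svc in Get-CimInstance Win32_Service) {
        # PathName may be quoted and carry arguments, e.g. "C:\x\svc.exe" -k group
        $path = $svc.PathName
        if (-not $path) { continue }
        if ($path.StartsWith('"')) { $path = $path.Substring(1, $path.IndexOf('"', 1) - 1) }
        else { $path = ($path -split '\s+')[0] }     # unquoted path with spaces => truncated, shows as Missing
        $path = [Environment]::ExpandEnvironmentVariables($path)

        $exists = Test-Path -LiteralPath $path
        $hidden = $false
        $status = 'Missing'
        $signer = $null
        if ($exists) {
            $attrs  = (Get-Item -LiteralPath $path -Force).Attributes
            $hidden = ($attrs -band [IO.FileAttributes]::Hidden) -ne 0
            $sig    = Get-AuthenticodeSignature -LiteralPath $path
            $status = $sig.Status.ToString()
            $signer = $sig.SignerCertificate.Subject
        }
        [pscustomobject]@{
            Name       = $svc.Name
            State      = $svc.State
            PID        = $svc.ProcessId
            Image      = $path
            SigStatus  = $status
            Signer     = $signer
            Hidden     = $hidden
            Suspicious = (-not $exists) -or $hidden -or ($status -ne 'Valid')
        }
    }
}

# Sort by PID so services sharing one svchost group appear together.
Get-SuspiciousService | Where-Object Suspicious | Sort-Object PID |
    Format-Table Name, State, PID, SigStatus, Hidden, Image -AutoSize
```

Catalog-signed Windows components verify as Valid on current Windows, so the shortlist is mostly third-party or dropped binaries; an unquoted path containing spaces shows up as Missing, which is worth a look in its own right. Treat the output as a list to review, not a verdict.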

Startup item check

Focusing on startup entries without a vendor signature, I found three anomalies, and their paths match the malicious files.
Next I went to open the system registry editor to check the startup entries and delete the corresponding values, only to find that it would not open.
Win+R and typing the command doesn't work either; nothing opens.
This is the point where you realize the image has been hijacked:
Explanation: the mechanism is Image File Execution Options (IFEO, commonly called "image hijacking"). Its legitimate purpose is to attach a debugger or apply special settings to a given executable name, for programs that misbehave in the default system environment. The catch is that Windows matches IFEO entries by the executable's file name alone and, when the entry carries a Debugger value, launches that Debugger instead of the program. A virus can therefore register the common tools it wants to block, pointing their Debugger value at a non-existent file or at its own payload, so every attempt to run the tool either fails or re-infects the machine. Here, for example, launching the 360 antivirus program is redirected to c:\windows\system32\ , which both disables the antivirus and re-runs the virus.
Solution: since the hijack keys on the file name, find the blocked program's executable and rename it. I used file search to locate the registry editor's file, copied it out and renamed the copy, and it opened.
The registry editor obviously being blocked, just changing the name makes it open.
Of course the registry can also be opened from inside PChunter, which is unaffected because PChunter isn't on the hijack list, but out of respect for the virus author (joking) it's worth walking into the trap a bit.
Open the registry and go to:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
Under it you find one entry per blocked application, each pointing at:
C:\WINDOWS\system32\drivers\
For example, the program in the picture below is blocked; if it's installed on the machine, double-clicking it runs the hijack target and infects the system again. (This hijack is quite effective, just too noisy.)
Image hijacking fix: rename the executable to get past the block, then delete the registry entries.
The entries under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options are the blocked programs; during cleanup, remove the hijacking entries. A clean install has only a few IFEO subkeys and none with a Debugger value pointing into system32\drivers, so every entry whose Debugger points at the dropped file can go, but check the Debugger value before deleting blindly, because a legitimately installed tool (Process Explorer's "Replace Task Manager", for example) uses the same mechanism.
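The IFEO check and cleanup above, as an added PowerShell example (not from the original post). It lists every IFEO subkey that carries a Debugger value, checks whether the Debugger target exists and is validly signed, and removes the Debugger value from the suspicious ones. The filter is generic because the post does not name the dropped file:

```powershell
# Added example (not from the original post): audit Image File Execution Options.
# Only subkeys with a Debugger value redirect a program launch, so only those are listed.
$Ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

function Get-IfeoHijack {
    foreach ($key in Get-ChildItem -Path $Ifeo) {
        $dbg = (Get-ItemProperty -Path $key.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
        if (-not $dbg) { continue }

        # Debugger may be '"C:\x\y.exe" args' or a bare path; isolate the executable.
        if ($dbg.StartsWith('"')) { $exe = $dbg.Substring(1, $dbg.IndexOf('"', 1) - 1) }
        else { $exe = ($dbg -split '\s+')[0] }
        $exe = [Environment]::ExpandEnvironmentVariables($exe)

        $exists = Test-Path -LiteralPath $exe
        $signed = $exists -and ((Get-AuthenticodeSignature -LiteralPath $exe).Status -eq 'Valid')

        [pscustomobject]@{
            Hijacked   = $key.PSChildName   # the program name that will no longer start normally
            Debugger   = $dbg
            Exists     = $exists
            Signed     = $signed
            Suspicious = -not $signed       # missing or unsigned target => treat as a hijack
        }
    }
}

function Remove-IfeoHijack {
    param([switch]$WhatIf)
    foreach ($h in Get-IfeoHijack | Where-Object Suspicious) {
        # Remove only the Debugger value, not the whole subkey: other values under the same
        # program name (GlobalFlag, MitigationOptions, ...) can be legitimate.
        Remove-ItemProperty -Path (Join-Path $Ifeo $h.Hijacked) -Name Debugger -WhatIf:$WhatIf
    }
}

Get-IfeoHijack | Format-Table -AutoSize
Remove-IfeoHijack -WhatIf      # drop -WhatIf once the list has been reviewed
```

The function is run with -WhatIf first so the list can be reviewed before anything is deleted; Process Explorer's "Replace Task Manager" option is the usual benign Debugger entry you'll see, under taskmgr.exe.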

Clue Card:
1. :\windows\system32\
2. :\windows\system32\
3. :\windows\system32\drivers\
4. :\windows\system32\drivers\
5. :\windows\system32\
6. Modified c:\windows\system32\drivers\etc\hosts
7. Set the system time to 2004-1-22, remember to set it back to the correct time
8. Create d:\
9. Create d:\
10. Three malicious processes:,,
11. Startup items (registry autostart entries)
12. Image hijacking: the entries under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options can be deleted

Cleanup

1. Kill the processes

In PChunter, tick the option to delete the file when ending the process; then the processes can be ended safely, which saves hunting for the files to delete by hand.

I forgot about the module the process had loaded; find the corresponding file and delete it. The file is hidden, so it still has to be located through PChunter: c:\windows\system32\
Tick the "block file regeneration after deletion" option first, then right-click the file again and force-delete it.

Clue Card:
1. :\windows\system32\ deleted
2. :\windows\system32\ deleted
3. :\windows\system32\drivers\
4. :\windows\system32\drivers\ deleted
5. :\windows\system32\ deleted
6. Modified c:\windows\system32\drivers\etc\hosts
7. Set the system time to 2004-1-22, remember to set it back to the correct time
8. Create d:\
9. Create d:\
10. Three malicious processes:,, closed
11. Startup items (registry autostart entries)
12. Image hijacking: the entries under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options can be deleted

2. Abnormal startup items

Delete all three abnormal startup entries. The Shell startup entry has to be located in the registry to be removed. At this point be sure not to open the system registry editor directly: open it through PChunter, or find the registry editor's file yourself, rename it and open that.
If the Shell startup entry can't be removed from the startup list, locate its registry value and delete it there.
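The startup-item check and the Shell startup entry above, as an added PowerShell example (not from the original post). It walks the usual Run/RunOnce keys plus the Winlogon Shell and Userinit values and flags targets that are missing, hidden or not validly signed. Reading the post's "Shell startup item" as the Winlogon Shell value is an assumption; on a clean system that value is exactly explorer.exe.

```powershell
# Added example (not from the original post): audit registry autostart locations.
function Resolve-CommandImage([string]$cmd) {
    if (-not $cmd) { return $null }
    $cmd = [Environment]::ExpandEnvironmentVariables($cmd.Trim())
    if ($cmd.StartsWith('"')) { $img = $cmd.Substring(1, $cmd.IndexOf('"', 1) - 1) }
    else { $img = ($cmd -split '\s+')[0] }
    # Winlogon values are bare names (explorer.exe); resolve them the way Windows does.
    if (-not [IO.Path]::IsPathRooted($img)) {
        foreach ($d in "$env:windir\System32", $env:windir) {
            $cand = Join-Path $d $img
            if (Test-Path -LiteralPath $cand) { return $cand }
        }
    }
    return $img
}

function Test-AutostartEntry([string]$Location, [string]$Name, [string]$Command) {
    $img    = Resolve-CommandImage $Command
    $exists = $img -and (Test-Path -LiteralPath $img)
    $hidden = $false
    $sig    = 'Missing'
    if ($exists) {
        $hidden = ((Get-Item -LiteralPath $img -Force).Attributes -band [IO.FileAttributes]::Hidden) -ne 0
        $sig    = (Get-AuthenticodeSignature -LiteralPath $img).Status.ToString()
    }
    [pscustomobject]@{
        Location = $Location; Name = $Name; Command = $Command
        Signature = $sig; Hidden = $hidden
        Suspicious = (-not $exists) -or $hidden -or ($sig -ne 'Valid')
    }
}

function Get-AutostartAudit {
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($k in $runKeys) {
        if (-not (Test-Path $k)) { continue }
        $key = Get-Item -Path $k
        foreach ($name in $key.GetValueNames()) {
            Test-AutostartEntry -Location $k -Name $name -Command ([string]$key.GetValue($name))
        }
    }
    # Winlogon: Shell must be exactly explorer.exe and Userinit the stock userinit.exe.
    # A hijacked Shell ("explorer.exe, C:\...\evil.exe") starts the malware at every logon.
    $wl  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $key = Get-Item -Path $wl
    foreach ($name in 'Shell', 'Userinit') {
        foreach ($part in ([string]$key.GetValue($name)) -split ',') {
            if ($part.Trim()) { Test-AutostartEntry -Location $wl -Name $name -Command $part }
        }
    }
}

Get-AutostartAudit | Format-Table -AutoSize
```

Anything flagged under Winlogon is a removal candidate only for the extra comma-separated element; the explorer.exe and userinit.exe parts must stay, or the next logon ends in a blank desktop.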

Clue Card:
1. :\windows\system32\ deleted
2. :\windows\system32\ deleted
3. :\windows\system32\drivers\
4. :\windows\system32\drivers\ deleted
5. :\windows\system32\ deleted
6. Modified c:\windows\system32\drivers\etc\hosts
7. Set the system time to 2004-1-22, remember to set it back to the correct time
8. Create d:\
9. Create d:\
10. Three malicious processes:,, closed
11. Startup items (registry autostart entries) deleted
12. Image hijacking: the entries under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options can be deleted

3. Image hijacking processing

The method was described above. Image hijacking fix: rename the executable, delete the registry entries.
The entries under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options are the blocked programs; during cleanup, remove every entry that redirects to the malicious file.
PChunter can do the same, and in bulk, which is more convenient than deleting one by one in the registry editor; it also offers to delete the corresponding program file together with the registry entry.

At this point Win+R and the registry editor command open the registry normally.
Once more, how image hijacking works: the virus adds subkeys named after the target programs under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options. When you launch such a program, Windows consults that registry entry first and runs the program path written there, which here is the malicious file; every further click infects again.

Clue Card:
1. :\windows\system32\ deleted
2. :\windows\system32\ deleted
3. :\windows\system32\drivers\ deleted
4. :\windows\system32\drivers\ deleted
5. :\windows\system32\ deleted
6. Modified c:\windows\system32\drivers\etc\hosts
7. Set the system time to 2004-1-22, remember to set it back to the correct time
8. Create d:\
9. Create d:\
10. Three malicious processes:,, closed
11. Startup items (registry autostart entries) deleted
12. Image hijacking: the entries under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options can be deleted. processed

4. hosts file processing

If the file can't be found in its normal folder because it is hidden, PChunter can show it.
Its contents turned out to be the following (each line maps an antivirus or security site to the loopback address, so those sites can no longer be reached):

127.0.0.1       localhost
127.0.0.1       
127.0.0.1       
127.0.0.1       
127.0.0.1       
127.0.0.1       
127.0.0.1       
127.0.0.1       
127.0.0.1       
127.0.0.1       
127.0.0.1       
127.0.0.1       
127.0.0.1       
127.0.0.1       
127.0.0.1       
127.0.0.1       
127.0.0.1       
127.0.0.1       
127.0.0.1       
127.0.0.1       
127.0.0.1       
127.0.0.1       
127.0.0.1       
127.0.0.1       
127.0.0.1       
127.0.0.1       
127.0.0.1       
127.0.0.1       
127.0.0.1       
127.0.0.1       
127.0.0.1       
127.0.0.1       
127.0.0.1       
127.0.0.1       
127.0.0.1       
127.0.0.1       
127.0.0.1       
127.0.0.1       

Solution: copy the infected file out as evidence (the list of blocked domains is a useful indicator), delete it, and replace it with a clean copy from another machine. Then flush the local DNS cache, since the hosts mappings are held there until it is refreshed.
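The hosts-file check and restore above, as an added PowerShell example (not from the original post). Get-HostsHijack lists every name other than localhost that is mapped to a loopback or null address, and Restore-HostsFile saves the infected copy as evidence before writing a clean file. The evidence path is an assumption.

```powershell
# Added example (not from the original post): find sinkholed names in the hosts file
# and restore a clean one. Needs PowerShell 3+ for the -in operator.
function Get-HostsHijack([string]$Path = "$env:SystemRoot\System32\drivers\etc\hosts") {
    $sinkholes = @('127.0.0.1', '0.0.0.0', '::1')
    $benignNames = @('localhost', 'localhost.localdomain', 'broadcasthost')
    $lineNo = 0
    foreach ($raw in Get-Content -LiteralPath $Path) {
        $lineNo++
        $line = ($raw -split '#')[0].Trim()           # drop comments and blank lines
        if (-not $line) { continue }
        $fields = $line -split '\s+'
        if ($fields.Count -lt 2) { continue }
        $ip    = $fields[0]
        $names = $fields[1..($fields.Count - 1)]
        if ($ip -notin $sinkholes) { continue }         # only care about names being blackholed
        foreach ($n in $names) {
            if ($n.ToLower() -in $benignNames) { continue }
            [pscustomobject]@{ Line = $lineNo; Address = $ip; Name = $n }
        }
    }
}

function Restore-HostsFile([string]$Path = "$env:SystemRoot\System32\drivers\etc\hosts",
                           [string]$Evidence = "$env:TEMP\hosts.infected") {   # assumed evidence path
    Copy-Item -LiteralPath $Path -Destination $Evidence -Force   # keep the blocked-domain list as an IOC
    $clean = @(
        '# hosts file restored after cleanup; only the stock localhost lines remain',
        '127.0.0.1       localhost',
        '::1             localhost'
    )
    (Get-Item -LiteralPath $Path -Force).Attributes = 'Normal'   # clear hidden/read-only set by the virus
    Set-Content -LiteralPath $Path -Value $clean -Encoding Ascii
    ipconfig /flushdns | Out-Null                                 # hosts entries live in the DNS client cache
}

Get-HostsHijack | Format-Table -AutoSize
# Restore-HostsFile      # run once the hijacked names have been recorded
```

The list Get-HostsHijack prints is the interesting artefact: it tells you exactly which vendors the author wanted to keep out, which is a better hint at the sample's family than the binary names.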

Clue Card:
1. :\windows\system32\ deleted
2. :\windows\system32\ deleted
3. :\windows\system32\drivers\ deleted
4. :\windows\system32\drivers\ deleted
5. :\windows\system32\ deleted
6. Modified c:\windows\system32\drivers\etc\hosts processed
7. Set the system time to 2004-1-22, remember to set it back to the correct time
8. Create d:\
9. Create d:\
10. Three malicious processes:,, closed
11. Startup items (registry autostart entries) deleted
12. Image hijacking: the entries under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options can be deleted. processed

5. D drive file deletion

First of all, check whether the file exists on the D drive. If it does, don't just double-click the drive; right-click it and choose Open, because there's an obvious trap here (don't be me). I double-clicked it, looked at the process list, and saw that I had infected myself all over again. So stay a bit more cautious; this virus is rather tricky.
Back to the point: when you go to delete the files on the D drive you'll notice they're all hidden, so bring in the tool.
Open and look at the file before deleting and you'll see the same old thing: the file is the infector itself, and double-clicking it executes it and infects again.

Then locate the file in PChunter and delete it.
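The D drive step, as an added PowerShell example (not from the original post). It lists hidden, system-attributed or executable files in every drive root without double-clicking anything, prints the launch lines of any autorun.inf it finds, and checks the NoDriveTypeAutoRun policy. The post does not name the two files created on D:, so treating one of them as an autorun.inf is an assumption.

```powershell
# Added example (not from the original post): inspect drive roots without touching
# the files, and make sure Explorer will not honour autorun.inf on double-click.
function Get-DriveRootDrop {
    $execExt = '.exe', '.com', '.scr', '.bat', '.cmd', '.vbs', '.pif'
    foreach ($drv in Get-PSDrive -PSProvider FileSystem | Where-Object Root -match '^[A-Z]:\\$') {
        # -Force lists hidden/system files, which is what the virus relies on to stay unseen
        foreach ($f in Get-ChildItem -LiteralPath $drv.Root -Force -File -ErrorAction SilentlyContinue) {
            $isHidden  = ($f.Attributes -band [IO.FileAttributes]::Hidden) -ne 0
            $isSystem  = ($f.Attributes -band [IO.FileAttributes]::System) -ne 0
            $isExec    = $f.Extension -in $execExt
            $isAutorun = $f.Name -ieq 'autorun.inf'      # assumed name; the post does not give it
            if (-not ($isHidden -or $isSystem -or $isExec -or $isAutorun)) { continue }

            $target = $null
            if ($isAutorun) {
                # open= / shellexecute= name the file Explorer would run; shell\...\command=
                # entries rewrite the drive's default double-click and context-menu actions
                $target = (Get-Content -LiteralPath $f.FullName |
                    Select-String -Pattern '^\s*(open|shellexecute)\s*=|\\command\s*=').Line -join '; '
            }
            [pscustomobject]@{
                Path = $f.FullName; Hidden = $isHidden; System = $isSystem
                Size = $f.Length; LastWrite = $f.LastWriteTime; AutorunTarget = $target
            }
        }
    }
}

Get-DriveRootDrop | Format-Table -AutoSize

# Policy: 0xFF disables AutoRun for every drive type, so autorun.inf is never executed
# on double-click. Report the current value and set it if it is anything else.
$pol = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$cur = (Get-ItemProperty -Path $pol -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
"NoDriveTypeAutoRun = $cur"
if ($cur -ne 255) {
    New-Item -Path $pol -Force | Out-Null
    Set-ItemProperty -Path $pol -Name NoDriveTypeAutoRun -Value 255 -Type DWord
}
```

Get-ChildItem -Force shows the hidden files the same way PChunter does, and Remove-Item -Force deletes them once the attributes are cleared. On XP-era systems the update described in Microsoft KB 967715 is required before NoDriveTypeAutoRun is honoured for all drive types, which is exactly the gap this sample's double-click trap exploits.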

Finally, only the system time remains; I leave it at the default handling here (set the clock back to the correct time, or resync it from a time source).

Clue Card:
1. :\windows\system32\ deleted
2. :\windows\system32\ deleted
3. :\windows\system32\drivers\ deleted
4. :\windows\system32\drivers\ deleted
5. :\windows\system32\ deleted
6. Modified c:\windows\system32\drivers\etc\hosts processed
7. Set the system time to 2004-1-22, remember to set it back to the correct time processed
8. Create d:\ deleted
9. Create d:\ deleted
10. Three malicious processes:,, closed
11. Startup items (registry autostart entries) deleted
12. Image hijacking: the entries under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options can be deleted. processed

6. Other anomaly checks

None of the following showed anything abnormal:

  • Abnormal connections (netstat -ano)
  • Abnormal accounts (net user, cloned accounts, hidden accounts)
  • Scheduled tasks
  • etc.
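The three checks in the list above, scripted as an added PowerShell example (not from the original post) so they can be repeated after the reboot. Get-NetTCPConnection, Get-LocalUser and Get-ScheduledTask need Windows 8 / PowerShell 5.1 or later; on an older VM fall back to netstat -ano, net user and schtasks. The "trusted directories" list is an assumption for the demo.

```powershell
# Added example (not from the original post): connections, accounts and scheduled tasks.
function Get-NetworkAudit {
    Get-NetTCPConnection -State Established, Listen -ErrorAction SilentlyContinue |
        ForEach-Object {
            $p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Local  = "$($_.LocalAddress):$($_.LocalPort)"
                Remote = "$($_.RemoteAddress):$($_.RemotePort)"
                State  = $_.State
                PID    = $_.OwningProcess
                Image  = $p.Path          # null for protected/system processes; check those by PID
            }
        }
}

function Get-AccountAudit {
    # net user hides names ending in $, the usual "hidden account" trick; Get-LocalUser does not.
    Get-LocalUser | Select-Object Name, Enabled, LastLogon,
        @{ n = 'HiddenStyleName'; e = { $_.Name.EndsWith('$') } }
}

function Get-TaskAudit {
    $trusted = @("$env:SystemRoot", "$env:ProgramFiles", "${env:ProgramFiles(x86)}")  # assumed
    Get-ScheduledTask | ForEach-Object {
        $t = $_
        foreach ($a in $t.Actions) {
            if (-not $a.Execute) { continue }
            $exe = [Environment]::ExpandEnvironmentVariables($a.Execute.Trim('"'))
            $inTrusted = $false
            foreach ($d in $trusted) { if ($d -and $exe -like "$d\*") { $inTrusted = $true } }
            [pscustomobject]@{
                Task = "$($t.TaskPath)$($t.TaskName)"; State = $t.State
                Execute = $exe; Arguments = $a.Arguments
                OutsideTrustedDirs = -not $inTrusted   # bare names like cmd.exe land here too; review them
            }
        }
    }
}

Get-NetworkAudit | Format-Table -AutoSize
Get-AccountAudit | Format-Table -AutoSize
Get-TaskAudit | Where-Object OutsideTrustedDirs | Format-Table -AutoSize
```

Save the three outputs before the reboot and diff them against a second run afterwards; a regenerated file or a new listener is much easier to spot as a difference than by eye.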

Post-reboot check

After a reboot, go through the clue card again to see whether any files have been regenerated, or whether other abnormal processes, services and so on have appeared.

Clue Card:
1. :\windows\system32\ deleted
2. :\windows\system32\ deleted
3. :\windows\system32\drivers\ deleted
4. :\windows\system32\drivers\ deleted
5. :\windows\system32\ deleted
6. Modified c:\windows\system32\drivers\etc\hosts processed
7. Set the system time to 2004-1-22, remember to set it back to the correct time processed
8. Create d:\ deleted
9. Create d:\ deleted
10. Three malicious processes:,, closed
11. Startup items (registry autostart entries) deleted
12. Image hijacking: the entries under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options can be deleted. processed

The general intrusion checklist is not repeated here:
1. Account check
2. Services
3. Startup items
4. Scheduled tasks
5. Network connections
6. Processes
The virus did nothing further beyond the actions analysed above; its purpose is to steal the victim's account and password. QQ was hugely popular early on, so QQ account theft was the most common kind, and from time to time a good friend would send me some "positive energy" from a stolen account. Sometimes you couldn't tell whether the messages really came from a stolen account or from someone pretending their account had been stolen; fortunately I was still young and saw it as nothing but positive energy.


The QQ Mega Thief virus is an early account-stealing virus. How it actually obtains the sensitive data was not analysed here, but it is still a good emergency response exercise: processes, startup items, services, the registry, image hijacking, autorun, and even rewriting the hosts file to keep antivirus software from coming in to kill it. It is a good case for building an emergency response mindset.