Saturday, August 7, 2010

Trojan-Downloader.Win32.Cntr.ioq Analysis

First, virus tags:
Virus name: Trojan-Downloader.Win32.Cntr.ioq
Virus type: worm
File MD5: F8820809EBCAB9AC87CA039A0D974F59
Disclosure: fully public
Threat level: 4
File length: 7,680 bytes
Affected systems: Windows 98 and later
Development tool: Microsoft Visual C++ 7.0
Second, virus description:
This sample behaves like a worm. After it runs it creates the mutex "gagagaradio" so that only one instance executes at a time, then calls HttpOpenRequestA to open a hidden connection to a web site and creates the file svcp.csv in the %System32% directory. It calls InternetReadFile to read data from the network and saves it to svcp.csv, calls InternetQueryDataAvailable, and creates back.exe in the %System32% directory, writing the remotely fetched data into that file. It then checks whether the amount of data received meets the condition set by the virus; if it does, it runs the downloaded file, deletes svcp.csv, and modifies and deletes registry entries. Behavior of the downloaded back.exe: when called, it drops the driver files "glok+3c51-3a43.sys" and "glok+serv.config" (only the "glok" prefix is fixed; the remaining characters are random digits or letters) into the %Windir% directory, enumerates the system services with EnumServicesStatus to check whether the virus service already exists, creates it if it does not, and then hides on the local machine and opens a large number of addresses preset by the virus.
Third, behavior analysis:
Local behavior:
1. After running, the file drops the following files:
%System32%\back.exe 92,672 bytes
%System32%\svcp.csv 64 bytes
%System32%\glok+3c51-3a43.sys 128,640 bytes (random file name)
%System32%\glok+serv.config 47,901 bytes (random file name)
%System32%\winsub.xml 4 bytes
2. Modified registry values:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\W32Time\Parameters\NtpServer
New: string: "time.windows.com,time.nist.gov"
Old: string: "time.windows.com,0x1"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters\NtpServer
New: string: "time.windows.com,time.nist.gov"
Old: string: "time.windows.com,0x1"
HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\Bags\6\Shell\ShowCmd
New: DWORD: 1 (0x1)
Old: DWORD: 3 (0x3)
HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\Bags\6\Shell\WFlags
New: DWORD: 0 (0)
Old: DWORD: 2 (0x2)
(The ShellNoRoam\Bags values store Explorer folder-view state, so they are more likely a side effect of the analysis session than a deliberate change by the sample; the NtpServer change is the one worth checking on other hosts.)
3. Deleted registry entries:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_GPC\0000\Capabilities
Value: DWORD: 0 (0)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_GPC\0000\Class
Value: string: "LegacyDriver"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_GPC\0000\ClassGUID
Value: string: "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_GPC\0000\ConfigFlags
Value: DWORD: 0 (0)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_GPC\0000\Control\ActiveService
Value: string: "Gpc"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_GPC\0000\DeviceDesc
Value: string: "Generic Packet Classifier"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_GPC\0000\Legacy
Value: DWORD: 1 (0x1)
4. After running, the virus creates the mutex "gagagaradio" to prevent more than one instance from running, calls HttpOpenRequestA to open a hidden connection to a web site, and creates the file svcp.csv in the %System32% directory.
5. It calls InternetReadFile to read data from the network and saves it to svcp.csv, calls InternetQueryDataAvailable, and creates back.exe in the %System32% directory, writing the remotely fetched data into it. The network request goes to:
http://213.155.3.**/aff/cntr.php?e=45337902_85_1_2_2&x=98&y=7621
It then checks whether the amount of data received meets the condition set by the virus; if it does, it closes the network connection, runs the downloaded virus file, and deletes svcp.csv.
6. Behavior of the downloaded back.exe: when called, it drops the driver files "glok+3c51-3a43.sys" and "glok+serv.config" (only the "glok" prefix is fixed; the remaining characters are random digits or letters) into the %Windir% directory, enumerates the system services with EnumServicesStatus to check whether the virus service already exists, creates it if it does not, and then hides on the local machine and opens a large number of addresses preset by the virus.
Network behavior:
Opens a large number of hidden web addresses preset by the virus.
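As an added example (not part of the original report), the following Python script turns the indicators listed above into a matcher that can be run over endpoint telemetry: the mutex name, the dropped file names and sizes, the glok+<random> driver pattern, the NtpServer change and the /aff/cntr.php beacon. The event schema and the sample events are constructed for illustration, and 203.0.113.5 is a documentation address standing in for the host that the report masks as 213.155.3.**.

```python
"""IOC matcher for the Cntr.ioq behaviour described above (added example).

The events below are constructed to resemble what an endpoint agent might log
(file creates, mutex creates, registry writes, HTTP requests); the field names
are an assumption, not any real product's schema.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Indicators taken from the analysis above.
MUTEX = "gagagaradio"
DROPPED_FILES = {"back.exe": 92672, "svcp.csv": 64, "winsub.xml": 4}  # name -> bytes
# glok+<random>.sys / glok+<random>.config: only the "glok" prefix is fixed.
RANDOM_DRIVER_RE = re.compile(r"^glok\+[0-9a-z\-]+\.(sys|config)$", re.I)
NTP_KEY = r"SYSTEM\CurrentControlSet\Services\W32Time\Parameters"
NTP_TAMPERED = "time.windows.com,time.nist.gov"
BEACON_PATH_RE = re.compile(r"/aff/cntr\.php$", re.I)
# The System folder differs per OS generation (see the path note in the report).
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\winnt\system32", r"c:\windows\system"}


def split_path(path):
    """Return (lower-cased folder, lower-cased file name) for a Windows path."""
    folder, _, name = path.lower().rpartition("\\")
    return folder, name


def match_event(ev):
    """Return the indicator labels matched by one telemetry event ([] if clean)."""
    hits = []
    kind = ev.get("type")
    if kind == "mutex":
        if ev.get("name") == MUTEX:
            hits.append("mutex:gagagaradio")
    elif kind == "file_create":
        folder, name = split_path(ev.get("path", ""))
        if folder in SYSTEM_DIRS:  # the sample drops everything into %System32%
            if name in DROPPED_FILES:
                label = "file:" + name
                if ev.get("size") != DROPPED_FILES[name]:
                    label += ":size-mismatch"  # same name, other size: possible variant
                hits.append(label)
            elif RANDOM_DRIVER_RE.match(name):
                hits.append("file:glok+random-driver")
    elif kind == "reg_set":
        # ControlSet001 is normally the same control set as CurrentControlSet.
        key = ev.get("key", "").replace("ControlSet001", "CurrentControlSet").lower()
        if (key.endswith(NTP_KEY.lower()) and ev.get("value") == "NtpServer"
                and ev.get("data") == NTP_TAMPERED):
            hits.append("reg:NtpServer-tampered")
    elif kind == "http":
        parts = urlsplit(ev.get("url", ""))
        query = parse_qs(parts.query)
        if BEACON_PATH_RE.search(parts.path) and {"e", "x", "y"}.issubset(query):
            hits.append("net:aff/cntr.php-beacon")
    return hits


def scan(events):
    """Map event index -> matched labels; several indicator families together mean infection."""
    report = {}
    for index, ev in enumerate(events):
        hits = match_event(ev)
        if hits:
            report[index] = hits
    return report


# Constructed sample telemetry (not captured from a real host).
SAMPLE_EVENTS = [
    {"type": "mutex", "name": MUTEX},
    {"type": "file_create", "path": r"C:\WINDOWS\system32\svcp.csv", "size": 64},
    {"type": "file_create", "path": r"C:\WINDOWS\system32\back.exe", "size": 92672},
    {"type": "file_create", "path": r"C:\WINDOWS\system32\glok+3c51-3a43.sys", "size": 128640},
    {"type": "reg_set", "key": r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\W32Time\Parameters",
     "value": "NtpServer", "data": NTP_TAMPERED},
    # 203.0.113.5 is a documentation address standing in for the masked 213.155.3.** host.
    {"type": "http", "url": "http://203.0.113.5/aff/cntr.php?e=45337902_85_1_2_2&x=98&y=7621"},
    {"type": "file_create", "path": r"C:\Program Files\Editor\editor.exe", "size": 1234},
    {"type": "http", "url": "http://www.antiy.com/"},
]

if __name__ == "__main__":
    for index, labels in scan(SAMPLE_EVENTS).items():
        print(index, labels)
```

The size check is deliberately advisory: a later build of the downloader would keep the hard-coded file names but not the byte counts, so a name match in the System folder is reported either way and the mismatch is only appended as a hint. The beacon rule keys on the path and the e/x/y parameters rather than the host, because the report shows the host masked and affiliate counters of this kind move between addresses.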
Note: %System32% is a variable path. The virus determines the current System folder location by querying the operating system.
%Windir%: the WINDOWS directory
%DriveLetter%: root directory of a logical drive
%ProgramFiles%: default program installation directory
%Temp%: \Documents and Settings\<current user>\Local Settings\Temp on the system partition
%Documents and Settings%: root directory of the current user's documents
%System32%: the system's System32 folder

Default path on Windows 2000/NT: C:\Winnt\System32
Default path on Windows 95/98/Me: C:\Windows\System
Default path on Windows XP: C:\Windows\System32
Fourth, removal procedure:
1. Use Antiy's anti-virus product (安天防线) to remove this trojan completely (recommended).
Antiy website: http://www.antiy.com
2. For manual removal, delete the files and restore the system settings according to the behavior analysis above:
(1) Use the "Process Management" function of ATool to end the processes related to the virus.
(2) Restore the registry values modified by the virus (set each back to its "Old" value):
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\W32Time\Parameters\NtpServer
New: string: "time.windows.com,time.nist.gov"
Old: string: "time.windows.com,0x1"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters\NtpServer
New: string: "time.windows.com,time.nist.gov"
Old: string: "time.windows.com,0x1"
HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\Bags\6\Shell\ShowCmd
New: DWORD: 1 (0x1)
Old: DWORD: 3 (0x3)
HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\Bags\6\Shell\WFlags
New: DWORD: 0 (0)
Old: DWORD: 2 (0x2)
(3) Restore the registry entries deleted by the virus:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_GPC\0000\Capabilities
Value: DWORD: 0 (0)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_GPC\0000\Class
Value: string: "LegacyDriver"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_GPC\0000\ClassGUID
Value: string: "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_GPC\0000\ConfigFlags
Value: DWORD: 0 (0)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_GPC\0000\Control\ActiveService
Value: string: "Gpc"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_GPC\0000\DeviceDesc
Value: string: "Generic Packet Classifier"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_GPC\0000\Legacy
Value: DWORD: 1 (0x1)
Then delete the following registry key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache
Delete all entries under the MUICache key.
(4) Delete the virus and the files it dropped:
%System32%\back.exe 92,672 bytes
%System32%\svcp.csv 64 bytes
%System32%\glok+3c51-3a43.sys 128,640 bytes (random file name)
%System32%\glok+serv.config 47,901 bytes (random file name)
%System32%\winsub.xml 4 bytes
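As an added example (not from the original report or from Antiy), the following Python script builds a regedit-importable .reg file that puts back the "Old" values listed in step (2) and removes the MUICache key from step (3), then parses the file back to check what it will do. The .reg syntax is the standard "Windows Registry Editor Version 5.00" format. It assumes the clean NtpServer string is "time.windows.com,0x1" with no space after the comma (the report's rendering inserts one), and INFECTED_SNAPSHOT is constructed from the "New" values above rather than read from a host.

```python
"""Build and check a .reg restore file for the registry changes listed above (added example).

The data restored is the "Old" value of each entry in step (2); the MUICache key from
step (3) is deleted outright. Assumption: the clean NtpServer string is
"time.windows.com,0x1" with no space after the comma.
"""
HKLM = "HKEY_LOCAL_MACHINE"
HKCU = "HKEY_CURRENT_USER"
W32TIME = r"\SYSTEM\%s\Services\W32Time\Parameters"
BAGS6 = HKCU + r"\Software\Microsoft\Windows\ShellNoRoam\Bags\6\Shell"

# (key, value name, kind, clean data) for every value the removal section restores.
RESTORE_VALUES = [
    (HKLM + W32TIME % "ControlSet001", "NtpServer", "sz", "time.windows.com,0x1"),
    (HKLM + W32TIME % "CurrentControlSet", "NtpServer", "sz", "time.windows.com,0x1"),
    (BAGS6, "ShowCmd", "dword", 3),
    (BAGS6, "WFlags", "dword", 2),
]
# Keys to delete wholesale; Explorer rebuilds MUICache as programs are run.
DELETE_KEYS = [HKCU + r"\Software\Microsoft\Windows\ShellNoRoam\MUICache"]


def reg_quote(text):
    """Quote a string for .reg syntax: backslash and double quote are escaped with a backslash."""
    return '"' + text.replace("\\", "\\\\").replace('"', '\\"') + '"'


def format_value(name, kind, data):
    """Render one value line: REG_SZ as a quoted string, REG_DWORD as dword:<8 hex digits>."""
    if kind == "sz":
        return "%s=%s" % (reg_quote(name), reg_quote(data))
    if kind == "dword":
        return "%s=dword:%08x" % (reg_quote(name), data)
    raise ValueError("unsupported kind %r" % kind)


def build_restore_reg():
    """Return the full text of a regedit-importable restore file (CRLF line endings)."""
    by_key = {}
    for key, name, kind, data in RESTORE_VALUES:
        by_key.setdefault(key, []).append(format_value(name, kind, data))
    lines = ["Windows Registry Editor Version 5.00", ""]
    for key, value_lines in by_key.items():
        lines += ["[%s]" % key] + value_lines + [""]
    for key in DELETE_KEYS:
        lines += ["[-%s]" % key, ""]  # a leading '-' deletes the whole key
    return "\r\n".join(lines)


def parse_reg(text):
    """Parse the .reg subset written above -> ({key: {name: (kind, data)}}, {deleted keys})."""
    values, deletes, key = {}, set(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[-") and line.endswith("]"):
            deletes.add(line[2:-1])
            key = None
        elif line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            values.setdefault(key, {})
        else:
            name, _, data = line.partition("=")
            name = name[1:-1]  # strip the surrounding quotes
            if data.startswith("dword:"):
                values[key][name] = ("dword", int(data[6:], 16))
            else:
                values[key][name] = ("sz", data[1:-1].replace('\\"', '"').replace("\\\\", "\\"))
    return values, deletes


def plan_restore(current):
    """Compare a host snapshot {(key, name): data} with the clean values; list what still differs."""
    return [(key, name, data) for key, name, _kind, data in RESTORE_VALUES
            if current.get((key, name)) != data]


# Constructed snapshot built from the "New" (tampered) values in the report.
INFECTED_SNAPSHOT = {
    (HKLM + W32TIME % "ControlSet001", "NtpServer"): "time.windows.com,time.nist.gov",
    (HKLM + W32TIME % "CurrentControlSet", "NtpServer"): "time.windows.com,time.nist.gov",
    (BAGS6, "ShowCmd"): 1,
    (BAGS6, "WFlags"): 0,
}

if __name__ == "__main__":
    for key, name, data in plan_restore(INFECTED_SNAPSHOT):
        print("restore", key, name, "->", data)
    # regedit's native encoding for Version 5.00 files is UTF-16 with BOM; newline="" keeps the CRLFs intact.
    with open("cntr_restore.reg", "w", encoding="utf-16", newline="") as fh:
        fh.write(build_restore_reg())
```

Two things the file deliberately leaves out. ControlSet001 is normally just the control set that CurrentControlSet points at, so the second NtpServer entry is redundant but harmless. The LEGACY_GPC\0000 instance key from step (3) is not written at all: Enum\Root is writable only by SYSTEM, and Windows recreates a LEGACY_<service> instance key itself when the corresponding legacy driver service (here Gpc) next starts, so a reboot after the other cleanup normally restores it without hand-editing protected keys.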
