2025-04-03 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)05/31 Report--
Many newcomers are not clear on how to analyze XiaoBa ransomware variants. To help with that, this article walks through one variant in detail; anyone who needs it can follow along, and I hope you get something out of it.
Overview
XiaoBa ransomware is a new type of computer virus and one of the more sophisticated domestic ransomware families. It spreads mainly through e-mail, trojanized programs and drive-by downloads from compromised web pages. It uses several encryption algorithms to encrypt files; the victim generally cannot decrypt them and must obtain the private key to recover them. If the ransom is not paid within 200 seconds, all the encrypted files are destroyed.
That description comes from Baidu Baike, but the XiaoBa variant analyzed here does not show those behaviours. Instead it is highly stealthy and highly infectious, with three main functions: file encryption, file deletion and cryptocurrency mining.
Sample analysis
After analysis in the ThreatBook (微步在线) cloud sandbox (see the reference link), the sample was confirmed to be malicious.
Behavior diagram
Permission adjustment
After the sample starts, it first raises its own process privileges so that it has enough rights for the operations that follow.
Path check: the sample checks whether it is running from %SystemRoot%\360\360Safe\deepscan. If not, it copies itself into that directory and executes the copy. If it is already running from that path, it first makes a series of changes to system settings:
Modify file attributes
The file attributes are set to hidden and system (a "protected operating system file"), so the file only becomes visible after unchecking "Hide protected operating system files (Recommended)" under Folder and Search Options.
Disable UAC
Set up auto-start and create shortcuts
Disable the Registry Editor
Keep hidden files from being shown
Disable Folder and Search Options
Create an auto-start entry
Delete the SafeBoot keys (so the machine can no longer boot into safe mode)
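The settings in this list all live at well-known registry locations, so a quick way to confirm that a machine has been through this sequence is to read those values back. The following is an added example, not code from the sample or from this write-up, that does so: it reads the live registry with winreg on Windows, or audits a snapshot dict on any other system. The key paths are the standard Windows locations for UAC, the Registry Editor policy, Folder Options, hidden-file display, SafeBoot and the Run autostart; the %SystemRoot%\360\360Safe\deepscan drop path comes from the analysis above, while the RECYCLER marker and the values in TAMPERED_SNAPSHOT are assumptions constructed for illustration.

```python
"""Audit the registry settings this XiaoBa variant is described as tampering with.

Added example, not code from the sample or the write-up. The key paths are the
standard Windows locations of UAC, the regedit policy, Folder Options, hidden-file
display, the SafeBoot keys and the Run autostart; only the drop path
%SystemRoot%\\360\\360Safe\\deepscan comes from the analysis (the RECYCLER marker is
assumed). On Windows the live registry is read with winreg; elsewhere pass a
snapshot dict {"HKLM\\SOFTWARE\\...": {"ValueName": data, ...}} with None for a key
that does not exist (include the SafeBoot keys, or that check is meaningless).
"""
import sys

POLICY_SYSTEM_HKLM = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
POLICY_SYSTEM_HKCU = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System"
POLICY_EXPLORER = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
ADVANCED = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
SHOWALL = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL"
SAFEBOOT_KEYS = [r"HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal",
                 r"HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network"]
RUN_KEYS = [r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
            r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"]
DROP_MARKERS = (r"\360\360Safe\deepscan", r"\RECYCLER\S-")  # second marker is an assumption

# (key, value name, data that means tampering, meaning). An absent value is the
# Windows default for all of these, so only an explicit match is reported.
TAMPER_VALUES = [
    (POLICY_SYSTEM_HKLM, "EnableLUA", 0, "UAC disabled"),
    (POLICY_SYSTEM_HKCU, "DisableRegistryTools", 1, "Registry Editor blocked by policy"),
    (POLICY_EXPLORER, "NoFolderOptions", 1, "Folder Options removed from Explorer"),
    (SHOWALL, "CheckedValue", 0, "'Show hidden files' radio button made ineffective"),
]
# Reported as state only: 2 and 0 here are also the defaults on a fresh install.
STATE_VALUES = [
    (ADVANCED, "Hidden", "1 = show hidden files, 2 = do not show"),
    (ADVANCED, "ShowSuperHidden", "1 = show protected OS files, 0 = hide them"),
]


def read_live_key(path):
    """Read every value under an HKLM\\... or HKCU\\... key; None if the key is absent."""
    import winreg  # Windows only
    hive, _, subkey = path.partition("\\")
    root = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}[hive]
    try:
        with winreg.OpenKey(root, subkey) as key:
            values, index = {}, 0
            while True:
                try:
                    name, data, _ = winreg.EnumValue(key, index)
                except OSError:  # no more values under this key
                    return values
                values[name] = data
                index += 1
    except FileNotFoundError:
        return None


def audit(snapshot=None):
    """Return (severity, meaning, detail) tuples; severity is 'tamper' or 'info'."""
    if snapshot is None:
        if sys.platform != "win32":
            raise RuntimeError("live registry access needs Windows; pass a snapshot")
        keys = {k for k, *_ in TAMPER_VALUES + STATE_VALUES} | set(SAFEBOOT_KEYS + RUN_KEYS)
        snapshot = {k: read_live_key(k) for k in keys}
    findings = []
    for key, name, bad, meaning in TAMPER_VALUES:
        if (snapshot.get(key) or {}).get(name) == bad:
            findings.append(("tamper", meaning, f"{key}\\{name} = {bad}"))
    for key, name, legend in STATE_VALUES:
        values = snapshot.get(key) or {}
        if name in values:
            findings.append(("info", f"{name} = {values[name]} ({legend})", key))
    for key in SAFEBOOT_KEYS:
        if snapshot.get(key) is None:
            findings.append(("tamper", "SafeBoot key deleted (safe mode no longer boots)", key))
    for key in RUN_KEYS:
        for name, data in (snapshot.get(key) or {}).items():
            if any(m.lower() in str(data).lower() for m in DROP_MARKERS):
                findings.append(("tamper", "autostart points into the sample's drop folder", f"{key}\\{name} = {data}"))
    return findings


# Constructed snapshot of a machine after the sample's changes (illustration, not a capture).
TAMPERED_SNAPSHOT = {
    POLICY_SYSTEM_HKLM: {"EnableLUA": 0},
    POLICY_SYSTEM_HKCU: {"DisableRegistryTools": 1},
    POLICY_EXPLORER: {"NoFolderOptions": 1},
    SHOWALL: {"CheckedValue": 0},
    ADVANCED: {"Hidden": 2, "ShowSuperHidden": 0},
    SAFEBOOT_KEYS[0]: None,
    SAFEBOOT_KEYS[1]: None,
    RUN_KEYS[0]: {"360Safe": r"C:\Windows\360\360Safe\deepscan\sample.exe"},
    RUN_KEYS[1]: {},
}

if __name__ == "__main__":
    for severity, meaning, detail in audit(None if sys.platform == "win32" else TAMPERED_SNAPSHOT):
        print(f"[{severity}] {meaning}: {detail}")
```

Hidden and ShowSuperHidden are reported as state rather than as tampering because 2 and 0 are also what a fresh install carries; only an explicit EnableLUA=0, DisableRegistryTools=1, NoFolderOptions=1 or CheckedValue=0, a missing SafeBoot key, or an autostart pointing into the drop folder is counted as a finding.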
Disk traversal
It enumerates the drives and creates an autorun.inf in each drive root, writing the autorun entries shown in the screenshot, in an attempt to spread to USB drives; as expected, the file is set hidden.
It creates the folder RECYCLER\S-5-4-62-7581032776-5377505530-562822366-6588 and copies its own files into it, then rewrites the hosts file to redirect the domains of security vendors.
Main thread
Finally, a thread is created. In the thread function, XiaoBa walks every file on disk looking for the extensions .exe, .com, .scr, .pif, .html, .htm, .gho and .iso, and treats each group differently:
.exe, .com, .scr, .pif
These files are rewritten: the sample writes its own body to the beginning of each file, so that launching any of them later runs ZhuDongFangYu.exe (the name of 360's active-defense process).
.html, .htm
A mining script is appended to the end of these files.
.gho, .iso
These files are deleted outright.
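Both the disk-traversal stage above and the per-extension logic in the main thread leave artifacts that can be checked for without running the sample. The following is an added example, not the sample's or this write-up's code, that scans a directory tree for them: an autorun.inf at the root (and whether it is hidden, on Windows), executables inside a RECYCLER\S-... folder, security-vendor domains pinned in a hosts file, executables whose original PE image sits behind a prepended one, and .html/.htm files with a <script> after </html>. VENDOR_DOMAINS, the RECYCLER name pattern and the sample tree that build_sample_tree() constructs are assumptions for illustration; the extensions and the drop-folder name are from the analysis.

```python
"""Scan a directory tree for the file-system artifacts the write-up attributes to this
XiaoBa variant: autorun.inf at the volume root, executables inside a RECYCLER\\S-...
drop folder, security-vendor domains pinned in a hosts file, executables carrying a
second PE image behind a prepended one, and .html/.htm files with a <script> appended
after </html>. Added example, not the sample's or the write-up's code: VENDOR_DOMAINS
and the RECYCLER name pattern are assumptions, and build_sample_tree() constructs a
small test tree (not captured data) so the scan runs offline.
"""
import os
import re
import struct
import tempfile
from pathlib import Path

VENDOR_DOMAINS = ("360.cn", "qihoo.com", "kaspersky.com", "rising.com.cn")  # assumed targets
PE_EXTS = {".exe", ".com", ".scr", ".pif"}
HTML_EXTS = {".html", ".htm"}
RECYCLER_RE = re.compile(r"RECYCLER[\\/]S-\d+(?:-\d+)+", re.I)  # assumed drop-folder shape

def pe_image_offsets(data):
    """Offsets of every 'MZ' whose e_lfanew (offset 0x3C) points at a 'PE\\0\\0' signature."""
    found, pos = [], data.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(data):
            (e_lfanew,) = struct.unpack_from("<I", data, pos + 0x3C)
            pe = pos + e_lfanew
            if 0 < e_lfanew < 0x10000 and data[pe:pe + 4] == b"PE\x00\x00":
                found.append(pos)
        pos = data.find(b"MZ", pos + 1)
    return found

def check_pe(path):
    """A prepended infector leaves the original PE intact after its own image."""
    images = pe_image_offsets(path.read_bytes())
    if len(images) >= 2:
        return f"second PE image at offset {images[1]}"
    return None

def check_html(path):
    """Flag a <script> that sits after the document's closing </html>."""
    text = path.read_text(errors="replace").lower()
    end = text.rfind("</html>")
    return "script appended after </html>" if end != -1 and "<script" in text[end:] else None

def check_hosts(path):
    """Return 'host -> ip' for every hosts entry that pins a vendor domain."""
    hits = []
    for line in path.read_text(errors="replace").splitlines():
        fields = line.split("#", 1)[0].split()  # drop comments, then split ip/hostnames
        for host in fields[1:]:
            if any(host == d or host.endswith("." + d) for d in VENDOR_DOMAINS):
                hits.append(f"{host} -> {fields[0]}")
    return hits

def scan(root):
    """Return (indicator, relative path, detail) tuples for everything suspicious under root."""
    root, findings = Path(root), []
    autorun = root / "autorun.inf"
    if autorun.is_file():
        hidden = os.name == "nt" and bool(os.stat(autorun).st_file_attributes & 0x2)  # FILE_ATTRIBUTE_HIDDEN
        body = autorun.read_text(errors="replace").strip().replace("\n", "; ")
        findings.append(("autorun.inf at root", "autorun.inf", body + (" [hidden]" if hidden else "")))
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel, ext = str(path.relative_to(root)), path.suffix.lower()
        if ext in PE_EXTS and RECYCLER_RE.search(rel):
            findings.append(("executable in RECYCLER drop folder", rel, ""))
        if path.name.lower() == "hosts":
            findings += [("vendor domain redirected in hosts", rel, h) for h in check_hosts(path)]
        elif ext in PE_EXTS and (detail := check_pe(path)):
            findings.append(("infected executable", rel, detail))
        elif ext in HTML_EXTS and (detail := check_html(path)):
            findings.append(("html with appended script", rel, detail))
    return findings

def minimal_pe(tag):
    """96-byte stand-in PE image: DOS header with e_lfanew=0x40, then 'PE\\0\\0' plus a tag."""
    return b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40) + b"PE\x00\x00" + tag.ljust(0x1C, b"\0")

def build_sample_tree(base):
    """Construct (not captured) files mirroring the artifacts described in the write-up."""
    base = Path(base)
    drop = base / "RECYCLER" / "S-5-4-62-7581032776-5377505530-562822366-6588"
    drop.mkdir(parents=True)
    (drop / "sample.exe").write_bytes(minimal_pe(b"dropper"))
    (base / "autorun.inf").write_text("[autorun]\nopen=RECYCLER\\S-5-4-62-7581032776-5377505530-562822366-6588\\sample.exe\n")
    (base / "hosts").write_text("127.0.0.1 localhost\n127.0.0.1 www.360.cn # vendor pinned\n")
    (base / "clean.exe").write_bytes(minimal_pe(b"clean"))
    (base / "infected.exe").write_bytes(minimal_pe(b"infector") + minimal_pe(b"victim"))
    (base / "clean.html").write_text("<html><body>ok</body></html>\n")
    (base / "infected.html").write_text('<html><body>ok</body></html>\n<script src="miner.js"></script>\n')
    return base

def run_demo():
    """Build the sample tree in a temporary directory, scan it and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan(build_sample_tree(tmp))

if __name__ == "__main__":
    for indicator, rel, detail in run_demo():
        print(f"{indicator:36} {rel:64} {detail}")
```

A second PE image is also what an installer or self-extracting archive looks like, so treat that indicator as a triage hint to compare against a known-good copy rather than a verdict; what the rewrite described above produces is the specific case where the file begins with a foreign image and the victim's own PE follows it intact.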
An interesting point: the sample's own icon is the 360 antivirus icon, the folder it creates is named 360, and the executables it has rewritten also end up with the 360 icon.