Shulou(Shulou.com)05/31 Report--

How to carry out XiaoBa blackmail virus variants analysis, many novices are not very clear about this, in order to help you solve this problem, the following editor will explain for you in detail, people with this need can come to learn, I hope you can gain something.

Overview

XiaoBa blackmail virus, is a new type of computer virus, is a very high level of domestic blackmail virus, mainly in the form of mail, program Trojan horse, web page hanging horse form to spread. This virus uses a variety of encryption algorithms to encrypt files, the infected are generally unable to decrypt, must get the decrypted private key to be able to crack. If the ransom is not paid in 200 seconds, all the encrypted files will be destroyed.

The above description is from Baidu encyclopedia, but the XiaoBa variant I analyzed does not have the above behavioral characteristics, but it has a strong concealment and infectivity, and has three main functions: file encryption, file deletion and mining.

Sample analysis

After micro-step cloud sandbox analysis (see "reference link" for related links), this sample is confirmed to be malicious.

Behavior diagram

Permission adjustment

After the sample runs, first adjust the process permissions to ensure that you have sufficient permissions for subsequent operations

Path judgment: the sample will determine whether the current execution path is in the% systemroot%\ 360\ 360Safe\ deepscan directory, and if not, copy itself to this directory and execute it. If you are under this path, some actions related to modifying the system settings will be done first:

Modify file properties

To set the file property to protected system files, you need to cancel the "hide protected operating system files (recommended)" option in the folders and search options to see

Disable UAC

Set up self-startup, create shortcuts

Disable the registry

Do not show hidden files

Disable folder and search options

Create self-startup

Delete SafeBoot option

Disk traversal

Traverse the disk, create an autorun.inf file under the disk root, write the following data, try to infect the USB disk, and inevitably set this file to be hidden

Create the folder RECYCLER\ S Mel 5-4-62-7581032776-5377505530-562822366-6588, and copy your own files in to rewrite the hosts file and redirect the security vendor URL

Main topic

Finally, a thread is created. In the thread function, XiaoBa iterates through all files, looking for files with .exe, .com, .scr, .pif, .html, .htm, .gho, .iso extensions, and performs different operations for different extensions. Exe, .com, .scr, .pif

Rewrite these files, write your own files to the beginning of these files, and later run ZhuDongFangYu.exe if you run these files again

.html,. Htm

Add mining scripts to the end of these files

.gho,. Iso

For these files, delete them directly

An interesting point is that the icon of this sample is 360 antivirus icon, the name of the folder created is 360, and the icons of executable programs that have been rewritten by 360 are replaced by 360 icons.

Is it helpful for you to read the above content? If you want to know more about the relevant knowledge or read more related articles, please follow the industry information channel, thank you for your support.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.