Analysis of I-Worm.MTX

zhaozj2021-02-11  170

The MTX virus consists of three parts: a worm, a virus and a backdoor. It spreads on 32-bit Windows systems: the virus part infects Win32 executables, the worm part sends e-mail with an infected attachment, and the backdoor part is installed on the affected system.

The virus has an unusual structure. It contains three different components (virus, worm, backdoor), of which the virus part is the main one: it carries the worm and backdoor code inside its own code in compressed form. When it infects a system, it decompresses them and installs them.

The structure of the MTX virus looks like the following:

------------------
| Virus          | -> installs the worm and backdoor into the system, then finds and
| installation   |    infects Win32 executable files
| and infection  |
| routines       |
------------------
| Worm code      | -> runs as a user program
| (compressed)   |
------------------
| Backdoor code  | -> runs as a separate program
| (compressed)   |
------------------

The worm itself does not contain the routines needed to install itself into the system; it is sent out as an ordinary file infected by the virus, and the virus does the installation.

The reason for this design is not clear; possibly the parts were written separately.

The virus section contains the following text:

Sab.b Virus

Software Provide by [Matrix] VX Team: Ultras, Mort, NBK, Lord Dark,

Del_armg0, Anaktos

Greetz: All Vx Guy In #virus and vecna for Help US

Visit US AT:

http://www.coderz.neet/matrix

The worm part contains the following text:

Software Provide by [Matrix] VX Team:

Ultras, MORT, NBK, LORD DARK, DEL_ARMG0, ANAKTOS

Greetz:

All vx guy on #virus channel and vecna

Visit US: www.coderz.net/matrix

The back door portion contains the following text:

Software provide by [matrix] Team:

Ultras, MORT, NBK, LORD DARK, DEL_ARMG0, ANAKTOS

Greetz:

Vecna 4 Source Codes and Ideas

- Virus Component:

When infecting a file the virus uses EPO (Entry Point Obscuring). This means the virus does not touch the code at the beginning of the file; instead the "jump to virus" instruction is placed somewhere in the middle of the program, which makes detection and disinfection more complicated. As a result the virus is only activated when the infected program reaches that routine and hands it control.

The virus body is also encrypted, and it first decrypts itself when its code gains control. It then locates the Win32 API functions it needs by scanning the Win32 kernel.

Next it looks for an anti-virus program that is active on the system; if any is found, the virus exits.

The anti-virus programs the virus looks for include:

Antiviral Toolkit Pro

AVP Monitor

Vsstat

Webscanx

Avconsol

McAfee Virusscan

Vshwin32

Central Do McAfee Virusscan

The virus then installs the other components into the system: it decompresses them into the Windows directory, creating three files there with the hidden attribute:

IE_PACK.EXE - pure worm code

Win32.dll - worm code infected by the virus

MTX_.exe - backdoor program code

The virus then infects PE EXE files in the current directory, the Windows temporary directory and the Windows directory, and exits.

- Worm Component

The worm uses the technique first introduced by Happy99 (SKA) to attach infected messages to outgoing mail: it appends its code to the end of WSOCK32.DLL in the Windows System directory and hooks that library's "send" function. As a result the worm monitors all data sent from this machine to the Internet.

Usually WSOCK32.DLL is already in use when the worm starts and is locked by Windows. To get around that, the worm uses the standard method: it creates a copy of the original WSOCK32.DLL named WSOCK32.MTX, infects the copy, and writes a "replace original file with infected copy" instruction into the WININIT.INI file:

NUL=C:\Windows\system\wsock32.dll
C:\Windows\system\wsock32.dll=d:\windows\system\wsock32.mtx

(Windows processes these entries at the next boot: the NUL= line deletes the original file and the second line renames the infected copy over it.)

After a reboot the infected WSOCK32.DLL replaces the original, and the worm gains access to all data sent out from this machine. The worm pays attention to the Internet sites (Web, FTP) being visited and to outgoing e-mail.

The worm's most noticeable behaviour is that it blocks access to certain Internet sites and also blocks sending e-mail to the same domains. It identifies them by checking for the following four-character strings:

Nii.

Nai.

AVP.

F-se

Mapl

pand

SOPH

NDMI

Afee

Yenn

Lywa

TBAV

Yman

The worm also does not let the user send e-mail to the following domains:

Wildlist.o *

Il.esafe.c *

Perfectsup *

Complex.is *

Hiserv.com *

Hiserv.com *

Metro.ch *

Beyond.com *

McAfee.com *

PandasoftW *

Earthlink. *

INEXAR.COM *

COMKOM.CO. *

Meditrade. *

Mabex.com *

Cellco.com *

Symantec.c *

Successful *

Inforamp.n *

Newell.com *

Singnet.co *

BMCD.com.a *

BCA.com.nz *

TrendMicro *

Sophos.com *

MAPLE.COM. *

Netsales.n *

F-secure.c *
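To make the filtering behaviour concrete, here is a small model of it written for this page (it is not the worm's code). The fragment and domain lists are copied from the write-up; that the comparison is case-insensitive and by plain substring is an assumption. An analyst can use it to predict which vendor sites and mail domains an infected machine silently fails to reach, which is one of the symptoms that gives the infection away.

```python
# Added example: model of the worm's site/e-mail filter described above.
# Not the worm's code; lists copied from the write-up, matching rules assumed.

# Four-character fragments looked for in host names and e-mail addresses
FRAGMENTS = ["nii.", "nai.", "avp.", "f-se", "mapl", "pand", "soph",
             "ndmi", "afee", "yenn", "lywa", "tbav", "yman"]

# Domain prefixes; the trailing '*' in the write-up means "anything may follow"
BLOCKED_DOMAIN_PREFIXES = [
    "wildlist.o", "il.esafe.c", "perfectsup", "complex.is", "hiserv.com",
    "metro.ch", "beyond.com", "mcafee.com", "pandasoftw", "earthlink.",
    "inexar.com", "comkom.co.", "meditrade.", "mabex.com", "cellco.com",
    "symantec.c", "successful", "inforamp.n", "newell.com", "singnet.co",
    "bmcd.com.a", "bca.com.nz", "trendmicro", "sophos.com", "maple.com.",
    "netsales.n", "f-secure.c",
]


def matched_fragment(name):
    """Return the first four-character fragment contained in name, or None."""
    lowered = name.lower()
    for fragment in FRAGMENTS:
        if fragment in lowered:
            return fragment
    return None


def matched_domain_prefix(domain):
    """Return the blocked-domain pattern that domain starts with, or None."""
    lowered = domain.lower()
    for prefix in BLOCKED_DOMAIN_PREFIXES:
        if lowered.startswith(prefix):
            return prefix + "*"
    return None


def site_blocked(host):
    """Web/FTP access to host fails on an infected machine if a fragment matches."""
    return matched_fragment(host) is not None


def mail_blocked(address):
    """Mail to address is dropped if its domain part matches either list."""
    domain = address.rsplit("@", 1)[-1]
    return matched_fragment(domain) is not None or matched_domain_prefix(domain) is not None


def explain(address):
    """List the reasons an address would be blocked, for triaging
    'cannot reach the vendor site / my mail never arrives' reports."""
    domain = address.rsplit("@", 1)[-1]
    reasons = []
    fragment = matched_fragment(domain)
    if fragment:
        reasons.append(f"contains fragment {fragment!r}")
    prefix = matched_domain_prefix(domain)
    if prefix:
        reasons.append(f"matches domain pattern {prefix!r}")
    return reasons


if __name__ == "__main__":
    for name in ["www.symantec.com", "user@metro.ch", "user@example.org"]:
        print(name, "->", explain(name) or "not blocked")
```

Note how short fragments catch more than the obvious names: "yman" is what blocks symantec.com and "mapl" is what blocks maple.com, so a vendor site can be unreachable even though its domain is not in the second list.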

The worm also intercepts e-mail messages being sent and then tries to send a second message to the same address with an infected attachment. As a result, the recipient receives two messages: the first is the sender's own e-mail; the second has an empty subject and body but carries one attachment. The worm picks the attachment name from the following list according to the current date:

Readme.txt.pif

I_wanna_see_you.txt.pif

Matrix_screen_saver.scr

LOVE_LETTER_FOR_YOU.TXT.PIF

NEW_PLAYBOY_SCREEN_SAVER.SCR

BILL_GATES_PIECE.JPG.PIF

Tiazinha.jpg.pif

Feiticeira_nua.jpg.pif

Geocities_free_sites.txt.pif

New_napster_site.txt.pif

Metallica_song.mp3.pif

Anti_cih.exe

Internet_security_forum.doc.pif

Alanis_screen_saver.scr

Reader_digest_letter.txt.pif

WIN_$100_now.doc.pif

IS_LINUX_GOOD_ENUGH!.txt.pif

Qi_Test.exe

AVP_UPDATES.EXE

Seicho-no-ie.exe

You_are_fat!.txt.pif

Free_XXX_SITES.TXT.PIF

I_am_sorry.doc.pif

ME_NudE.avi.pif

Sorry_about_yesterday.doc.pif

Protect_your_credit.html.pif

Jimi_hmndrix.mp3.pif

Hanson.scr

Fucking_with_dogs.scr

Matrix_2_is_out.scr

Zipped_files.exe

BLINK_182.MP3.PIF
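The "two messages" pattern above is easy to spot at a mail gateway. The following detection logic is an added example written for this page, not code from the write-up: it runs over a few constructed log lines (the log format is invented for the example) and flags an empty-subject message carrying one of the listed attachment names, or a double-extension name such as something.txt.pif, when it follows a normal message from the same sender to the same recipient. The five-minute pairing window is an assumption.

```python
# Added example: detection of the "two messages" pattern over constructed
# mail-gateway log lines. Log format and pairing window are assumptions.
import re
from datetime import datetime, timedelta

# Attachment names from the write-up, lower-cased for comparison
MTX_ATTACHMENTS = {
    "readme.txt.pif", "i_wanna_see_you.txt.pif", "matrix_screen_saver.scr",
    "love_letter_for_you.txt.pif", "new_playboy_screen_saver.scr",
    "bill_gates_piece.jpg.pif", "tiazinha.jpg.pif", "feiticeira_nua.jpg.pif",
    "geocities_free_sites.txt.pif", "new_napster_site.txt.pif",
    "metallica_song.mp3.pif", "anti_cih.exe", "internet_security_forum.doc.pif",
    "alanis_screen_saver.scr", "reader_digest_letter.txt.pif",
    "win_$100_now.doc.pif", "is_linux_good_enugh!.txt.pif", "qi_test.exe",
    "avp_updates.exe", "seicho-no-ie.exe", "you_are_fat!.txt.pif",
    "free_xxx_sites.txt.pif", "i_am_sorry.doc.pif", "me_nude.avi.pif",
    "sorry_about_yesterday.doc.pif", "protect_your_credit.html.pif",
    "jimi_hmndrix.mp3.pif", "hanson.scr", "fucking_with_dogs.scr",
    "matrix_2_is_out.scr", "zipped_files.exe", "blink_182.mp3.pif",
}

# Invented log format: one message per line, '-' means no attachment
LOG_RE = re.compile(
    r'^(?P<ts>\S+) from=(?P<sender>\S+) to=(?P<rcpt>\S+) '
    r'subject="(?P<subject>[^"]*)" attachment=(?P<att>\S+)$'
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    rec["att"] = None if rec["att"] == "-" else rec["att"]
    return rec


def double_extension(name):
    """True for names like 'readme.txt.pif': a harmless-looking extension
    followed by an executable one, the naming trick used in the list above."""
    parts = name.lower().split(".")
    return len(parts) >= 3 and parts[-1] in {"pif", "scr", "exe"}


def find_mtx_pairs(lines, window=timedelta(minutes=5)):
    """Return (sender, recipient, attachment) for each empty-subject message
    with a suspicious attachment that follows a normal message between the
    same sender and recipient within the window."""
    events = [r for r in map(parse_line, lines) if r]
    findings = []
    for i, msg in enumerate(events):
        if msg["subject"] != "" or msg["att"] is None:
            continue
        name = msg["att"].lower()
        if name not in MTX_ATTACHMENTS and not double_extension(name):
            continue
        for prev in events[:i]:
            same_pair = prev["sender"] == msg["sender"] and prev["rcpt"] == msg["rcpt"]
            if same_pair and prev["subject"] and timedelta(0) <= msg["ts"] - prev["ts"] <= window:
                findings.append((msg["sender"], msg["rcpt"], msg["att"]))
                break
    return findings


# Constructed sample log (not real traffic)
SAMPLE_LOG = [
    '2000-09-01T10:00:01 from=alice@example.org to=bob@example.net subject="Meeting notes" attachment=-',
    '2000-09-01T10:00:02 from=alice@example.org to=bob@example.net subject="" attachment=Readme.txt.pif',
    '2000-09-01T10:04:00 from=carol@example.org to=dave@example.net subject="Report" attachment=report.doc',
    '2000-09-01T10:05:00 from=carol@example.org to=dave@example.net subject="" attachment=-',
    '2000-09-01T11:00:00 from=erin@example.org to=frank@example.net subject="" attachment=Photo.jpg.pif',
]

if __name__ == "__main__":
    for hit in find_mtx_pairs(SAMPLE_LOG):
        print("possible MTX mailing:", hit)
```

Only the alice-to-bob pair is reported: the empty carol-to-dave message has no attachment, and the erin-to-frank message, although its name has the double extension, is not preceded by a normal message between the same two addresses.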

- Backdoor Component

When run, the backdoor creates a new registry key indicating that the machine has already been infected:

HKLM\Software\[Matrix]

If this key already exists, the backdoor skips the installation; otherwise it registers itself to run automatically:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
SystemBackup=%WINDIR%\MTX_.exe

where %WINDIR% is the Windows directory.

The backdoor then stays active in Windows as a hidden application (service) and runs a routine that connects to some Internet servers, obtains files from them and installs them on the system. The backdoor can therefore be used to install other virus components, Trojan horses, or a more powerful backdoor.
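The installation traces described in the three sections above (the hidden files dropped into the Windows directory, the WSOCK32.MTX copy and WININIT.INI rename entries, the [Matrix] marker key and the SystemBackup Run value) can be checked together. The script below is an added example written for this page, not the virus's code or any vendor's tool; it works on a constructed snapshot dictionary so that it runs offline, and on a real host the three inputs would come from a directory listing, the registry and %WINDIR%\WININIT.INI.

```python
# Added example: offline indicator check for the MTX installation traces.
# Not the virus's code; the snapshot format below is an assumption.
import ntpath

DROPPED_FILES = {"ie_pack.exe", "win32.dll", "mtx_.exe", "wsock32.mtx"}
MARKER_KEY = r"HKLM\Software\[Matrix]"
RUN_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"


def parse_rename_section(ini_text):
    """Return (destination, source) pairs from the [rename] section of WININIT.INI.
    Windows applies them at the next boot: 'dest=src' moves src over dest and
    'NUL=path' deletes path. Parsed by hand because the NUL key may repeat,
    which configparser rejects."""
    pairs, in_rename = [], False
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_rename = line[1:-1].strip().lower() == "rename"
            continue
        if in_rename and "=" in line:
            dest, src = line.split("=", 1)
            pairs.append((dest.strip(), src.strip()))
    return pairs


def wininit_findings(ini_text):
    """Flag rename entries that delete or overwrite WSOCK32.DLL."""
    out = []
    for dest, src in parse_rename_section(ini_text):
        if "wsock32" not in (dest + src).lower():
            continue
        if dest.upper() == "NUL":
            out.append(f"WININIT.INI deletes {src} at next boot")
        else:
            out.append(f"WININIT.INI replaces {dest} with {src} at next boot")
    return out


def scan(snapshot):
    """Return a list of human-readable indicator hits for one host snapshot."""
    hits = []
    for path in snapshot["files"]:
        if ntpath.basename(path).lower() in DROPPED_FILES:
            hits.append(f"dropped file present: {path}")
    registry = snapshot["registry"]
    if any(key.lower() == MARKER_KEY.lower() for key in registry):
        hits.append(f"infection marker key present: {MARKER_KEY}")
    for value, data in registry.get(RUN_KEY, {}).items():
        if "mtx_.exe" in data.lower():
            hits.append(f"autorun entry {value}={data}")
    hits.extend(wininit_findings(snapshot["wininit_ini"]))
    return hits


# Constructed snapshot of an infected host (sample data, not a real capture)
INFECTED = {
    "files": [r"C:\Windows\IE_PACK.EXE", r"C:\Windows\WIN32.DLL", r"C:\Windows\MTX_.EXE",
              r"C:\Windows\System\WSOCK32.MTX", r"C:\Windows\NOTEPAD.EXE"],
    "registry": {
        MARKER_KEY: {},
        RUN_KEY: {"SystemBackup": r"%WINDIR%\MTX_.exe",
                  "ScanRegistry": r"C:\Windows\scanregw.exe /autorun"},
    },
    "wininit_ini": ("[rename]\n"
                    "NUL=C:\\Windows\\system\\wsock32.dll\n"
                    "C:\\Windows\\system\\wsock32.dll=C:\\Windows\\system\\wsock32.mtx\n"),
}

CLEAN = {"files": [r"C:\Windows\NOTEPAD.EXE"],
         "registry": {RUN_KEY: {"ScanRegistry": r"C:\Windows\scanregw.exe /autorun"}},
         "wininit_ini": ""}

if __name__ == "__main__":
    for hit in scan(INFECTED):
        print(hit)
```

The WININIT.INI check is the one worth keeping beyond this particular sample: a pending [rename] entry that deletes or overwrites a system library is a generic sign that something is waiting for the next reboot to swap a file it could not replace while it was loaded.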

Please credit the original source when reposting: https://www.9cbs.com/read-4632.html
