This virus was first detected on April 7, 2010 at 08:21 GMT; detection for it was released the next day, April 8, 2010 at 09:40 GMT, and this analysis was published the same day at 13:13 GMT.
Detailed technical analysis
This is a classic file infector: it infects executable files on the compromised computer and can also download and run additional malware on the victim's machine without the user's knowledge. The virus itself is a Windows PE EXE file written in C++.
When run, the virus extracts one or more files from its own body and saves them in the Windows system folder under a different name each time:
%System%\drivers\<rnd>.sys
where <rnd> is a random string of Latin letters, for example INDSNN. This file is a kernel-mode driver of 5157 bytes, which Kaspersky Anti-Virus also detects as Virus.Win32.Sality.ag.
The driver is unpacked, installed and started as a Windows service named amsint32.
Infection process
The virus infects all Windows executable files with the extensions *.EXE and *.SCR. Only files whose PE section table contains a section named TEXT, UPX or CODE are infected.
To infect a PE file the virus enlarges the file's last section and writes its own body at the end of that section. It then scans all hard drives for further files to infect. When an infected file is started, the virus first writes the original (uninfected) body of the host file to a temporary file:
%Temp%\__Rar.exe
To make sure it is started automatically, the virus also copies itself to the root of every logical drive under a random name with one of the extensions *.exe, *.pif or *.cmd, and creates a hidden file autorun.inf in the root of each drive that contains the command to launch that copy. The copy is launched when the user opens the drive in Windows Explorer.
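As an added example (not part of the original analysis), the following Python script applies the infection precondition described above to a PE file: it parses the section table and reports whether the file has a targeted extension and a section whose name contains TEXT, UPX or CODE, plus which section comes last (the one the virus would enlarge). The case-insensitive substring match on section names and the in-memory sample images built by build_minimal_pe are assumptions made here for illustration; on a real system you would pass the bytes of an actual .exe or .scr file.

```python
"""Check a PE file against the infection preconditions described above.
Added example, not part of the original analysis. build_minimal_pe()
constructs tiny non-runnable PE images so the check runs offline."""
import os
import struct

TARGET_EXTENSIONS = {".exe", ".scr"}
# Section names the virus looks for. Matching them case-insensitively as
# substrings (so ".text" and "UPX0" count) is an assumption made here.
TARGET_SECTIONS = (b"TEXT", b"UPX", b"CODE")

SECTION_HDR = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes


def parse_sections(data):
    """Return [(name, virtual_size, raw_size, raw_ptr, characteristics)] from the section table."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size  # section table follows the optional header
    sections = []
    for i in range(num_sections):
        name, vsize, _vaddr, rsize, rptr, _, _, _, _, chars = struct.unpack_from(
            SECTION_HDR, data, table + i * 40)
        sections.append((name.rstrip(b"\0"), vsize, rsize, rptr, chars))
    return sections


def is_target_name(name):
    return any(t in name.upper() for t in TARGET_SECTIONS)


def assess(file_name, data):
    """Report whether the virus would consider this file an infection target."""
    ext = os.path.splitext(file_name)[1].lower()
    sections = parse_sections(data)
    matching = [s[0].decode("ascii", "replace") for s in sections if is_target_name(s[0])]
    last = sections[-1] if sections else None
    return {
        "extension_targeted": ext in TARGET_EXTENSIONS,
        "matching_sections": matching,
        "candidate": ext in TARGET_EXTENSIONS and bool(matching),
        # The last section is the one the virus enlarges to hold its body.
        "last_section": last[0].decode("ascii", "replace") if last else None,
        "last_section_raw_end": last[3] + last[2] if last else None,
        "file_size": len(data),
    }


def build_minimal_pe(section_names):
    """Constructed sample: a minimal PE32 image with the given section names."""
    e_lfanew = 0x40
    opt_size = 0xE0  # size of a PE32 optional header
    n = len(section_names)
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, n, 0, 0, 0, opt_size, 0x0102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)
    raw_ptr = (e_lfanew + 4 + 20 + opt_size + 40 * n + 0x1FF) & ~0x1FF  # 512-byte file alignment
    table = b"".join(
        struct.pack(SECTION_HDR, name[:8].ljust(8, b"\0"), 0x200, 0x1000 * (i + 1),
                    0x200, raw_ptr + 0x200 * i, 0, 0, 0, 0, 0x60000020)
        for i, name in enumerate(section_names))
    image = dos + b"PE\0\0" + coff + opt + table
    return image.ljust(raw_ptr, b"\0") + b"\0" * (0x200 * n)


if __name__ == "__main__":
    for fname, names in [("notepad.exe", [b".text", b".data"]),
                         ("saver.scr", [b"UPX0", b"UPX1", b".rsrc"]),
                         ("helper.dll", [b".text"])]:
        print(fname, assess(fname, build_minimal_pe(names)))
```

Note that a section name like ".rsrc" or ".data" alone does not qualify, and a DLL is never a target regardless of its sections; only the extension and the section names matter for this check.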
Payload method
Once running, the virus creates a mutex named Ap1mutx7 to mark its presence in the system. It then downloads files from the following addresses:
http://*******nc.sa.funpic.de/images/logos.gif
http://www.*********ccorini.com/images/logos.gif
http://www.********gelsmagazine.com/images/logos.gif
http://www.********ukanadolu.com/images/logos.gif
http://******vdar.com/logos_s.gif
http://www.****r-adv.com/gallery/Fusion/images/logos.gif
http://********67.154/testo5/
http://*********stnet777.info/home.gif
http://*******stnet888.info/home.gif
http://***********net987.info/home.gif
http://www.**********wieluoi.info/
http://**********et777888.info/
http://********7638dfqwieuoi888.info/
The downloaded files are saved in the %Temp% folder and launched. At the time of analysis, the following malware was being downloaded from the addresses listed above:
- Backdoor.Win32.Mazben.ah
- Backdoor.Win32.Mazben.ax
- Trojan.Win32.Agent.didu
These components are used primarily to send spam. Besides downloading other malware, the virus also changes a number of Windows system settings:
- Disables Task Manager and the Registry Editor by setting the following values:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools" = dword:00000001
"DisableTaskMgr" = dword:00000001
- Changes the Windows Security Center settings so that a missing or disabled anti-virus, firewall, UAC or automatic updates is no longer reported to the user:
[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride" = dword:00000001
"FirewallOverride" = dword:00000001
"UacDisableNotify" = dword:00000001
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusDisableNotify" = dword:00000001
"AntiVirusOverride" = dword:00000001
"FirewallDisableNotify" = dword:00000001
"FirewallOverride" = dword:00000001
"UacDisableNotify" = dword:00000001
"UpdatesDisableNotify" = dword:00000001
- Prevents hidden files from being displayed in Explorer by setting the following value:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden" = dword:00000002
- Changes the browser settings so that it always works in online mode:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"GlobalUserOffline" = dword:00000000
- Turns off User Account Control (UAC) by setting the EnableLUA value to 0:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableLUA" = dword:00000000
- Adds itself to the list of applications authorized by the Windows Firewall in order to get unrestricted access to the Internet and the local network:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"<full path to the infected file>" = "<full path to the infected file>:*:Enabled:ipsec"
- Creates a registry key in which it stores its own data:
HKCU\Software\<rnd>
where <rnd> is an arbitrary value.
- Looks for the file:
%WinDir%\system.ini
and appends the following section to it:
[MCIDRV_VER]
DEVICEMB=509102504668 (the number is arbitrary)
- Deletes the following keys so that the computer can no longer be booted in Safe Mode:
HKLM\System\CurrentControlSet\Control\SafeBoot
HKCU\System\CurrentControlSet\Control\SafeBoot
- Deletes all *.exe and *.rar files in the temporary folder of every user account (%Temp%).
- Searches for and deletes files with the extensions *.VDB, *.KEY, *.AVC and *.drw (anti-virus signature databases and license key files).
- Uses the kernel-mode driver dropped earlier to block all connection attempts to domains whose names contain the following strings:
- Stops and deletes the following services:
Agnitum Client Security Service
The virus can also block the scanning and detection processes of security programs and of popular system tools.
Ways to prevent and remove viruses
If the computer has no strong security product installed, or the product's databases are not kept up to date, the risk of infection is very high. Use the following tips to keep your system safe:
- Use a Kaspersky product with its databases fully updated. Note that an anti-virus alone can rarely remove every infected file, because the virus attaches itself to most Windows executables (*.exe); in that case also use the dedicated Sality Killer tool.
- Restore the Registry values changed by the virus (UAC back on, the Security Center overrides off, hidden files shown again):
[HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableLUA" = dword:00000001
[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride" = dword:00000000
"FirewallOverride" = dword:00000000
"UacDisableNotify" = dword:00000000
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusDisableNotify" = dword:00000000
"AntiVirusOverride" = dword:00000000
"FirewallDisableNotify" = dword:00000000
"FirewallOverride" = dword:00000000
"UacDisableNotify" = dword:00000000
"UpdatesDisableNotify" = dword:00000000
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden" = dword:00000001
- Delete the following Registry values:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"
"DisableTaskMgr"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"GlobalUserOffline"
- Delete all files in the temporary folders (the Windows Temp folder and each user's %Temp%).
- Use only security software from reputable vendors, and buy a proper license for it so that you receive updates and direct support from the vendor.
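The registry and system.ini changes listed in the payload section, and the restore steps above, can be checked mechanically. The following Python script is an added example (not part of the original analysis and not a vendor tool): it parses the text of a `reg export` file, reports which of the values listed above are set the way the virus leaves them, flags firewall exceptions ending in ":*:Enabled:ipsec", checks a system.ini for the [MCIDRV_VER] marker, and writes a .reg file that puts the values back (EnableLUA to 1, the Security Center overrides to 0, Hidden to 1, and deletion of DisableTaskMgr, DisableRegistryTools and GlobalUserOffline). The sample export embedded in it is constructed, and the file name qwerty.exe in it is invented.

```python
"""Audit a `reg export` text for the registry changes listed above and build
a .reg file that reverses them. Added example, not part of the original
analysis. Assumes the export was made with reg.exe (e.g.
reg export "HKLM\SOFTWARE\Microsoft\Security Center" sc.reg) and decoded
from UTF-16 to str before being passed in; SAMPLE_EXPORT below is constructed."""
import re

HKCU_POL = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System"
HKLM_POL = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
SEC_CENTER = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center"
SEC_CENTER_SVC = SEC_CENTER + r"\Svc"
EXPLORER_ADV = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
INET = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
FW_LIST = (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters"
           r"\FirewallPolicy\StandardProfile\AuthorizedApplications\List")

# (key, value) -> (dword the virus writes, dword to restore; None = delete the value)
INDICATORS = {
    (HKCU_POL, "DisableRegistryTools"): (1, None), (HKCU_POL, "DisableTaskMgr"): (1, None),
    (HKLM_POL, "EnableLUA"): (0, 1),
    (SEC_CENTER, "AntiVirusOverride"): (1, 0), (SEC_CENTER, "FirewallOverride"): (1, 0),
    (SEC_CENTER, "UacDisableNotify"): (1, 0),
    (SEC_CENTER_SVC, "AntiVirusDisableNotify"): (1, 0), (SEC_CENTER_SVC, "AntiVirusOverride"): (1, 0),
    (SEC_CENTER_SVC, "FirewallDisableNotify"): (1, 0), (SEC_CENTER_SVC, "FirewallOverride"): (1, 0),
    (SEC_CENTER_SVC, "UacDisableNotify"): (1, 0), (SEC_CENTER_SVC, "UpdatesDisableNotify"): (1, 0),
    (EXPLORER_ADV, "Hidden"): (2, 1),          # 1 = show hidden files again
    (INET, "GlobalUserOffline"): (0, None),
}

_KEY_RE = re.compile(r"^\[(.+)\]$")
_DWORD_RE = re.compile(r'^"(.+?)"=dword:([0-9a-fA-F]{8})$')
_STR_RE = re.compile(r'^"(.+?)"="(.*)"$')


def _unescape(s):
    return s.replace("\\\\", "\\")  # .reg files write a backslash as \\


def parse_reg_export(text):
    """{key.lower(): {name.lower(): (name, data)}}; data is int for dword, str for strings."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("Windows Registry Editor", ";")):
            continue
        if (m := _KEY_RE.match(line)):
            current = m.group(1).lower()  # registry paths are case-insensitive
            keys.setdefault(current, {})
        elif current is not None and (m := _DWORD_RE.match(line)):
            keys[current][m.group(1).lower()] = (m.group(1), int(m.group(2), 16))
        elif current is not None and (m := _STR_RE.match(line)):
            name = _unescape(m.group(1))
            keys[current][name.lower()] = (name, _unescape(m.group(2)))
    return keys


def audit(text):
    """Return [(key, value_name, data)] for every entry that matches a virus modification."""
    keys = parse_reg_export(text)
    hits = []
    for (key, name), (bad, _) in INDICATORS.items():
        entry = keys.get(key.lower(), {}).get(name.lower())
        if entry is not None and entry[1] == bad:
            hits.append((key, name, entry[1]))
    # The firewall exception the virus adds is named after its own path and ends in ":*:Enabled:ipsec".
    for _, (name, data) in keys.get(FW_LIST.lower(), {}).items():
        if isinstance(data, str) and data.endswith(":*:Enabled:ipsec"):
            hits.append((FW_LIST, name, data))
    return hits


def restore_reg(hits):
    """Build .reg text that reverses the hits ('"name"=-' deletes a value when imported)."""
    by_key = {}
    for key, name, _ in hits:
        by_key.setdefault(key, []).append(name)
    lines = ["Windows Registry Editor Version 5.00", ""]
    for key, names in by_key.items():
        lines.append(f"[{key}]")
        for name in names:
            restore = None if key == FW_LIST else INDICATORS[(key, name)][1]
            quoted = '"' + name.replace("\\", "\\\\") + '"'
            lines.append(f"{quoted}=-" if restore is None else f"{quoted}=dword:{restore:08x}")
        lines.append("")
    return "\n".join(lines)


def has_mcidrv_marker(system_ini_text):
    """True if system.ini carries the [MCIDRV_VER] / DEVICEMB= marker the virus writes."""
    in_section = False
    for line in system_ini_text.splitlines():
        s = line.strip()
        if s.startswith("[") and s.endswith("]"):
            in_section = s.upper() == "[MCIDRV_VER]"
        elif in_section and s.upper().startswith("DEVICEMB="):
            return True
    return False


# Constructed sample export from an infected host (the file name qwerty.exe is invented).
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
"UacDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableLUA"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Windows\\system32\\qwerty.exe"="C:\\Windows\\system32\\qwerty.exe:*:Enabled:ipsec"
"""

if __name__ == "__main__":
    found = audit(SAMPLE_EXPORT)
    for key, name, data in found:
        print(f"{key}\n    {name} = {data!r}")
    print(restore_reg(found))
```

On the infected machine, export the keys with reg.exe (it writes UTF-16, so decode before feeding the text in), run the audit, and import the generated file with reg import. The SafeBoot keys the virus deletes are not covered, because an absent key simply does not appear in an export; check for them separately and recreate them from a clean system of the same Windows version.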
Good luck!