1: Trojan overview
Recently the 360 Security Center received user feedback that, after a certain download tool was installed and run, the computer kept installing all kinds of software by itself, over and over. After extracting and analysing the related files, we found this to be a malicious trojan that abuses the system's PendingFileRenameOperations mechanism to replace a system file, thereby starting at boot and automatically loading a driver (and downloading software). We named it "Purple Fox". According to preliminary statistics, at least 30,000 users are currently infected.
2: Trojan analysis
Let us first look at the trojan's overall execution flow:
Once the download tool is running, it connects to the network and downloads
Http://216.250.99.5/m/wpltbbrp_011up.jpg
wpltbbrp_011up.jpg is actually an MSI installation package.
After this MSI runs:
The trojan's MSI package contains three files: one non-PE file (an encrypted PE file) and two trojan DLLs, a 32-bit and a 64-bit version respectively:
Once installed, the trojan achieves boot-time startup through PendingFileRenameOperations. More interestingly, it performs the delete-and-replace several times and creates a chain of processes several times, so that the chain evades detection and removal.
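The PendingFileRenameOperations value the trojan abuses is a REG_MULTI_SZ under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager that Session Manager processes at the next boot, before the file is in use. The Python below is an added example, not code from this page or from 360: it decodes that value's format (source/destination pairs, empty destination meaning delete, a leading "!" meaning overwrite) and flags entries that would swap a DLL under system32, which is exactly how sens.dll is replaced. The sample value, the file names in it and the helper names (parse_pending_renames, classify, scan, read_live_value) are constructed for illustration.

```python
"""Decode the PendingFileRenameOperations value and flag boot-time renames that
overwrite system binaries. Added example, not code from 360 or from the trojan;
the sample value below is constructed to mirror the paths in the analysis."""
import sys

# Directories whose contents the loader trusts; a boot-time rename into one of
# these is how the trojan swaps sens.dll for its own DLL.
SYSTEM_DIRS = ("\\windows\\system32\\", "\\windows\\syswow64\\")
# Places a dropper typically stages its replacement file before the reboot.
STAGING_HINTS = ("\\apppatch\\", "\\temp\\", ".tmp")
NT_PREFIX = "\\??\\"


def strip_nt_prefix(path):
    """Session Manager stores paths in NT form (\\??\\C:\\...); return the Win32 form."""
    return path[len(NT_PREFIX):] if path.startswith(NT_PREFIX) else path


def parse_pending_renames(multi_sz):
    """Decode a REG_MULTI_SZ PendingFileRenameOperations value.

    Strings come in pairs: source path, then destination path. An empty
    destination means 'delete the source at boot'; a destination starting
    with '!' means 'overwrite the destination if it already exists'.
    """
    ops = []
    for i in range(0, len(multi_sz) - 1, 2):
        src = strip_nt_prefix(multi_sz[i])
        dst_raw = multi_sz[i + 1]
        overwrite = dst_raw.startswith("!")
        dst = strip_nt_prefix(dst_raw[1:] if overwrite else dst_raw)
        ops.append({"src": src, "dst": dst, "delete": dst == "", "overwrite": overwrite})
    return ops


def under_system_dir(path):
    return any(d in path.lower() for d in SYSTEM_DIRS)


def classify(op):
    """Return the reasons an operation looks like a system-file swap (empty = benign)."""
    reasons = []
    if op["delete"]:
        if under_system_dir(op["src"]):
            reasons.append("deletes a file under a system directory at boot")
        return reasons
    if under_system_dir(op["dst"]) and op["dst"].lower().endswith((".dll", ".sys", ".exe")):
        reasons.append("replaces a system binary at boot")
        if any(h in op["src"].lower() for h in STAGING_HINTS):
            reasons.append("replacement is staged under AppPatch/Temp or is a .tmp file")
    return reasons


def scan(multi_sz):
    """Parse the value and return only the operations that classify() flags."""
    findings = []
    for op in parse_pending_renames(multi_sz):
        reasons = classify(op)
        if reasons:
            findings.append(dict(op, reasons=reasons))
    return findings


def read_live_value():
    """On Windows, read the real value with the standard winreg API; elsewhere return None."""
    if sys.platform != "win32":
        return None
    import winreg
    key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                         r"SYSTEM\CurrentControlSet\Control\Session Manager")
    try:
        value, _type = winreg.QueryValueEx(key, "PendingFileRenameOperations")
        return value
    except FileNotFoundError:  # nothing pending
        return None
    finally:
        winreg.CloseKey(key)


# Constructed sample, modelled on the paths in the analysis (not a real dump).
SAMPLE_VALUE = [
    r"\??\C:\Windows\AppPatch\Custom\S721141.tmp", r"!\??\C:\Windows\system32\sens.dll",
    r"\??\C:\Windows\Temp\update_12345.log", "",                                   # benign cleanup
    r"\??\C:\Program Files\Demo\new_demo.exe", r"!\??\C:\Program Files\Demo\demo.exe",  # benign updater
    r"\??\C:\Windows\system32\oldcomp.dll", "",                                    # delete under system32
]

if __name__ == "__main__":
    for f in scan(read_live_value() or SAMPLE_VALUE):
        print(f"{f['src']} -> {f['dst'] or '<delete>'}: " + "; ".join(f["reasons"]))
```

Run on Windows it inspects the live value (reading it needs no special privilege); elsewhere it falls back to the constructed sample. Legitimate installers and Windows Update use the same value to swap locked files, so treat a hit as something to verify (signature of the staged file, which installer queued it) rather than as proof of infection.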
It replaces the system file sens.dll in order to start; we call the replacement FakeSense.dll.
After FakeSense.dll starts, the DLL builds shellcode and executes it: it copies its own DLL code into temporary memory, frees the DLL again, then writes the code from the temporary memory back into the process. This hides the DLL, and the trojan DLL's original file on disk is deleted.
Process of deleting the trojan FakeSense.dll:
First rename FakeSense.dll to C:\Windows\AppPatch\Custom\S721141.tmp
Then copy the previously backed-up C:\Windows\AppPatch\Acpsens.dll
to C:\Windows\system32\sens.dll
The in-memory shellcode executes:
The trojan file is deleted as follows:
First call MoveFileA to move the file C:\Windows\system32\sens.dll
to
C:\Windows\AppPatch\Custom\S721141.tmp
Then call CopyFileA to copy the original system file C:\Windows\AppPatch\Acpsens.dll
back to C:\Windows\system32\sens.dll
Delete FakeSense.dll (C:\Windows\AppPatch\Custom\S721141.tmp)
Next it decodes the non-PE file and creates a service to start it.
This module creates a mutex and checks whether the DLL is running inside Winlogon or Svchost. If it is, it decodes the in-memory DLL and driver file, creates an Svchost process and injects shellcode into it for execution, then writes the DLL and driver into the remote Svchost process for the shellcode to call:
The injected DLL drops the driver, whose name is Dump_ followed by a random number, and loads it:
Driver file:
The driver entry point registers a MiniFilter and a thread callback:
Thread timer callback:
Inside the MiniFilter it hides the trojan's own files:
On 32-bit systems it hooks NtEnumerateKey to hide its own registry keys:
Next it replaces the NtfsFsdCreate dispatch function of Ntfs.sys:
The address after hooking is:
Accessing a protected file returns STATUS_ACCESS_DENIED:
To wipe the driver's information:
Code injected in the thread callback:
Shutdown callback:
The trojan threads created in Svchost.exe after injection:
It then connects to the network to download and install all kinds of software; from user feedback we saw 45 different pieces of software installed on one machine:
Install command behaviour:
/C Start "" "C:\Windows\TEMP\Fastpic_u44047309_sv67_52_1.exe" /at=591 /tid1=67
3: Safety reminder
For the safety of your computer and your privacy, avoid downloading software of unknown origin as far as possible, and do not trust prompts from the trojan asking you to exit your security software. If security software warns that a trojan risk has been found, remove it immediately. 360 Safeguard already supports detection and removal of the Purple Fox trojan; users who find their computer repeatedly installing software on its own can download 360 Safeguard to scan for and remove it.