liang's space (阿斯提亚神殿——梦幻天子's sky)
January 21

Some tips about Conficker.B

Something about virus loading limitation
============================

1. The virus checks for a virtual machine by executing instructions specific to VMware or Virtual PC (VPC). It therefore will not run in VMware or VPC unless hardware-level virtualization has been enabled.

2. The victim computer loads it with either "Rundll32.exe <virus dll>, <random parameter>" or "rundll32.exe <virus rename>".
   1) For the first kind, the random parameter is calculated by hashing the Computer Name of the victim machine, so if the hash is incorrect the virus fails to load.
   2) For the second kind, the random parameter is not needed, but the virus file name must not have the .dll extension, otherwise the virus fails to load.
Something about Hiding Tricks for Conficker.B
=======================================

Conficker is far from a professional rootkit:

1. For registry entry hiding, the virus just changes the permissions on its service's registry key.

2. The virus creates its service by an undocumented method: instead of calling the CreateService API, it writes the service entry directly into the registry. The service runs properly, but it does not appear in "Services.msc" until the machine is rebooted. After the reboot, we can see the virus service in "Services.msc".

3. For file hiding, it just sets the virus file's attributes to "RHSA" (read-only, hidden, system, archive).

4. In "Services.msc" we can see this service, but its status is not Running. On Windows 2000 the status is always "Starting", because the virus code runs inside the DllMain function, so the Windows Service Control Manager treats the service as still initializing.

5. If the virus is running, we can still see its handle in Process Explorer. The virus is unstable and sometimes crashes; in that case you may not find the handle in Process Explorer, but that does not mean it is hidden.

6. The virus continuously sends malformed packets to the LAN by enumerating all the local IP addresses. After it finishes sending the packets, it waits for a long time, and during this period you will not see any suspicious packets.

7. The driver's file name is always 0*.tmp (01.tmp, 02.tmp, etc.). It is extracted from the DLL when the virus DLL is loaded for the first time after each reboot. This .tmp driver is loaded into memory only to patch the memory of the tcpip.sys module and modify the limit on the number of TCP half-open connection attempts. The DLL then immediately deletes the file, unloads the driver, and deletes the driver's service entry.
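As an added example (not code from the original post), the two rundll32 loader forms from the first section and the 0*.tmp driver name from item 7 are written here as defender-side triage checks over process command lines and file names; every command line and path below is a constructed sample, and the hashed parameter of the first rundll32 form is not reproduced because the post does not give the hash algorithm.

```python
import re
from pathlib import PureWindowsPath
# Constructed sample command lines (not from a real infection): a benign
# rundll32 use, then the two loader forms the post describes.
SAMPLE_CMDLINES = [
    r'rundll32.exe shell32.dll,Control_RunDLL desk.cpl',
    r'"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\xyzabc.dll", k3mqz',
    r'rundll32.exe C:\Windows\System32\qwerty.jpg',
]
# 'rundll32[.exe]' (optionally quoted, with or without a path); group 1 is the rest.
RUNDLL32_RE = re.compile(r'^\s*"?(?:[^"\s]*\\)?rundll32(?:\.exe)?"?\s+(\S.*)$', re.I)

def parse_rundll32(cmdline):
    """Split 'rundll32[.exe] <module>,<entrypoint> [args]' into (module, entry, args).
    The module may be quoted and the comma may be followed by spaces; None if not rundll32."""
    m = RUNDLL32_RE.match(cmdline)
    if not m:
        return None
    rest = m.group(1).strip()
    if rest.startswith('"'):                       # quoted module path
        end = rest.find('"', 1)
        if end < 0:
            return None
        module, rest = rest[1:end], rest[end + 1:]
    else:                                          # bare module ends at a comma or space
        bare = re.match(r'([^,\s]*)(.*)$', rest)
        module, rest = bare.group(1), bare.group(2)
    rest = rest.lstrip()
    if not rest.startswith(','):                   # no entry point given
        return module, '', rest
    parts = rest[1:].lstrip().split(None, 1)
    return module, (parts[0] if parts else ''), (parts[1] if len(parts) > 1 else '')

def rundll32_indicators(cmdline):
    """Reasons a command line matches the renamed-dll loader form (second kind).
    The first kind keeps .dll and its hashed parameter cannot be matched here (no hash given)."""
    parsed = parse_rundll32(cmdline)
    if parsed is None:
        return []
    ext = PureWindowsPath(parsed[0]).suffix.lower()
    # An extension-less name is ambiguous (LoadLibrary appends .dll to it), so only
    # a present, non-.dll extension such as .jpg or .tmp counts as an indicator.
    if ext and ext != '.dll':
        return ['rundll32 loads %r with extension %r, not .dll' % (parsed[0], ext)]
    return []

def is_tmp_driver_name(path):
    """True for the 0*.tmp driver file names the post describes (01.tmp, 02.tmp, ...)."""
    return re.fullmatch(r'0\d+\.tmp', PureWindowsPath(path).name, re.I) is not None
```

The RHSA file-attribute and service-permission checks from the list above need live Windows API access and are left out of this offline sample.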
That is all about Conficker. Hope we can kill it sooner :)