Analysis on Backdoor.Win32.IRCBot.st

2006-08-15

Antiy CERT

Virus profile

Virus name: Backdoor.Win32.IRCBot.st
Virus type: Backdoor
Harm class: B+
File length: 9,609 bytes
File MD5: 9928a1e6601cf00d0b7826d13fb556f0
Distribution: wide
Affected systems: Win9x and above
Development tool: Microsoft Visual C++ 6.0
Packer: MEW

Description:

Recently a new bot worm has been spreading on the Internet. The virus exploits a highly dangerous Microsoft vulnerability in order to propagate, and it already has many variants. It modifies many registry locations to disable anti-virus software and the firewall, lowering the security of the system.

Technical Details:


1. When the virus starts, it copies itself to the following location:

%SYSTEM32%\wgareg.exe

2. It drops a file named DCPROMO.LOG under %Windir%\Debug.

3. After running for a period of time, the virus downloads a file named nrcs.exe (Trojan-Proxy.Win32.Ranky.fv).

4. It connects to the IRC server bniu.househot.com (58.81.137.157:18067) on port 18067.
Channel name: #n1, password: nert4mp1; channel name: #p, password: none.

The domain name is a dynamic DNS name. The IRC server IP addresses it has resolved to are listed below:

IRC IP 61.189.243.240:18067
IRC IP 61.163.231.115:18067
IRC IP 58.81.137.157:18067
IRC IP 222.68.249.164:18067
IRC IP 218.61.146.86:18067
IRC IP 211.154.135.30:18067
IRC IP 202.121.199.200:18067

5. It connects to the server with the following domain name:

media.pixpond.com (38.119.88.27:80, United States), port 80

It downloads http://media.pixpond.com/l9rd6g.jpg to the local disk and renames the file to nrcs.exe.

6. It creates a service:

Service name: wgareg
Display name: Windows Genuine Advantage Registration Service
Description: Ensures that your copy of Microsoft Windows is genuine and registered. Stopping or disabling this service will result in system instability.
Image path: c:\windows\system32\wgareg.exe

7. It modifies many registry locations to disable anti-virus software and the firewall, lowering the security of the system.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center

UpdatesDisableNotify = dword:00000001
AntiVirusDisableNotify = dword:00000001
FirewallDisableNotify = dword:00000001
AntiVirusOverride = dword:00000001
FirewallOverride = dword:00000001

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters

AutoShareWks = dword:00000000
AutoShareServer = dword:00000000

Create service (values under HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wgareg):

Type = Binary
Start = Binary
ErrorControl = Binary
ImagePath = C:\WINDOWS\system32\wgareg.exe
DisplayName = Windows Genuine Advantage Registration Service
Security\Security = Binary
ObjectName = LocalSystem
FailureActions = Binary
Description = Ensures that your copy of Microsoft Windows is genuine and registered. Stopping or disabling this service will result in system instability.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\EnableDCOM
New value: String: "N"
Old value: String: "Y"
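As an added example that is not part of the original Antiy report, the following Python script parses a registry export in .reg text format and reports which of the values listed above are present with the data the bot writes, so a responder can triage a suspect machine from an export rather than by hand. The embedded sample export is constructed for illustration, and the parser assumes only plain "Name"=data lines (no multi-line hex values).

```python
import re

# Indicators from this report as (key path, value name, data as a .reg export shows it).
INDICATORS = [
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center", name, "dword:00000001")
    for name in ("UpdatesDisableNotify", "AntiVirusDisableNotify", "FirewallDisableNotify",
                 "AntiVirusOverride", "FirewallOverride")
] + [
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters",
     name, "dword:00000000") for name in ("AutoShareWks", "AutoShareServer")
] + [(r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole", "EnableDCOM", '"N"')]
SERVICE_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wgareg"


def parse_reg_export(text):
    """Parse .reg export text into {key path: {value name: raw data string}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):  # [HKEY_...] opens a key
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and (m := re.match(r'^"([^"]+)"=(.+)$', line)):
            keys[current][m.group(1)] = m.group(2)  # "Name"=data
    return keys


def find_indicators(keys):
    """Return the report's indicators that are present with the data the bot writes."""
    hits = [f"{key}\\{name}={bad}" for key, name, bad in INDICATORS
            if keys.get(key, {}).get(name, "").lower() == bad.lower()]
    image = keys.get(SERVICE_KEY, {}).get("ImagePath", "")
    if "wgareg.exe" in image.lower():  # the fake WGA service is registered
        hits.append(f"{SERVICE_KEY}\\ImagePath={image}")
    return hits


# Constructed sample (not a capture); UpdatesDisableNotify=0 and no AutoShareServer -> 7 hits.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters]
"AutoShareWks"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"EnableDCOM"="N"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wgareg]
"ImagePath"="C:\\WINDOWS\\system32\\wgareg.exe"
"""
```

Running `find_indicators(parse_reg_export(SAMPLE_EXPORT))` lists the seven matching entries; a clean export yields an empty list.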

8. It connects to the IRC server and waits for the attacker to connect and take control. The commands are explained below:

IRC commands:
JOIN   Create or enter a channel
NICK   Change nickname
QUIT   Exit

Operations on the target host:

Download files
Launch denial-of-service (DDoS) attacks
Execute basic IRC commands
Perform system scanning

9. It scans hosts over TCP in blocks of addresses 31 apart (.0 to .31, .32 to .63, and so on) rather than a whole IP segment at a time, alternating between the two ranges shown in the example below. For example:

222.171.159.0
  .
  .
222.171.159.31
(scan this block)

222.4.159.0
  .
  .
222.4.159.31
(continue scanning)

222.171.159.32
  .
  .
222.171.159.63
(scan this block)

222.4.159.32
  .
  .
and so on, up to 222.171.159.254

Connections observed during the scan (local port -> destination port):

Local port   Destination port
1038         445
1069         445
1070         445
1101         445
1104         445
1135         445
1136         445
1518         445


Removal Instructions:

Temporary mitigation:

1. Block TCP ports 139 and 445 at the firewall.
2. Use the TCP/IP filtering function to filter these ports.
3. Use IPSec to prevent access to the affected ports.


Copyright © 1999-2001 Antiy Labs All rights reserved