Continued from our last post — Virus Encyclopedia vol.3L
Viruses are serious online threats: they can delay your important work, stop your device from responding, or cause problems that are difficult to deal with. An active Trojan, worm, malware, spyware, or other infection can enter your device whenever you visit an unprotected source, run an external drive without scanning it, or open spam emails. Users need to be extra alert in such situations online, as a little carelessness can leave you with a non-functional PC or irreparably damaged software or hardware. Antivirus software is the ideal solution for stopping such threats from entering your device, as it acts as a protective shield between the machine and the outside cyber world.
In this blog post, you will read about some common viruses that can quietly settle inside your device and start transmitting your crucial data to malware authors.
- 1. Trojan.Agent.AAQK
Trojan.Agent.AAQK was first discovered on August 27, 2008 by Boeriu Laura, a well-known virus researcher. The virus copies itself to different locations on your PC to make the attack more impactful. By targeting registry keys, the infection gets loaded into the system's memory alongside the currently running programs and can easily disrupt your crucial work hours.
Since the virus is packed using advanced techniques, its presence is hard to spot without technical expertise. The prime symptom of this virus on your device is a file named __a00[some-hexa-digits].exe in the “C:\Documents and Settings\\local settings\temp” folder, with a size of 40 KB.
If the virus is triggered on your device, you will find one or more files named c00[five-hexa-digits].dat in the system directory, each with a file size of 24.5 KB (25,088 bytes). Moreover, the presence of a mutex named vmc_mm confirms the infection on the machine.
As soon as the infection is triggered, the malware attempts to copy itself to C:\Documents and Settings\\local settings\temp as a00[some-hexa-digits].exe. Once the copy succeeds, the virus registers the following path in the registry:
C:\Documents and Settings\\Local Settings\Temp\__a00[some-hexa-digits].exe
Because the Trojan is heavily packed, most virus detection software fails to detect it. It drops a .dll file named after its original file name and extension with .dat appended. Finally, the dll is loaded and executed by calling an export function named A.
This copies the dll into the system directory as c00[five-hexa-digits].dat and sets the following registry values (these are the value names of a Winlogon Notify package entry, which Winlogon loads when a user logs on):
- Logon -> B
- Impersonate -> 0x00000000
- DllName -> C:\WINDOWS\system32\__c00[five-hexa-digits].dat
- Startup -> B
- Asynchronous -> 0x00000001
In addition, the infection creates a mutex named ‘vmc_mm’ and, once the mutex has been created, downloads another malicious file from a remote link.
- 2. Worm.P2P.Dilly.A
The highly infectious malware Worm.P2P.Dilly.A was discovered on August 26, 2008 by Vlad Ioan Topan, a well-known virus researcher. It is a worm written in Delphi that copies itself into various shared folders. The copies carry vulgar titles, and the infection immediately stops the PC from functioning when a user clicks one of them. The worm also uses a fake .WMV, .AVI, .MPG, .MP4 or .MPEG extension followed by the real .SCR extension to make the infectious file look genuine.
The presence of files named ‘_undo_[date]_[time].bat’ in the root of C: confirms this infection on the drive. In addition, files in the shared folders whose names resemble the titles of pornographic movies and carry a double extension ending in .SCR also indicate the infection.
With an original file size of 790,528 bytes, the worm spreads by copying itself to the DC++ shared folders under randomly generated file names. The basic symptom of such infectious files is that they resemble pornographic movie titles and carry a double extension ending in .SCR.
To retrieve the list of shared folders, the worm locates the DC++ client folder via the registry path ‘HKEY_LOCAL_MACHINE\SOFTWARE\Magnet\Handlers\DC++’. It then opens the program's configuration file, DcPlusPlus.xml, and reads the share list from its Settings section.
The worm stores copies of itself in the shared folders, padded with a random number of null bytes so that the file names and sizes resemble genuine pornographic video files. Once the files are created, it generates a ‘removal’ script that deletes all the copies created at the beginning of the process. The script follows the pattern [root-folder]:\_undo_[date]_[time].bat, and the worm uses this batch script to delete itself automatically.
- 3. Trojan.Spy.Zbot.KJ
On August 26, 2008, Cristian Lungu discovered a popular password stealer named Trojan.Spy.Zbot.KJ. The infection is specially designed to steal important information from users' computers by closely tracking their activities and then transferring the information to the malware authors. It spreads through spam emails that carry it as an attachment, and it provides backdoor and proxy server capabilities.
The presence of an ‘oembios.exe’ file in %WINDIR%\system32\ or in the C:\Documents and settings\%username%\Application Data\ folder reveals this virus on the device. In addition, the presence of the following registry entry also confirms it:
- [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
- userinit="%WINDIR%\system32\userinit.exe,C:\Documents and settings\%username%\Application Data\oembios.exe"
The malware usually arrives encrypted with a version of the infamous Trojan.Wsnpoem malware and is known for injecting code into svchost.exe and winlogon.exe to provide its backdoor and proxy server capabilities. The malware author gains full control over the data passing through the injected svchost.exe and can also listen on a random TCP port through which commands are sent to the infected computer. Attackers typically use this code to steal information, gain remote control, or send spam.
Hiding itself with stealth and rootkit techniques, the Trojan actively deletes the cookies in the Internet Explorer (IE) URL cache and copies itself to %WINDIR%\system32\oembios.exe (or C:\Documents and settings\%username%\Application Data\). It also creates a registry entry to ensure that it runs on every reboot, by changing the registry key to:
It also changes another registry key so that its presence stays hidden from antivirus software:
The malware enables various process and system features to stay hidden from Windows Explorer, and while running it re-checks its registry keys and rewrites them with the infected values. Once executed successfully, the infection creates the following files containing encrypted data:
It also creates a __SYSTEM__91C38905__ mutex.
The infection also makes repeated attempts to download the file http://195.2.252.[removed]/n.bin from the web, which contains encrypted malicious data.
- 4. Trojan.Spy.Wsnpoem.HA
Trojan.Spy.Wsnpoem.HA provides backdoor and proxy server capabilities and was first discovered on August 22, 2008 by Alexandru Maximciuc, a virus researcher. The Trojan copies itself to several locations and adds a registry entry so that it loads at every system reboot.
The presence of an ntos.exe file in the %WINDIR%\system32\ folder or in C:\Documents and settings\%username%\Application Data\ confirms this virus on your machine. When the virus is activated, you will see the following change in the registry:
userinit="%WINDIR%\system32\userinit.exe,C:\Documents and settings\%username%\Application Data\ntos.exe"
On activation, the malware copies itself to %WINDIR%\system32\ntos.exe (or to C:\Documents and settings\%username%\Application Data\) to start the infection process. In addition, the Trojan creates a registry entry to make sure it is executed after every reboot. Once loaded at system reboot, the malware injects code into svchost.exe and winlogon.exe to provide its backdoor and proxy server capabilities.
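To turn the artifacts described in the four sections above into something a defender can actually run, here is an added Python example (not code from the original post or from any antivirus vendor) that encodes the file-name, folder and Winlogon Userinit indicators as rules and applies them to a constructed host snapshot. The hex digits, user name and drive letters in the sample data are assumptions, and the AAQK rules accept both the plain and the `__`-prefixed spellings the post uses.

```python
import re
from typing import Optional

# Constructed detection rules built from the artifacts this post lists.
# Everything matches on path strings, so it runs without disk or registry access.

def _drive_root(parent: str) -> bool:        # Dilly.A writes _undo_*.bat at the drive root
    return re.fullmatch(r"[a-z]:", parent) is not None

def _system32(parent: str) -> bool:          # AAQK drops its renamed dll into the system directory
    return parent.endswith("\\system32")

def _sys_or_appdata(parent: str) -> bool:    # Zbot.KJ / Wsnpoem.HA use system32 or Application Data
    return parent.endswith(("\\system32", "\\application data"))

# (family, basename pattern, optional check on the lower-cased parent folder)
NAME_RULES = [
    ("Trojan.Agent.AAQK dropper", re.compile(r"^(__)?a00[0-9a-f]+\.exe$", re.I), None),
    ("Trojan.Agent.AAQK dll", re.compile(r"^(__)?c00[0-9a-f]{5}\.dat$", re.I), _system32),
    ("Worm.P2P.Dilly.A undo script", re.compile(r"^_undo_[^_]+_[^_]+\.bat$", re.I), _drive_root),
    ("Worm.P2P.Dilly.A shared copy", re.compile(r"\.(wmv|avi|mpg|mp4|mpeg)\.scr$", re.I), None),
    ("Trojan.Spy.Zbot.KJ", re.compile(r"^oembios\.exe$", re.I), _sys_or_appdata),
    ("Trojan.Spy.Wsnpoem.HA", re.compile(r"^ntos\.exe$", re.I), _sys_or_appdata),
]

def classify_path(path: str) -> Optional[str]:
    """Return the family whose rule matches this full Windows path, else None."""
    parent, _, name = path.replace("/", "\\").rpartition("\\")
    parent = parent.lower()
    for family, pattern, dir_check in NAME_RULES:
        if pattern.search(name) and (dir_check is None or dir_check(parent)):
            return family
    return None

# Stock Userinit value; Zbot.KJ and Wsnpoem.HA persist by appending their .exe after the comma.
EXPECTED_USERINIT = re.compile(r"^(%windir%|[a-z]:\\windows)\\system32\\userinit\.exe$", re.I)

def extra_userinit_entries(value: str) -> list:
    """Return every entry of the Winlogon Userinit value other than the stock userinit.exe."""
    entries = [e.strip() for e in value.split(",") if e.strip()]
    return [e for e in entries if not EXPECTED_USERINIT.match(e)]

def scan(paths, userinit_value):
    """Apply both checks to a host snapshot; returns (item, finding) pairs."""
    hits = [(p, f) for p in paths if (f := classify_path(p))]
    return hits + [(e, "unexpected Userinit entry") for e in extra_userinit_entries(userinit_value)]

if __name__ == "__main__":   # constructed sample snapshot, not data from a real host
    print(scan([r"C:\_undo_20080826_1530.bat", r"C:\WINDOWS\system32\oembios.bin"],
               r"%WINDIR%\system32\userinit.exe,C:\Documents and settings\bob\Application Data\oembios.exe"))
```

The folder checks matter: oembios.bin is a legitimate file in system32 on Windows XP, so only the .exe name in the two named folders is flagged.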
The infections described above can easily take hold of your system, force it to stop responding, interfere with several programs, and damage software as well as hardware components. It is therefore recommended to install an efficient and effective antivirus program on your devices that can block the entry of such elements. If, despite these precautions, you suspect any of these infections on your device, seek technical support immediately and remove the malware as soon as possible to contain its spread.