SoFunction
Updated on 2025-04-13

In-depth analysis of "cover letter" virus/worm behavior


Description:
Program name: .57345 "Cover Letter"
Program type: Virus/Worm
Exploited vulnerability: MIME vulnerability
(/technet/security/bulletin/)
Behaviour: self-copying, spreading through email, spreading through network shares, infecting executable files (including screen savers),
destroying local files
Affected systems: all 32-bit Windows versions.

Detailed description (based on the Win2K platform):

The program has an unusual dual structure: a worm part (network spread) and a virus part (infecting and destroying files).
The two are independent parts of the code and may well have been written separately; the way they are combined is interesting. The author first wrote the worm
part, then inserted the binary code of the virus part into the worm part at a specific location to obtain the final virus/worm program.

When the complete wantjob is run for the first time, it executes only the worm part of the code, as follows:

1. Copies itself to "\WINNT\System32\" and sets the system, hidden and read-only attributes.
(Under Windows 2000, files with both the system and hidden attributes set are not visible in Explorer even when
"Show all files and folders" is selected. They become visible once "Hide protected operating system files (recommended)" is deselected.)

2. Registers "\WINNT\System32\" as the "Krn132" service and sets it to start automatically at boot.

3. Reads all "htm" and "html" files in the Temporary Internet Files folder and extracts email addresses from them. Like Nimda,
this worm exploits the MIME vulnerability to attach itself to an email, which it then sends to every address obtained.
The email subject is set to one of the following:
“Hi”, “Hello”, “How are you?”, “Can you help me?”, “We want peace”,
“Where will you go?”, “Congratulations!!!”, “Don't Cry”, “Look at the pretty”,
“Some advice on your shortcoming”, “Free XXX Pictures”, “A free hot porn site”,
“Why don't you reply to me?”, “How about have dinner with me together?”,
“Never kiss a stranger”
The body is empty, but the encoded content contains a comment:


4. Searches Network Neighborhood for writable shared directories. In each one it finds, it generates a random file name, encrypts itself and copies
the virus there under that name. File name generation rules:
The first part is a randomly generated string of letters and digits, followed by a ".".
The second part is one of Htm, Doc, Jpg, Bmp, Xls, Cpp, Html, Mpg or Mpeg.
The third part adds exe as the extension.

5. Every time it starts, it creates a copy of itself in the directories "%Temp%" and "\WINNT\Temp\".
The file name starts with K and looks like "", "" or "".

The complete wantjob also arranges for the virus part to execute at the next startup, as follows:
6. Modifies part of its encoding, copies the result to "\WINNT\System32\", and sets the system, hidden and read-only attributes.

7. Writes the following value in the registry:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
This registers it as a module that must be loaded when the system starts. At the next boot, the virus part is loaded as a dynamic link library
into every system process. Because it has no PID of its own, it cannot be seen in Task Manager and cannot be terminated.
This is a method commonly used by hackers to hide backdoors; Microsoft Knowledge Base articles Q134655 and Q125680 discuss the issue in detail.

At the next boot it is loaded, and wantjob runs as a virus:

1. Traverses the hard disk, looks for PE files and infects them.

2. Checks the local time. If the date is January 13, it immediately starts 26 destructive threads that overwrite all files on the hard disk
with data from memory.

3. Every time it starts, it creates a copy of itself in the directory "\WINNT\System32\".
The file name is "" with a number appended, such as "Wqk.dll6" or "Wqk.dll23".
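A defender can turn the two naming rules above (the share-drop names from step 4 of the worm part, and the numbered "Wqk.dll" copies from step 3 here) into a simple file-listing check. This is an added example, not code from the original analysis; the sample paths are constructed.

```python
import re

# Share-drop names from step 4: random letters/digits, ".", one of the listed
# document extensions, then ".exe" (e.g. "a7Q.Jpg.exe").
SHARE_DROP = re.compile(
    r"^[A-Za-z0-9]+\.(?:Htm|Doc|Jpg|Bmp|Xls|Cpp|Html|Mpg|Mpeg)\.exe$",
    re.IGNORECASE,
)
# Copies left in System32 by the virus part: "Wqk.dll" followed by a number.
WQK_COPY = re.compile(r"^Wqk\.dll\d+$", re.IGNORECASE)


def classify(name):
    """Return which indicator a bare file name matches, or None."""
    if SHARE_DROP.match(name):
        return "share-drop"
    if WQK_COPY.match(name):
        return "system32-copy"
    return None


def scan(paths):
    """Return [(path, indicator)] for every path whose base name matches."""
    hits = []
    for p in paths:
        base = p.replace("\\", "/").rsplit("/", 1)[-1]
        kind = classify(base)
        if kind:
            hits.append((p, kind))
    return hits


# Constructed sample listing (not taken from the original analysis).
SAMPLE = [
    r"\\server\share\a7Q.Jpg.exe",
    r"\\server\share\report.Doc",
    r"\\server\share\notes.Html.exe",
    r"C:\WINNT\System32\Wqk.dll23",
    r"C:\WINNT\System32\Wqk.dll",
    r"C:\WINNT\System32\kernel32.dll",
]

if __name__ == "__main__":
    for path, kind in scan(SAMPLE):
        print(f"{kind:14} {path}")
```

Feed it the output of a directory listing of each share and of System32; a legitimate "Wqk.dll" without a trailing number is deliberately not flagged, since only the numbered copies are described.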

However it is running, wantjob takes some self-protection measures:

1. Checks the running processes. If it finds that certain antivirus software is running (AVP, NAV, NOD, McAfee, etc.), it terminates
that software's process.

2. Continuously rewrites the registry value
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
so that even if the value is removed manually, it is written back immediately.

The above describes the behaviour of wantjob under Win2K; under WinNT it is generally similar. Under Win9X it differs slightly,
mainly as follows:
1. Since Win9X has no "services", wantjob does not register the "Krn132" service. Instead it writes
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"krn132"="C:\WINDOWS\SYSTEM\"
2. There is no "" in the system folder; instead there is , and it writes
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
""="C:\WINDOWS\SYSTEM\"
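The persistence points named above (the "AppInit_DLLs" value under Win2K/NT in step 7 and the self-protection section, and the "krn132" Run value under Win9X) can be checked offline from a registry export. This is an added example, not code from the original analysis; the export text is constructed and the file names in it are placeholders, since the page does not give them.

```python
# Keys the analysis names as the worm's persistence points.
APPINIT_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"


def parse_reg_export(text):
    """Parse a REGEDIT4-style export into {key_path: {value_name: data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif "=" in line and current is not None:
            name, data = line.split("=", 1)
            keys[current][name.strip().strip('"')] = data.strip().strip('"')
    return keys


def find_persistence(keys):
    """Return (mechanism, key_path, detail) for each indicator described above."""
    findings = []
    for key, values in keys.items():
        k = key.lower()
        if k == APPINIT_KEY.lower() and values.get("AppInit_DLLs"):
            # Any non-empty AppInit_DLLs is loaded into every process that uses user32.
            findings.append(("AppInit_DLLs", key, values["AppInit_DLLs"]))
        if k == RUN_KEY.lower():
            for name, data in values.items():
                if name.lower() == "krn132":
                    findings.append(("Run", key, f"{name}={data}"))
    return findings


# Constructed export; PLACEHOLDER_* stand in for file names the page does not give.
SAMPLE_EXPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="PLACEHOLDER_WORM.DLL"
"DeviceNotSelectedTimeout"="15"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"krn132"="C:\\WINDOWS\\SYSTEM\\PLACEHOLDER_WORM.EXE"
"Synchronization Manager"="mobsync.exe /logon"
"""

if __name__ == "__main__":
    for mechanism, key, detail in find_persistence(parse_reg_export(SAMPLE_EXPORT)):
        print(f"{mechanism:13} {key}  ->  {detail}")
```

Because the running DLL rewrites "AppInit_DLLs" immediately, a finding here means the file must be removed before the value is cleared, which is why the clean-up procedure below deletes the copies first.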

Solution:

Under Win9X it is best to boot into DOS mode, scan for the virus under DOS, and then clear the relevant registry values.

Because of the special nature of wantjob, none of the current anti-virus software can remove it completely under Win2K: it is
loaded into memory before any program runs, and the related registry values cannot be deleted, so you need to follow these steps:
1. End all processes.
2. Delete all copies in "\WINNT\System32\" and in the temporary folders mentioned above.
3. Delete or disable the "Krn132" service.
4. In the registry key [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
add the following value:
@="cmd /c "attrib -s -h -r \WINNT\System32\"&"del \WINNT\System32\""
(When the system starts, this value is loaded before the "AppInit_DLLs" value mentioned above.) Then restart the system and run anti-virus
software to scan the entire hard drive.
Or:
Boot from a clean floppy disk that supports NTFS, or boot from the Windows 2000 installation CD, select the option to repair a Windows 2000
installation and finally launch the "Recovery Console", and delete the file. Use anti-virus software that can be started from the console to scan
the entire hard drive. (Contact the anti-virus software vendor beforehand to obtain the latest virus signature database.)
5. Boot the system normally and delete the relevant registry values.

Whenever possible, it is strongly recommended to format the hard disk and reinstall the system, or to restore the system from a backup.

Preventive measures:
1. For the MIME vulnerability: open IE's "Tools --> Internet Options --> Security --> Custom Level --> File Download" and select "Disable".
You can also install Service Pack 2 for IE, or upgrade to IE6.
2. Set shared directory permissions and passwords appropriately.
3. Do not open suspicious emails, and in particular do not view them as HTML.

FAQ:

1. What language is wantjob written in?

Because the program re-encodes itself, the original program has no obvious characteristics, but part of its virus code is intact,
and from it one can see that it was compiled with MS Visual C++ v6.0. Judging also by the program size, it may use a mixed C++/ASM programming approach.

2. How can I tell whether I have been infected with wantjob?

Mainly by checking for the suspicious files. See above for details.

3. Is it really impossible to notice once it is loaded in memory?

After it is loaded into memory, the system responds noticeably more slowly and the hard disk spins for no reason.
A tool that lists the modules loaded by the system can be used, with a command of the following form:
“listdlls -d ”
This shows whether it is currently loaded in the system.

4. I used some decompilation tools to analyse wantjob; why did they fail?
Wantjob is not generated directly by the compiler and linker but is hand-encoded, so some tools fail on it. You can try
W32dasm.

5. I successfully decompiled wantjob with W32dasm, but why do many strings look strange?
Wantjob applies a simple single-table substitution encoding to some strings, for example F->C, L->T, K->S. Thus "rwky64" is actually
"base64".
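The substitution table can be recovered piecewise from known plaintext, as an analyst would do while reading the W32dasm listing. This is an added example, not the page's own tooling; it assumes every pair above is given as encoded letter -> original letter (the direction the "rwky64" example shows), leaves unknown letters as "?", and reports conflicting pairs rather than silently overwriting them.

```python
# Known (encoded, original) pairs taken from the answer above.
KNOWN_STRINGS = [("rwky64", "base64")]
KNOWN_LETTERS = [("F", "C"), ("L", "T"), ("K", "S")]


def build_table(strings, letters):
    """Build a partial encoded->original letter table from known pairs."""
    table = {}

    def add(enc, plain):
        enc, plain = enc.lower(), plain.lower()
        if enc in table and table[enc] != plain:
            # A single-table substitution cannot map one letter two ways.
            raise ValueError(f"conflict for {enc!r}: {table[enc]!r} vs {plain!r}")
        table[enc] = plain

    for enc_s, plain_s in strings:
        if len(enc_s) != len(plain_s):
            raise ValueError("known string pairs must have equal length")
        for e, p in zip(enc_s, plain_s):
            if e.isalpha():  # digits pass through unchanged ("64" stays "64")
                add(e, p)
    for e, p in letters:
        add(e, p)
    return table


def decode(s, table):
    """Decode an encoded string; letters not yet in the table become '?'."""
    out = []
    for ch in s:
        if not ch.isalpha():
            out.append(ch)
            continue
        plain = table.get(ch.lower())
        if plain is None:
            out.append("?")
        else:
            out.append(plain.upper() if ch.isupper() else plain)
    return "".join(out)


if __name__ == "__main__":
    table = build_table(KNOWN_STRINGS, KNOWN_LETTERS)
    for word in ("rwky64", "fwky", "rwkz"):
        print(f"{word} -> {decode(word, table)}")
```

Each new string identified in the listing is added to KNOWN_STRINGS, and the "?" marks shrink as the table fills in.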

6. How harmful is wantjob compared with Nimda and Sircam?
Clearly wantjob does not spread as fast as Nimda, but it is certainly faster than Sircam. Since it can both infect files and destroy files,
the harm should not be much less than Nimda's, and the economic losses may be greater than Nimda's.