Friday, July 15, 2011

VBS.Folder (aka VBS.Redlof.a )

VirusHunter warns computer users about the mass distribution of the script virus VBS.Folder (aka VBS.Redlof.a), which infects web page scripts and system script applications and is able to activate when an infected folder ...

Some of the terms used in this description.

VBS - Visual Basic Script, a scripting language used on Windows systems. System script applications and auxiliary routines for Internet sites are written in it.
Applet - an additional script program that uses so-called "Active Scripting". Usually written in VBS or JS (JavaScript). Such programs are used for special inserts in the design of web pages (moving pictures, pages with sound, etc.).
Explorer - hereinafter I will call Windows Explorer simply "Explorer"; it is the tool most users employ to manipulate files and folders.
Root of a disk / folder - for a disk: all files at the base of the disk, excluding all folders on it and all their contents; for a folder: all files directly in the folder, excluding all its subdirectories and all their contents.

Detailed description of the virus VBS.Folder.

1. Description of some features of Windows systems, to explain the operating principle of the virus.

All Windows systems contain files named desktop.ini and folder.htt. These files are hidden (they carry the "hidden" attribute), like many other auxiliary files and subdirectories of the system. By default Windows does not show hidden files and folders to users working in Explorer, since they are normally used only by the system itself, for service purposes and for storing technical information; an ordinary user, it would seem, has no need to see them or even to know they exist. It is exactly this property that plays "into the hands of" the virus.
desktop.ini files are initialization files for directories of a special kind, and folder.htt files are so-called hypertext templates. The system uses both to store and recall the settings of each folder (icon size, font, text boxes, colouring of file icons, the order of files within the folder depending on their type, etc.), both the system's settings and the user's own (the latter only when the user has chosen their own preferences), when the folder is handled through Explorer. Since users are generally satisfied with the default folder settings, a system normally holds no more than 15-20 desktop.ini files and 5-7 folder.htt files (depending on the Windows version), and then only for the service subdirectories WINDOWS, Program Files and My Documents.

2. Installation of the virus.

The Folder virus is a VBS program that runs on all currently existing versions of Windows. For its work it uses certain specific features of the system's GUI support and of the service component of the Windows kernel, EXPLORER. The worm uses the built-in Windows decryptor for VBS applets ("MS ObjectLib"), which lets it hide its code from visual examination: the main part of its program is polymorphically encrypted while idle and is decrypted directly into system memory only during execution.
The virus consists of 3 logical parts; their order, the language each is written in, and their sizes are shown in the diagram below:

jmp-code (from the English "jumper", a switch) - used to call the system handler that recognizes the applet as a program of the virus;
dropper-code - used to call the system's VBS language support and to decrypt the core code of the virus;
main-code - the main program of the virus, which controls all of its processes and is installed into the system as a service script application.

The source of infection is an infected web page. When an infected HTM or HTML file is opened, the virus writes its components to disk:
- in the system subdirectory WINDOWS\SYSTEM (Windows 9X/ME) or WINDOWS\SYSTEM32 (Windows 2K/2K Server/XP): the file Kernel.dll, 11,160 bytes, with the "Archive" attribute set;
- in the hidden system subdirectory WINDOWS\WEB: the file kjwall.gif, 23,142 bytes, with the "Archive" and "Hidden" attributes set;
- in the system subdirectory WINDOWS\SYSTEM32 (Windows 9X/ME) or WINDOWS\SYSTEM (Windows 2K/2K Server/XP): the file kjwall.gif, 266 bytes, with the "Hidden" attribute set.

The 1st file, Kernel.dll: the author of the virus obviously chose a name resembling Kernel32.dll, the main kernel component of every Windows OS, deliberately, so that this component would not attract special attention and would confuse the user. It is the program that controls all of the virus's processes. It is run at every system startup from a registry entry named "Kernel32" (for Windows 2K/2K Server the entry refers to %windir%, the directory in which Windows is installed). The virus code run from this file is treated by the system as data exchange of the form "system - Explorer - system", so it does not appear in any list of active system applications. The virus does not show itself as resident and is activated by the system while the user browses with Explorer (i.e. it works in so-called "background" mode).
The 2nd file, kjwall.gif (23,142 bytes), is the system file folder.htt infected by the virus (for the infection principle see the diagram in section 3), given a GIF extension to masquerade as a graphic file. The 3rd file, also named kjwall.gif (266 bytes) and again given a GIF extension as a disguise, is the file desktop.ini modified by the virus, also located in the specified directory. Folder adds to the original content of this file the extra line

PersistMoniker=file://Folder.htt

through which the contents of the infected folder.htt in the current directory are called for execution.
To be safe, Folder copies the contents of its two kjwall.gif files into the system subdirectory ...\All Users\Start Menu\Programs\Startup\, whose location depends on the Windows version, under the guise of the system files desktop.ini and folder.htt respectively, and also creates an additional item named "Desktop" in the system's Startup folder in the form of an active link to

...\All Users\Start Menu\Programs\Startup\desktop.ini

Very rarely the virus changes its infection tactics, namely:
- in the subdirectory for temporary files it creates a TMP file: for Windows 9X/ME: WINDOWS\TEMP\KLR*.TMP; for Windows 2K/2K Server/XP: Documents and Settings\%user%\Local Settings\TEMP\KLR*.TMP, where "*" in the name stands for 3-4 characters chosen randomly from the capital letters of the alphabet and the digits 0 to 9 (for example, KlrA3B7.TMP). In this file the virus keeps the code that stays in computer memory and the current data related to the "system - Explorer - system" application process. The apparent size of the TMP file is 0 bytes, because it only reflects processing taking place in memory and contains no specific program information; the actual volume of data processed in memory is about 300 KB.
- it creates the following file with no extension: Program Files\Common Files\Microsoft Shared\Stationery, to which it assigns the "Hidden" and "System" attributes. Into this file the virus writes content identical to the infected hypertext template folder.htt. The file size is 23,142 bytes.

3. Infection of directories and files.

The virus scans the directories in which its components Kernel.dll and kjwall.gif were installed, overwrites the original contents of folder.htt and desktop.ini in these directories with the contents of its respective kjwall.gif files [hereinafter this overwriting of system files by the virus is referred to simply as "infection of folders" or "infection of directories"], then finds all files with the extensions "htm", "html" (web pages) and "vbs" (script applications) [hereinafter simply "files"] and infects them in the same way as the folder.htt template. Folder then proceeds to infect the whole machine. This happens as follows:
1. the virus finds the hidden system folders RECYCLED ("Recycle Bin") on all logical drives of the machine and infects their roots;
2. on each logical drive it looks for the directory that comes first in the Latin alphabet and infects its root, then looks for the directory that comes last in the Latin alphabet and infects its root, and then looks for the next two directories in Latin alphabetical order and infects them together with all nested subdirectories and files, down to the lowest level inclusive.
Further directories are infected only when they are accessed through Explorer. The principle of file infection is shown in the diagram below (positions 1 and 2):

The virus infects each file only once, but sometimes, with a probability of about 0.5%, it makes a mistake and tries to infect the file again, appending another copy of the dropper-code to its end (see the infection diagram above, position 3). Nevertheless, this does not prevent the virus from running from such incorrectly infected files, nor does it affect the virus's operation in general.
The worm contains a bug because of which it sometimes "forgets" to infect a directory opened through Explorer, so that directory and all the files in it remain clean (although this does not mean the virus will not catch it the next time the directory is accessed through Explorer).
Also, depending on certain system conditions, the virus can change the desktop properties so that the desktop is displayed as a web page. This gives the virus another way of activating: it is started from the infected file holding the desktop settings. In addition, as a result of this change all desktop icons (shortcuts) disappear after the first reboot and the background picture is replaced with white (i.e. like a blank web page). This is because by default Windows does not display icons or a background image on the desktop when the desktop is displayed as a web page. Trying to restore everything to its original form while the virus is still on the machine is useless: even if you restore the original desktop, the virus changes the settings again, which shows after the first reboot, and in some cases even before it.
After the first reboot the virus infects all subdirectories of the folders selected alphabetically as described above on the machine's logical drives; absolutely all subdirectories of the system directory WINDOWS; and the system subdirectory Program Files\Common Files\Microsoft Shared\Stationery. Folder reacts to the folder-opening procedure performed by Explorer, and when the user opens one directory after another (including the roots of logical drives) to reach the desired file, the virus instantly infects all of these subdirectories, including the appropriate files in them. Note that the virus cannot infect directories if the user manipulates files and folders with file managers such as Total Commander (formerly Windows Commander) or FAR Manager, since these, unlike Explorer, do not use desktop.ini and folder.htt by design. The virus also cannot infect web pages and script applications opened from these file managers, since it reacts only to the following events:
- the opening of folders through Explorer;
- the opening of an already infected file.
The general principle of running the virus from an infected file is shown schematically below:

The virus "eats" memory resources and reduces the free space on the computer's hard drives, constantly filling them with numerous copies of desktop.ini and folder.htt as well as its own program in the infected files. Approximate theoretical calculations showed that on a machine with a 100 GB capacity the volume of junk files created by the virus within 7-10 days can reach about 380-420 MB (!)

4. Spread of the virus via floppy disks, USB flash drives (USB Flash Memory Storage) and CD-ROMs.
Infection of machines connected by a local (office) network.

Spread via floppy disks and flash drives. When files are viewed on or copied from or to a floppy disk (flash drive) [hereinafter simply "media"] using Explorer, the virus immediately infects all requested subdirectories on it and its root directory. Infection of the media does not occur if:
- the Windows Commander or FAR Manager file managers are used to copy and view the files/folders;
- when copying files/folders from the media to the machine via Explorer, writing to the media is blocked by the special write-protect switch on the body of the medium.
Each infected medium is a potential source of infection for other computers, because approximately 90% of users use Explorer and at least half of them do not use antivirus software. In addition, virtually no user enables the folder-view option to show hidden directories and files in Explorer, so noticing the suspicious files desktop.ini and folder.htt on the medium while viewing its contents is hardly possible. When an infected directory on the medium is opened through Explorer on a clean machine, the machine becomes infected, just as in the previously considered case of opening an infected web page. Also, on a machine infected with Folder the media cannot be formatted through Explorer: the system reports that the action cannot be performed because the removable medium is in use by "another application" (i.e. the virus).
Spread via CD-ROMs. If CD-ROMs are recorded on an infected machine, they too become a potential source of infection for other computers, because they contain infected files and directories. Such discs, if of the "CD-R" type (write-once), should subsequently be destroyed.
Spread via a local (office) network. Infection occurs when an infected machine accesses shared folders on other computers on the network using Explorer, provided that the drives accessed by the infected machine are open for writing.

5. Disinfecting the machine.

Since January 2005 the names of the virus in the nomenclature of some antivirus companies have been replaced by the following:
- Kaspersky AntiVirus: infected files: Virus.VBS.Redlof.a; incorrectly infected files are, in addition to this name, also detected as Virus.VBS.Redlof.L; main component Kernel.dll: Virus.VBS.Confi. Disinfects infected files, but with a side effect (see section 6).
- Trend PC-cillin: infected files: VBS_REDLOF.A-2; incorrectly infected files are, in addition to the nomenclature name, also detected as unknown; main component Kernel.dll: VBS_REDLOF.A.GEN. Cannot disinfect infected files, only delete them.
- BitDefender Professional: infected files: VBS.Redlof.A (HTT); incorrectly infected files are, in addition to this name, also detected as VBS.Redlof.A.dr; main component Kernel.dll: VBS.Redlof.A. Disinfects infected files without any side effects.
- DrWeb: infected files: VBS.Redlof; incorrectly infected files are, in addition to this name, also detected as VBS.Redlof; main component Kernel.dll: VBS.Redlof. Disinfects infected files, but with a side effect (see section 6).
Kaspersky AntiVirus and DrWeb cannot remove the dropper-code written a second time into incorrectly infected files, reporting that these files cannot be disinfected. Such files can therefore be cleaned of the remnants of malicious code by hand, by examining the last line of the file visually. For the average user the best way to remove the virus from the machine, in my opinion, is to run the chosen antivirus program in disinfection mode at least 2 times, restarting the computer before each subsequent run. Other ways of disinfecting the machine from Folder I do not include in this description.

6. Side effect after disinfecting the machine with Kaspersky AntiVirus and DrWeb.
Restoring the initial desktop view and showing hidden objects in the system.
Removing the file collection created by the virus and eliminating the side effect.

After disinfection with Kaspersky AntiVirus or DrWeb the following side effect is observed: when any folder that had been infected by the virus is opened through Explorer, a system message appears

The cause of this message is that both antiviruses remove the virus code from folder.htt files completely, but leave the first line, containing the virus's jmp-code, unchanged:

<BODY Onload="vbscript:KJ_start()">

When this folder.htt is accessed, the jmp-code of the virus tries to find the body of the virus applet in the file, but cannot, because the rest of the virus code was deleted by the antivirus. Hence the warning that the requested script was not found and "Active Scripting" cannot be executed.
If the machine is disinfected with BitDefender Professional, it overwrites the jmp-code line of the virus with the comment line

<!------------------------------------------->

so the side effect described above is absent.
In most cases, after disinfection with Kaspersky AntiVirus or DrWeb, this side effect has no influence on opening folders through Explorer, whichever option, "Yes" or "No", the user chooses in the above message. Sometimes, however, for some undetermined reason, the system blocks the contents of the folder after this prompt, so that all subdirectories and files in it become unavailable to the Explorer user. To fix this, I advise doing the following:
1. Close all applications you are working with.
2. Point the mouse at the desktop and click the right button once.
3. Open Properties, then Effects, clear the check box "Hide icons when the desktop is viewed as a Web page", and then click Apply and OK. This restores the normal desktop view (and your chosen background image).
4. So that Explorer shows hidden files and folders in your further work, use the utility from the set of special software by VirusHunter, which can be downloaded here. Before using the tool I strongly recommend reading the user manual attached to the set.
5. Now point the cursor at the desktop, away from any icon on it, and press F3 to open the file search menu.
6. In the search form, enter:
- in the Name field: folder.htt
- in the Look in field: select Local Hard Drives (C:, D:, ...), then click Search.
7. Select all the files found in the search window by scrolling with the key combination Shift + PageUp (when moving up the list from the bottom) and delete them with another two-key combination, Shift + Del (complete deletion bypassing the Recycle Bin). Note that deleting folder.htt files has no adverse effects.
8. Similarly you can find and remove desktop.ini files from the machine, but it is not recommended to remove those located:
- in the system directory WINDOWS and its subdirectories,
- in the system directory Program Files and its subdirectories,
- in the My Documents folder,
as removing these can adversely affect the operation of the system.
This way you get rid of the junk files created by the virus and at the same time eliminate the side effect remaining after disinfection with Kaspersky AntiVirus or DrWeb. Now Explorer can be used as before the machine was infected with Folder. To detect in future both known and unknown variants of script Trojans that automatically run malicious code when Explorer accesses the main partition of your hard drive, you can use utility number 9 from VirusHunter's set, STSS (Stealth Trojan Script Searcher).
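The two indicators quoted in this description, the PersistMoniker line in desktop.ini and the Onload handler in folder.htt, together with the post-disinfection remnant just described, can be checked for with the following scanner. It is an added example, not VirusHunter's code; it assumes the infected applet defines its entry point as Sub KJ_start and works on constructed sample files, not on the real virus body.

```python
"""VBS.Folder/VBS.Redlof indicator scanner (added example, not VirusHunter's code).

Checks the indicators the description quotes (desktop.ini: PersistMoniker=file://Folder.htt;
folder.htt: <BODY Onload="vbscript:KJ_start()">) and flags the section 6 remnant, where that
handler survived disinfection but no KJ_start routine remains. Assumption: the infected
applet defines its entry point as Sub KJ_start.
"""
import os
import re
import tempfile

# Indicators from the description; tolerant of case and stray whitespace.
PERSIST_RE = re.compile(r"^\s*PersistMoniker\s*=\s*file:\s*/\s*/\s*Folder\.htt\s*$", re.I | re.M)
ONLOAD_RE = re.compile(r"<BODY[^>]*Onload\s*=\s*[\"']vbscript:KJ_start\(\)", re.I)
# VBScript can only call KJ_start if a Sub or Function of that name exists (assumed name).
ENTRY_RE = re.compile(r"\b(Sub|Function)\s+KJ_start\b", re.I)


def classify_folder_htt(text):
    """'clean', 'infected' (handler plus entry point) or 'remnant' (handler only)."""
    if not ONLOAD_RE.search(text):
        return "clean"
    return "infected" if ENTRY_RE.search(text) else "remnant"


def desktop_ini_hijacked(text):
    """True when desktop.ini redirects the folder view to Folder.htt."""
    return PERSIST_RE.search(text) is not None


def scan_tree(root):
    """Walk root; return sorted (folder, verdict) pairs for every suspicious file."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in (n for n in files if n.lower() in ("desktop.ini", "folder.htt")):
            with open(os.path.join(dirpath, name), encoding="latin-1", errors="replace") as fh:
                text = fh.read()
            folder = os.path.relpath(dirpath, root)
            if name.lower() == "desktop.ini" and desktop_ini_hijacked(text):
                findings.append((folder, "desktop.ini points at Folder.htt"))
            elif name.lower() == "folder.htt" and classify_folder_htt(text) != "clean":
                findings.append((folder, "folder.htt " + classify_folder_htt(text)))
    return sorted(findings)


# Constructed sample contents; the real applet body is deliberately omitted.
INFECTED_HTT = ('<BODY Onload="vbscript:KJ_start()">\n<SCRIPT LANGUAGE="VBScript">\n'
                "Sub KJ_start()\n' constructed stand-in for the applet body\nEnd Sub\n</SCRIPT>\n")
REMNANT_HTT = '<BODY Onload="vbscript:KJ_start()">\n'   # what KAV and DrWeb leave behind
CLEAN_HTT = "<BODY>\n<!------------------------------------------->\n"
HIJACKED_INI = "[.ShellClassInfo]\nPersistMoniker=file://Folder.htt\n"


def build_sample_tree():
    """Create a temp tree with one infected, one remnant and one clean folder."""
    root = tempfile.mkdtemp(prefix="redlof_demo_")
    samples = {"infected": (INFECTED_HTT, HIJACKED_INI), "remnant": (REMNANT_HTT, HIJACKED_INI),
               "clean": (CLEAN_HTT, "[.ShellClassInfo]\nIconIndex=0\n")}
    for folder, (htt, ini) in samples.items():
        os.makedirs(os.path.join(root, folder))
        for name, body in (("folder.htt", htt), ("desktop.ini", ini)):
            with open(os.path.join(root, folder, name), "w") as fh:
                fh.write(body)
    return root


if __name__ == "__main__":
    for folder, verdict in scan_tree(build_sample_tree()):
        print(f"{folder}: {verdict}")
```

A "remnant" verdict identifies exactly the folders that produce the Active Scripting warning after a Kaspersky or DrWeb disinfection, so the scanner can drive the folder.htt cleanup described in steps 6-7 instead of a blind search.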

Study of the malicious code and development of the description: Broido Herman (aka VirusHunter)
Date created: 10/18/2003
Date of last change: 05.03.2005
Author of the description: Broido Herman (aka VirusHunter)