Tuesday, July 19, 2011

Win32.HLLP.HiDrag (aka Win32.Hidrag.a, Jeefo.A)

VirusHunter warns computer users about the spread of the virus Win32.HLLP.HiDrag (aka Win32.Hidrag.a, Jeefo.A), which infects Win32 programs and screen savers ...

A detailed description of the Win32.HLLP.HiDrag virus.

1. How a machine gets infected.

The main vector of the virus is, as usual, file-sharing networks. The virus can arrive in the shared directories of peer-to-peer clients installed on a machine, disguised as a "good" program, or simply inside infected software distributions that friends or acquaintances pass on to you. Unfortunately, many people stubbornly ignore anti-virus programs or never update their signature databases, which lets the virus "wake up" on their machines. As a result, infected computers become breeding grounds that pass the virus on to tens or even hundreds of other computers. CD/DVD discs burned on such supposedly "clean" machines are also a potential hazard, since some of the files recorded on them will obviously be infected. Nor can you rule out catching the virus from flash drives (USB flash memory storage) or floppy disks used for transport or storage.

2. Installation into the system.

Win32.HLLP.HiDrag is a memory-resident Windows program (a PE EXE file, i.e. one carrying the "PE" signature in its header; this class covers 32-bit programs written in high-level languages such as C++ Builder, Borland Turbo Pascal (Delphi) and others, built to run under Windows). It is capable of running on every version of Windows that exists at the time of writing.
The virus code is protected by an encryption layer: when the virus runs, a built-in decryption routine unpacks it directly in memory, without creating any temporary files.
Schematically, the virus code is laid out as follows (diagram not reproduced here):

As the diagram shows, the body of Win32.HLLP.HiDrag consists of two parts: the main code and an additional section in which the virus keeps its own data. The additional section is roughly 3% of the total body. Win32.HLLP.HiDrag can install itself into the system in two ways, depending on which file it is started from the first time on a clean machine: a file that contains only the original virus program, or an infected host file.

When run from an infected file, the virus determines the name of the %windir% directory of the running Windows (typically C:\WINDOWS, which I will use as the default directory from here on) and copies itself there as C:\WINDOWS\svchost.exe. That file has the following characteristics:
- file size: 36,352 bytes;
- attributes: "Archive", "System" and "Hidden" (so with default Explorer settings the file cannot be seen, because Windows does not show hidden files);
- modification date: 24.08.2001 (always the same);
- modification time: the "hh" (hours) value is either "21" or "22"; the "mm" and "ss" values (minutes and seconds) are either "00" or copied from the infected file from which the virus was launched.

The svchost.exe file stays resident in memory until Windows shuts down. To be activated at every system start, it creates an autorun registry value named "PowerManager". It also decrypts, from the additional section of its body, a "digital signature" identical to Microsoft's, lifted from the same-named Windows XP system file WINDOWS\SYSTEM32\svchost.exe, and writes it into the dropped file. (What is copied here is the file's version-information block, which is what the Properties dialog displays; it is not a cryptographic Authenticode signature, which cannot be moved from one file to another and remain valid.) As a result the virus camouflages itself in the system as an internal service process: when you look at the file's properties, the system presents it as one of its core components (screenshot of the Properties dialog not reproduced here).

If the virus is first run on a clean machine from a file that contains only the virus code (i.e. identical to svchost.exe, but named, say, zastavka.scr or anything else), Win32.HLLP.HiDrag installs itself differently: it reads the name of the running virus file and creates the autorun registry value "PowerManager" pointing at %path%\name.ext, where %path% is the location of the running virus file and name.ext is its name. The role of the svchost.exe component is thus played by the original virus file the user ran, and no svchost.exe is created in the system directory. If any infected file is launched later, svchost.exe will be created in the system directory, but the virus will not change the registry value, and the file named above will continue to be the active copy.
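The indicators above (a svchost.exe directly in %windir% rather than in SYSTEM32, the fixed 36,352-byte size with a 24.08.2001 21:xx/22:xx timestamp, the system+hidden attributes, and a "PowerManager" autorun value that may point at a renamed original file instead) can be checked offline. The following Python is an added example, not code from this article or from the virus itself; it runs over a constructed file inventory and a dictionary of autorun name/command pairs (assumed to be the contents of the standard Run key) rather than calling any Windows API, so it works against a drive mounted in a clean machine. All paths, sizes and dates in the sample data are assumptions.

```python
"""Offline triage for the persistence indicators described in section 2.

Added example, not code from the original article or from the virus. It runs
over a constructed inventory (no Windows API calls): file records as they
would be collected from an offline mount of the suspect drive, plus the
name/command pairs of the autorun (assumed: Run) key. All sample paths,
sizes and dates are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime

VIRUS_BODY_SIZE = 36_352        # the dropped file is exactly one virus body
DROPPER_DATE = (2001, 8, 24)    # its mtime date is always 24.08.2001
DROPPER_HOURS = {21, 22}        # hour is 21 or 22; minutes/seconds vary
AUTORUN_NAME = "powermanager"   # autorun value created by the virus


@dataclass(frozen=True)
class FileRecord:
    path: str               # Windows path as seen on the mounted drive
    size: int
    mtime: datetime
    attrs: frozenset[str]   # subset of {"A", "S", "H", "R"}


def _split(path: str) -> tuple[str, str]:
    parent, _, name = path.rpartition("\\")
    return parent.lower(), name.lower()


def _has_fingerprint(rec: FileRecord) -> bool:
    """Size plus the fixed timestamp; independent of the file name."""
    date = (rec.mtime.year, rec.mtime.month, rec.mtime.day)
    return rec.size == VIRUS_BODY_SIZE and date == DROPPER_DATE and rec.mtime.hour in DROPPER_HOURS


def dropper_reasons(rec: FileRecord, windir: str = "C:\\WINDOWS") -> list[str]:
    """Reasons a file looks like the virus's own body; empty list if none."""
    parent, name = _split(rec.path)
    reasons: list[str] = []
    # The real svchost.exe lives in SYSTEM32; a copy directly in %windir% is the dropped one.
    if name == "svchost.exe" and parent == windir.lower():
        reasons.append("svchost.exe in %windir% root instead of SYSTEM32")
    if _has_fingerprint(rec):
        # Also catches the renamed original file (e.g. zastavka.scr) from the second install case.
        reasons.append("36,352 bytes with mtime 24.08.2001 21:xx/22:xx")
    if {"S", "H"} <= rec.attrs:
        reasons.append("system+hidden attributes (corroborating only)")
    return reasons


def is_dropper(rec: FileRecord, windir: str = "C:\\WINDOWS") -> bool:
    """Path match alone, or the size+timestamp fingerprint, is enough; attributes only corroborate."""
    parent, name = _split(rec.path)
    return (name == "svchost.exe" and parent == windir.lower()) or _has_fingerprint(rec)


def autorun_target(run_values: dict[str, str]) -> str | None:
    """Command line behind the 'PowerManager' autorun value, or None if absent."""
    for name, cmd in run_values.items():
        if name.lower() == AUTORUN_NAME:
            return cmd
    return None


def triage(records: list[FileRecord], run_values: dict[str, str]) -> dict[str, list[str]]:
    """Everything that must be deleted before the drive goes back into the machine."""
    findings: dict[str, list[str]] = {}
    for rec in records:
        if is_dropper(rec):
            findings[rec.path] = dropper_reasons(rec)
    target = autorun_target(run_values)
    if target is not None:
        # The autorun value may name the original dropper (a renamed .scr) instead of
        # %windir%\svchost.exe; whatever it points at is the active copy.
        findings.setdefault(target, []).append("referenced by autorun value 'PowerManager'")
    return findings


# Constructed sample data: the dropped svchost.exe, the legitimate one, and a bystander.
SAMPLE_FILES = [
    FileRecord("C:\\WINDOWS\\svchost.exe", 36_352, datetime(2001, 8, 24, 21, 0, 0), frozenset("ASH")),
    FileRecord("C:\\WINDOWS\\SYSTEM32\\svchost.exe", 14_336, datetime(2004, 8, 4, 12, 0, 0), frozenset("A")),
    FileRecord("C:\\WINDOWS\\notepad.exe", 69_120, datetime(2004, 8, 4, 12, 0, 0), frozenset("A")),
]
SAMPLE_RUN = {"PowerManager": "C:\\WINDOWS\\svchost.exe"}

if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_FILES, SAMPLE_RUN).items():
        print(path, "->", "; ".join(reasons))
```

Because the size/timestamp rule does not depend on the file name, it also covers the second installation case, where the active copy is the renamed original file; the autorun value then supplies the path that has to be deleted along with svchost.exe.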

3. Infecting files.

After installing itself, the virus waits a few minutes without doing anything to hide its presence in the system and without any visible activity. Then it starts searching for and infecting PE EXE files (programs) and SCR files (screen savers). The process goes like this: first the virus looks for 6 files of these formats in the root of the system folder, i.e. C:\WINDOWS\*.exe and C:\WINDOWS\*.scr, then stops searching and infecting, waits 5 to 10 minutes, infects another 6 files, waits again for the same period and resumes. It should be said straight away that the virus only infects files larger than about 110 KB and leaves the rest alone. Before infecting each file, to hide its presence, the virus reads the file's attributes and its modification date and time, infects the file, and then puts those original values back. As a result the system shows the infected files' metadata unchanged, which makes a visual search for them difficult. When all files in the root of C:\WINDOWS have been infected, the virus moves on, using the same scheme, to the following subdirectories of the system directory: for Windows 9x/ME, C:\WINDOWS\SYSTEM\; for Windows 2K/XP, C:\WINDOWS\SYSTEM32\, including files in all subdirectories of those directories. Later the virus moves on to files in all subdirectories of C:\Program Files\. Infection of files in other folders on the system drive, and on the machine's other logical drives, including network drives open for full or partial access, is driven by some internal counters of the virus. For this reason files on those drives can stay clean for a long time.
When searching for new files to infect, the virus checks for its own code: it compares the main code of the installed copy with the beginning of the "victim" file, so that each infected file contains only one copy of the virus. When an infected file is run, the virus first cures it and then executes it (this detail is described below).

4. How files are infected.

The virus bypasses the "read only" attribute and uses a fairly complex algorithm for writing its code into files. It applies the method once used by the old HLLP family (High Level Language Program) of file viruses: overwriting the beginning of the found EXE or SCR file with its own code and appending the original program code after it. However, the virus does not simply write its body in front of the original program; it also restructures the latter, shuffling the order of its logical sections and encrypting its header, its first section and one of its middle sections. Schematically it looks like this (diagram not reproduced here):

In its additional section, in place of the fake Microsoft signature, the virus writes service data describing the original placement of the shuffled sections of the original program, as well as pointers to those sections that were encrypted. The data in the additional section is itself encrypted by the virus.
It should be noted that the reconstruction of the original file, followed by encryption of its sections, is done professionally: the size of the original program does not change after infection, and the total file size grows by exactly 36,352 bytes (i.e. only by the size of the virus body).
When an infected file is run, the copy of the virus stored in it checks whether the virus is already installed in the system, and then the following happens:
- the copy of the virus in our file takes control, turns to WINDOWS\svchost.exe and calls a special sub-procedure in it, after which the infected file's own work is finished;
- having received the call from its copy in the infected file, the virus in svchost.exe (hereafter simply "the virus") reads the infected file's location and stores it in memory as variable A;
- using variable A, the virus finds our infected file, decrypts and reads from it the part of its data that holds the scheme of how the original program was restructured, and stores it in memory as variable B;
- the virus then reads the characteristics of the infected file (attributes, modification date and time) and stores them in memory as variable C;
- then the virus removes its own copy and the restructuring data from the infected file and, guided by variable B, decrypts the encrypted blocks of the file and rearranges all blocks back into the form the file had before infection;
- finally, the virus gives the file the characteristics it read into variable C, removes variables A, B and C from memory, saves the file, and runs it.
This way of having the virus cure its own infection is rather original, and even on weak machines it delays the launch of the original program from the infected file by at most a couple of seconds. But there is a downside: when an infected file is run from media that cannot be written to (e.g. a CD-ROM, or a USB flash drive or floppy with the write-protect switch on), the original program will not run.
It will also fail to run when the infected file is launched on a machine that is clean of Win32.HLLP.HiDrag but whose WINDOWS directory already contains an active program of some other virus or Trojan named svchost.exe.
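Two facts in sections 3 and 4 decide how infected files can be found: the virus restores each victim's attributes and modification time, so sorting the system directory by date shows nothing, while every infected file grows by exactly 36,352 bytes and its content changes. A baseline manifest of sizes and hashes, taken from a clean installation or from the drive mounted in an uninfected machine, therefore does what timestamps cannot. The following Python is an added example, not the article's or the virus's code: manifest() records candidate files, find_infected() compares two manifests, and fake_infect() is a constructed stand-in that only prepends filler bytes and puts the mtime back so the comparison has something to find (it is not the real infection routine). The exact 110 KB cutoff, the inclusion of .chk files and the scratch directory layout are assumptions.

```python
"""Baseline comparison that survives the virus's timestamp restoration.

Added example, not from the original article or the virus. A hash/size
manifest of a known-clean state is compared with a later one: infected
files differ in content and are exactly one virus body (36,352 bytes)
larger, even though their mtime and attributes look untouched.
fake_infect() is a constructed stand-in used only to build test data.
"""
from __future__ import annotations

import hashlib
import os
import tempfile

VIRUS_BODY_SIZE = 36_352
MIN_VICTIM_SIZE = 110 * 1024               # "about 110 kb" in the write-up; assumed exact
TARGET_EXTS = (".exe", ".scr", ".chk")     # .chk: Scandisk backups may hold infected copies


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest(root: str) -> dict[str, tuple[int, int, str]]:
    """relative path -> (size, mtime_ns, sha256) for every candidate file under root."""
    out: dict[str, tuple[int, int, str]] = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.lower().endswith(TARGET_EXTS):
                full = os.path.join(dirpath, name)
                st = os.stat(full)
                out[os.path.relpath(full, root)] = (st.st_size, st.st_mtime_ns, sha256_file(full))
    return out


def find_infected(before: dict, after: dict) -> dict[str, str]:
    """Files whose content changed and whose size grew by exactly one virus body."""
    hits: dict[str, str] = {}
    for rel, (size, mtime, digest) in after.items():
        if rel not in before:
            continue                      # no baseline: needs a signature scanner instead
        old_size, old_mtime, old_digest = before[rel]
        if digest == old_digest or size - old_size != VIRUS_BODY_SIZE:
            continue
        note = "grew by exactly 36,352 bytes"
        if mtime == old_mtime:
            note += "; mtime restored, so a timestamp-based search would miss it"
        if old_size <= MIN_VICTIM_SIZE:
            note += "; below the usual ~110 KB victim size, double-check"
        hits[rel] = note
    return hits


def fake_infect(path: str) -> None:
    """Constructed stand-in: prepend filler of the virus body's size, then put the mtime back."""
    st = os.stat(path)
    with open(path, "rb") as f:
        original = f.read()
    with open(path, "wb") as f:
        f.write(b"\x90" * VIRUS_BODY_SIZE + original)
    os.utime(path, ns=(st.st_atime_ns, st.st_mtime_ns))   # the trick from section 3


def demo() -> dict[str, str]:
    """Scratch %windir%: one small program and one screen saver just above the threshold."""
    root = tempfile.mkdtemp(prefix="hidrag_")
    small = os.path.join(root, "small.exe")
    big = os.path.join(root, "saver.scr")
    with open(small, "wb") as f:
        f.write(b"MZ" + b"\0" * 4_094)                       # 4 KB: the virus skips it
    with open(big, "wb") as f:
        f.write(b"MZ" + b"\0" * (MIN_VICTIM_SIZE + 1022))    # just above 110 KB
    before = manifest(root)
    fake_infect(big)                                         # only the large file is hit
    return find_infected(before, manifest(root))


if __name__ == "__main__":
    for rel, note in demo().items():
        print(rel, "->", note)
```

demo() reports only saver.scr, with the note that its mtime was restored; small.exe, like the real virus's sub-110 KB bystanders, is untouched and never appears. A file that is new relative to the baseline has no reference point, which is where a scanner with the detection names from section 6 is still needed.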

5. Miscellaneous.

The virus code contains the following encrypted text:

Hidden Dragon virus. Born in a Tropical Swamp. Manages the Power save features of the Computer. Power Manager PowerManagerMutant

Its first name, "Hidrag", comes from fragments of the first phrase ("Hidden Dragon"); the second, "Jeefo", from a fragment of the same text which, in its encrypted form, happens to appear in the virus body as "I jeefo!".

6. Detecting the virus and disinfecting machines.

At the time of writing, anti-virus programs detected the virus under the following names:
- Kaspersky AntiVirus: Virus.Win32.Hidrag.a (cures infected files)
- BitDefender Professional: Win32.Jeefo.A (cures infected files)
- DrWeb: Win32.HLLP.Jeefo.36352 (cures infected files)
It should be noted that copies of the virus may also be present in files with the extension CHK (these are the files some versions of Windows create when the Scandisk utility backs up data from bad clusters on the system disk). Disinfection will not be easy for the average user, because while Windows is running the virus can re-infect files that have already been cleaned (not to mention that the scanner itself may be infected). The best solution, in my opinion, is to move the hard drive to another, uninfected machine, connect it there as a secondary drive, and disinfect everything on it. During disinfection the svchost.exe virus file must be deleted (as must any other file holding an active copy of the virus, if there is one).

7. About the "terrible" virus.

In our city, Czernowitz, alongside the mass spread of Win32.HLLP.HiDrag, rumours began to spread no less massively about the terrible things the virus supposedly does on infected machines. The rumours were backed by the indisputable fact that Win32.HLLP.HiDrag really was found on most of the machines that had "broken down".
Given that the file-infection procedure is done professionally, which rules out damage to files during infection, and that the virus code contains no destructive routines, I investigated further and obtained several files that had stopped working and contained copies of Win32.HLLP.HiDrag. It turned out that the files stopped working because they had been infected by several viruses at once. In particular, Win32.Parasite (aka Win32.Parite.b, Parite.2) was present on those machines. The situation is this: Win32.HLLP.HiDrag writes itself into the beginning of the infected file, then shuffles its sections, encrypting some of them, and keeps in its own body the information about the changes made to the original code. Win32.Parasite in turn appends its body to the end of the infected file and patches the file's header (which at that point is already the header of Win32.HLLP.HiDrag's own code). What do you think: will Win32.HLLP.HiDrag restore the infected file to its original form normally if foreign code, about which its record of all changes to the original says nothing, has appeared at the file's tail? Obviously not. Moreover, when the file is run, Win32.HLLP.HiDrag, in trying to recreate the original file, permanently damages it (and not only the file, but the Win32.Parasite code too). Anti-virus programs are likewise unable to cure this "mess".
So the real cause of the unusable files, the "broken" systems and the lost programs and batch files is, paradoxical as it sounds, the user who, out of naivety or for any other reason, does not disinfect his computer of these "cockroaches" in time.

Analysis of the malicious code and preparation of the description: Broido Herman (aka VirusHunter)
Date created: 29.03.2005
Date of last change: 15.04.2005
Credits: Avramenko Alex (aka Swat2), for finding errors in the technical description
Author of the description: Broido Herman (aka VirusHunter)
