Expiro r virus

Trend Micro also reported attacks using this virus. The body of the virus in a bit infected file is added to the end of the new section of the executable file, called. To transfer control to the main body. Before modifying the entry point code, the virus copies the original bytes to the beginning of the.

This startup code unpacks the virus code into the. In the screenshot below we show the template for the startup code that is written during infection to the entry point of the bit file. During the infection process, the virus prepares this startup code for insertion into the target file, and some of these instructions are overwritten, which ensures that each copy of the startup code is unique.

In this case, the following types of instruction are subject to change: add, mov and lea (Load Effective Address), that is, instructions that carry direct (immediate) offsets. At the end of the code, the virus adds a jump instruction that leads to the code unpacked into the. The screenshot below shows the startup code pattern on the left and the startup code as written into the infected file on the right.
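A startup stub whose only variation is in the immediate fields of add, mov and lea instructions (and in the target of the trailing jump) can still be matched with a masked signature: fixed opcode bytes stay fixed, the varying immediates become wildcards. The example below is added here and is not code from the original page or from any vendor tool. It uses a YARA-style hex pattern with `??` wildcards, and goes one step beyond the text by deriving the pattern automatically from two samples of the stub. The stub bytes are constructed for illustration and are not Expiro's real startup code.

```python
# Added example (not from the original page): a masked-byte signature matcher in
# the style of YARA hex strings, for a startup stub whose add/mov/lea immediates
# and final jmp target vary between infected files. All stub bytes below are
# constructed for illustration and are NOT the real Expiro startup code.

def parse_pattern(text):
    """'B8 ?? ?? ?? ?? 05' -> [0xB8, None, None, None, None, 0x05]; '??' matches any byte."""
    return [None if tok == "??" else int(tok, 16) for tok in text.split()]


def pattern_text(pattern):
    """Inverse of parse_pattern, for printing or pasting into a rule."""
    return " ".join("??" if p is None else f"{p:02X}" for p in pattern)


def find_masked(pattern, data):
    """Return every offset in data at which the masked pattern matches."""
    n = len(pattern)
    return [off for off in range(len(data) - n + 1)
            if all(p is None or p == data[off + i] for i, p in enumerate(pattern))]


def derive_pattern(samples):
    """Generalise from several equal-length stub samples: any byte position that
    differs between samples becomes a wildcard, so the result covers the family
    rather than one instance (this automatic derivation goes beyond the text)."""
    length = len(samples[0])
    if any(len(s) != length for s in samples):
        raise ValueError("samples must have equal length")
    return [samples[0][i] if all(s[i] == samples[0][i] for s in samples) else None
            for i in range(length)]


def make_stub(mov_imm, add_imm, lea_disp, jmp_rel):
    """Constructed 32-bit x86 sequence of the kind the text describes:
    mov eax, imm32 ; add eax, imm32 ; lea eax, [eax+disp32] ; jmp rel32."""
    return (b"\xB8" + mov_imm.to_bytes(4, "little")
            + b"\x05" + add_imm.to_bytes(4, "little")
            + b"\x8D\x80" + lea_disp.to_bytes(4, "little")
            + b"\xE9" + jmp_rel.to_bytes(4, "little", signed=True))


# Three constructed "infected files": same stub skeleton, different immediates.
STUB_A = make_stub(0x44332211, 0x88776655, 0xCCBBAA99, 0x00FFEEDD)
STUB_B = make_stub(0x04030201, 0x08070605, 0x0C0B0A09, 0x100F0E0D)
STUB_C = make_stub(0x00001000, 0x00000020, 0x00003000, -0x40)
FILE_A = b"\x90" * 16 + STUB_A + b"\x00" * 16   # stub at offset 16
FILE_C = b"\xCC" * 5 + STUB_C + b"\xCC" * 3     # stub at offset 5
CLEAN = b"\x90" * 64                            # no stub at all

# Derived from two samples; matches a third sample it never saw.
FAMILY_PATTERN = derive_pattern([STUB_A, STUB_B])

if __name__ == "__main__":
    print("derived rule:", pattern_text(FAMILY_PATTERN))
    for name, blob in (("FILE_A", FILE_A), ("FILE_C", FILE_C), ("CLEAN", CLEAN)):
        print(name, "hits at", find_masked(FAMILY_PATTERN, blob))
```

Five fixed opcode bytes out of twenty-one is a weak anchor on its own; in a real rule the pattern would be constrained to the entry point and combined with structural checks on the file, otherwise ordinary compiler output containing a mov/add/lea/jmp run will trigger it.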

Similar startup code for bit files is also located in the section. The size of the startup code in the case of a bit file is equal to 1, bytes, and for an x32 file is bytes. The virus infects executable files by walking directories recursively, infecting each executable file by creating a special. The virus also infects signed executable files. After infection, the files are no longer signed, because the virus writes its body after the last section, where the overlay containing the digital signature is located.

Accordingly, such a file can still be executed afterwards, since execution does not depend on any information about digital signatures. The viral payload includes functionality to inject malicious code into visited web pages and to steal login credentials.
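The signed-file behaviour described above leaves a structural trace that a scanner can check without any signature database: in a correctly signed PE, the Authenticode certificate table (data directory entry 4, whose address field is a raw file offset) is the last thing in the file, so a section whose raw data lies at or beyond that table, or any bytes past the table's end, means something was written after signing. The following check is an added example using only the Python standard library; it is not code from the original page or from any vendor tool. The sample images it scans are constructed by `build_sample()` and are not real binaries, and the section name `.added` is a placeholder, not the name the virus uses.

```python
# Added example (not from the original page or any vendor tool): detect data
# appended behind the Authenticode certificate table of a signed PE file.
# Sample images are constructed in build_sample() and are not real binaries.
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def parse_pe(data):
    """Return (entry_rva, (cert_offset, cert_size), sections) for a PE32/PE32+ file.
    cert_offset is a raw file offset, not an RVA, as the PE format specifies."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = pe_off + 4
    nsections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError("unknown optional header magic")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    dirs = opt + (96 if magic == PE32_MAGIC else 112)        # data directory array
    cert_off, cert_size = struct.unpack_from(
        "<II", data, dirs + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    sections, hdr = [], opt + opt_size
    for i in range(nsections):
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, hdr + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "va": va, "vsize": vsize, "raw": rawptr, "rawsize": rawsize})
    return entry_rva, (cert_off, cert_size), sections


def appended_after_signature(data):
    """Return (names of sections stored at/after the certificate table,
    number of bytes past the table's end). Both are empty/zero for an
    untouched signed file; unsigned files give ([], 0) as there is nothing
    to compare against, so pair this with other checks for those."""
    _, (cert_off, cert_size), sections = parse_pe(data)
    if cert_off == 0 or cert_size == 0:
        return [], 0
    suspects = [s["name"] for s in sections if s["rawsize"] and s["raw"] >= cert_off]
    trailing = max(len(data) - (cert_off + cert_size), 0)
    return suspects, trailing


def build_sample(with_appended_section):
    """Constructed minimal PE32 image: one .text section at 0x200, a 0x100-byte
    placeholder certificate table at 0x400 and, optionally, a section named
    '.added' (placeholder name) whose raw data is written after the table."""
    # (name, VirtualAddress, VirtualSize, SizeOfRawData, PointerToRawData, Characteristics)
    secs = [(b".text", 0x1000, 0x200, 0x200, 0x200, 0x60000020)]
    if with_appended_section:
        secs.append((b".added", 0x2000, 0x200, 0x200, 0x500, 0xE0000020))
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                  # e_lfanew -> PE header
    coff = struct.pack("<HHIIIHH", 0x14C, len(secs), 0, 0, 0, 224, 0x102)
    opt = bytearray(224)                                     # PE32 optional header
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<I", opt, 16, 0x1000)                  # AddressOfEntryPoint
    struct.pack_into("<I", opt, 92, 16)                      # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, 0x400, 0x100)
    hdrs = b"".join(struct.pack("<8sIIIIIIHHI", n, vs, va, rs, rp, 0, 0, 0, 0, ch)
                    for n, va, vs, rs, rp, ch in secs)
    head = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + hdrs
    image = bytearray(0x500)
    image[:len(head)] = head
    image[0x200:0x400] = b"\xC3" * 0x200                      # placeholder code (ret)
    # WIN_CERTIFICATE header: dwLength, wRevision, wCertificateType, then placeholder body
    image[0x400:0x500] = struct.pack("<IHH", 0x100, 0x200, 2) + b"\0" * (0x100 - 8)
    if with_appended_section:
        image += b"\x90" * 0x200                             # data written after signing
    return bytes(image)


if __name__ == "__main__":
    for label, flag in (("clean signed", False), ("appended section", True)):
        print(label, "->", appended_after_signature(build_sample(flag)))
```

A non-empty result is a strong hint rather than proof (installers and some packers also append data after the certificate table), but in every such case the Authenticode signature no longer covers the image, so `signtool verify` or PowerShell's `Get-AuthenticodeSignature` will report it as invalid; the structural check is simply cheaper to run over a whole directory tree.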

Instead, to achieve persistence, the infection routine ensures that it initially infects at least one executable file that already has a pre-existing Run key associated with it.

Memory Resident: No. Initial Samples Received Date: 09 Jun. Minimum Scan Engine: 9.
