How a Virus Loads into the System

AppInit_DLLs: all the DLLs specified in this registry value are loaded by every Microsoft Windows-based application running in the current logon session. The AppInit DLLs are loaded with the LoadLibrary() function during the DLL_PROCESS_ATTACH processing of User32.dll, so executables that do not link with User32.dll do not load them. That is why user32.dll appears among the sample's 16 imports (Import table (libraries: 16)). Because they load so early, only API functions exported from Kernel32.dll are safe to use in the initialization of an AppInit DLL. murka.dat therefore registers itself in "AppInit_DLLs" as a load point for beep.sys, so that every time the computer starts the RootKit driver can load itself with the kernel...

Example: Trojan.Virantix.B

When the Trojan is executed, it creates the following files:
    %System%\user32.dat
    %Windir%\medichi.exe
    %Windir%\medichi2.exe
    %Windir%\murka.dat

It then overwrites the following files:
    %System%\beep.sys
    %System%\dllcache\beep.sys <---- actual driver that later uses the RootKit feature to hide the process medichi.exe

Next, the Trojan creates the following registry entries so that it executes whenever Windows starts:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\"AppInit_DLLs" = "%Windir%\murka.dat"
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"Medichi" = "%Windir%\medichi.exe"
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"Medichi2" = "%Windir%\medichi2"

It then hooks the following API and hides itself: <--- RootKit activity
    ZwQuerySystemInformation <--- hooks the native subsystem's function call

The Trojan then connects to the following location, which displays a fake security alert:
    hxxp://gomyhit.com/MTc3MTY=/2/6018/852/

It also opens the following URL, which may contain another program:
    hxxp://81.13.38.39/aler

The Trojan monitors the browser on the compromised computer, steals search keywords that can be used on certain search engines, and submits them to the following remote location:
    hxxp://werdagoniotu.com/searc

It attempts to download updates of itself from the following locations:
    hxxp://globalmenu.net/1/sert
    hxxp://softinfoway.info/1/sert
    hxxp://getupdate.info/1/sert
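The following PowerShell script is an added example and not part of the original post: it audits a host for the two load points the post describes, the AppInit_DLLs value that injects a DLL into every User32-linked process and the Run keys used for the dropped executables, and checks the signature of beep.sys, since the post says both the live driver and its dllcache copy are overwritten and comparing the two therefore proves nothing. The registry paths are the standard ones; the assumptions are that AppInit_DLLs is expected to be empty on the machine being checked, that on Windows Vista and later the DLLs only load when LoadAppInit_DLLs is 1, and that Get-FileHash (PowerShell 4 or newer) is available. The driver paths are the two the post names plus the usual %Windir%\System32\drivers location.

```powershell
# Added example (not from the original post): audit AppInit_DLLs, Run keys and beep.sys.
# Run from an elevated PowerShell prompt so HKLM and the dllcache directory are readable.
$findings = @()

# 1. AppInit_DLLs: every process that links User32.dll loads whatever is listed here.
$appInitKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'  # 32-bit view on 64-bit hosts
)
foreach ($key in $appInitKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    $value = [string]$props.AppInit_DLLs
    if ($value.Trim() -ne '') {
        # Assumption: a non-empty value is unexpected on this machine and worth a look by itself.
        $findings += [pscustomobject]@{
            Location = "$key\AppInit_DLLs"
            Value    = $value
            Note     = 'non-empty AppInit_DLLs; each entry is loaded into every User32-linked process'
        }
        # Entries are space- or comma-separated; expand %Windir%-style variables before checking them.
        foreach ($dll in ($value -split '[ ,]+' | Where-Object { $_ })) {
            $path = [Environment]::ExpandEnvironmentVariables($dll)
            $findings += [pscustomobject]@{
                Location = "$key\AppInit_DLLs entry"
                Value    = $path
                Note     = $(if (Test-Path $path) { 'file present; verify signature and hash' } else { 'file missing (stale entry or already removed)' })
            }
        }
    }
    # Vista and later honour the value only when LoadAppInit_DLLs is 1 (absent on XP).
    if ($props.PSObject.Properties['LoadAppInit_DLLs'] -and $props.LoadAppInit_DLLs -eq 1) {
        $findings += [pscustomobject]@{ Location = "$key\LoadAppInit_DLLs"; Value = 1; Note = 'AppInit DLL loading is enabled' }
    }
}

# 2. Run keys: the persistence the post shows for medichi.exe and medichi2.
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $entries = Get-ItemProperty -Path $key
    # Get-ItemProperty adds PSPath/PSParentPath/... metadata; skip those, keep real values.
    foreach ($p in ($entries.PSObject.Properties | Where-Object { $_.Name -notmatch '^PS' })) {
        $exe = [Environment]::ExpandEnvironmentVariables(([string]$p.Value -replace '"', ''))
        $note = ''
        if ($exe -and ((Split-Path $exe -Parent) -eq $env:windir)) {
            # Binaries started straight out of %Windir% (not a subfolder) are uncommon for legitimate software.
            $note = 'runs directly from %Windir%'
        }
        $findings += [pscustomobject]@{ Location = "$key\$($p.Name)"; Value = $exe; Note = $note }
    }
}

# 3. beep.sys: hash and signature status of every copy that exists.
$driverPaths = "$env:windir\System32\beep.sys",
               "$env:windir\System32\dllcache\beep.sys",
               "$env:windir\System32\drivers\beep.sys"
foreach ($drv in $driverPaths) {
    if (-not (Test-Path $drv)) { continue }
    $sig = Get-AuthenticodeSignature -FilePath $drv   # checks embedded and catalog signatures
    $findings += [pscustomobject]@{
        Location = $drv
        Value    = (Get-FileHash -Path $drv -Algorithm SHA256).Hash
        Note     = "signature status: $($sig.Status)"
    }
}

$findings | Format-Table -AutoSize -Wrap
```

A signature status other than Valid on beep.sys, or any AppInit_DLLs entry pointing at a .dat file in %Windir%, matches the pattern described above and is what a responder would pull the file for; a clean run simply prints the Run-key entries with an empty Note column.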
